mirror of
https://github.com/openai/codex.git
synced 2026-05-05 22:01:37 +03:00
CXC-392

[With 401](https://openai.sentry.io/issues/7333870443/?project=4510195390611458&query=019ce8f8-560c-7f10-a00a-c59553740674&referrer=issue-stream)

<img width="1909" height="555" alt="401 auth tags in Sentry" src="https://github.com/user-attachments/assets/412ea950-61c4-4780-9697-15c270971ee3" />

- auth_401_*: preserved facts from the latest unauthorized response snapshot
- auth_*: latest auth-related facts from the latest request attempt
- auth_recovery_*: unauthorized recovery state and follow-up result

Without 401

<img width="1917" height="522" alt="happy-path auth tags in Sentry" src="https://github.com/user-attachments/assets/3381ed28-8022-43b0-b6c0-623a630e679f" />

###### Summary

- Add client-visible 401 diagnostics for auth attachment, upstream auth classification, and 401 request id / cf-ray correlation.
- Record unauthorized recovery mode, phase, outcome, and retry/follow-up status without changing auth behavior.
- Surface the highest-signal auth and recovery fields on uploaded client bug reports so they are usable in Sentry.
- Preserve original unauthorized evidence under `auth_401_*` while keeping follow-up result tags separate.

###### Rationale (from spec findings)

- The dominant bucket needed proof of whether the client attached auth before send or upstream still classified the request as missing auth.
- Client uploads needed to show whether unauthorized recovery ran and what the client tried next.
- Request id and cf-ray needed to be preserved on the unauthorized response so server-side correlation is immediate.
- The bug-report path needed the same auth evidence as the request telemetry path, otherwise the observability would not be operationally useful.

###### Scope

- Add auth 401 and unauthorized-recovery observability in `codex-rs/core`, `codex-rs/codex-api`, and `codex-rs/otel`, including feedback-tag surfacing.
- Keep auth semantics, refresh behavior, retry behavior, endpoint classification, and geo-denial follow-up work out of this PR.

###### Trade-offs

- This exports only safe auth evidence: header presence/name, upstream auth classification, request ids, and recovery state. It does not export token values or raw upstream bodies.
- This keeps websocket connection reuse as a transport clue because it can help distinguish stale reused sessions from fresh reconnects.
- Misroute/base-url classification and geo-denial are intentionally deferred to a separate follow-up PR so this review stays focused on the dominant auth 401 bucket.

###### Client follow-up

- PR 2 will add misroute/provider and geo-denial observability plus the matching feedback-tag surfacing.
- A separate host/app-server PR should log auth-decision inputs so pre-send host auth state can be correlated with client request evidence.
- `device_id` remains intentionally separate until there is a safe existing source on the feedback upload path.

###### Testing

- `cargo test -p codex-core refresh_available_models_sorts_by_priority`
- `cargo test -p codex-core emit_feedback_request_tags_`
- `cargo test -p codex-core emit_feedback_auth_recovery_tags_`
- `cargo test -p codex-core auth_request_telemetry_context_tracks_attached_auth_and_retry_phase`
- `cargo test -p codex-core extract_response_debug_context_decodes_identity_headers`
- `cargo test -p codex-core identity_auth_details`
- `cargo test -p codex-core telemetry_error_messages_preserve_non_http_details`
- `cargo test -p codex-core --all-features --no-run`
- `cargo test -p codex-otel otel_export_routing_policy_routes_api_request_auth_observability`
- `cargo test -p codex-otel otel_export_routing_policy_routes_websocket_connect_auth_observability`
- `cargo test -p codex-otel otel_export_routing_policy_routes_websocket_request_transport_observability`
247 lines
8.9 KiB
Rust
```rust
use base64::Engine;
use chrono::DateTime;
use chrono::Utc;
use codex_api::AuthProvider as ApiAuthProvider;
use codex_api::TransportError;
use codex_api::error::ApiError;
use codex_api::rate_limits::parse_promo_message;
use codex_api::rate_limits::parse_rate_limit_for_limit;
use http::HeaderMap;
use serde::Deserialize;
use serde_json::Value;

use crate::auth::CodexAuth;
use crate::error::CodexErr;
use crate::error::RetryLimitReachedError;
use crate::error::UnexpectedResponseError;
use crate::error::UsageLimitReachedError;
use crate::model_provider_info::ModelProviderInfo;
use crate::token_data::PlanType;

// Maps a codex-api error onto the core `CodexErr` type. For unexpected HTTP
// statuses the correlation headers (request id, cf-ray) and the identity
// error headers are carried over from the response.
pub(crate) fn map_api_error(err: ApiError) -> CodexErr {
    match err {
        ApiError::ContextWindowExceeded => CodexErr::ContextWindowExceeded,
        ApiError::QuotaExceeded => CodexErr::QuotaExceeded,
        ApiError::UsageNotIncluded => CodexErr::UsageNotIncluded,
        ApiError::Retryable { message, delay } => CodexErr::Stream(message, delay),
        ApiError::Stream(msg) => CodexErr::Stream(msg, None),
        ApiError::ServerOverloaded => CodexErr::ServerOverloaded,
        ApiError::Api { status, message } => CodexErr::UnexpectedStatus(UnexpectedResponseError {
            status,
            body: message,
            url: None,
            cf_ray: None,
            request_id: None,
            identity_authorization_error: None,
            identity_error_code: None,
        }),
        ApiError::InvalidRequest { message } => CodexErr::InvalidRequest(message),
        ApiError::Transport(transport) => match transport {
            TransportError::Http {
                status,
                url,
                headers,
                body,
            } => {
                let body_text = body.unwrap_or_default();

                if status == http::StatusCode::SERVICE_UNAVAILABLE
                    && let Ok(value) = serde_json::from_str::<serde_json::Value>(&body_text)
                    && matches!(
                        value
                            .get("error")
                            .and_then(|error| error.get("code"))
                            .and_then(serde_json::Value::as_str),
                        Some("server_is_overloaded" | "slow_down")
                    )
                {
                    return CodexErr::ServerOverloaded;
                }

                if status == http::StatusCode::BAD_REQUEST {
                    if body_text
                        .contains("The image data you provided does not represent a valid image")
                    {
                        CodexErr::InvalidImageRequest()
                    } else {
                        CodexErr::InvalidRequest(body_text)
                    }
                } else if status == http::StatusCode::INTERNAL_SERVER_ERROR {
                    CodexErr::InternalServerError
                } else if status == http::StatusCode::TOO_MANY_REQUESTS {
                    if let Ok(err) = serde_json::from_str::<UsageErrorResponse>(&body_text) {
                        if err.error.error_type.as_deref() == Some("usage_limit_reached") {
                            let limit_id = extract_header(headers.as_ref(), ACTIVE_LIMIT_HEADER);
                            let rate_limits = headers.as_ref().and_then(|map| {
                                parse_rate_limit_for_limit(map, limit_id.as_deref())
                            });
                            let promo_message = headers.as_ref().and_then(parse_promo_message);
                            let resets_at = err
                                .error
                                .resets_at
                                .and_then(|seconds| DateTime::<Utc>::from_timestamp(seconds, 0));
                            return CodexErr::UsageLimitReached(UsageLimitReachedError {
                                plan_type: err.error.plan_type,
                                resets_at,
                                rate_limits: rate_limits.map(Box::new),
                                promo_message,
                            });
                        } else if err.error.error_type.as_deref() == Some("usage_not_included") {
                            return CodexErr::UsageNotIncluded;
                        }
                    }

                    CodexErr::RetryLimit(RetryLimitReachedError {
                        status,
                        request_id: extract_request_tracking_id(headers.as_ref()),
                    })
                } else {
                    CodexErr::UnexpectedStatus(UnexpectedResponseError {
                        status,
                        body: body_text,
                        url,
                        cf_ray: extract_header(headers.as_ref(), CF_RAY_HEADER),
                        request_id: extract_request_id(headers.as_ref()),
                        identity_authorization_error: extract_header(
                            headers.as_ref(),
                            X_OPENAI_AUTHORIZATION_ERROR_HEADER,
                        ),
                        identity_error_code: extract_x_error_json_code(headers.as_ref()),
                    })
                }
            }
            TransportError::RetryLimit => CodexErr::RetryLimit(RetryLimitReachedError {
                status: http::StatusCode::INTERNAL_SERVER_ERROR,
                request_id: None,
            }),
            TransportError::Timeout => CodexErr::Timeout,
            TransportError::Network(msg) | TransportError::Build(msg) => {
                CodexErr::Stream(msg, None)
            }
        },
        ApiError::RateLimit(msg) => CodexErr::Stream(msg, None),
    }
}

const ACTIVE_LIMIT_HEADER: &str = "x-codex-active-limit";
const REQUEST_ID_HEADER: &str = "x-request-id";
const OAI_REQUEST_ID_HEADER: &str = "x-oai-request-id";
const CF_RAY_HEADER: &str = "cf-ray";
const X_OPENAI_AUTHORIZATION_ERROR_HEADER: &str = "x-openai-authorization-error";
const X_ERROR_JSON_HEADER: &str = "x-error-json";

#[cfg(test)]
#[path = "api_bridge_tests.rs"]
mod tests;

// Prefers a request id header and falls back to cf-ray.
fn extract_request_tracking_id(headers: Option<&HeaderMap>) -> Option<String> {
    extract_request_id(headers).or_else(|| extract_header(headers, CF_RAY_HEADER))
}

fn extract_request_id(headers: Option<&HeaderMap>) -> Option<String> {
    extract_header(headers, REQUEST_ID_HEADER)
        .or_else(|| extract_header(headers, OAI_REQUEST_ID_HEADER))
}

// Returns the header value as a string; values that are not valid visible
// ASCII (`to_str` fails) yield `None`.
fn extract_header(headers: Option<&HeaderMap>, name: &str) -> Option<String> {
    headers.and_then(|map| {
        map.get(name)
            .and_then(|value| value.to_str().ok())
            .map(str::to_string)
    })
}

// The x-error-json header carries base64-encoded JSON. Returns its
// `error.code` string, or `None` if the header is absent or fails to
// decode or parse.
fn extract_x_error_json_code(headers: Option<&HeaderMap>) -> Option<String> {
    let encoded = extract_header(headers, X_ERROR_JSON_HEADER)?;
    let decoded = base64::engine::general_purpose::STANDARD
        .decode(encoded)
        .ok()?;
    let parsed = serde_json::from_slice::<Value>(&decoded).ok()?;
    parsed
        .get("error")
        .and_then(|error| error.get("code"))
        .and_then(Value::as_str)
        .map(str::to_string)
}

// Credential precedence: the provider's API key, then its experimental
// bearer token, then the token from `CodexAuth`; otherwise no credentials.
pub(crate) fn auth_provider_from_auth(
    auth: Option<CodexAuth>,
    provider: &ModelProviderInfo,
) -> crate::error::Result<CoreAuthProvider> {
    if let Some(api_key) = provider.api_key()? {
        return Ok(CoreAuthProvider {
            token: Some(api_key),
            account_id: None,
        });
    }

    if let Some(token) = provider.experimental_bearer_token.clone() {
        return Ok(CoreAuthProvider {
            token: Some(token),
            account_id: None,
        });
    }

    if let Some(auth) = auth {
        let token = auth.get_token()?;
        Ok(CoreAuthProvider {
            token: Some(token),
            account_id: auth.get_account_id(),
        })
    } else {
        Ok(CoreAuthProvider {
            token: None,
            account_id: None,
        })
    }
}

#[derive(Debug, Deserialize)]
struct UsageErrorResponse {
    error: UsageErrorBody,
}

#[derive(Debug, Deserialize)]
struct UsageErrorBody {
    #[serde(rename = "type")]
    error_type: Option<String>,
    plan_type: Option<PlanType>,
    resets_at: Option<i64>,
}

#[derive(Clone, Default)]
pub(crate) struct CoreAuthProvider {
    token: Option<String>,
    account_id: Option<String>,
}

impl CoreAuthProvider {
    // True only when a token is present and `Bearer <token>` is a valid
    // HTTP header value. Reports presence, never the token itself.
    pub(crate) fn auth_header_attached(&self) -> bool {
        self.token
            .as_ref()
            .is_some_and(|token| http::HeaderValue::from_str(&format!("Bearer {token}")).is_ok())
    }

    pub(crate) fn auth_header_name(&self) -> Option<&'static str> {
        self.auth_header_attached().then_some("authorization")
    }

    #[cfg(test)]
    pub(crate) fn for_test(token: Option<&str>, account_id: Option<&str>) -> Self {
        Self {
            token: token.map(str::to_string),
            account_id: account_id.map(str::to_string),
        }
    }
}

impl ApiAuthProvider for CoreAuthProvider {
    fn bearer_token(&self) -> Option<String> {
        self.token.clone()
    }

    fn account_id(&self) -> Option<String> {
        self.account_id.clone()
    }
}
```
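The "safe auth evidence" trade-off from the commit message, as an added std-only example (not code from the Codex repository): it builds 401 evidence tags from header presence and correlation ids without ever copying the token. The tag names, the `Headers` slice type and the redaction step for upstream values that echo the token are assumptions of this example; only the `auth_*` / `auth_401_*` prefixes and the header names come from the page.

```rust
use std::collections::BTreeMap;

type Headers<'a> = &'a [(&'a str, &'a str)];

// Case-insensitive header lookup over a (name, value) list.
fn header<'a>(headers: Headers<'a>, name: &str) -> Option<&'a str> {
    headers.iter().find(|(k, _)| k.eq_ignore_ascii_case(name)).map(|(_, v)| *v)
}

// Std-only stand-in for the HeaderValue check: the token counts as attached
// only if every byte is legal in a header value (no CR, LF, NUL or DEL).
fn header_attached(token: Option<&str>) -> bool {
    token.is_some_and(|t| t.bytes().all(|b| b == b'\t' || (b >= 0x20 && b != 0x7f)))
}

// Builds evidence tags for a 401 response. Tag names are hypothetical.
fn unauthorized_tags(token: Option<&str>, resp: Headers) -> BTreeMap<&'static str, String> {
    let mut tags = BTreeMap::new();
    let attached = header_attached(token);
    tags.insert("auth_header_attached", attached.to_string());
    if attached {
        tags.insert("auth_header_name", "authorization".to_string());
    }
    let request_id = header(resp, "x-request-id").or_else(|| header(resp, "x-oai-request-id"));
    let evidence = [
        ("auth_401_request_id", request_id),
        ("auth_401_cf_ray", header(resp, "cf-ray")),
        ("auth_401_authorization_error", header(resp, "x-openai-authorization-error")),
    ];
    for (tag, value) in evidence {
        if let Some(value) = value {
            // Defence in depth: drop any upstream value that echoes the token.
            let safe = match token {
                Some(t) if !t.is_empty() && value.contains(t) => "[redacted]".to_string(),
                _ => value.to_string(),
            };
            tags.insert(tag, safe);
        }
    }
    tags
}

fn main() {
    // Constructed sample: a fake token and a fake 401 response.
    let resp = [("X-OAI-Request-Id", "req_constructed_1"), ("cf-ray", "ray-constructed-1")];
    for (k, v) in unauthorized_tags(Some("sk-constructed-token"), &resp) {
        println!("{k}={v}");
    }
}
```
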