fix(admin): classify codex at account identities

Author: james-6-23

admin/handler.go

@@ -567,6 +567,7 @@ type accountResponse struct {
 	CreditSkipUsageWindow    bool                       `json:"credit_skip_usage_window"`
 	SkipWarmTier             bool                       `json:"skip_warm_tier"`
 	AccountType              string                     `json:"account_type,omitempty"`
+	AccessTokenType          string                     `json:"access_token_type,omitempty"`
 	OpenAIResponsesAPI       bool                       `json:"openai_responses_api,omitempty"`
 	BaseURL                  string                     `json:"base_url,omitempty"`
 	Models                   []string                   `json:"models,omitempty"`
@@ -653,6 +654,16 @@ func accountEmailDomain(email string) string {
 	return domain
 }
 
+func accountAccessTokenType(row *database.AccountRow) string {
+	if row == nil {
+		return ""
+	}
+	if tokenType := strings.TrimSpace(row.GetCredential("access_token_type")); tokenType != "" {
+		return tokenType
+	}
+	return accessTokenTypeForToken(row.GetCredential("access_token"))
+}
+
 type schedulerBreakdownResponse struct {
 	UnauthorizedPenalty float64 `json:"unauthorized_penalty"`
 	RateLimitPenalty    float64 `json:"rate_limit_penalty"`
@@ -719,6 +730,7 @@ func (h *Handler) ListAccounts(c *gin.Context) {
 			CreditSkipUsageWindow:    row.CreditSkipUsageWindow,
 			SkipWarmTier:             row.SkipWarmTier,
 			AccountType:              row.Type,
+			AccessTokenType:          accountAccessTokenType(row),
 			OpenAIResponsesAPI:       isOpenAIResponsesAccount,
 			BaseURL:                  baseURL,
 			Models:                   row.GetCredentialStringSlice("models"),
@@ -1812,40 +1824,13 @@ func (h *Handler) AddATAccount(c *gin.Context) {
 		successCount++
 		h.db.InsertAccountEventAsync(id, "added", "manual_at")
 
-		// 解析 AT JWT 提取账号信息（email、plan_type、account_id、过期时间）
-		atInfo := auth.ParseAccessToken(at)
-
-		// 热加载到内存池（AT-only，无 RT）
-		newAcc := &auth.Account{
-			DBID:        id,
-			AccessToken: at,
-			ExpiresAt:   time.Now().Add(1 * time.Hour),
-			ProxyURL:    req.ProxyURL,
-		}
-		if atInfo != nil {
-			newAcc.Email = atInfo.Email
-			newAcc.AccountID = atInfo.ChatGPTAccountID
-			newAcc.PlanType = atInfo.PlanType
-			if !atInfo.ExpiresAt.IsZero() {
-				newAcc.ExpiresAt = atInfo.ExpiresAt
-			}
-			if !atInfo.SubscriptionExpiresAt.IsZero() {
-				newAcc.SubscriptionExpiresAt = atInfo.SubscriptionExpiresAt
-			}
-		}
+		// 热加载到内存池（AT-only，无 RT）。codex_at 不走 JWT 解码，
+		// 身份信息后续由 wham 用量查询补齐。
+		newAcc := accountFromCredentialSeed(id, req.ProxyURL, seed)
 		h.store.AddAccount(newAcc)
 
-		// 将解析到的信息持久化到数据库
-		if atInfo != nil {
-			creds := map[string]interface{}{
-				"email":      atInfo.Email,
-				"account_id": atInfo.ChatGPTAccountID,
-				"plan_type":  atInfo.PlanType,
-				"expires_at": newAcc.ExpiresAt.Format(time.RFC3339),
-			}
-			if !atInfo.SubscriptionExpiresAt.IsZero() {
-				creds["subscription_expires_at"] = atInfo.SubscriptionExpiresAt.Format(time.RFC3339)
-			}
+		// 将解析/识别到的信息持久化到数据库。
+		if creds := tokenCredentialMap(seed); len(creds) > 0 {
 			if err := h.db.UpdateCredentials(ctx, id, creds); err != nil {
 				log.Printf("AT 账号 %d 更新 credentials 失败: %v", id, err)
 			}
@@ -3242,6 +3227,7 @@ type recycleBinAccountResponse struct {
 	Email              string   `json:"email"`
 	PlanType           string   `json:"plan_type"`
 	ATOnly             bool     `json:"at_only"`
+	AccessTokenType    string   `json:"access_token_type,omitempty"`
 	OpenAIResponsesAPI bool     `json:"openai_responses_api"`
 	BaseURL            string   `json:"base_url,omitempty"`
 	Models             []string `json:"models,omitempty"`
@@ -3281,6 +3267,7 @@ func (h *Handler) ListRecycleBinAccounts(c *gin.Context) {
 			Email:              email,
 			PlanType:           planType,
 			ATOnly:             !isOpenAIResponsesAccount && row.GetCredential("refresh_token") == "" && row.GetCredential("access_token") != "",
+			AccessTokenType:    accountAccessTokenType(row),
 			OpenAIResponsesAPI: isOpenAIResponsesAccount,
 			BaseURL:            baseURL,
 			Models:             row.GetCredentialStringSlice("models"),

admin/handler_test.go

@@ -76,6 +76,20 @@ func TestAccountEmailDomain(t *testing.T) {
 	}
 }
 
+func TestAccountAccessTokenTypeInfersCodexAT(t *testing.T) {
+	row := &database.AccountRow{Credentials: map[string]interface{}{
+		"access_token": "at-opaque-codex-token",
+	}}
+	if got := accountAccessTokenType(row); got != accessTokenTypeCodexAT {
+		t.Fatalf("accountAccessTokenType() = %q, want %q", got, accessTokenTypeCodexAT)
+	}
+
+	row.Credentials["access_token_type"] = "custom"
+	if got := accountAccessTokenType(row); got != "custom" {
+		t.Fatalf("accountAccessTokenType() with stored type = %q, want custom", got)
+	}
+}
+
 func TestSummarizeDashboardAccountsMatchesAccountPageBuckets(t *testing.T) {
 	rows := []*database.AccountRow{
 		{ID: 1, Status: "error", Enabled: true},   // DB stale, runtime active

admin/token_credentials.go

@@ -12,6 +12,7 @@ type tokenCredentialSeed struct {
 	refreshToken          string
 	sessionToken          string
 	accessToken           string
+	accessTokenType       string
 	idToken               string
 	accountID             string
 	email                 string
@@ -32,6 +33,7 @@ func normalizeTokenCredentialSeed(seed tokenCredentialSeed) tokenCredentialSeed
 	seed.refreshToken = strings.TrimSpace(seed.refreshToken)
 	seed.sessionToken = strings.TrimSpace(seed.sessionToken)
 	seed.accessToken = strings.TrimSpace(seed.accessToken)
+	seed.accessTokenType = strings.TrimSpace(seed.accessTokenType)
 	seed.idToken = strings.TrimSpace(seed.idToken)
 	seed.accountID = strings.TrimSpace(seed.accountID)
 	seed.email = strings.TrimSpace(seed.email)
@@ -43,8 +45,15 @@ func normalizeTokenCredentialSeed(seed tokenCredentialSeed) tokenCredentialSeed
 	seed.codex5HResetAt = strings.TrimSpace(seed.codex5HResetAt)
 	seed.codex5HUsageUpdatedAt = strings.TrimSpace(seed.codex5HUsageUpdatedAt)
 	seed.codexUsageUpdatedAt = strings.TrimSpace(seed.codexUsageUpdatedAt)
+	if seed.accessTokenType == "" {
+		seed.accessTokenType = accessTokenTypeForToken(seed.accessToken)
+	}
 
-	if info := accountInfoFromTokens(seed.idToken, seed.accessToken); info != nil {
+	accessTokenForJWT := seed.accessToken
+	if seed.accessTokenType == accessTokenTypeCodexAT {
+		accessTokenForJWT = ""
+	}
+	if info := accountInfoFromTokens(seed.idToken, accessTokenForJWT); info != nil {
 		if seed.accountID == "" {
 			seed.accountID = info.ChatGPTAccountID
 		}
@@ -62,7 +71,7 @@ func normalizeTokenCredentialSeed(seed tokenCredentialSeed) tokenCredentialSeed
 	if seed.expiresAt.IsZero() && seed.expiresIn > 0 {
 		seed.expiresAt = time.Now().Add(time.Duration(seed.expiresIn) * time.Second)
 	}
-	if seed.expiresAt.IsZero() && seed.accessToken != "" {
+	if seed.expiresAt.IsZero() && seed.accessToken != "" && seed.accessTokenType != accessTokenTypeCodexAT {
 		if info := auth.ParseAccessToken(seed.accessToken); info != nil && !info.ExpiresAt.IsZero() {
 			seed.expiresAt = info.ExpiresAt
 		}
@@ -77,6 +86,15 @@ func normalizeTokenCredentialSeed(seed tokenCredentialSeed) tokenCredentialSeed
 	return seed
 }
 
+const accessTokenTypeCodexAT = "codex_at"
+
+func accessTokenTypeForToken(accessToken string) string {
+	if strings.HasPrefix(strings.TrimSpace(accessToken), "at-") {
+		return accessTokenTypeCodexAT
+	}
+	return ""
+}
+
 func accountInfoFromTokens(idToken, accessToken string) *auth.AccountInfo {
 	info := auth.ParseIDToken(strings.TrimSpace(idToken))
 	if info == nil {
@@ -111,6 +129,9 @@ func tokenCredentialMap(seed tokenCredentialSeed) map[string]interface{} {
 	if seed.accessToken != "" {
 		credentials["access_token"] = seed.accessToken
 	}
+	if seed.accessTokenType != "" {
+		credentials["access_token_type"] = seed.accessTokenType
+	}
 	if seed.idToken != "" {
 		credentials["id_token"] = seed.idToken
 	}

admin/token_credentials_test.go

@@ -32,3 +32,42 @@ func TestNormalizeTokenCredentialSeedPrefersAccessTokenExpiry(t *testing.T) {
 		t.Fatalf("expiresAt = %s, want access token expiry %s", seed.expiresAt, accessExpiresAt)
 	}
 }
+
+func TestNormalizeTokenCredentialSeedTreatsCodexATAsOpaque(t *testing.T) {
+	accessExpiresAt := time.Now().Add(2 * time.Hour).Truncate(time.Second)
+	rawJWT := makeAdminTestJWT(t, map[string]interface{}{
+		"exp": accessExpiresAt.Unix(),
+		"https://api.openai.com/profile": map[string]interface{}{
+			"email": "jwt@example.com",
+		},
+		"https://api.openai.com/auth": map[string]interface{}{
+			"chatgpt_account_id": "acc-from-jwt",
+			"chatgpt_plan_type":  "team",
+		},
+	})
+	codexAT := "at-" + rawJWT
+	before := time.Now()
+
+	seed := normalizeTokenCredentialSeed(tokenCredentialSeed{accessToken: codexAT})
+
+	if seed.accessTokenType != accessTokenTypeCodexAT {
+		t.Fatalf("accessTokenType = %q, want %q", seed.accessTokenType, accessTokenTypeCodexAT)
+	}
+	if seed.email != "" || seed.accountID != "" || seed.planType != "" {
+		t.Fatalf("codex_at parsed JWT fields: email=%q accountID=%q planType=%q", seed.email, seed.accountID, seed.planType)
+	}
+	if seed.expiresAt.Before(before.Add(50*time.Minute)) || seed.expiresAt.After(before.Add(70*time.Minute)) {
+		t.Fatalf("expiresAt = %s, want fallback around 1h from now", seed.expiresAt)
+	}
+
+	credentials := tokenCredentialMap(seed)
+	if got := credentials["access_token_type"]; got != accessTokenTypeCodexAT {
+		t.Fatalf("credentials access_token_type = %q, want %q", got, accessTokenTypeCodexAT)
+	}
+	if _, ok := credentials["email"]; ok {
+		t.Fatalf("credentials should not include email for opaque codex_at: %#v", credentials)
+	}
+	if _, ok := credentials["account_id"]; ok {
+		t.Fatalf("credentials should not include account_id for opaque codex_at: %#v", credentials)
+	}
+}

auth/store.go

@@ -4936,6 +4936,44 @@ func (s *Store) UpdateAccountPlanType(acc *Account, planType string) bool {
 	return changed
 }
 
+// UpdateAccountIdentity persists account identity observed from upstream usage APIs.
+func (s *Store) UpdateAccountIdentity(acc *Account, email, accountID string) bool {
+	if s == nil || acc == nil {
+		return false
+	}
+	email = strings.TrimSpace(email)
+	accountID = strings.TrimSpace(accountID)
+	if email == "" && accountID == "" {
+		return false
+	}
+
+	fields := make(map[string]interface{}, 2)
+	acc.mu.Lock()
+	changed := false
+	if email != "" && acc.Email != email {
+		acc.Email = email
+		fields["email"] = email
+		changed = true
+	}
+	if accountID != "" && acc.AccountID != accountID {
+		acc.AccountID = accountID
+		fields["account_id"] = accountID
+		changed = true
+	}
+	acc.mu.Unlock()
+
+	if s.db == nil || len(fields) == 0 {
+		return changed
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+	defer cancel()
+	if err := s.db.UpdateCredentials(ctx, acc.DBID, fields); err != nil {
+		log.Printf("[账号 %d] 持久化账号身份失败: %v", acc.DBID, err)
+	}
+	return changed
+}
+
 // ApplyUsageLimitMetadata applies metadata returned by Codex usage_limit_reached errors.
 func (s *Store) ApplyUsageLimitMetadata(acc *Account, planType string, resetAt time.Time) {
 	if acc == nil {

frontend/src/pages/Accounts.tsx

@@ -252,6 +252,10 @@ function formatAccountListEmail(account: AccountRow): string {
   return account.email?.trim() || account.name || `ID ${account.id}`;
 }
 
+function formatAccessTokenBadge(account: AccountRow): string {
+  return account.access_token_type === "codex_at" ? "codex_at" : "AT";
+}
+
 function getInitialAnalysisVisibility(): boolean {
   try {
     return (
@@ -3927,7 +3931,7 @@ export default function Accounts() {
                                     <div className="flex flex-wrap gap-1">
                                       {account.at_only && (
                                         <span className="inline-flex items-center rounded-md bg-amber-50 px-1.5 py-0.5 text-[10px] font-medium text-amber-700 ring-1 ring-inset ring-amber-600/20 dark:bg-amber-950 dark:text-amber-400 dark:ring-amber-400/20">
-                                          AT
+                                          {formatAccessTokenBadge(account)}
                                         </span>
                                       )}
                                       {account.openai_responses_api && (
@@ -8364,7 +8368,7 @@ function AccountMobileCard({
               <div className="mt-3 flex min-h-6 min-w-0 flex-wrap items-center gap-1.5">
                 {account.at_only && (
                   <span className="inline-flex items-center rounded-md bg-amber-50 px-1.5 py-0.5 text-[10px] font-medium text-amber-700 ring-1 ring-inset ring-amber-600/20 dark:bg-amber-950 dark:text-amber-400 dark:ring-amber-400/20">
-                    AT
+                    {formatAccessTokenBadge(account)}
                   </span>
                 )}
                 {account.openai_responses_api && (
@@ -8690,7 +8694,7 @@ function AccountMobileCard({
           <div className="mt-2 flex min-h-6 min-w-0 flex-wrap items-center gap-1.5">
             {account.at_only && (
               <span className="inline-flex items-center rounded-md bg-amber-50 px-1.5 py-0.5 text-[10px] font-medium text-amber-700 ring-1 ring-inset ring-amber-600/20 dark:bg-amber-950 dark:text-amber-400 dark:ring-amber-400/20">
-                AT
+                {formatAccessTokenBadge(account)}
               </span>
             )}
             {account.openai_responses_api && (

frontend/src/types.ts

@@ -34,6 +34,7 @@ export interface AccountRow {
   status: AccountStatus
   error_message?: string
   at_only?: boolean
+  access_token_type?: string
   account_type?: string
   openai_responses_api?: boolean
   base_url?: string
@@ -154,6 +155,7 @@ export interface RecycleBinAccountRow {
   email: string
   plan_type: string
   at_only?: boolean
+  access_token_type?: string
   openai_responses_api?: boolean
   base_url?: string
   models?: string[]

proxy/usage_wham.go

@@ -302,6 +302,11 @@ func ApplyWhamUsage(store *auth.Store, account *auth.Account, usage *WhamUsage)
 		store.UpdateAccountPlanType(account, usage.PlanType)
 	}
 	if store != nil {
+		accountID := strings.TrimSpace(usage.AccountID)
+		if accountID == "" {
+			accountID = strings.TrimSpace(usage.UserID)
+		}
+		store.UpdateAccountIdentity(account, usage.Email, accountID)
 		store.UpdateAccountSubscriptionExpiresAt(account, usage.SubscriptionExpiresAt())
 	}
 

proxy/usage_wham_test.go

@@ -148,6 +148,50 @@ func TestApplyWhamUsage_PersistsPlanAnd5h7d(t *testing.T) {
 	}
 }
 
+func TestApplyWhamUsage_PersistsIdentity(t *testing.T) {
+	ctx := context.Background()
+	dbPath := filepath.Join(t.TempDir(), "codex2api.db")
+	db, err := database.New("sqlite", dbPath)
+	if err != nil {
+		t.Fatalf("database.New: %v", err)
+	}
+	defer db.Close()
+
+	id, err := db.InsertAccountWithCredentials(ctx, "at-only", map[string]interface{}{"access_token": "at"}, "")
+	if err != nil {
+		t.Fatalf("InsertAccountWithCredentials: %v", err)
+	}
+
+	store := auth.NewStore(db, nil, &database.SystemSettings{MaxConcurrency: 2, TestConcurrency: 1, TestModel: "gpt-5.4"})
+	account := &auth.Account{DBID: id, AccessToken: "at"}
+	usage := &WhamUsage{
+		UserID:    "user-from-wham",
+		AccountID: "account-from-wham",
+		Email:     "wham@example.com",
+		PlanType:  "team",
+	}
+
+	ApplyWhamUsage(store, account, usage)
+
+	if account.Email != "wham@example.com" {
+		t.Fatalf("account.Email = %q, want wham@example.com", account.Email)
+	}
+	if account.AccountID != "account-from-wham" {
+		t.Fatalf("account.AccountID = %q, want account-from-wham", account.AccountID)
+	}
+
+	row, err := db.GetAccountByID(ctx, id)
+	if err != nil {
+		t.Fatalf("GetAccountByID: %v", err)
+	}
+	if got := row.GetCredential("email"); got != "wham@example.com" {
+		t.Fatalf("credentials.email = %q, want wham@example.com", got)
+	}
+	if got := row.GetCredential("account_id"); got != "account-from-wham" {
+		t.Fatalf("credentials.account_id = %q, want account-from-wham", got)
+	}
+}
+
 func TestApplyWhamUsage_PersistsSubscriptionExpiresAtWhenMemoryAlreadyMatches(t *testing.T) {
 	ctx := context.Background()
 	dbPath := filepath.Join(t.TempDir(), "codex2api.db")