Merge pull request #94 from ndycode/refactor/login-finalization

refactor: unify login finalization across auth flows

Author: ndycode

index.ts

@@ -38,7 +38,10 @@ import {
 	createDeviceCodeSession,
 } from "./lib/auth/device-code.js";
 import {
+	applyAccountSelectionFallbacks,
+	persistResolvedAccountSelection,
 	persistAccountPool,
+	resolveAndPersistAccountSelection,
 	resolveAccountSelection,
 	type AccountSelectionResult,
 	type TokenSuccessWithAccount,
@@ -617,7 +620,7 @@ export const OpenAIOAuthPlugin: Plugin = async ({ client }: PluginInput) => {
 			pkce: { verifier: string },
 			url: string,
 			expectedState: string,
-			onSuccess?: (selection: AccountSelectionResult) => Promise<void>,
+			replaceAll: boolean,
 		) => ({
                 url,
                 method: "code" as const,
@@ -657,10 +660,10 @@ export const OpenAIOAuthPlugin: Plugin = async ({ client }: PluginInput) => {
 				REDIRECT_URI,
 			);
 			if (tokens?.type === "success") {
-								const resolved = resolveAccountSelection(tokens);
-								if (onSuccess) {
-										await onSuccess(resolved);
-								}
+								const resolved = await resolveAndPersistAccountSelection(tokens, {
+									persistSelections: persistAuthenticatedSelections,
+									replaceAll,
+								});
 								return resolved.primary;
 						}
                         return tokens?.type === "failed"
@@ -3095,24 +3098,21 @@ while (attempted.size < Math.max(1, accountCount)) {
 												typeof cached.refreshToken === "string" && cached.refreshToken.trim()
 													? cached.refreshToken.trim()
 													: flagged.refreshToken;
-											const resolved = resolveAccountSelection({
+										const resolved = applyAccountSelectionFallbacks(
+											resolveAccountSelection({
 												type: "success",
 												access: cached.accessToken,
 												refresh: refreshToken,
 												expires: cached.expiresAt,
-											multiAccount: true,
-										});
-										if (!resolved.primary.accountIdOverride && flagged.accountId) {
-											resolved.primary.accountIdOverride = flagged.accountId;
-											resolved.primary.accountIdSource = flagged.accountIdSource ?? "manual";
-											resolved.variantsForPersistence = [resolved.primary];
-										}
-										if (!resolved.primary.organizationIdOverride && flagged.organizationId) {
-											resolved.primary.organizationIdOverride = flagged.organizationId;
-										}
-										if (!resolved.primary.accountLabel && flagged.accountLabel) {
-											resolved.primary.accountLabel = flagged.accountLabel;
-										}
+												multiAccount: true,
+											}),
+											{
+												accountIdOverride: flagged.accountId,
+												accountIdSource: flagged.accountIdSource ?? "manual",
+												organizationIdOverride: flagged.organizationId,
+												accountLabel: flagged.accountLabel,
+											},
+										);
 										restored.push(...resolved.variantsForPersistence);
 										console.log(
 												`[${i + 1}/${flaggedStorage.accounts.length}] ${label}: RESTORED (Codex CLI cache)`,
@@ -3129,18 +3129,15 @@ while (attempted.size < Math.max(1, accountCount)) {
 											continue;
 										}
 
-									const resolved = resolveAccountSelection(refreshResult);
-									if (!resolved.primary.accountIdOverride && flagged.accountId) {
-										resolved.primary.accountIdOverride = flagged.accountId;
-										resolved.primary.accountIdSource = flagged.accountIdSource ?? "manual";
-										resolved.variantsForPersistence = [resolved.primary];
-									}
-									if (!resolved.primary.organizationIdOverride && flagged.organizationId) {
-										resolved.primary.organizationIdOverride = flagged.organizationId;
-									}
-									if (!resolved.primary.accountLabel && flagged.accountLabel) {
-										resolved.primary.accountLabel = flagged.accountLabel;
-									}
+									const resolved = applyAccountSelectionFallbacks(
+										resolveAccountSelection(refreshResult),
+										{
+											accountIdOverride: flagged.accountId,
+											accountIdSource: flagged.accountIdSource ?? "manual",
+											organizationIdOverride: flagged.organizationId,
+											accountLabel: flagged.accountLabel,
+										},
+									);
 									restored.push(...resolved.variantsForPersistence);
 									console.log(`[${i + 1}/${flaggedStorage.accounts.length}] ${label}: RESTORED`);
 									} catch (error) {
@@ -3342,12 +3339,7 @@ while (attempted.size < Math.max(1, accountCount)) {
 
 							if (useManualMode) {
 								const { pkce, state, url } = await createAuthorizationFlow();
-								return buildManualOAuthFlow(pkce, url, state, async (selection) => {
-									await persistAuthenticatedSelections(
-										selection.variantsForPersistence,
-										startFresh,
-									);
-								});
+								return buildManualOAuthFlow(pkce, url, state, startFresh);
 							}
 
 							const explicitCountProvided =
@@ -3358,12 +3350,11 @@ while (attempted.size < Math.max(1, accountCount)) {
 								const forceNewLogin = accounts.length > 0 || refreshAccountIndex !== undefined;
 								const result = await runOAuthFlow(forceNewLogin);
 
+								let selection: AccountSelectionResult | null = null;
 								let resolved: TokenSuccessWithAccount | null = null;
-								let variantsForPersistence: TokenSuccessWithAccount[] = [];
 								if (result.type === "success") {
-									const selection = resolveAccountSelection(result);
+									selection = resolveAccountSelection(result);
 									resolved = selection.primary;
-									variantsForPersistence = selection.variantsForPersistence;
 									const email = extractAccountEmail(resolved.access, resolved.idToken);
 									const accountId = resolved.accountIdOverride ?? extractAccountId(resolved.access);
 									const label = resolved.accountLabel ?? email ?? accountId ?? "Unknown account";
@@ -3394,20 +3385,18 @@ while (attempted.size < Math.max(1, accountCount)) {
 									break;
 								}
 
-								if (!resolved) {
+								if (!selection || !resolved) {
 									continue;
 								}
 
 								accounts.push(resolved);
 								await showToast(`Account ${accounts.length} authenticated`, "success");
 
 								const isFirstAccount = accounts.length === 1;
-								const entriesToPersist =
-									variantsForPersistence.length > 0 ? variantsForPersistence : [resolved];
-								await persistAuthenticatedSelections(
-									entriesToPersist,
-									isFirstAccount && startFresh,
-								);
+								await persistResolvedAccountSelection(selection, {
+									persistSelections: persistAuthenticatedSelections,
+									replaceAll: isFirstAccount && startFresh,
+								});
 
 								if (accounts.length >= ACCOUNT_LIMITS.MAX_ACCOUNTS) {
 									break;
@@ -3490,11 +3479,10 @@ while (attempted.size < Math.max(1, accountCount)) {
 										return result;
 									}
 
-									const selection = resolveAccountSelection(result);
-									await persistAuthenticatedSelections(
-										selection.variantsForPersistence,
-										false,
-									);
+									const selection = await resolveAndPersistAccountSelection(result, {
+										persistSelections: persistAuthenticatedSelections,
+										replaceAll: false,
+									});
 									return selection.primary;
 								},
 							};
@@ -3513,12 +3501,7 @@ while (attempted.size < Math.max(1, accountCount)) {
 							setStoragePath(manualPerProjectAccounts ? process.cwd() : null);
 
 							const { pkce, state, url } = await createAuthorizationFlow();
-							return buildManualOAuthFlow(pkce, url, state, async (selection) => {
-								await persistAuthenticatedSelections(
-									selection.variantsForPersistence,
-									false,
-								);
-							});
+							return buildManualOAuthFlow(pkce, url, state, false);
                                                 },
                                         },
                         ],

lib/auth/login-runner.ts

@@ -24,6 +24,19 @@ export type AccountSelectionResult = {
 	variantsForPersistence: TokenSuccessWithAccount[];
 };
 
+export type PersistAccountSelections = (
+	results: TokenSuccessWithAccount[],
+	replaceAll: boolean,
+) => Promise<void>;
+
+export type AccountSelectionFallbacks = Pick<
+	TokenSuccessWithAccount,
+	"accountIdOverride" | "accountIdSource" | "organizationIdOverride" | "accountLabel"
+>;
+
+const PERSIST_AUTHENTICATED_SELECTIONS_ERROR =
+	"Failed to persist authenticated account selections.";
+
 const createSelectionVariant = (
 	tokens: TokenSuccess,
 	candidate: {
@@ -104,6 +117,106 @@ export function resolveAccountSelection(tokens: TokenSuccess): AccountSelectionR
 	};
 }
 
+export function applyAccountSelectionFallbacks(
+	selection: AccountSelectionResult,
+	fallbacks: AccountSelectionFallbacks,
+): AccountSelectionResult {
+	const primary = { ...selection.primary };
+	const primaryAccountId = selection.primary.accountIdOverride?.trim();
+	const primaryOrganizationId = selection.primary.organizationIdOverride?.trim();
+	const shouldReusePrimaryVariant =
+		(primaryAccountId?.length ?? 0) > 0 || (primaryOrganizationId?.length ?? 0) > 0;
+	// Callers may deep-clone `selection.primary`, so reuse the updated primary by
+	// persisted account identity instead of relying on object aliasing.
+	let variantsForPersistence = selection.variantsForPersistence.map((variant) =>
+		variant === selection.primary ||
+		(shouldReusePrimaryVariant &&
+			(variant.accountIdOverride?.trim() ?? "") === (primaryAccountId ?? "") &&
+			(variant.organizationIdOverride?.trim() ?? "") === (primaryOrganizationId ?? ""))
+			? primary
+			: { ...variant },
+	);
+
+	const accountIdOverride = fallbacks.accountIdOverride?.trim();
+	if (!primary.accountIdOverride && accountIdOverride) {
+		primary.accountIdOverride = accountIdOverride;
+		primary.accountIdSource = fallbacks.accountIdSource ?? "manual";
+		variantsForPersistence = [primary];
+	}
+
+	const organizationIdOverride = fallbacks.organizationIdOverride?.trim();
+	if (!primary.organizationIdOverride && organizationIdOverride) {
+		primary.organizationIdOverride = organizationIdOverride;
+	}
+
+	const accountLabel = fallbacks.accountLabel?.trim();
+	if (!primary.accountLabel && accountLabel) {
+		primary.accountLabel = accountLabel;
+	}
+
+	return {
+		primary,
+		variantsForPersistence,
+	};
+}
+
+/**
+ * Persists the already-resolved selection through the caller's
+ * `persistSelections` callback. Windows filesystem safety remains delegated to
+ * that callback, so callers should use `persistAccountPool` or
+ * `withAccountStorageTransaction` to keep the rename retry and serialized
+ * read-modify-write behavior covered by `test/login-runner.test.ts`.
+ * Callback failures are rethrown with a redacted message so callers can log the
+ * wrapper safely without leaking token-file paths or account identifiers.
+ */
+export async function persistResolvedAccountSelection(
+	selection: AccountSelectionResult,
+	options?: {
+		persistSelections?: PersistAccountSelections;
+		replaceAll?: boolean;
+	},
+): Promise<AccountSelectionResult> {
+	if (!options?.persistSelections) {
+		return selection;
+	}
+
+	try {
+		await options.persistSelections(
+			selection.variantsForPersistence,
+			options.replaceAll ?? false,
+		);
+	} catch (error) {
+		throw new Error(PERSIST_AUTHENTICATED_SELECTIONS_ERROR, {
+			cause: error,
+		});
+	}
+	return selection;
+}
+
+/**
+ * Finalizes a resolved selection by delegating persistence to the caller's
+ * `persistSelections` callback. Windows lock-retry and read-modify-write
+ * serialization remain the callback's responsibility, so callers should route
+ * through `persistAccountPool` or `withAccountStorageTransaction` to preserve
+ * the guarantees covered by `test/login-runner.test.ts`.
+ * Persistence callback failures are redacted inside
+ * `persistResolvedAccountSelection()` before they propagate back to callers.
+ */
+export async function resolveAndPersistAccountSelection(
+	tokens: TokenSuccess,
+	options?: {
+		fallbacks?: AccountSelectionFallbacks;
+		persistSelections?: PersistAccountSelections;
+		replaceAll?: boolean;
+	},
+): Promise<AccountSelectionResult> {
+	let selection = resolveAccountSelection(tokens);
+	if (options?.fallbacks) {
+		selection = applyAccountSelectionFallbacks(selection, options.fallbacks);
+	}
+	return persistResolvedAccountSelection(selection, options);
+}
+
 /**
  * Persists login results through the shared storage transaction so overlapping
  * login retries serialize their read-modify-write cycle instead of racing stale