fix(identity): preserve org-scoped variants with distinct account ids

Author: ndycode

index.ts

@@ -624,7 +624,7 @@ export const OpenAIOAuthPlugin: Plugin = async ({ client }: PluginInput) => {
 
 
 					type IdentityIndexes = {
-						byOrganizationId: Map<string, number>;
+						byOrganizationId: Map<string, number[]>;
 						byAccountIdNoOrg: Map<string, number>;
 						byRefreshTokenNoOrg: Map<string, number[]>;
 						byEmailNoOrg: Map<string, number>;
@@ -633,6 +633,56 @@ export const OpenAIOAuthPlugin: Plugin = async ({ client }: PluginInput) => {
 						byRefreshTokenGlobal: Map<string, number[]>;
 					};
 
+					const resolveOrganizationMatch = (
+						indexes: IdentityIndexes,
+						organizationId: string,
+						candidateAccountId: string | undefined,
+					): number | undefined => {
+						const matches = indexes.byOrganizationId.get(organizationId);
+						if (!matches || matches.length === 0) return undefined;
+
+						const candidateId = candidateAccountId?.trim() || undefined;
+						let newestNoAccountId: number | undefined;
+						let newestExactAccountId: number | undefined;
+						let newestAnyNonEmptyAccountId: number | undefined;
+						let nonEmptyAccountIdCount = 0;
+
+						for (const index of matches) {
+							const existing = accounts[index];
+							if (!existing) continue;
+							const existingAccountId = normalizeStoredAccountId(existing);
+							if (!existingAccountId) {
+								newestNoAccountId =
+									typeof newestNoAccountId === "number"
+										? pickNewestAccountIndex(newestNoAccountId, index)
+										: index;
+								continue;
+							}
+							nonEmptyAccountIdCount += 1;
+							newestAnyNonEmptyAccountId =
+								typeof newestAnyNonEmptyAccountId === "number"
+									? pickNewestAccountIndex(newestAnyNonEmptyAccountId, index)
+									: index;
+							if (candidateId && existingAccountId === candidateId) {
+								newestExactAccountId =
+									typeof newestExactAccountId === "number"
+										? pickNewestAccountIndex(newestExactAccountId, index)
+										: index;
+							}
+						}
+
+						if (candidateId) {
+							return newestExactAccountId ?? newestNoAccountId;
+						}
+						if (typeof newestNoAccountId === "number") {
+							return newestNoAccountId;
+						}
+						if (nonEmptyAccountIdCount === 1) {
+							return newestAnyNonEmptyAccountId;
+						}
+						return undefined;
+					};
+
 					const resolveNoOrgRefreshMatch = (
 						indexes: IdentityIndexes,
 						refreshToken: string,
@@ -683,7 +733,7 @@ export const OpenAIOAuthPlugin: Plugin = async ({ client }: PluginInput) => {
 					};
 
 					const buildIdentityIndexes = (): IdentityIndexes => {
-						const byOrganizationId = new Map<string, number>();
+						const byOrganizationId = new Map<string, number[]>();
 						const byAccountIdNoOrg = new Map<string, number>();
 						const byRefreshTokenNoOrg = new Map<string, number[]>();
 						const byEmailNoOrg = new Map<string, number>();
@@ -707,7 +757,7 @@ export const OpenAIOAuthPlugin: Plugin = async ({ client }: PluginInput) => {
 							}
 
 							if (organizationId) {
-								byOrganizationId.set(organizationId, i);
+								pushIndex(byOrganizationId, organizationId, i);
 								if (accountId) {
 									pushIndex(byAccountIdOrgScoped, accountId, i);
 								}
@@ -755,7 +805,11 @@ export const OpenAIOAuthPlugin: Plugin = async ({ client }: PluginInput) => {
 
 						const existingIndex = (() => {
 							if (organizationId) {
-								return identityIndexes.byOrganizationId.get(organizationId);
+								return resolveOrganizationMatch(
+									identityIndexes,
+									organizationId,
+									normalizedAccountId,
+								);
 							}
 							if (normalizedAccountId) {
 								const byAccountId = identityIndexes.byAccountIdNoOrg.get(normalizedAccountId);
@@ -859,7 +913,7 @@ export const OpenAIOAuthPlugin: Plugin = async ({ client }: PluginInput) => {
 				const refreshMap = new Map<
 					string,
 					{
-						byOrg: Map<string, number>;
+						byOrg: Map<string, number[]>;
 						preferredOrgIndex?: number;
 						fallbackNoAccountIdIndex?: number;
 						fallbackByAccountId: Map<string, number>;
@@ -875,7 +929,7 @@ export const OpenAIOAuthPlugin: Plugin = async ({ client }: PluginInput) => {
 				};
 
 				const collapseFallbackIntoPreferredOrg = (entry: {
-					byOrg: Map<string, number>;
+					byOrg: Map<string, number[]>;
 					preferredOrgIndex?: number;
 					fallbackNoAccountIdIndex?: number;
 					fallbackByAccountId: Map<string, number>;
@@ -929,7 +983,7 @@ export const OpenAIOAuthPlugin: Plugin = async ({ client }: PluginInput) => {
 					let entry = refreshMap.get(refreshToken);
 					if (!entry) {
 						entry = {
-							byOrg: new Map<string, number>(),
+							byOrg: new Map<string, number[]>(),
 							preferredOrgIndex: undefined,
 							fallbackNoAccountIdIndex: undefined,
 							fallbackByAccountId: new Map<string, number>(),
@@ -938,18 +992,35 @@ export const OpenAIOAuthPlugin: Plugin = async ({ client }: PluginInput) => {
 					}
 
 					if (orgKey) {
-						const existingIndex = entry.byOrg.get(orgKey);
+						const orgMatches = entry.byOrg.get(orgKey) ?? [];
+						const existingIndex = resolveOrganizationMatch(
+							{
+								byOrganizationId: new Map([[orgKey, orgMatches]]),
+								byAccountIdNoOrg: new Map(),
+								byRefreshTokenNoOrg: new Map(),
+								byEmailNoOrg: new Map(),
+								byAccountIdOrgScoped: new Map(),
+								byRefreshTokenOrgScoped: new Map(),
+								byRefreshTokenGlobal: new Map(),
+							},
+							orgKey,
+							normalizeStoredAccountId(account),
+						);
 						if (existingIndex !== undefined) {
 							const newestIndex = pickNewestAccountIndex(existingIndex, i);
 							const obsoleteIndex = newestIndex === existingIndex ? i : existingIndex;
 							mergeAccountRecords(newestIndex, obsoleteIndex);
 							indicesToRemove.add(obsoleteIndex);
-							entry.byOrg.set(orgKey, newestIndex);
+							const nextOrgMatches = orgMatches.filter(
+								(index) => index !== obsoleteIndex && index !== newestIndex,
+							);
+							nextOrgMatches.push(newestIndex);
+							entry.byOrg.set(orgKey, nextOrgMatches);
 							entry.preferredOrgIndex = pickPreferredOrgIndex(entry.preferredOrgIndex, newestIndex);
 							collapseFallbackIntoPreferredOrg(entry);
 							continue;
 						}
-						entry.byOrg.set(orgKey, i);
+						entry.byOrg.set(orgKey, [...orgMatches, i]);
 						entry.preferredOrgIndex = pickPreferredOrgIndex(entry.preferredOrgIndex, i);
 						collapseFallbackIntoPreferredOrg(entry);
 						continue;

test/index.test.ts

@@ -1916,7 +1916,7 @@ describe("OpenAIOAuthPlugin persistAccountPool", () => {
 		]);
 	});
 
-	it("collapses duplicate organization candidates during persistence", async () => {
+	it("preserves duplicate organization candidates when accountId differs", async () => {
 		const accountsModule = await import("../lib/accounts.js");
 		const authModule = await import("../lib/auth/auth.js");
 
@@ -1958,13 +1958,14 @@ describe("OpenAIOAuthPlugin persistAccountPool", () => {
 		const organizationEntries = mockStorage.accounts.filter(
 			(account) => account.organizationId === "organization-shared",
 		);
-		expect(organizationEntries).toHaveLength(1);
-		expect(organizationEntries[0]?.accountId).toBe("org-variant-b");
-		expect(mockStorage.accounts).toHaveLength(2);
+		expect(organizationEntries).toHaveLength(2);
+		const organizationAccountIds = organizationEntries.map((account) => account.accountId).sort();
+		expect(organizationAccountIds).toEqual(["org-variant-a", "org-variant-b"]);
+		expect(mockStorage.accounts).toHaveLength(3);
 		expect(mockStorage.accounts.some((account) => account.accountId === "token-personal")).toBe(true);
 	});
 
-	it("preserves entries with different accountId values even when they share the same refresh token (org-scoped vs no-org)", async () => {
+	it("preserves org/no-org shared-refresh entries with different accountId values in pre-populated storage", async () => {
 		const accountsModule = await import("../lib/accounts.js");
 		const authModule = await import("../lib/auth/auth.js");
 
@@ -2216,7 +2217,7 @@ describe("OpenAIOAuthPlugin persistAccountPool", () => {
 				},
 			},
 			{
-				accountId: "token-shared",
+				accountId: "org-shared",
 				organizationId: "org-keep",
 				email: "token@example.com",
 				refreshToken: "shared-refresh",
@@ -2252,11 +2253,12 @@ describe("OpenAIOAuthPlugin persistAccountPool", () => {
 
 		await autoMethod.authorize({ loginMode: "add", accountCount: "1" });
 
-		const mergedOrg = mockStorage.accounts.find(
+		const mergedOrgEntries = mockStorage.accounts.filter(
 			(account) => account.organizationId === "org-keep",
 		);
-		expect(mergedOrg).toBeDefined();
-		expect(mergedOrg?.accountId).toBe("token-shared");
+		expect(mergedOrgEntries).toHaveLength(1);
+		const mergedOrg = mergedOrgEntries[0];
+		expect(mergedOrg?.accountId).toBe("org-shared");
 		expect(mergedOrg?.rateLimitResetTimes?.codex).toBe(9_000);
 		expect(mergedOrg?.rateLimitResetTimes?.["codex-max"]).toBe(5_000);
 		expect(mergedOrg?.rateLimitResetTimes?.["gpt-5.1"]).toBe(8_000);
@@ -2277,7 +2279,7 @@ describe("OpenAIOAuthPlugin persistAccountPool", () => {
 				lastUsed: 10,
 			},
 			{
-				accountId: "token-shared",
+				accountId: "org-shared",
 				organizationId: "org-keep",
 				email: "token@example.com",
 				refreshToken: "shared-refresh",
@@ -2312,16 +2314,71 @@ describe("OpenAIOAuthPlugin persistAccountPool", () => {
 
 		await autoMethod.authorize({ loginMode: "add", accountCount: "1" });
 
-		const mergedOrg = mockStorage.accounts.find(
+		const mergedOrgEntries = mockStorage.accounts.filter(
 			(account) => account.organizationId === "org-keep",
 		);
-		expect(mergedOrg).toBeDefined();
-		expect(mergedOrg?.accountId).toBe("token-shared");
+		expect(mergedOrgEntries).toHaveLength(1);
+		const mergedOrg = mergedOrgEntries[0];
+		expect(mergedOrg?.accountId).toBe("org-shared");
 		expect(mergedOrg?.enabled).toBe(false);
 		expect(mergedOrg?.coolingDownUntil).toBe(12_000);
 		expect(mergedOrg?.cooldownReason).toBe("auth-failure");
 	});
 
+	it("preserves same-organization entries when accountId differs", async () => {
+		const accountsModule = await import("../lib/accounts.js");
+		const authModule = await import("../lib/auth/auth.js");
+
+		mockStorage.accounts = [
+			{
+				accountId: "org-shared-a",
+				organizationId: "org-keep",
+				email: "org-a@example.com",
+				refreshToken: "shared-refresh",
+				addedAt: 10,
+				lastUsed: 10,
+			},
+			{
+				accountId: "org-shared-b",
+				organizationId: "org-keep",
+				email: "org-b@example.com",
+				refreshToken: "shared-refresh",
+				addedAt: 20,
+				lastUsed: 20,
+			},
+		];
+
+		vi.mocked(authModule.exchangeAuthorizationCode).mockResolvedValueOnce({
+			type: "success",
+			access: "access-unrelated-preserve",
+			refresh: "refresh-unrelated-preserve",
+			expires: Date.now() + 300_000,
+			idToken: "id-unrelated-preserve",
+		});
+		vi.mocked(accountsModule.getAccountIdCandidates).mockReturnValueOnce([]);
+		vi.mocked(accountsModule.extractAccountId).mockImplementation((accessToken) =>
+			accessToken === "access-unrelated-preserve" ? "unrelated-preserve" : "account-1",
+		);
+
+		const mockClient = createMockClient();
+		const { OpenAIOAuthPlugin } = await import("../index.js");
+		const plugin = (await OpenAIOAuthPlugin({
+			client: mockClient,
+		} as never)) as unknown as PluginType;
+		const autoMethod = plugin.auth.methods[0] as unknown as {
+			authorize: (inputs?: Record<string, string>) => Promise<{ instructions: string }>;
+		};
+
+		await autoMethod.authorize({ loginMode: "add", accountCount: "1" });
+
+		const orgEntries = mockStorage.accounts.filter(
+			(account) => account.organizationId === "org-keep",
+		);
+		expect(orgEntries).toHaveLength(2);
+		const accountIds = orgEntries.map((account) => account.accountId).sort();
+		expect(accountIds).toEqual(["org-shared-a", "org-shared-b"]);
+	});
+
 	it("persists non-team login and updates same record via accountId/refresh fallback", async () => {
 		const accountsModule = await import("../lib/accounts.js");
 		const authModule = await import("../lib/auth/auth.js");