Merge pull request #8 from ndycode/fix/multi-account-duplicate-accountid

fix: force fresh login when adding accounts to prevent duplicate accountIDs

Author: ndycode

index.ts

@@ -162,10 +162,11 @@ export const OpenAIAuthPlugin: Plugin = async ({ client }: PluginInput) => {
                 );
         };
 
-        const runOAuthFlow = async (
-                useManualMode: boolean,
-        ): Promise<TokenResult> => {
-                const { pkce, state, url } = await createAuthorizationFlow();
+	const runOAuthFlow = async (
+		useManualMode: boolean,
+		forceNewLogin: boolean = false,
+	): Promise<TokenResult> => {
+		const { pkce, state, url } = await createAuthorizationFlow({ forceNewLogin });
                 console.log("\nOAuth URL:\n" + url + "\n");
 
                 if (useManualMode) {
@@ -797,14 +798,40 @@ export const OpenAIAuthPlugin: Plugin = async ({ client }: PluginInput) => {
                                                                 }
                                                         }
 
-                                                        while (accounts.length < ACCOUNT_LIMITS.MAX_ACCOUNTS) {
-                                                                console.log(
-                                                                        `\n=== OpenAI OAuth (Account ${
-                                                                                accounts.length + 1
-                                                                        }) ===`,
-                                                                );
-                                                                const result = await runOAuthFlow(useManualMode);
-                                                                if (result.type === "failed") {
+				while (accounts.length < ACCOUNT_LIMITS.MAX_ACCOUNTS) {
+					console.log(
+						`\n=== OpenAI OAuth (Account ${
+							accounts.length + 1
+						}) ===`,
+					);
+
+					const forceNewLogin = accounts.length > 0;
+					const result = await runOAuthFlow(useManualMode, forceNewLogin);
+
+					if (result.type === "success") {
+						const email = extractAccountEmail(result.access);
+						const accountId = extractAccountId(result.access);
+						const label = email || accountId || "Unknown account";
+						console.log(`\n✓ Authenticated as: ${label}\n`);
+
+						const isDuplicate = accounts.some(
+							(acc) =>
+								(accountId && extractAccountId(acc.access) === accountId) ||
+								(email && extractAccountEmail(acc.access) === email),
+						);
+
+						if (isDuplicate) {
+							console.warn(
+								`\n⚠️  WARNING: You authenticated with an account that is already in the list (${label}).`,
+							);
+							console.warn(
+								"This usually happens if you didn't log out or use a different browser profile.",
+							);
+							console.warn("The duplicate will update the existing entry.\n");
+						}
+					}
+
+					if (result.type === "failed") {
                                                                         if (accounts.length === 0) {
                                                                                 return {
                                                                                         url: "",

lib/auth/auth.ts

@@ -180,11 +180,20 @@ export async function refreshAccessToken(refreshToken: string): Promise<TokenRes
 	}
 }
 
+export interface AuthorizationFlowOptions {
+	/**
+	 * Force a fresh login screen instead of using cached browser session.
+	 * Use when adding multiple accounts to ensure different credentials.
+	 */
+	forceNewLogin?: boolean;
+}
+
 /**
  * Create OAuth authorization flow
+ * @param options - Optional configuration for the flow
  * @returns Authorization flow details
  */
-export async function createAuthorizationFlow(): Promise<AuthorizationFlow> {
+export async function createAuthorizationFlow(options?: AuthorizationFlowOptions): Promise<AuthorizationFlow> {
 	const pkce = (await generatePKCE()) as PKCEPair;
 	const state = createState();
 
@@ -200,5 +209,11 @@ export async function createAuthorizationFlow(): Promise<AuthorizationFlow> {
 	url.searchParams.set("codex_cli_simplified_flow", "true");
 	url.searchParams.set("originator", "codex_cli_rs");
 
+	// Force a fresh login screen when adding multiple accounts
+	// This helps prevent the browser from auto-using an existing session
+	if (options?.forceNewLogin) {
+		url.searchParams.set("prompt", "login");
+	}
+
 	return { pkce, state, url: url.toString() };
 }

lib/cli.ts

@@ -6,6 +6,9 @@ export async function promptAddAnotherAccount(
 ): Promise<boolean> {
   const rl = createInterface({ input, output });
   try {
+    console.log(
+      "\n⚠️  TIP: Use incognito/private browsing or log out of ChatGPT before adding another account.\n",
+    );
     const answer = await rl.question(
       `Add another account? (${currentCount} added) (y/n): `,
     );

test/auth.test.ts

@@ -141,6 +141,13 @@ describe('Auth Module', () => {
 			expect(url.searchParams.get('id_token_add_organizations')).toBe('true');
 			expect(url.searchParams.get('codex_cli_simplified_flow')).toBe('true');
 			expect(url.searchParams.get('originator')).toBe('codex_cli_rs');
+			expect(url.searchParams.has('prompt')).toBe(false);
+		});
+
+		it('should include prompt=login when forceNewLogin is true', async () => {
+			const flow = await createAuthorizationFlow({ forceNewLogin: true });
+			const url = new URL(flow.url);
+			expect(url.searchParams.get('prompt')).toBe('login');
 		});
 
 		it('should generate unique flows', async () => {