fix(management): preserve auth metadata and Codex priority

Author: drwpls

internal/api/handlers/management/auth_files.go

@@ -1214,8 +1214,11 @@ func (h *Handler) PatchAuthFileStatus(c *gin.Context) {
 	}
 
 	var req struct {
-		Name     string `json:"name"`
-		Disabled *bool  `json:"disabled"`
+		Name     string         `json:"name"`
+		Disabled *bool          `json:"disabled"`
+		Metadata map[string]any `json:"metadata"`
+		Type     string         `json:"type"`
+		Provider string         `json:"provider"`
 	}
 	if err := c.ShouldBindJSON(&req); err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid request body"})
@@ -1253,8 +1256,17 @@ func (h *Handler) PatchAuthFileStatus(c *gin.Context) {
 		return
 	}
 
+	if err := h.mergeAuthFileStatusMetadata(targetAuth, req.Metadata, req.Type, req.Provider); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": fmt.Sprintf("failed to merge auth metadata: %v", err)})
+		return
+	}
+
 	// Update disabled state
 	targetAuth.Disabled = *req.Disabled
+	if targetAuth.Metadata == nil {
+		targetAuth.Metadata = make(map[string]any)
+	}
+	targetAuth.Metadata["disabled"] = *req.Disabled
 	if *req.Disabled {
 		targetAuth.Status = coreauth.StatusDisabled
 		targetAuth.StatusMessage = "disabled via management API"
@@ -1272,6 +1284,84 @@ func (h *Handler) PatchAuthFileStatus(c *gin.Context) {
 	c.JSON(http.StatusOK, gin.H{"status": "ok", "disabled": *req.Disabled})
 }
 
+func (h *Handler) mergeAuthFileStatusMetadata(auth *coreauth.Auth, requestMetadata map[string]any, requestType, requestProvider string) error {
+	if auth == nil {
+		return nil
+	}
+	merged := make(map[string]any)
+	diskFound := false
+	if diskMetadata, errRead := h.readAuthMetadataForStatusPatch(auth); errRead == nil {
+		for key, value := range diskMetadata {
+			merged[key] = value
+		}
+		diskFound = true
+	} else if !errors.Is(errRead, os.ErrNotExist) {
+		return errRead
+	}
+	if !diskFound {
+		for key, value := range auth.Metadata {
+			merged[key] = value
+		}
+	}
+	for key, value := range requestMetadata {
+		merged[key] = value
+	}
+
+	provider := strings.TrimSpace(requestType)
+	if provider == "" {
+		provider = strings.TrimSpace(requestProvider)
+	}
+	if provider == "" {
+		provider = strings.TrimSpace(valueAsString(merged["type"]))
+	}
+	if provider == "" {
+		provider = strings.TrimSpace(auth.Provider)
+	}
+	if provider != "" && !strings.EqualFold(provider, "unknown") {
+		merged["type"] = provider
+		auth.Provider = provider
+	}
+	auth.Metadata = merged
+	return nil
+}
+
+func (h *Handler) readAuthMetadataForStatusPatch(auth *coreauth.Auth) (map[string]any, error) {
+	path := strings.TrimSpace(authAttribute(auth, "path"))
+	if path == "" {
+		path = strings.TrimSpace(authAttribute(auth, "source"))
+	}
+	if path == "" {
+		fileName := strings.TrimSpace(auth.FileName)
+		if fileName == "" {
+			fileName = strings.TrimSpace(auth.ID)
+		}
+		if fileName != "" && h != nil && h.cfg != nil {
+			authDir := strings.TrimSpace(h.cfg.AuthDir)
+			if resolvedAuthDir, errResolve := util.ResolveAuthDir(authDir); errResolve == nil && resolvedAuthDir != "" {
+				authDir = resolvedAuthDir
+			}
+			if authDir != "" {
+				path = filepath.Join(authDir, fileName)
+			}
+		}
+	}
+	if path == "" {
+		return nil, os.ErrNotExist
+	}
+	raw, errRead := os.ReadFile(path)
+	if errRead != nil {
+		return nil, errRead
+	}
+	if len(raw) == 0 {
+		return nil, os.ErrNotExist
+	}
+	metadata := make(map[string]any)
+	if errUnmarshal := json.Unmarshal(raw, &metadata); errUnmarshal != nil {
+		return nil, errUnmarshal
+	}
+	return metadata, nil
+}
+
 // PatchAuthFileFields updates arbitrary metadata fields of an auth file.
 func (h *Handler) PatchAuthFileFields(c *gin.Context) {
 	if h.authManager == nil {

internal/api/handlers/management/auth_files_status_test.go

@@ -0,0 +1,153 @@
+package management
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/gin-gonic/gin"
+	"github.com/router-for-me/CLIProxyAPI/v7/internal/config"
+	fileauth "github.com/router-for-me/CLIProxyAPI/v7/sdk/auth"
+	coreauth "github.com/router-for-me/CLIProxyAPI/v7/sdk/cliproxy/auth"
+)
+
+func TestPatchAuthFileStatus_MergesDiskMetadataBeforePersist(t *testing.T) {
+	t.Setenv("MANAGEMENT_PASSWORD", "")
+	gin.SetMode(gin.TestMode)
+
+	authDir := t.TempDir()
+	fileName := "codex.json"
+	filePath := filepath.Join(authDir, fileName)
+	original := `{"type":"codex","access_token":"access","refresh_token":"refresh","email":"u@example.com","nested":{"keep":true}}`
+	if errWrite := os.WriteFile(filePath, []byte(original), 0o600); errWrite != nil {
+		t.Fatalf("failed to write auth file: %v", errWrite)
+	}
+
+	store := fileauth.NewFileTokenStore()
+	store.SetBaseDir(authDir)
+	manager := coreauth.NewManager(store, nil, nil)
+	record := &coreauth.Auth{
+		ID:       fileName,
+		FileName: fileName,
+		Provider: "codex",
+		Attributes: map[string]string{
+			"path": filePath,
+		},
+		Metadata: map[string]any{
+			"name": fileName,
+		},
+	}
+	if _, errRegister := manager.Register(context.Background(), record); errRegister != nil {
+		t.Fatalf("failed to register auth record: %v", errRegister)
+	}
+	if errWrite := os.WriteFile(filePath, []byte(original), 0o600); errWrite != nil {
+		t.Fatalf("failed to restore full auth file after registration: %v", errWrite)
+	}
+
+	h := NewHandlerWithoutConfigFilePath(&config.Config{AuthDir: authDir}, manager)
+	rec := httptest.NewRecorder()
+	ctx, _ := gin.CreateTestContext(rec)
+	req := httptest.NewRequest(http.MethodPost, "/v0/management/auth-files?name="+fileName, strings.NewReader(`{"name":"codex.json","disabled":true}`))
+	req.Header.Set("Content-Type", "application/json")
+	ctx.Request = req
+
+	h.PatchAuthFileStatus(ctx)
+
+	if rec.Code != http.StatusOK {
+		t.Fatalf("expected status %d, got %d with body %s", http.StatusOK, rec.Code, rec.Body.String())
+	}
+	raw, errRead := os.ReadFile(filePath)
+	if errRead != nil {
+		t.Fatalf("failed to read auth file: %v", errRead)
+	}
+	var data map[string]any
+	if errUnmarshal := json.Unmarshal(raw, &data); errUnmarshal != nil {
+		t.Fatalf("failed to unmarshal auth file: %v; raw=%s", errUnmarshal, string(raw))
+	}
+	if got := data["type"]; got != "codex" {
+		t.Fatalf("type = %#v, want codex; raw=%s", got, string(raw))
+	}
+	if got := data["access_token"]; got != "access" {
+		t.Fatalf("access_token = %#v, want preserved access; raw=%s", got, string(raw))
+	}
+	if got := data["refresh_token"]; got != "refresh" {
+		t.Fatalf("refresh_token = %#v, want preserved refresh; raw=%s", got, string(raw))
+	}
+	if got := data["disabled"]; got != true {
+		t.Fatalf("disabled = %#v, want true; raw=%s", got, string(raw))
+	}
+}
+
+func TestPatchAuthFileStatus_AcceptsMetadataAndTypeFromRequest(t *testing.T) {
+	t.Setenv("MANAGEMENT_PASSWORD", "")
+	gin.SetMode(gin.TestMode)
+
+	authDir := t.TempDir()
+	fileName := "partial.json"
+	filePath := filepath.Join(authDir, fileName)
+	if errWrite := os.WriteFile(filePath, []byte(`{"name":"partial.json"}`), 0o600); errWrite != nil {
+		t.Fatalf("failed to write auth file: %v", errWrite)
+	}
+
+	store := fileauth.NewFileTokenStore()
+	store.SetBaseDir(authDir)
+	manager := coreauth.NewManager(store, nil, nil)
+	record := &coreauth.Auth{
+		ID:       fileName,
+		FileName: fileName,
+		Provider: "unknown",
+		Attributes: map[string]string{
+			"path": filePath,
+		},
+		Metadata: map[string]any{
+			"name": fileName,
+		},
+	}
+	if _, errRegister := manager.Register(context.Background(), record); errRegister != nil {
+		t.Fatalf("failed to register auth record: %v", errRegister)
+	}
+
+	h := NewHandlerWithoutConfigFilePath(&config.Config{AuthDir: authDir}, manager)
+	body := `{"name":"partial.json","disabled":false,"type":"codex","metadata":{"access_token":"access","refresh_token":"refresh","email":"u@example.com"}}`
+	rec := httptest.NewRecorder()
+	ctx, _ := gin.CreateTestContext(rec)
+	req := httptest.NewRequest(http.MethodPost, "/v0/management/auth-files?name="+fileName, strings.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+	ctx.Request = req
+
+	h.PatchAuthFileStatus(ctx)
+
+	if rec.Code != http.StatusOK {
+		t.Fatalf("expected status %d, got %d with body %s", http.StatusOK, rec.Code, rec.Body.String())
+	}
+	raw, errRead := os.ReadFile(filePath)
+	if errRead != nil {
+		t.Fatalf("failed to read auth file: %v", errRead)
+	}
+	var data map[string]any
+	if errUnmarshal := json.Unmarshal(raw, &data); errUnmarshal != nil {
+		t.Fatalf("failed to unmarshal auth file: %v; raw=%s", errUnmarshal, string(raw))
+	}
+	if got := data["type"]; got != "codex" {
+		t.Fatalf("type = %#v, want codex; raw=%s", got, string(raw))
+	}
+	if got := data["access_token"]; got != "access" {
+		t.Fatalf("access_token = %#v, want request metadata access; raw=%s", got, string(raw))
+	}
+	if got := data["disabled"]; got != false {
+		t.Fatalf("disabled = %#v, want false; raw=%s", got, string(raw))
+	}
+
+	updated, ok := manager.GetByID(fileName)
+	if !ok || updated == nil {
+		t.Fatalf("expected updated auth")
+	}
+	if got := updated.Provider; got != "codex" {
+		t.Fatalf("updated.Provider = %q, want codex", got)
+	}
+}

internal/api/handlers/management/config_lists.go

@@ -962,6 +962,7 @@ func (h *Handler) PatchCodexKey(c *gin.Context) {
 		Models         *[]config.CodexModel `json:"models"`
 		Headers        *map[string]string   `json:"headers"`
 		ExcludedModels *[]string            `json:"excluded-models"`
+		Priority       *int                 `json:"priority"`
 	}
 	var body struct {
 		Index *int           `json:"index"`
@@ -1022,6 +1023,9 @@ func (h *Handler) PatchCodexKey(c *gin.Context) {
 	if body.Value.ExcludedModels != nil {
 		entry.ExcludedModels = config.NormalizeExcludedModels(*body.Value.ExcludedModels)
 	}
+	if body.Value.Priority != nil {
+		entry.Priority = *body.Value.Priority
+	}
 	normalizeCodexKey(&entry)
 	h.cfg.CodexKey[targetIndex] = entry
 	h.cfg.SanitizeCodexKeys()

internal/api/handlers/management/config_lists_delete_keys_test.go

@@ -5,6 +5,7 @@ import (
 	"net/http/httptest"
 	"os"
 	"path/filepath"
+	"strings"
 	"testing"
 
 	"github.com/gin-gonic/gin"
@@ -22,6 +23,35 @@ func writeTestConfigFile(t *testing.T) string {
 	return path
 }
 
+func TestPatchCodexKey_UpdatesPriority(t *testing.T) {
+	t.Parallel()
+	gin.SetMode(gin.TestMode)
+
+	h := &Handler{
+		cfg: &config.Config{
+			CodexKey: []config.CodexKey{
+				{APIKey: "codex-key", BaseURL: "https://api.openai.com", Priority: 1},
+			},
+		},
+		configFilePath: writeTestConfigFile(t),
+	}
+
+	rec := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(rec)
+	body := `{"match":"codex-key","value":{"priority":42}}`
+	c.Request = httptest.NewRequest(http.MethodPatch, "/v0/management/codex-api-key", strings.NewReader(body))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	h.PatchCodexKey(c)
+
+	if rec.Code != http.StatusOK {
+		t.Fatalf("status = %d, want %d; body=%s", rec.Code, http.StatusOK, rec.Body.String())
+	}
+	if got := h.cfg.CodexKey[0].Priority; got != 42 {
+		t.Fatalf("priority = %d, want 42", got)
+	}
+}
+
 func TestDeleteGeminiKey_RequiresBaseURLWhenAPIKeyDuplicated(t *testing.T) {
 	t.Parallel()
 	gin.SetMode(gin.TestMode)

sdk/auth/filestore.go

@@ -113,7 +113,7 @@ func (s *FileTokenStore) Save(ctx context.Context, auth *cliproxyauth.Auth) (str
 			return "", err
 		}
 	case auth.Metadata != nil:
-		auth.Metadata["disabled"] = auth.Disabled
+		auth.Metadata = mergeAuthMetadataForSave(path, auth.Metadata, auth.Provider, auth.Disabled)
 		raw, errMarshal := json.Marshal(auth.Metadata)
 		if errMarshal != nil {
 			return "", fmt.Errorf("auth filestore: marshal metadata failed: %w", errMarshal)
@@ -156,6 +156,28 @@ func (s *FileTokenStore) Save(ctx context.Context, auth *cliproxyauth.Auth) (str
 	return path, nil
 }
 
+func mergeAuthMetadataForSave(path string, metadata map[string]any, provider string, disabled bool) map[string]any {
+	merged := make(map[string]any)
+	if existing, errRead := os.ReadFile(path); errRead == nil && len(existing) > 0 {
+		var diskMetadata map[string]any
+		if errUnmarshal := json.Unmarshal(existing, &diskMetadata); errUnmarshal == nil {
+			for key, value := range diskMetadata {
+				merged[key] = value
+			}
+		}
+	}
+	for key, value := range metadata {
+		merged[key] = value
+	}
+	if provider = strings.TrimSpace(provider); provider != "" && !strings.EqualFold(provider, "unknown") {
+		if rawType, _ := merged["type"].(string); strings.TrimSpace(rawType) == "" || strings.EqualFold(strings.TrimSpace(rawType), "unknown") {
+			merged["type"] = provider
+		}
+	}
+	merged["disabled"] = disabled
+	return merged
+}
+
 // List enumerates all auth JSON files under the configured directory.
 func (s *FileTokenStore) List(ctx context.Context) ([]*cliproxyauth.Auth, error) {
 	dir := s.baseDirSnapshot()