Support Codex custom provider authentication#984
Conversation
📝 WalkthroughWalkthroughCodex credential handling moves into a shared resolver that supports official auth files, custom provider configuration, process environment variables, and ChangesCodex credentials
Sequence Diagram(s)sequenceDiagram
participant queryCodex
participant resolveCodexCredentials
participant CodexHome
participant Codex
queryCodex->>resolveCodexCredentials: resolve credential status
resolveCodexCredentials->>CodexHome: read auth.json, config.toml, or .env
CodexHome-->>resolveCodexCredentials: credential status and environment values
queryCodex->>Codex: create client with optional environment
Suggested reviewers: Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@server/modules/providers/list/codex/codex-credentials.ts`:
- Around line 187-203: Update resolveCodexCredentials to resolve and inspect the
active provider configuration before returning officialCredentials; when the
configured provider declares an env_key, load and validate the corresponding
custom-provider credential first, even if auth.json is authenticated. Preserve
existing fallback behavior for official-only setups, and add a regression test
covering auth.json alongside custom config.toml and .env credentials to verify
the custom provider takes precedence.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
Run ID: abb954e5-bc57-4eaa-895a-3b4d2d22b231
📒 Files selected for processing (4)
server/modules/providers/list/codex/codex-auth.provider.tsserver/modules/providers/list/codex/codex-credentials.tsserver/modules/providers/tests/codex-credentials.test.tsserver/openai-codex.js
| export async function resolveCodexCredentials(): Promise<CodexCredentialsStatus> { | ||
| const codexHome = resolveCodexHome(); | ||
| const officialCredentials = await readOfficialCredentials(codexHome); | ||
| if (officialCredentials?.authenticated) { | ||
| return officialCredentials; | ||
| } | ||
|
|
||
| const customProviderCredentials = await readCustomProviderCredentials(codexHome); | ||
| if (customProviderCredentials.authenticated) { | ||
| return customProviderCredentials; | ||
| } | ||
|
|
||
| if (customProviderCredentials.error !== 'Codex not configured') { | ||
| return customProviderCredentials; | ||
| } | ||
|
|
||
| return officialCredentials ?? customProviderCredentials; |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Honor the configured custom provider before accepting auth.json.
Lines 189-191 return immediately for any valid official login without inspecting model_provider. If an existing auth.json coexists with a custom provider whose key is only in CODEX_HOME/.env, the CLI receives no custom environment and status incorrectly reports official authentication.
Resolve the active provider first; when it declares an env_key, that credential must take precedence. Add a regression test covering auth.json plus custom config.toml and .env.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@server/modules/providers/list/codex/codex-credentials.ts` around lines 187 -
203, Update resolveCodexCredentials to resolve and inspect the active provider
configuration before returning officialCredentials; when the configured provider
declares an env_key, load and validate the corresponding custom-provider
credential first, even if auth.json is authenticated. Preserve existing fallback
behavior for official-only setups, and add a regression test covering auth.json
alongside custom config.toml and .env credentials to verify the custom provider
takes precedence.
Summary
auth.jsonOAuth/API-key behavior.config.tomlviamodel_providerand providerenv_key.CODEX_HOME/.env, and pass it only to the Codex CLI environment for execution.Tests
npm run typechecknpm run build:server && node --test dist-server/server/modules/providers/tests/codex-credentials.test.jsnpx eslint server/modules/providers/list/codex/codex-auth.provider.ts server/modules/providers/list/codex/codex-credentials.ts server/modules/providers/tests/codex-credentials.test.ts server/openai-codex.jsSummary by CodeRabbit
.envfiles.