fix(codex): 429-transient refresh, drop broken quota fallback, uniform PKCE, bounded push#122
Merged
Conversation
…k, harden PKCE + push - refreshAccessToken no longer treats a 429/408 on the token endpoint as a fatal 'sign-in expired'. During a retry storm auth.openai.com rate-limits the token endpoint; the whole 4xx range was fatal, forcing a needless full re-auth. Retry 429/408 (and 5xx) with backoff; only a genuine 4xx reconnects. (#19) - Removed the shared-key quota fallback. On 429/403 it forwarded the ChatGPT-internal Codex model id + Codex-shaped body to api.openai.com (which doesn't know those models → 400s) under process.env.OPENAI_API_KEY, and the substring quota-match could misfire on unrelated 403s → silently charging the user's personal key. Return the 429/403 as-is instead. (#15) - generateRandomString uses rejection sampling for a uniform PKCE verifier (b % 66 biased toward the first 58 chars). (#45) - pushTokensToBackend fetch is bounded by OAUTH_HTTP_TIMEOUT_MS so a hung backend can't leave 'keys signin' spinning after the browser succeeded. (#35)
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Codex reliability round 2 (from the audit):
refreshAccessTokentreated the whole 4xx range as a fatalCodexRefreshInvalidError("sign-in expired, reconnect"). A 429/408 onauth.openai.com/oauth/tokenis a rate-limit/timeout — transient — and during a retry storm this forced a needless full re-auth. Now 429/408 (and 5xx) retry with backoff; only a genuine 4xx reconnects.api.openai.com/v1/responses(which doesn't know those models → 400s) authenticated withprocess.env.OPENAI_API_KEY, and the substring quota-match (quota/rate_limit/capacity) could misfire on unrelated 403s — silently charging the user's personal key. Return the 429/403 to the caller instead; BYOKopenaiis the supported API-key path.generateRandomStringuses rejection sampling so the PKCE verifier is uniform (b % 66biased toward the first 58 chars).pushTokensToBackendis bounded byOAUTH_HTTP_TIMEOUT_MS; a hung thesis backend no longer leaveskeys signinspinning after the browser flow already succeeded.Tests
Added a 429-is-retried case to
codex-refresh.test.ts; existing refresh/device-poll/401-retry tests still pass (24 plugin tests green).