Codex accounts: 6h auto-refresh, manual refresh, manual switch (#48)

Auto refresh
- New refreshCodexAccount(index) calls https://auth.openai.com/oauth/token
  with grant_type=refresh_token and persists rotated tokens back to
  ~/.codex-accounts/{N}/auth.json. JWT's subscription_active_until
  reflects the latest plan state OpenAI hands back.
- startCodexAccountRefreshLoop() runs every 6h (first run delayed 60s
  after boot to keep startup snappy). Hooked into main()/shutdown()
  alongside the existing claude token refresh loop.

Manual controls (Settings → 계정 → Codex)
- "갱신" button per row: forces an immediate refresh for that account.
- "전체 갱신" button: refreshes all codex accounts in sequence.
- "전환" button: writes data/codex-rotation-state.json so the next codex
  spawn picks the chosen account. Active account marked with a green-
  bordered card and "사용중" badge.

Endpoints
- POST /api/settings/accounts/codex/{i}/refresh
- POST /api/settings/accounts/codex/refresh-all
- PUT  /api/settings/accounts/codex/current  { index }
- GET  /api/settings/accounts now also returns codexCurrentIndex.

Why
JWTs cache subscription state at issue-time. When a Pro plan lapses or
a user upgrades/downgrades, the dashboard kept showing stale data until
the user logged in again. Periodic refresh + explicit "갱신" button
keeps the displayed state honest, and the manual switch unblocks the
user when rotation lands on a known-bad account.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Eyejoker
2026-04-27 22:23:06 +09:00
committed by GitHub
parent 2f7e09e194
commit c2a6889567
7 changed files with 437 additions and 13 deletions

View File

@@ -256,6 +256,42 @@ export function getActiveCodexAuthPath(): string | null {
return getCodexAuthPath();
}
/** Currently active codex account index (after rotation). */
export function getCurrentCodexAccountIndex(): number {
return accounts.length === 0 ? 0 : currentIndex;
}
/** Manually switch the active codex account. Clears its rate-limit cooldown. */
export function setCurrentCodexAccountIndex(targetIndex: number): void {
if (accounts.length === 0) {
throw new Error('codex token rotation: no accounts loaded');
}
if (
!Number.isInteger(targetIndex) ||
targetIndex < 0 ||
targetIndex >= accounts.length
) {
throw new Error(
`codex switch: index ${targetIndex} out of range [0..${accounts.length - 1}]`,
);
}
if (targetIndex === currentIndex) return;
const previous = currentIndex;
currentIndex = targetIndex;
// Clear rate-limit on the chosen account so rotation logic doesn't bounce it.
accounts[targetIndex].rateLimitedUntil = null;
saveCodexState();
logger.info(
{
transition: 'rotation:manual-switch',
fromIndex: previous,
toIndex: currentIndex,
totalAccounts: accounts.length,
},
`Codex switched manually to account #${currentIndex + 1}/${accounts.length}`,
);
}
export function getCodexAuthPath(
accountIndex: number = currentIndex,
): string | null {

View File

@@ -59,6 +59,10 @@ import { startWebDashboardServer } from './web-dashboard-server.js';
import { Channel, NewMessage, RegisteredGroup } from './types.js';
import { logger } from './logger.js';
import { initCodexTokenRotation } from './codex-token-rotation.js';
import {
startCodexAccountRefreshLoop,
stopCodexAccountRefreshLoop,
} from './settings-store.js';
import {
hasAvailableClaudeToken,
initTokenRotation,
@@ -245,6 +249,7 @@ async function main(): Promise<void> {
initTokenRotation();
initCodexTokenRotation();
startTokenRefreshLoop();
startCodexAccountRefreshLoop();
runtimeState.loadState();
@@ -254,6 +259,7 @@ async function main(): Promise<void> {
const shutdown = async (signal: string) => {
logger.info({ signal }, 'Shutdown signal received');
stopTokenRefreshLoop();
stopCodexAccountRefreshLoop();
if (leaseRecoveryTimer) {
clearInterval(leaseRecoveryTimer);
leaseRecoveryTimer = null;

View File

@@ -277,6 +277,136 @@ export function updateModelConfig(
return getModelConfig();
}
const CODEX_OAUTH_TOKEN_URL = 'https://auth.openai.com/oauth/token';
const CODEX_OAUTH_CLIENT_ID = 'app_EMoamEEZ73f0CkXaXp7hrann';
interface CodexAuthFile {
auth_mode?: string;
OPENAI_API_KEY?: string | null;
tokens?: {
id_token?: string;
access_token?: string;
refresh_token?: string;
account_id?: string;
};
last_refresh?: string;
}
function readCodexAuthFile(file: string): CodexAuthFile | null {
return readJson<CodexAuthFile>(file);
}
function writeCodexAuthFile(file: string, data: CodexAuthFile): void {
const tempPath = `${file}.tmp`;
fs.writeFileSync(tempPath, `${JSON.stringify(data, null, 2)}\n`, {
mode: 0o600,
});
fs.renameSync(tempPath, file);
}
export async function refreshCodexAccount(
index: number,
): Promise<CodexAccountSummary> {
const file = codexAuthPath(index);
if (!fs.existsSync(file)) {
throw new Error(`codex auth.json not found for index ${index}`);
}
const data = readCodexAuthFile(file);
const refreshToken = data?.tokens?.refresh_token;
if (!refreshToken) {
throw new Error(`codex account #${index} has no refresh_token`);
}
const body = new URLSearchParams({
grant_type: 'refresh_token',
refresh_token: refreshToken,
client_id: CODEX_OAUTH_CLIENT_ID,
});
const res = await fetch(CODEX_OAUTH_TOKEN_URL, {
method: 'POST',
headers: { 'content-type': 'application/x-www-form-urlencoded' },
body: body.toString(),
});
if (!res.ok) {
const text = await res.text().catch(() => '');
throw new Error(
`codex refresh failed (#${index}): ${res.status} ${text.slice(0, 200)}`,
);
}
const payload = (await res.json()) as {
access_token?: string;
id_token?: string;
refresh_token?: string;
};
const updated: CodexAuthFile = {
...(data ?? {}),
tokens: {
...(data?.tokens ?? {}),
id_token: payload.id_token ?? data?.tokens?.id_token,
access_token: payload.access_token ?? data?.tokens?.access_token,
refresh_token: payload.refresh_token ?? refreshToken,
},
last_refresh: new Date().toISOString(),
};
writeCodexAuthFile(file, updated);
const summary = readCodexAccount(index);
if (!summary)
throw new Error('failed to re-read codex account after refresh');
return summary;
}
export async function refreshAllCodexAccounts(): Promise<{
refreshed: number[];
failed: Array<{ index: number; error: string }>;
}> {
const refreshed: number[] = [];
const failed: Array<{ index: number; error: string }> = [];
const accounts = listCodexAccounts();
for (const acc of accounts) {
try {
await refreshCodexAccount(acc.index);
refreshed.push(acc.index);
} catch (err) {
failed.push({
index: acc.index,
error: err instanceof Error ? err.message : String(err),
});
}
}
return { refreshed, failed };
}
const CODEX_REFRESH_INTERVAL_MS = 6 * 60 * 60 * 1000;
let codexRefreshTimer: ReturnType<typeof setInterval> | null = null;
export function startCodexAccountRefreshLoop(): void {
if (codexRefreshTimer) return;
// Stagger first refresh so server boot isn't slowed.
setTimeout(() => {
void refreshAllCodexAccounts().catch(() => {
/* swallow; per-account errors logged inside */
});
}, 60_000).unref?.();
codexRefreshTimer = setInterval(() => {
void refreshAllCodexAccounts().catch(() => {
/* swallow */
});
}, CODEX_REFRESH_INTERVAL_MS);
codexRefreshTimer.unref?.();
}
export function stopCodexAccountRefreshLoop(): void {
if (codexRefreshTimer) {
clearInterval(codexRefreshTimer);
codexRefreshTimer = null;
}
}
function codexConfigPath(): string {
return path.join(os.homedir(), '.codex', 'config.toml');
}

View File

@@ -52,10 +52,16 @@ import {
getModelConfig,
listClaudeAccounts,
listCodexAccounts,
refreshAllCodexAccounts,
refreshCodexAccount,
removeAccountDirectory,
updateFastMode,
updateModelConfig,
} from './settings-store.js';
import {
getCurrentCodexAccountIndex,
setCurrentCodexAccountIndex,
} from './codex-token-rotation.js';
const DEFAULT_STATUS_MAX_AGE_MS = 10 * 60 * 1000;
const ROOM_MESSAGE_ID_CACHE_LIMIT = 500;
@@ -1340,6 +1346,64 @@ export function createWebDashboardHandler(
}
}
{
const refreshMatch = url.pathname.match(
/^\/api\/settings\/accounts\/codex\/(\d+)\/refresh$/,
);
if (refreshMatch && request.method === 'POST') {
const index = Number.parseInt(refreshMatch[1], 10);
try {
const updated = await refreshCodexAccount(index);
return jsonResponse({ ok: true, account: updated });
} catch (err) {
const message = err instanceof Error ? err.message : String(err);
return jsonResponse({ error: message }, { status: 400 });
}
}
}
if (
url.pathname === '/api/settings/accounts/codex/refresh-all' &&
request.method === 'POST'
) {
try {
const result = await refreshAllCodexAccounts();
return jsonResponse({ ok: true, ...result });
} catch (err) {
const message = err instanceof Error ? err.message : String(err);
return jsonResponse({ error: message }, { status: 500 });
}
}
if (
url.pathname === '/api/settings/accounts/codex/current' &&
request.method === 'PUT'
) {
let body: { index?: unknown } | null = null;
try {
body = (await request.json()) as { index?: unknown };
} catch {
return jsonResponse({ error: 'Invalid JSON body' }, { status: 400 });
}
const idx = typeof body?.index === 'number' ? body.index : Number.NaN;
if (!Number.isInteger(idx)) {
return jsonResponse(
{ error: 'index must be an integer' },
{ status: 400 },
);
}
try {
setCurrentCodexAccountIndex(idx);
return jsonResponse({
ok: true,
codexCurrentIndex: getCurrentCodexAccountIndex(),
});
} catch (err) {
const message = err instanceof Error ? err.message : String(err);
return jsonResponse({ error: message }, { status: 400 });
}
}
if (url.pathname === '/api/tasks' && request.method === 'POST') {
if (!loadRoomBindings) {
return jsonResponse(
@@ -1538,6 +1602,7 @@ export function createWebDashboardHandler(
return jsonResponse({
claude: listClaudeAccounts(),
codex: listCodexAccounts(),
codexCurrentIndex: getCurrentCodexAccountIndex(),
});
}