Restrict Codex OAuth CLI fallback#876
Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 9137b6417c
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| case .networkError, .invalidResponse, .none: | ||
| return false |
There was a problem hiding this comment.
When a stale auth.json triggers a token refresh and the OAuth server rejects it with a non-401 status (for example the common HTTP 400 invalid_grant/revoked-token response), CodexTokenRefresher.refresh maps that to RefreshError.invalidResponse at CodexTokenRefresher.swift:69-70. Returning false for .invalidResponse here stops the auto pipeline instead of trying the CLI fallback, even though this is still an invalid-auth state that codex app-server can repair; users in that refresh-failure path will see the OAuth error rather than their CLI usage.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
Good catch. I updated the refresh failure classification instead of broadly allowing all invalidResponse errors to fall back.
Non-401 OAuth refresh failures with invalid_grant now map to .revoked, so auto mode still falls back to CLI for stale/revoked refresh tokens. Other non-auth refresh failures, such as invalid_request, remain .invalidResponse and do not trigger CLI fallback.
ViperThanks
force-pushed
the
codex-oauth-restrict-cli-fallback
branch
from
9137b64 to
190f10e
Compare
|
Good catch. I updated the refresh failure classification instead of broadly allowing all invalidResponse errors to fall back. Non-401 OAuth refresh failures with |
steipete
force-pushed
the
codex-oauth-restrict-cli-fallback
branch
from
48c3fae to
d69ac14
Compare
steipete
force-pushed
the
codex-oauth-restrict-cli-fallback
branch
from
d69ac14 to
421f81f
Compare
2 participants
Summary
Fixes #874.
Validation
swift build --target CodexBarCoregit diff --checkNote:
swift test --filter CodexOAuthTestscould not run in this environment because only Command Line Tools are active and the KeyboardShortcuts dependency fails to compile SwiftUI#Previewmacros without full Xcode (PreviewsMacrosnot found).