feat: Codex device code authorization flow

502647092 · 502647092 · commit 94ddc3aaf92d · 2026-03-13T18:27:24.000+08:00
- Device code endpoints: /api/accounts/deviceauth/usercode + /token
- User visits auth.openai.com/codex/device and enters code
- Poll every N seconds until authorized, then exchange for access token
- Tauri commands: codex_device_start, codex_device_poll
- UI: two auth options - browser OAuth or device code
- Device code displayed with copy-friendly styling
- 15 minute timeout on polling
diff --git a/src-tauri/src/ai/codex.rs b/src-tauri/src/ai/codex.rs
@@ -14,6 +14,13 @@ const CALLBACK_PATH: &str = "/auth/callback";
 const SCOPE: &str = "openid profile email offline_access";
 const API_BASE: &str = "https://api.openai.com";
 
+/// Device Code Flow 端点
+const DEVICE_CODE_URL: &str = "https://auth.openai.com/api/accounts/deviceauth/usercode";
+const DEVICE_TOKEN_URL: &str = "https://auth.openai.com/api/accounts/deviceauth/token";
+const DEVICE_REDIRECT_URI: &str = "https://auth.openai.com/deviceauth/callback";
+const DEVICE_VERIFY_URL: &str = "https://auth.openai.com/codex/device";
+const DEVICE_TIMEOUT_SECS: u64 = 900; // 15 分钟
+
 /// Codex OAuth Token
 #[derive(Debug, Clone, Serialize, Deserialize, Default)]
 pub struct CodexToken {
@@ -22,6 +29,15 @@ pub struct CodexToken {
     pub expires_at: Option<u64>,
 }
 
+/// Device Code Flow 响应
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct DeviceCodeResponse {
+    pub device_auth_id: String,
+    pub user_code: String,
+    pub verification_uri: String,
+    pub interval: u64,
+}
+
 /// Codex Provider - 通过 ChatGPT Plus/Pro 订阅的 OAuth 授权使用 OpenAI 模型
 pub struct CodexProvider {
     client: Client,
@@ -155,6 +171,115 @@ impl CodexProvider {
         Ok(token)
     }
 
+    /// Device Code Flow: 请求设备码
+    pub fn start_device_code_login(&self) -> Result<DeviceCodeResponse, AIError> {
+        let body = serde_json::json!({ "client_id": CLIENT_ID });
+
+        let resp = reqwest::blocking::Client::new()
+            .post(DEVICE_CODE_URL)
+            .json(&body)
+            .send()
+            .map_err(|e| AIError::Network(e.into()))?;
+
+        if !resp.status().is_success() {
+            let text = resp.text().unwrap_or_default();
+            return Err(AIError::ApiError(format!("请求设备码失败: {}", text)));
+        }
+
+        let data: serde_json::Value = resp.json()
+            .map_err(|e| AIError::Network(e.into()))?;
+
+        Ok(DeviceCodeResponse {
+            device_auth_id: data["device_auth_id"].as_str().unwrap_or("").to_string(),
+            user_code: data["user_code"].as_str()
+                .or(data["usercode"].as_str())
+                .unwrap_or("").to_string(),
+            verification_uri: DEVICE_VERIFY_URL.to_string(),
+            interval: data["interval"].as_u64()
+                .or(data["interval"].as_str().and_then(|s| s.parse().ok()))
+                .unwrap_or(5),
+        })
+    }
+
+    /// Device Code Flow: 轮询等待用户授权并换取 token
+    pub fn poll_device_code(&self, device_auth_id: &str, user_code: &str, interval: u64) -> Result<CodexToken, AIError> {
+        let client = reqwest::blocking::Client::new();
+        let start = std::time::Instant::now();
+
+        loop {
+            if start.elapsed().as_secs() > DEVICE_TIMEOUT_SECS {
+                return Err(AIError::ApiError("设备码授权超时（15分钟）".into()));
+            }
+
+            std::thread::sleep(std::time::Duration::from_secs(interval));
+
+            let resp = client
+                .post(DEVICE_TOKEN_URL)
+                .json(&serde_json::json!({
+                    "device_auth_id": device_auth_id,
+                    "user_code": user_code,
+                }))
+                .send()
+                .map_err(|e| AIError::Network(e.into()))?;
+
+            let status = resp.status();
+            if status.is_success() {
+                let data: serde_json::Value = resp.json()
+                    .map_err(|e| AIError::Network(e.into()))?;
+
+                let auth_code = data["authorization_code"].as_str()
+                    .ok_or_else(|| AIError::ApiError("响应中无 authorization_code".into()))?;
+                let code_verifier = data["code_verifier"].as_str()
+                    .ok_or_else(|| AIError::ApiError("响应中无 code_verifier".into()))?;
+
+                // 用 authorization_code 换 access_token
+                return self.exchange_device_token(auth_code, code_verifier);
+            }
+
+            // 403/404 = 用户尚未授权，继续轮询
+            if status.as_u16() == 403 || status.as_u16() == 404 {
+                tracing::debug!("设备码授权等待中...");
+                continue;
+            }
+
+            let text = resp.text().unwrap_or_default();
+            return Err(AIError::ApiError(format!("轮询失败 ({}): {}", status, text)));
+        }
+    }
+
+    fn exchange_device_token(&self, code: &str, verifier: &str) -> Result<CodexToken, AIError> {
+        let body = format!(
+            "grant_type=authorization_code&client_id={}&code={}&code_verifier={}&redirect_uri={}",
+            CLIENT_ID,
+            urlencoding::encode(code),
+            urlencoding::encode(verifier),
+            urlencoding::encode(DEVICE_REDIRECT_URI),
+        );
+
+        let resp = reqwest::blocking::Client::new()
+            .post(TOKEN_URL)
+            .header("Content-Type", "application/x-www-form-urlencoded")
+            .body(body)
+            .send()
+            .map_err(|e| AIError::Network(e.into()))?;
+
+        let data: serde_json::Value = resp.json()
+            .map_err(|e| AIError::Network(e.into()))?;
+
+        let access_token = data["access_token"].as_str()
+            .ok_or_else(|| AIError::ApiError("token 响应中无 access_token".into()))?
+            .to_string();
+
+        let refresh_token = data["refresh_token"].as_str().map(|s| s.to_string());
+        let expires_in = data["expires_in"].as_u64().unwrap_or(3600);
+        let expires_at = std::time::SystemTime::now()
+            .duration_since(std::time::UNIX_EPOCH).unwrap().as_secs() + expires_in;
+
+        let token = CodexToken { access_token, refresh_token, expires_at: Some(expires_at) };
+        self.set_token(token.clone());
+        Ok(token)
+    }
+
     fn exchange_code_blocking(
         &self,
         code: &str,
diff --git a/src-tauri/src/commands.rs b/src-tauri/src/commands.rs
@@ -117,6 +117,41 @@ pub fn codex_is_logged_in(router: State<'_, AIRouter>) -> bool {
     router.has_provider("codex")
 }
 
+#[tauri::command]
+pub fn codex_device_start() -> CmdResult<serde_json::Value> {
+    let provider = crate::ai::codex::CodexProvider::new();
+    let resp = provider.start_device_code_login().map_err(|e| e.to_string())?;
+
+    Ok(serde_json::json!({
+        "device_auth_id": resp.device_auth_id,
+        "user_code": resp.user_code,
+        "verification_uri": resp.verification_uri,
+        "interval": resp.interval,
+    }))
+}
+
+#[tauri::command]
+pub fn codex_device_poll(
+    router: State<'_, AIRouter>,
+    device_auth_id: String,
+    user_code: String,
+    interval: u64,
+) -> CmdResult<serde_json::Value> {
+    let provider = crate::ai::codex::CodexProvider::new();
+    let token = provider
+        .poll_device_code(&device_auth_id, &user_code, interval)
+        .map_err(|e| e.to_string())?;
+
+    // 注册到 router
+    let codex = crate::ai::codex::CodexProvider::with_token(token.clone());
+    router.register(Box::new(codex));
+
+    Ok(serde_json::json!({
+        "success": true,
+        "expires_at": token.expires_at,
+    }))
+}
+
 // ─── AI Commands ───
 
 #[tauri::command]
diff --git a/src-tauri/src/main.rs b/src-tauri/src/main.rs
@@ -34,6 +34,8 @@ fn main() {
             config_validate_provider,
             codex_login,
             codex_is_logged_in,
+            codex_device_start,
+            codex_device_poll,
             ai_send_message,
             ai_list_providers,
             channel_list,
diff --git a/src/components/Settings/AISetupWizard.tsx b/src/components/Settings/AISetupWizard.tsx
@@ -58,6 +58,13 @@ export function AISetupWizard() {
   const [formData, setFormData] = useState({ baseUrl: "", apiKey: "", model: "" });
   const [oauthLoading, setOauthLoading] = useState(false);
   const [oauthError, setOauthError] = useState("");
+  const [deviceCode, setDeviceCode] = useState<{
+    device_auth_id: string;
+    user_code: string;
+    verification_uri: string;
+    interval: number;
+  } | null>(null);
+  const [devicePolling, setDevicePolling] = useState(false);
 
   const handleSelectPreset = (index: number) => {
     setSelectedPreset(index);
@@ -86,6 +93,45 @@ export function AISetupWizard() {
     }
   };
 
+  const handleDeviceCodeStart = async () => {
+    setOauthLoading(true);
+    setOauthError("");
+    setDeviceCode(null);
+    try {
+      const resp = await codexAPI.deviceStart();
+      setDeviceCode(resp);
+    } catch (e) {
+      setOauthError(String(e));
+    } finally {
+      setOauthLoading(false);
+    }
+  };
+
+  const handleDeviceCodePoll = async () => {
+    if (!deviceCode) return;
+    setDevicePolling(true);
+    setOauthError("");
+    try {
+      const result = await codexAPI.devicePoll(
+        deviceCode.device_auth_id,
+        deviceCode.user_code,
+        deviceCode.interval,
+      );
+      if (result.success) {
+        addProvider("codex", {
+          baseUrl: "https://api.openai.com",
+          enabled: true,
+          displayName: "Codex (ChatGPT 订阅)",
+        });
+        setFirstRun(false);
+      }
+    } catch (e) {
+      setOauthError(String(e));
+    } finally {
+      setDevicePolling(false);
+    }
+  };
+
   const handleSave = () => {
     if (selectedPreset === null) return;
     const preset = PROVIDER_PRESETS[selectedPreset];
@@ -140,7 +186,7 @@ export function AISetupWizard() {
         <div className="space-y-4">
           <button
             onClick={handleCodexLogin}
-            disabled={oauthLoading}
+            disabled={oauthLoading || devicePolling}
             className="w-full py-3 bg-green-600 text-white rounded-lg hover:bg-green-700 disabled:opacity-50 flex items-center justify-center gap-2"
           >
             {oauthLoading ? (
@@ -149,9 +195,59 @@ export function AISetupWizard() {
                 等待浏览器授权...
               </>
             ) : (
-              "🔐 使用 ChatGPT 账号登录"
+              "🔐 浏览器授权登录"
             )}
           </button>
+
+          <div className="relative flex items-center my-2">
+            <div className="flex-grow border-t border-gray-300" />
+            <span className="mx-3 text-xs text-gray-400">或</span>
+            <div className="flex-grow border-t border-gray-300" />
+          </div>
+
+          {!deviceCode ? (
+            <button
+              onClick={handleDeviceCodeStart}
+              disabled={oauthLoading || devicePolling}
+              className="w-full py-3 bg-blue-600 text-white rounded-lg hover:bg-blue-700 disabled:opacity-50"
+            >
+              📱 设备码授权（适用于远程/无浏览器环境）
+            </button>
+          ) : (
+            <div className="border border-blue-200 bg-blue-50 rounded-lg p-4 space-y-3">
+              <p className="text-sm text-gray-700">
+                1. 在任意设备上访问：
+              </p>
+              <a
+                href={deviceCode.verification_uri}
+                target="_blank"
+                rel="noreferrer"
+                className="block text-center text-blue-600 font-mono text-sm underline"
+              >
+                {deviceCode.verification_uri}
+              </a>
+              <p className="text-sm text-gray-700">2. 输入以下代码：</p>
+              <div className="text-center">
+                <span className="inline-block bg-white border-2 border-blue-400 rounded-lg px-6 py-3 font-mono text-2xl font-bold tracking-widest select-all">
+                  {deviceCode.user_code}
+                </span>
+              </div>
+              {!devicePolling ? (
+                <button
+                  onClick={handleDeviceCodePoll}
+                  className="w-full py-2 bg-blue-600 text-white rounded-lg hover:bg-blue-700"
+                >
+                  ✅ 我已输入代码，开始验证
+                </button>
+              ) : (
+                <div className="flex items-center justify-center gap-2 py-2 text-sm text-blue-600">
+                  <span className="animate-spin">⏳</span>
+                  等待授权中...
+                </div>
+              )}
+            </div>
+          )}
+
           {oauthError && (
             <p className="text-red-500 text-sm">{oauthError}</p>
           )}
diff --git a/src/hooks/useAPI.ts b/src/hooks/useAPI.ts
@@ -19,4 +19,14 @@ export const aiAPI = {
 export const codexAPI = {
   login: () => invoke<{ success: boolean; expires_at?: number }>("codex_login"),
   isLoggedIn: () => invoke<boolean>("codex_is_logged_in"),
+  deviceStart: () => invoke<{
+    device_auth_id: string;
+    user_code: string;
+    verification_uri: string;
+    interval: number;
+  }>("codex_device_start"),
+  devicePoll: (deviceAuthId: string, userCode: string, interval: number) =>
+    invoke<{ success: boolean; expires_at?: number }>("codex_device_poll", {
+      deviceAuthId, userCode, interval,
+    }),
 };
diff --git a/temp_repo b/temp_repo
@@ -0,0 +1 @@
+Subproject commit f5c8d246723a5e2aa3458d4060150da1a78c8433

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Subproject commit f5c8d246723a5e2aa3458d4060150da1a78c8433`