fix(auth): clarify manual callback flow

ndycode · ndycode · commit 1c88c100f357 · 2026-03-20T14:11:56.000+08:00
diff --git a/lib/codex-manager.ts b/lib/codex-manager.ts
@@ -1144,7 +1144,50 @@ async function promptManualCallback(
 			console.log("");
 			console.log(stylePromptText(UI_COPY.oauth.pastePrompt, "accent"));
 		}
-		const answer = await rl.question(useInteractivePrompt ? "◆  " : "");
+		const answer = useInteractivePrompt
+			? await rl.question("◆  ")
+			: await new Promise<string | null>((resolve, reject) => {
+					if (input.readableEnded || input.destroyed) {
+						resolve(null);
+						return;
+					}
+					let settled = false;
+					const handleInputClosed = () => {
+						if (settled) return;
+						settled = true;
+						input.off("end", handleInputClosed);
+						input.off("close", handleInputClosed);
+						resolve(null);
+					};
+					const finish = (value: string) => {
+						if (settled) return;
+						settled = true;
+						input.off("end", handleInputClosed);
+						input.off("close", handleInputClosed);
+						resolve(value);
+					};
+					const fail = (error: unknown) => {
+						if (settled) return;
+						settled = true;
+						input.off("end", handleInputClosed);
+						input.off("close", handleInputClosed);
+						reject(error);
+					};
+					rl.question("")
+						.then((value) => finish(value))
+						.catch((error) => {
+							if (isAbortError(error) || isReadlineClosedError(error)) {
+								handleInputClosed();
+								return;
+							}
+							fail(error);
+						});
+					input.once("end", handleInputClosed);
+					input.once("close", handleInputClosed);
+				});
+		if (answer === null) {
+			return null;
+		}
 		if (answer.includes("\u001b")) {
 			return null;
 		}
@@ -1163,7 +1206,7 @@ async function promptManualCallback(
 		if (parsed.state && parsed.state !== state) return null;
 		return parsed.code;
 	} catch (error) {
-		if (isAbortError(error)) {
+		if (isAbortError(error) || isReadlineClosedError(error)) {
 			return null;
 		}
 		throw error;
@@ -1172,6 +1215,17 @@ async function promptManualCallback(
 	}
 }
 
+function isReadlineClosedError(error: unknown): boolean {
+	if (!(error instanceof Error)) {
+		return false;
+	}
+	const errorCode =
+		typeof error === "object" && error !== null && "code" in error
+			? String((error as { code?: unknown }).code)
+			: "";
+	return errorCode === "ERR_USE_AFTER_CLOSE" || /readline was closed/i.test(error.message);
+}
+
 type OAuthSignInMode = "browser" | "manual" | "cancel";
 
 async function promptOAuthSignInMode(): Promise<OAuthSignInMode> {
@@ -1471,28 +1525,8 @@ async function runOAuthFlow(
 ): Promise<TokenResult> {
 	const { pkce, state, url } = await createAuthorizationFlow({ forceNewLogin });
 	const preferManualMode = options.manual || isBrowserLaunchSuppressed();
-	let oauthServer: Awaited<ReturnType<typeof startLocalOAuthServer>> | null = null;
-	try {
-		oauthServer = await startLocalOAuthServer({ state });
-	} catch (serverError) {
-		log.warn(
-			"Local OAuth callback server unavailable; falling back to manual callback entry.",
-			serverError instanceof Error
-				? {
-					message: serverError.message,
-					stack: serverError.stack,
-					code:
-						typeof serverError === "object" &&
-						serverError !== null &&
-						"code" in serverError
-							? String(serverError.code)
-							: undefined,
-				}
-				: { error: String(serverError) },
-		);
-		oauthServer = null;
-	}
 	let code: string | null = null;
+	let oauthServer: Awaited<ReturnType<typeof startLocalOAuthServer>> | null = null;
 	try {
 		const signInMode = preferManualMode ? "manual" : await promptOAuthSignInMode();
 		if (signInMode === "cancel") {
@@ -1503,6 +1537,29 @@ async function runOAuthFlow(
 			};
 		}
 
+		if (signInMode === "browser") {
+			try {
+				oauthServer = await startLocalOAuthServer({ state });
+			} catch (serverError) {
+				log.warn(
+					"Local OAuth callback server unavailable; falling back to manual callback entry.",
+					serverError instanceof Error
+						? {
+							message: serverError.message,
+							stack: serverError.stack,
+							code:
+								typeof serverError === "object" &&
+								serverError !== null &&
+								"code" in serverError
+									? String(serverError.code)
+									: undefined,
+						}
+						: { error: String(serverError) },
+				);
+				oauthServer = null;
+			}
+		}
+
 		if (signInMode === "browser") {
 			const opened = openBrowserUrl(url);
 			if (opened) {
@@ -1529,7 +1586,7 @@ async function runOAuthFlow(
 			);
 		}
 
-		const waitingForCallback = signInMode === "browser" && oauthServer?.ready === true;
+		const waitingForCallback = oauthServer?.ready === true;
 		if (waitingForCallback && oauthServer) {
 			console.log(stylePromptText(UI_COPY.oauth.waitingCallback, "muted"));
 			const callbackResult = await oauthServer.waitForCode(state);
@@ -1541,7 +1598,9 @@ async function runOAuthFlow(
 				stylePromptText(
 					waitingForCallback
 						? UI_COPY.oauth.callbackMissed
-						: UI_COPY.oauth.callbackUnavailable,
+						: signInMode === "manual"
+							? UI_COPY.oauth.callbackBypassed
+							: UI_COPY.oauth.callbackUnavailable,
 					"warning",
 				),
 			);
diff --git a/lib/ui/copy.ts b/lib/ui/copy.ts
@@ -42,6 +42,7 @@ export const UI_COPY = {
 		browserOpened: "Browser opened.",
 		browserOpenFail: "Could not open browser. Use this link:",
 		waitingCallback: "Waiting for login callback on localhost:1455...",
+		callbackBypassed: "Manual mode active. Paste the callback URL manually.",
 		callbackUnavailable: "Callback listener unavailable. Paste the callback URL manually.",
 		callbackMissed: "No callback received. Paste manually.",
 		cancelled: "Sign-in cancelled.",
diff --git a/test/browser.test.ts b/test/browser.test.ts
@@ -106,21 +106,33 @@ describe("auth browser utilities", () => {
 		});
 
 		it("lets explicit false-like CODEX_AUTH_NO_BROWSER override a disabling BROWSER value", () => {
+			Object.defineProperty(process, "platform", { value: "darwin" });
+			process.env.PATH = "/usr/bin";
 			process.env.CODEX_AUTH_NO_BROWSER = "0";
 			process.env.BROWSER = "none";
 
 			expect(isBrowserLaunchSuppressed()).toBe(false);
-			expect(openBrowserUrl("https://example.com")).toBe(false);
-			expect(mockedSpawn).not.toHaveBeenCalled();
+			expect(openBrowserUrl("https://example.com")).toBe(true);
+			expect(mockedSpawn).toHaveBeenCalledWith(
+				"open",
+				["https://example.com"],
+				{ stdio: "ignore", shell: false },
+			);
 		});
 
 		it("does not treat CODEX_AUTH_NO_BROWSER=false as suppression when BROWSER is disabled", () => {
+			Object.defineProperty(process, "platform", { value: "darwin" });
+			process.env.PATH = "/usr/bin";
 			process.env.CODEX_AUTH_NO_BROWSER = "false";
 			process.env.BROWSER = "none";
 
 			expect(isBrowserLaunchSuppressed()).toBe(false);
-			expect(openBrowserUrl("https://example.com")).toBe(false);
-			expect(mockedSpawn).not.toHaveBeenCalled();
+			expect(openBrowserUrl("https://example.com")).toBe(true);
+			expect(mockedSpawn).toHaveBeenCalledWith(
+				"open",
+				["https://example.com"],
+				{ stdio: "ignore", shell: false },
+			);
 		});
 
 		it("suppresses browser launch when BROWSER is set to none", () => {
diff --git a/test/codex-manager-cli.test.ts b/test/codex-manager-cli.test.ts
@@ -3008,8 +3008,9 @@ describe("codex manager cli commands", () => {
 
 		expect(exitCode).toBe(0);
 		expect(openBrowserUrlMock).not.toHaveBeenCalled();
+		expect(vi.mocked(serverModule.startLocalOAuthServer)).not.toHaveBeenCalled();
 		expect(waitForCodeMock).not.toHaveBeenCalled();
-		expect(renderedLogs.some((entry) => entry.includes("Callback listener unavailable"))).toBe(
+		expect(renderedLogs.some((entry) => entry.includes("Manual mode active"))).toBe(
 			true,
 		);
 		expect(renderedLogs.some((entry) => entry.includes("No callback received"))).toBe(false);
@@ -3069,8 +3070,9 @@ describe("codex manager cli commands", () => {
 		expect(exitCode).toBe(0);
 		expect(selectMock).toHaveBeenCalled();
 		expect(openBrowserUrlMock).not.toHaveBeenCalled();
+		expect(vi.mocked(serverModule.startLocalOAuthServer)).not.toHaveBeenCalled();
 		expect(waitForCodeMock).not.toHaveBeenCalled();
-		expect(renderedLogs.some((entry) => entry.includes("Callback listener unavailable"))).toBe(
+		expect(renderedLogs.some((entry) => entry.includes("Manual mode active"))).toBe(
 			true,
 		);
 		expect(renderedLogs.some((entry) => entry.includes("No callback received"))).toBe(false);
@@ -3124,7 +3126,7 @@ describe("codex manager cli commands", () => {
 		expect(exitCode).toBe(0);
 		expect(promptQuestionMock).toHaveBeenCalled();
 		expect(openBrowserUrlMock).not.toHaveBeenCalled();
-		expect(startLocalOAuthServerMock).toHaveBeenCalledTimes(1);
+		expect(startLocalOAuthServerMock).not.toHaveBeenCalled();
 		expect(storageState.accounts).toHaveLength(1);
 	});
 
@@ -3174,6 +3176,7 @@ describe("codex manager cli commands", () => {
 		expect(exitCode).toBe(0);
 		expect(promptQuestionMock).toHaveBeenCalledWith("");
 		expect(openBrowserUrlMock).not.toHaveBeenCalled();
+		expect(vi.mocked(serverModule.startLocalOAuthServer)).not.toHaveBeenCalled();
 		expect(storageState.accounts).toHaveLength(1);
 	});
 
@@ -3215,6 +3218,7 @@ describe("codex manager cli commands", () => {
 		expect(exitCode).toBe(0);
 		expect(promptQuestionMock).toHaveBeenCalledWith("");
 		expect(openBrowserUrlMock).not.toHaveBeenCalled();
+		expect(vi.mocked(serverModule.startLocalOAuthServer)).not.toHaveBeenCalled();
 		expect(exchangeAuthorizationCodeMock).not.toHaveBeenCalled();
 		expect(storageState.accounts).toHaveLength(0);
 	});
@@ -3265,9 +3269,48 @@ describe("codex manager cli commands", () => {
 		expect(exitCode).toBe(0);
 		expect(promptQuestionMock).toHaveBeenCalledWith("");
 		expect(openBrowserUrlMock).not.toHaveBeenCalled();
+		expect(vi.mocked(serverModule.startLocalOAuthServer)).not.toHaveBeenCalled();
 		expect(storageState.accounts).toHaveLength(1);
 	});
 
+	it("returns to the menu when stdin closes without input in non-tty manual mode", async () => {
+		setInteractiveTTY(false);
+		let storageState = {
+			version: 3 as const,
+			activeIndex: 0,
+			activeIndexByFamily: { codex: 0 },
+			accounts: [] as Array<Record<string, unknown>>,
+		};
+		loadAccountsMock.mockImplementation(async () => structuredClone(storageState));
+		saveAccountsMock.mockImplementation(async (nextStorage) => {
+			storageState = structuredClone(nextStorage);
+		});
+		promptLoginModeMock.mockResolvedValueOnce({ mode: "cancel" });
+		promptQuestionMock.mockRejectedValueOnce(new Error("readline was closed"));
+
+		const authModule = await import("../lib/auth/auth.js");
+		vi.mocked(authModule.createAuthorizationFlow).mockResolvedValueOnce({
+			pkce: { challenge: "pkce-challenge", verifier: "pkce-verifier" },
+			state: "oauth-state",
+			url: "https://auth.openai.com/mock",
+		});
+		const exchangeAuthorizationCodeMock = vi.mocked(authModule.exchangeAuthorizationCode);
+
+		const browserModule = await import("../lib/auth/browser.js");
+		const openBrowserUrlMock = vi.mocked(browserModule.openBrowserUrl);
+		const serverModule = await import("../lib/auth/server.js");
+
+		const { runCodexMultiAuthCli } = await import("../lib/codex-manager.js");
+		const exitCode = await runCodexMultiAuthCli(["auth", "login", "--manual"]);
+
+		expect(exitCode).toBe(0);
+		expect(promptQuestionMock).toHaveBeenCalledWith("");
+		expect(openBrowserUrlMock).not.toHaveBeenCalled();
+		expect(vi.mocked(serverModule.startLocalOAuthServer)).not.toHaveBeenCalled();
+		expect(exchangeAuthorizationCodeMock).not.toHaveBeenCalled();
+		expect(storageState.accounts).toHaveLength(0);
+	});
+
 	it("preserves distinct same-email workspaces when oauth login reuses a refresh token", async () => {
 		const now = Date.now();
 		let storageState = {
