Fix chatgpt oauth #187

Merged
jamiepine merged 7 commits into spacedriveapp:main from marijnvdwerf:codex/draft-pr
Feb 24, 2026

@marijnvdwerf marijnvdwerf commented Feb 24, 2026

Fix ChatGPT Plus OAuth: switch to device code flow

The browser-based PKCE OAuth flow broke because the callback URL changed during cleanup — a localhost redirect doesn't work for non-localhost instances. This switches to the device code flow instead, which is simpler and avoids popup blockers entirely.

How it works now: user copies a device code, opens OpenAI's verification page, pastes the code, and we poll until they approve.

Changes

Backend (openai_auth.rs, providers.rs)

  • Replace PKCE browser flow with device code flow (request_device_code → poll_device_authorization → exchange_device_code)
  • Remove popup/callback endpoint, PKCE verifier handling
  • Support DELETE /api/providers/openai-chatgpt to remove OAuth credentials
  • Increase session TTL from 15 to 30 minutes

Frontend (Settings.tsx)

  • Redesign OAuth dialog with a stepped UI (copy code → open login page)
  • Handle completed states properly (success → "Done", error → "Try again")
  • Cancel polling on dialog close via AbortController
  • Show Remove button on the provider card when configured

Summary

This PR migrates OpenAI ChatGPT Plus OAuth from a browser-based PKCE flow to a device code flow. The core change eliminates the need for popup windows and redirect callbacks, replacing them with a simpler device code authorization pattern where users enter a code on a verification page.

Key changes:

  • Frontend — Updated Settings component to display device code and verification URL instead of opening a popup. Added state management for device code info and increased polling timeout from 180 to 360 attempts.

  • Backend OAuth flow — Completely rewrote /providers/openai/oauth/browser/* endpoints to use device code flow. Removed browser popup logic, PKCE verifier handling, and the callback endpoint. Spawns background task to poll for authorization and exchange tokens.

  • New device code functions — Added three new async functions in openai_auth.rs:

    • request_device_code() — requests device code from OpenAI
    • poll_device_authorization() — polls until user approves on OpenAI's device auth page
    • exchange_device_code() — exchanges authorization code for OAuth tokens
  • Session management — Renamed session types from BrowserOAuthSession to DeviceOAuthSession, simplified session data (removed PKCE and redirect URI), increased TTL from 15 to 30 minutes.

  • API responses — Updated OpenAiOAuthBrowserStartResponse to return user_code and verification_url instead of authorization_url.

Note

This changes the OAuth flow from browser-based to device code based. The device code pattern is simpler and avoids popup blockers. Users now enter a code directly on OpenAI's site instead of a redirect flow. Polling is now triggered automatically when the OAuth dialog opens and is cancelled when the dialog closes.
Written by Tembo for commit fb9114a. This will update automatically on new commits.

@marijnvdwerf marijnvdwerf changed the title from "Draft: working changes" to "[Draft] Fix chatgpt oauth" Feb 24, 2026
marijnvdwerf and others added 6 commits February 24, 2026 05:11
- Stepped UI with numbered badges for copy/paste flow
- Proper completed state: success shows Done, error shows Try again
- Cancel polling on dialog close via AbortController
- Consistent message styling with bordered pill pattern
- Copy button shows "Copied" feedback

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The DELETE /api/providers/openai-chatgpt endpoint now removes the
OAuth JSON credentials file instead of trying to look up a TOML key.
Re-enable the Remove button in the UI for the ChatGPT Plus card.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@marijnvdwerf marijnvdwerf marked this pull request as ready for review February 24, 2026 04:11
@marijnvdwerf marijnvdwerf changed the title from "[Draft] Fix chatgpt oauth" to "Fix chatgpt oauth" Feb 24, 2026
- Remove response body from device-code parse error to avoid leaking
  user_code into logs
- Clean up abort listener on timeout to prevent accumulation during
  long polls
- Clear in-memory OAuth credentials when removing openai-chatgpt
  provider, not just the file on disk

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@jamiepine jamiepine merged commit 7170ca0 into spacedriveapp:main Feb 24, 2026
3 checks passed
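
The polling lifecycle this PR describes (poll until approval, stop at the 30-minute session TTL, cancel when the dialog closes, keep the user_code out of logs), as an added example that is not code from this PR or the project. All type and function names, the 5-second interval and the sample values are assumptions; the clock and the authorization server are injected so the block runs offline.

```rust
use std::fmt;
use std::time::{Duration, Instant};

// Hypothetical names; only the 30-minute session TTL is taken from the PR text.
const SESSION_TTL: Duration = Duration::from_secs(30 * 60);

#[derive(Debug, PartialEq)]
enum Poll { Pending, Approved(String), Denied }

#[derive(Debug, PartialEq)]
enum Outcome { Authorized(String), Denied, Expired, Cancelled }

struct DeviceSession { user_code: String, created: Instant }

// Hand-written Debug so `{:?}` in a log line can never print the user_code.
impl fmt::Debug for DeviceSession {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "DeviceSession {{ user_code: <redacted, {} chars> }}", self.user_code.len())
    }
}

// Polls with an injected clock, cancel check and server so it runs offline.
// `server` stands in for the provider's authorization endpoint (constructed).
fn poll_until_done(
    s: &DeviceSession,
    interval: Duration,
    cancelled: &dyn Fn(u32) -> bool,
    server: &mut dyn FnMut(u32) -> Poll,
) -> Outcome {
    let (mut attempt, mut now) = (0u32, s.created);
    loop {
        if cancelled(attempt) { return Outcome::Cancelled; } // dialog closed
        if now.duration_since(s.created) >= SESSION_TTL { return Outcome::Expired; }
        match server(attempt) {
            Poll::Approved(code) => return Outcome::Authorized(code),
            Poll::Denied => return Outcome::Denied,
            Poll::Pending => { attempt += 1; now += interval; } // simulated sleep
        }
    }
}

fn main() {
    let s = DeviceSession { user_code: "ABCD-1234".into(), created: Instant::now() }; // constructed
    let mut server = |n: u32| if n < 3 { Poll::Pending } else { Poll::Approved("constructed-code".into()) };
    let out = poll_until_done(&s, Duration::from_secs(5), &|_: u32| false, &mut server);
    println!("{:?} -> {:?}", s, out);
}
```

With the assumed 5-second interval, the 30-minute TTL permits 360 polls before the session is reported as expired.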