Source from bundle
TG Auth Setup

Free Telegram /setup command for OpenClaw Codex auth: OAuth via pasted redirect/code, token fallback, status, and safe config patching.
Костянтин@Latand
Files
Skill
1.1K
Size
21.8 KB
Entrypoint
SKILL.md
Format
folder
Open file
assets/tg-auth-setup-plugin/index.js

Syntax-highlighted preview of this file as included in the skill package.
Rendered Source
code553 linesFree
assets/tg-auth-setup-plugin/index.js
1import fs from "node:fs/promises";
2import os from "node:os";
3import path from "node:path";
4import { pathToFileURL } from "node:url";
5import { execFileSync } from "node:child_process";
6 
7const PROFILE_ID = "openai-codex:default";
8const PROVIDER_ID = "openai-codex";
9const DEFAULT_MODEL = "openai-codex/gpt-5.5";
10const OAUTH_TIMEOUT_MS = 10 * 60 * 1000;
11const QUICK_WAIT_MS = 25 * 1000;
12 
13const oauthBySender = new Map();
14 
15function normalizeText(value) {
16  return String(value || "").trim();
17}
18 
19function sleep(ms) {
20  return new Promise((resolve) => setTimeout(resolve, ms));
21}
22 
23function senderKey(ctx) {
24  const channel = String(ctx.channelId || ctx.channel || "unknown");
25  const sender = String(ctx.senderId || ctx.from || ctx.to || "unknown");
26  return `${channel}:${sender}`;
27}
28 
29function maskToken(token) {
30  const clean = String(token || "").trim();
31  if (clean.length <= 8) {
32    return "********";
33  }
34  return `${clean.slice(0, 4)}...${clean.slice(-4)}`;
35}
36 
37function sanitizeToken(raw) {
38  return String(raw || "").replace(/\s+/g, "").trim();
39}
40 
41function resolveAuthPath() {
42  const explicit = process.env.OPENCLAW_AGENT_DIR;
43  if (explicit && explicit.trim()) {
44    return path.join(explicit, "auth-profiles.json");
45  }
46  return path.join(os.homedir(), ".openclaw", "agents", "main", "agent", "auth-profiles.json");
47}
48 
49async function loadStore(authPath) {
50  try {
51    const raw = await fs.readFile(authPath, "utf8");
52    const parsed = JSON.parse(raw);
53    if (!parsed || typeof parsed !== "object") {
54      return { version: 1, profiles: {} };
55    }
56    const version =
57      Number.isFinite(parsed.version) && Number(parsed.version) > 0 ? Number(parsed.version) : 1;
58    const profiles =
59      parsed.profiles && typeof parsed.profiles === "object" ? { ...parsed.profiles } : {};
60    return {
61      ...parsed,
62      version,
63      profiles,
64    };
65  } catch {
66    return { version: 1, profiles: {} };
67  }
68}
69 
70async function writeStore(authPath, store) {
71  const dir = path.dirname(authPath);
72  await fs.mkdir(dir, { recursive: true, mode: 0o700 });
73  await fs.chmod(dir, 0o700).catch(() => {});
74  const tmp = `${authPath}.tmp-${process.pid}-${Date.now()}`;
75  const body = `${JSON.stringify(store, null, 2)}\n`;
76  await fs.writeFile(tmp, body, { mode: 0o600 });
77  await fs.rename(tmp, authPath);
78  await fs.chmod(authPath, 0o600).catch(() => {});
79}
80 
81async function saveCodexToken(token) {
82  const authPath = resolveAuthPath();
83  const store = await loadStore(authPath);
84  store.version = store.version || 1;
85  store.profiles = store.profiles || {};
86  store.profiles[PROFILE_ID] = {
87    type: "token",
88    provider: PROVIDER_ID,
89    token,
90  };
91  await writeStore(authPath, store);
92  return authPath;
93}
94 
95async function saveCodexOauth(creds) {
96  const authPath = resolveAuthPath();
97  const store = await loadStore(authPath);
98  store.version = store.version || 1;
99  store.profiles = store.profiles || {};
100  store.profiles[PROFILE_ID] = {
101    type: "oauth",
102    provider: PROVIDER_ID,
103    access: creds.access,
104    refresh: creds.refresh,
105    expires: creds.expires,
106    ...(creds.accountId ? { accountId: creds.accountId } : {}),
107  };
108  await writeStore(authPath, store);
109  return authPath;
110}
111 
112async function patchConfig(api, mode) {
113  const cfg = api.runtime.config.loadConfig();
114  const next = { ...(cfg || {}) };
115  next.auth = next.auth || {};
116  next.auth.profiles = next.auth.profiles || {};
117  next.auth.profiles[PROFILE_ID] = {
118    provider: PROVIDER_ID,
119    mode,
120  };
121 
122  next.agents = next.agents || {};
123  next.agents.defaults = next.agents.defaults || {};
124  next.agents.defaults.model = next.agents.defaults.model || {};
125  if (!next.agents.defaults.model.primary) {
126    next.agents.defaults.model.primary = DEFAULT_MODEL;
127  }
128 
129  await api.runtime.config.writeConfigFile(next);
130}
131 
132async function loadLoginOpenAICodex() {
133  const prefixes = new Set();
134  const execPrefix = path.dirname(path.dirname(process.execPath || ""));
135  if (execPrefix) {
136    prefixes.add(execPrefix);
137  }
138  prefixes.add("/usr");
139  prefixes.add("/usr/local");
140  const home = os.homedir();
141  if (home && process.version) {
142    prefixes.add(path.join(home, ".nvm", "versions", "node", process.version));
143  }
144  if (process.env.npm_config_prefix) {
145    prefixes.add(process.env.npm_config_prefix);
146  }
147 
148  const packageJsonCandidates = new Set();
149  const addOpenClawPackageCandidate = (candidate) => {
150    if (candidate && candidate.trim()) {
151      packageJsonCandidates.add(candidate);
152    }
153  };
154 
155  const addOpenClawCandidateFromBinary = (binaryPath) => {
156    if (!binaryPath) {
157      return;
158    }
159    const rootDir = path.resolve(binaryPath, "..", "..", "lib", "node_modules", "openclaw");
160    addOpenClawPackageCandidate(path.join(rootDir, "package.json"));
161  };
162 
163  for (const prefix of prefixes) {
164    addOpenClawPackageCandidate(path.join(prefix, "lib", "node_modules", "openclaw", "package.json"));
165  }
166 
167  const pathDirs = String(process.env.PATH || "")
168    .split(path.delimiter)
169    .map((value) => value.trim())
170    .filter(Boolean);
171  for (const dir of pathDirs) {
172    addOpenClawCandidateFromBinary(path.join(dir, "openclaw"));
173    addOpenClawCandidateFromBinary(path.join(dir, "openclaw-gateway"));
174  }
175 
176  try {
177    const npmRoot = execFileSync("npm", ["root", "-g"], {
178      encoding: "utf8",
179      stdio: ["ignore", "pipe", "ignore"],
180    }).trim();
181    if (npmRoot) {
182      addOpenClawPackageCandidate(path.join(npmRoot, "openclaw", "package.json"));
183    }
184  } catch {
185    // ignore npm lookup failures and fall back to static candidates
186  }
187 
188  for (const openclawPackageJson of packageJsonCandidates) {
189    try {
190      await fs.access(openclawPackageJson);
191      const openclawRoot = path.dirname(openclawPackageJson);
192      const directCandidates = [
193        path.join(openclawRoot, "node_modules", "@mariozechner", "pi-ai", "dist", "oauth.js"),
194        path.join(openclawRoot, "node_modules", "@mariozechner", "pi-ai", "dist", "index.js"),
195      ];
196      for (const candidate of directCandidates) {
197        try {
198          await fs.access(candidate);
199          const mod = await import(pathToFileURL(candidate).toString());
200          if (mod && typeof mod.loginOpenAICodex === "function") {
201            return mod.loginOpenAICodex;
202          }
203        } catch {
204          // try next candidate
205        }
206      }
207    } catch {
208      // try next candidate
209    }
210  }
211 
212  const candidates = ["@mariozechner/pi-ai"];
213  for (const prefix of prefixes) {
214    candidates.push(
215      path.join(prefix, "lib", "node_modules", "@mariozechner", "pi-ai", "dist", "oauth.js"),
216      path.join(
217        prefix,
218        "lib",
219        "node_modules",
220        "@mariozechner",
221        "pi-ai",
222        "dist",
223        "utils",
224        "oauth",
225        "index.js",
226      ),
227      path.join(prefix, "lib", "node_modules", "@mariozechner", "pi-ai", "dist", "index.js"),
228      path.join(
229        prefix,
230        "lib",
231        "node_modules",
232        "openclaw",
233        "node_modules",
234        "@mariozechner",
235        "pi-ai",
236        "dist",
237        "oauth.js",
238      ),
239      path.join(
240        prefix,
241        "lib",
242        "node_modules",
243        "openclaw",
244        "node_modules",
245        "@mariozechner",
246        "pi-ai",
247        "dist",
248        "utils",
249        "oauth",
250        "index.js",
251      ),
252      path.join(
253        prefix,
254        "lib",
255        "node_modules",
256        "openclaw",
257        "node_modules",
258        "@mariozechner",
259        "pi-ai",
260        "dist",
261        "index.js",
262      ),
263    );
264  }
265  candidates.push(
266    "/usr/lib/node_modules/openclaw/node_modules/@mariozechner/pi-ai/dist/oauth.js",
267    "/usr/lib/node_modules/openclaw/node_modules/@mariozechner/pi-ai/dist/utils/oauth/index.js",
268    "/usr/lib/node_modules/openclaw/node_modules/@mariozechner/pi-ai/dist/index.js",
269    "/usr/local/lib/node_modules/openclaw/node_modules/@mariozechner/pi-ai/dist/oauth.js",
270    "/usr/local/lib/node_modules/openclaw/node_modules/@mariozechner/pi-ai/dist/utils/oauth/index.js",
271    "/usr/local/lib/node_modules/openclaw/node_modules/@mariozechner/pi-ai/dist/index.js",
272  );
273 
274  for (const candidate of candidates) {
275    try {
276      const spec =
277        candidate.startsWith("/") ? pathToFileURL(candidate).toString() : candidate;
278      const mod = await import(spec);
279      if (mod && typeof mod.loginOpenAICodex === "function") {
280        return mod.loginOpenAICodex;
281      }
282    } catch {
283      // try next candidate
284    }
285  }
286  throw new Error("Cannot load loginOpenAICodex from pi-ai package.");
287}
288 
289function usage() {
290  return [
291    "Usage:",
292    "/setup",
293    "/setup status",
294    "/setup oauth",
295    "/setup code <redirect_url_or_code>",
296    "/setup cancel",
297    "/cancel (while OAuth is waiting)",
298    "/setup codex <token>",
299    "/setup <token>",
300    "",
301    "OAuth flow from Telegram:",
302    "1) /setup",
303    "2) Open URL in browser, sign in",
304    "3) Copy full redirect URL (or code) and send it as a normal message",
305    "4) Optional: /setup code <value>",
306    "5) Cancel anytime with /cancel",
307  ].join("\n");
308}
309 
310function buildOauthPromptText(session) {
311  return [
312    "Відкрий це посилання у локальному браузері:",
313    session.authUrl,
314    "",
315    "Після логіну просто надішли сюди ПОВНИЙ redirect URL або code звичайним повідомленням.",
316    "Щоб скасувати, надішли /cancel",
317  ].join("\n");
318}
319 
320function getActiveOauthSession(key) {
321  const session = oauthBySender.get(key);
322  if (!session) {
323    return null;
324  }
325  if (session.status === "starting" || session.status === "waiting") {
326    return session;
327  }
328  return null;
329}
330 
331function cancelOauthSession(key) {
332  const session = oauthBySender.get(key);
333  if (!session) {
334    return { text: "Немає активної OAuth-сесії." };
335  }
336  session.status = "cancelled";
337  if (session.rejectInput) {
338    session.rejectInput(new Error("Cancelled by user."));
339  }
340  oauthBySender.delete(key);
341  return { text: "OAuth-сесію скасовано." };
342}
343 
344async function finishOauthInput(key, rawValue) {
345  const value = normalizeText(rawValue);
346  if (!value) {
347    return { text: "Надішли повний redirect URL або code." };
348  }
349 
350  const session = oauthBySender.get(key);
351  if (!session) {
352    return { text: "Немає активної OAuth-сесії. Почни з /setup" };
353  }
354 
355  if (session.resolveInput) {
356    session.resolveInput(value);
357  } else {
358    session.pendingInput = value;
359  }
360 
361  await Promise.race([session.runner, sleep(QUICK_WAIT_MS)]);
362  if (session.status === "done") {
363    const text = session.resultText || "OAuth completed.";
364    oauthBySender.delete(key);
365    return { text };
366  }
367  if (session.status === "failed") {
368    const error = session.lastError || "unknown error";
369    oauthBySender.delete(key);
370    return { text: `OAuth failed: ${error}` };
371  }
372  return { text: "Код отримала. Доробляю OAuth, перевір /setup status за кілька секунд." };
373}
374 
375async function startOauthFlow(api, key) {
376  const existing = getActiveOauthSession(key);
377  if (existing) {
378    if (existing.authUrl) {
379      return { text: buildOauthPromptText(existing) };
380    }
381    return {
382      text: "OAuth уже запускається. Якщо хочеш зупинити, надішли /cancel",
383    };
384  }
385 
386  const session = {
387    status: "starting",
388    authUrl: null,
389    instructions: null,
390    waitingPrompt: null,
391    resolveInput: null,
392    rejectInput: null,
393    pendingInput: null,
394    lastError: null,
395    runner: null,
396  };
397  oauthBySender.set(key, session);
398 
399  const loginOpenAICodex = await loadLoginOpenAICodex();
400 
401  let authReadyResolve;
402  const authReady = new Promise((resolve) => {
403    authReadyResolve = resolve;
404  });
405 
406  session.runner = (async () => {
407    try {
408      const creds = await loginOpenAICodex({
409        onAuth: (info) => {
410          session.authUrl = info?.url || null;
411          session.instructions = info?.instructions || null;
412          session.status = "waiting";
413          authReadyResolve?.();
414        },
415        onPrompt: async (prompt) => {
416          session.status = "waiting";
417          return await waitForCodeInput(session, prompt?.message || null);
418        },
419        onManualCodeInput: async () => {
420          session.status = "waiting";
421          return await waitForCodeInput(session, null);
422        },
423        onProgress: () => {},
424      });
425 
426      const authPath = await saveCodexOauth(creds);
427      await patchConfig(api, "oauth");
428      session.status = "done";
429      session.lastError = null;
430      session.resultText =
431        "OAuth completed.\n" +
432        `Profile: ${PROFILE_ID}\n` +
433        `Path: ${authPath}`;
434    } catch (err) {
435      session.status = "failed";
436      session.lastError = String(err?.message || err || "unknown error");
437    }
438  })();
439 
440  await Promise.race([authReady, sleep(5000)]);
441  if (!session.authUrl) {
442    if (session.status === "failed") {
443      const error = session.lastError || "unknown error";
444      oauthBySender.delete(key);
445      return { text: `Не вдалося запустити OAuth: ${error}` };
446    }
447    return {
448      text: "OAuth ще запускається. Якщо зависне, спробуй /setup ще раз або надішли /cancel",
449    };
450  }
451  return { text: buildOauthPromptText(session) };
452}
453 
454function extractCodeFromMessage(rawText) {
455  const text = normalizeText(rawText);
456  if (!text) {
457    return { kind: "empty" };
458  }
459  if (text === "/cancel" || text === "cancel") {
460    return { kind: "cancel" };
461  }
462  if (/^\/setup\s+cancel$/i.test(text)) {
463    return { kind: "cancel" };
464  }
465  const codeMatch = text.match(/^\/setup\s+code\s+([\s\S]+)$/i);
466  if (codeMatch) {
467    return { kind: "value", value: normalizeText(codeMatch[1]) };
468  }
469  if (/^\/setup(?:\s+oauth|\s+login)?$/i.test(text)) {
470    return { kind: "repeat-setup" };
471  }
472  if (text.startsWith("/")) {
473    return { kind: "other-command" };
474  }
475  return { kind: "value", value: text };
476}
477 
478async function handleCapturedOauthMessage(event, ctx) {
479  const key = senderKey({ channelId: ctx.channelId || event.channel, senderId: ctx.senderId });
480  const session = getActiveOauthSession(key);
481  if (!session) {
482    return null;
483  }
484 
485  const parsed = extractCodeFromMessage(event.body || event.content);
486  if (parsed.kind === "cancel") {
487    return { handled: true, text: cancelOauthSession(key).text };
488  }
489  if (parsed.kind === "repeat-setup") {
490    return {
491      handled: true,
492      text: session.authUrl
493        ? buildOauthPromptText(session)
494        : "OAuth уже запускається. Якщо хочеш скасувати, надішли /cancel",
495    };
496  }
497  if (parsed.kind === "other-command") {
498    return {
499      handled: true,
500      text:
501        "Зараз чекаю redirect URL/code для OAuth. Просто надішли його сюди звичайним повідомленням або надішли /cancel",
502    };
503  }
504  if (parsed.kind === "empty") {
505    return {
506      handled: true,
507      text: "Надішли повний redirect URL або code. Щоб скасувати, надішли /cancel",
508    };
509  }
510 
511  const result = await finishOauthInput(key, parsed.value);
512  return { handled: true, text: result.text };
513}
514 
515function waitForCodeInput(session, promptText) {
516  if (session.pendingInput) {
517    const value = session.pendingInput;
518    session.pendingInput = null;
519    return Promise.resolve(value);
520  }
521  return new Promise((resolve, reject) => {
522    session.waitingPrompt = promptText || "Paste redirect URL/code via /setup code <value>";
523    session.resolveInput = (value) => {
524      session.resolveInput = null;
525      session.rejectInput = null;
526      session.waitingPrompt = null;
527      resolve(value);
528    };
529    session.rejectInput = (err) => {
530      session.resolveInput = null;
531      session.rejectInput = null;
532      session.waitingPrompt = null;
533      reject(err);
534    };
535    setTimeout(() => {
536      if (session.rejectInput) {
537        session.rejectInput(new Error("Timed out waiting for /setup code."));
538      }
539    }, OAUTH_TIMEOUT_MS);
540  });
541}
542 
543export default function register(api) {
544  api.on("before_dispatch", async (event, ctx) => {
545    return await handleCapturedOauthMessage(event, ctx);
546  });
547 
548  api.registerCommand({
549    name: "setup",
550    description: "Owner-only setup helpers for OpenAI Codex auth.",
551    acceptsArgs: true,
552    requireAuth: true,
553    handler: a
Preparing the source view

TG Auth Setup

assets/tg-auth-setup-plugin/index.js
