Merge pull request #338 from ndycode/audit/pr2-runtime-recovery-safety

fix runtime recovery token restore safety

Author: ndycode

index.ts

@@ -254,6 +254,7 @@ import {
 	saveFlaggedAccounts,
 	setStorageBackupEnabled,
 	setStoragePath,
+	withAccountAndFlaggedStorageTransaction,
 	withAccountStorageTransaction,
 } from "./lib/storage.js";
 import {
@@ -398,6 +399,26 @@ export const OpenAIOAuthPlugin: Plugin = async ({ client }: PluginInput) => {
 		findMatchingAccountIndex,
 		modelFamilies: MODEL_FAMILIES,
 	});
+	const persistAccountPoolAndFlagged = async (
+		results: TokenSuccessWithAccount[],
+		flaggedStorage: Parameters<typeof saveFlaggedAccounts>[0],
+		replaceAll: boolean = false,
+	): Promise<void> =>
+		withAccountAndFlaggedStorageTransaction(async (loadedStorage, persist) => {
+			await persistAccountPoolResults({
+				results,
+				replaceAll,
+				modelFamilies: MODEL_FAMILIES,
+				withAccountStorageTransaction: async (handler) =>
+					handler(loadedStorage, async (storage) => {
+						await persist(storage, flaggedStorage);
+					}),
+				findMatchingAccountIndex,
+				extractAccountId,
+				extractAccountEmail,
+				sanitizeEmail,
+			});
+		});
 
 	const accountManagerCacheInvalidationDeps = {
 		setCachedAccountManager: (value: unknown) => {
@@ -2598,6 +2619,8 @@ export const OpenAIOAuthPlugin: Plugin = async ({ client }: PluginInput) => {
 										queuedRefresh,
 										resolveTokenSuccessAccount,
 										persistAccounts: persistAccountPool,
+										persistAccountsAndFlagged:
+											persistAccountPoolAndFlagged,
 										invalidateAccountManagerCache: () =>
 											invalidateRuntimeAccountManagerCache(
 												accountManagerCacheInvalidationDeps,

lib/runtime/account-check.ts

@@ -65,6 +65,13 @@ export async function runRuntimeAccountCheck(
 			version: 1;
 			accounts: FlaggedAccountMetadataV1[];
 		}) => Promise<void>;
+		persistAccountAndFlaggedStorage?: (
+			accountStorage: AccountStorageV3,
+			flaggedStorage: {
+				version: 1;
+				accounts: FlaggedAccountMetadataV1[];
+			},
+		) => Promise<void>;
 		now?: () => number;
 		showLine: (message: string) => void;
 	},
@@ -145,14 +152,6 @@ export async function runRuntimeAccountCheck(
 				) {
 					accessToken = cached.accessToken;
 					authDetail = "OK (Codex CLI cache)";
-
-					if (
-						cached.refreshToken &&
-						cached.refreshToken !== account.refreshToken
-					) {
-						account.refreshToken = cached.refreshToken;
-						state.storageChanged = true;
-					}
 					if (
 						cached.accessToken &&
 						cached.accessToken !== account.accessToken
@@ -318,12 +317,23 @@ export async function runRuntimeAccountCheck(
 		state.storageChanged = true;
 	}
 
-	if (state.flaggedChanged) {
-		await deps.saveFlaggedAccounts(state.flaggedStorage);
-	}
-	if (state.storageChanged) {
-		await deps.saveAccounts(workingStorage);
+	const persistAccountAndFlaggedStorage =
+		deps.persistAccountAndFlaggedStorage;
+	const canPersistTogether =
+		state.flaggedChanged &&
+		state.storageChanged &&
+		typeof persistAccountAndFlaggedStorage === "function";
+	if (canPersistTogether) {
+		await persistAccountAndFlaggedStorage(workingStorage, state.flaggedStorage);
 		deps.invalidateAccountManagerCache();
+	} else {
+		if (state.flaggedChanged) {
+			await deps.saveFlaggedAccounts(state.flaggedStorage);
+		}
+		if (state.storageChanged) {
+			await deps.saveAccounts(workingStorage);
+			deps.invalidateAccountManagerCache();
+		}
 	}
 
 	deps.showLine("");

lib/runtime/verify-flagged.ts

@@ -43,6 +43,14 @@ export async function verifyRuntimeFlaggedAccounts(deps: {
 		results: Array<TokenSuccessWithAccount<SuccessfulAccountTokens>>,
 		replaceAll?: boolean,
 	) => Promise<void>;
+	persistAccountsAndFlagged?: (
+		results: Array<TokenSuccessWithAccount<SuccessfulAccountTokens>>,
+		flaggedStorage: {
+			version: 1;
+			accounts: FlaggedAccountMetadataV1[];
+		},
+		replaceAll?: boolean,
+	) => Promise<void>;
 	invalidateAccountManagerCache: () => void;
 	saveFlaggedAccounts: (storage: {
 		version: 1;
@@ -78,26 +86,28 @@ export async function verifyRuntimeFlaggedAccounts(deps: {
 				const refreshToken =
 					typeof cached.refreshToken === "string" && cached.refreshToken.trim()
 						? cached.refreshToken.trim()
-						: flagged.refreshToken;
-				const resolved = deps.resolveTokenSuccessAccount({
-					type: "success",
-					access: cached.accessToken,
-					refresh: refreshToken,
-					expires: cached.expiresAt,
-					multiAccount: true,
-				});
-				if (!resolved.accountIdOverride && flagged.accountId) {
-					resolved.accountIdOverride = flagged.accountId;
-					resolved.accountIdSource = flagged.accountIdSource ?? "manual";
+						: undefined;
+				if (refreshToken) {
+					const resolved = deps.resolveTokenSuccessAccount({
+						type: "success",
+						access: cached.accessToken,
+						refresh: refreshToken,
+						expires: cached.expiresAt,
+						multiAccount: true,
+					});
+					if (!resolved.accountIdOverride && flagged.accountId) {
+						resolved.accountIdOverride = flagged.accountId;
+						resolved.accountIdSource = flagged.accountIdSource ?? "manual";
+					}
+					if (!resolved.accountLabel && flagged.accountLabel) {
+						resolved.accountLabel = flagged.accountLabel;
+					}
+					state.restored.push(resolved);
+					deps.showLine(
+						`[${i + 1}/${flaggedStorage.accounts.length}] ${label}: RESTORED (Codex CLI cache)`,
+					);
+					continue;
 				}
-				if (!resolved.accountLabel && flagged.accountLabel) {
-					resolved.accountLabel = flagged.accountLabel;
-				}
-				state.restored.push(resolved);
-				deps.showLine(
-					`[${i + 1}/${flaggedStorage.accounts.length}] ${label}: RESTORED (Codex CLI cache)`,
-				);
-				continue;
 			}
 
 			const refreshResult = await deps.queuedRefresh(flagged.refreshToken);
@@ -134,16 +144,21 @@ export async function verifyRuntimeFlaggedAccounts(deps: {
 		}
 	}
 
-	if (state.restored.length > 0) {
-		await deps.persistAccounts(state.restored, false);
+	const nextFlaggedStorage = {
+		version: 1 as const,
+		accounts: state.remaining,
+	};
+	if (state.restored.length > 0 && deps.persistAccountsAndFlagged) {
+		await deps.persistAccountsAndFlagged(state.restored, nextFlaggedStorage, false);
 		deps.invalidateAccountManagerCache();
+	} else {
+		if (state.restored.length > 0) {
+			await deps.persistAccounts(state.restored, false);
+			deps.invalidateAccountManagerCache();
+		}
+		await deps.saveFlaggedAccounts(nextFlaggedStorage);
 	}
 
-	await deps.saveFlaggedAccounts({
-		version: 1,
-		accounts: state.remaining,
-	});
-
 	deps.showLine("");
 	deps.showLine(
 		`Results: ${state.restored.length} restored, ${state.remaining.length} still flagged`,

test/index.test.ts

@@ -156,6 +156,7 @@ vi.mock("../lib/logger.js", () => ({
 	logInfo: vi.fn(),
 	logWarn: vi.fn(),
 	logError: vi.fn(),
+	maskEmail: vi.fn((email: string) => email),
 	setCorrelationId: vi.fn(() => "test-correlation-id"),
 	clearCorrelationId: vi.fn(),
 	createLogger: vi.fn(() => ({
@@ -333,6 +334,7 @@ const withAccountStorageTransactionMock = vi.fn(
 		return nextRun;
 	},
 );
+const withAccountAndFlaggedStorageTransactionMock = vi.fn();
 
 const syncCodexCliSelectionMock = vi.fn(async (_index: number) => {});
 
@@ -343,6 +345,8 @@ vi.mock("../lib/storage.js", async () => {
 		getStoragePath: () => "/mock/path/accounts.json",
 		loadAccounts: loadAccountsMock,
 		saveAccounts: saveAccountsMock,
+		withAccountAndFlaggedStorageTransaction:
+			withAccountAndFlaggedStorageTransactionMock,
 		withAccountStorageTransaction: withAccountStorageTransactionMock,
 		clearAccounts: clearAccountsMock,
 		setStoragePath: vi.fn(),
@@ -776,6 +780,82 @@ describe("OpenAIOAuthPlugin", () => {
 				expect.stringContaining("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"),
 			);
 		});
+
+		it("uses combined flagged persistence when verify-flagged restores from the login menu", async () => {
+			const cliModule = await import("../lib/cli.js");
+			const refreshQueueModule = await import("../lib/refresh-queue.js");
+			const storageModule = await import("../lib/storage.js");
+			const now = Date.now();
+			const flaggedStorage = {
+				version: 1 as const,
+				accounts: [
+					{
+						refreshToken: "flagged-refresh",
+						accountId: "flagged-account",
+						email: "flagged@example.com",
+						addedAt: now - 1_000,
+						lastUsed: now - 1_000,
+						flaggedAt: now - 5_000,
+					},
+				],
+			};
+			let loadFlaggedCallCount = 0;
+
+			vi.mocked(cliModule.promptLoginMode)
+				.mockResolvedValueOnce({ mode: "verify-flagged" } as never)
+				.mockResolvedValueOnce({ mode: "cancel" } as never);
+			vi.mocked(refreshQueueModule.queuedRefresh).mockResolvedValueOnce({
+				type: "success",
+				access: "restored-access",
+				refresh: "restored-refresh",
+				expires: now + 60_000,
+			});
+			vi.mocked(storageModule.loadFlaggedAccounts).mockImplementation(async () => {
+				loadFlaggedCallCount += 1;
+				return loadFlaggedCallCount <= 2
+					? flaggedStorage
+					: { version: 1, accounts: [] };
+			});
+			withAccountAndFlaggedStorageTransactionMock.mockImplementationOnce(
+				async (handler) =>
+					handler(
+						{
+							version: 3,
+							accounts: mockStorage.accounts.map((account) =>
+								cloneMockAccount(account),
+							),
+							activeIndex: mockStorage.activeIndex,
+							activeIndexByFamily: { ...mockStorage.activeIndexByFamily },
+						},
+						async (storage, nextFlaggedStorage) => {
+							await saveAccountsMock(storage);
+							await vi.mocked(storageModule.saveFlaggedAccounts)(
+								nextFlaggedStorage,
+							);
+						},
+						flaggedStorage,
+					),
+			);
+
+			const autoMethod = plugin.auth.methods[0] as unknown as {
+				authorize: () => Promise<unknown>;
+			};
+			await autoMethod.authorize();
+
+			expect(withAccountAndFlaggedStorageTransactionMock).toHaveBeenCalledTimes(1);
+			expect(mockStorage.accounts).toEqual(
+				expect.arrayContaining([
+					expect.objectContaining({
+						refreshToken: "restored-refresh",
+						accessToken: "restored-access",
+					}),
+				]),
+			);
+			expect(vi.mocked(storageModule.saveFlaggedAccounts)).toHaveBeenCalledWith({
+				version: 1,
+				accounts: [],
+			});
+		});
 	});
 
 	describe("event handler", () => {