Merge pull request #4 from icebear0828/feat/native-oauth

feat: native OAuth PKCE login with localhost:1455 redirect

config/default.yaml

@@ -19,9 +19,12 @@ auth:
   refresh_margin_seconds: 300
   rotation_strategy: "least_used"
   rate_limit_backoff_seconds: 60
+  oauth_client_id: "app_EMoamEEZ73f0CkXaXp7hrann"
+  oauth_auth_endpoint: "https://auth.openai.com/oauth/authorize"
+  oauth_token_endpoint: "https://auth.openai.com/oauth/token"
 
 server:
-  host: "0.0.0.0"
+  host: "::"
   port: 8080
   proxy_api_key: null
 

public/dashboard.html

@@ -233,6 +233,78 @@
       font-size: 0.8rem;
       margin-top: 0.5rem;
     }
+    .paste-section {
+      display: none;
+      margin-top: 1rem;
+      background: #0d1117;
+      border: 1px solid #30363d;
+      border-radius: 8px;
+      padding: 1rem;
+    }
+    .paste-section label {
+      display: block;
+      font-size: 0.82rem;
+      color: #8b949e;
+      margin-bottom: 0.5rem;
+    }
+    .paste-section textarea {
+      width: 100%;
+      padding: 8px;
+      background: #161b22;
+      border: 1px solid #30363d;
+      border-radius: 6px;
+      color: #c9d1d9;
+      font-family: monospace;
+      font-size: 0.8rem;
+      resize: vertical;
+      min-height: 60px;
+      margin-bottom: 0.5rem;
+    }
+    .paste-section textarea:focus {
+      outline: none;
+      border-color: #58a6ff;
+    }
+    .paste-section .hint {
+      font-size: 0.75rem;
+      color: #484f58;
+      margin-bottom: 0.75rem;
+      line-height: 1.4;
+    }
+    .btn-device {
+      display: inline-flex;
+      align-items: center;
+      gap: 0.5rem;
+      padding: 8px 16px;
+      background: #21262d;
+      border: 1px solid #30363d;
+      border-radius: 8px;
+      color: #c9d1d9;
+      cursor: pointer;
+      font-size: 0.85rem;
+      font-weight: 500;
+      margin-top: 0.5rem;
+    }
+    .btn-device:hover { background: #30363d; }
+    .btn-device:disabled { opacity: 0.5; cursor: not-allowed; }
+    .device-code-panel {
+      background: #0d1117;
+      border: 1px solid #30363d;
+      border-radius: 8px;
+      padding: 1.25rem;
+      text-align: center;
+      margin-top: 0.75rem;
+      display: none;
+    }
+    .device-code-panel .code-display {
+      font-family: monospace;
+      font-size: 1.6rem;
+      font-weight: 700;
+      color: #58a6ff;
+      letter-spacing: 0.1em;
+      margin: 0.5rem 0;
+    }
+    .device-code-panel a { color: #3fb950; font-size: 0.85rem; }
+    .device-code-panel .wait-text { color: #8b949e; font-size: 0.8rem; margin-top: 0.5rem; }
     .spinner {
       display: inline-block;
       width: 14px;
@@ -266,9 +338,33 @@
       <h2>Accounts</h2>
       <div id="accountList" class="loading">Loading accounts...</div>
       <div class="add-account-section">
-        <button class="btn-login" id="loginBtn" onclick="startLogin()">Add Account via ChatGPT Login</button>
-        <div class="login-info" id="loginInfo" style="display:none"></div>
-        <div class="login-error" id="loginError" style="display:none"></div>
+        <button class="btn-login" id="addAccountBtn" onclick="startAddAccount()">Add Account via ChatGPT Login</button>
+        <div class="login-info" id="addInfo" style="display:none"></div>
+        <div class="login-error" id="addError" style="display:none"></div>
+        <div class="paste-section" id="addPasteSection">
+          <div class="hint">
+            If the popup shows an error or you're on a different machine,
+            copy the full URL from the popup's address bar and paste it here.
+          </div>
+          <label>Paste the callback URL</label>
+          <textarea id="addCallbackInput" placeholder="http://localhost:54321/auth/callback?code=...&state=..."></textarea>
+          <button class="btn-login" id="addRelayBtn" onclick="submitAddRelay()" style="font-size:0.8rem;padding:6px 14px">Submit</button>
+        </div>
+
+        <div style="display:flex;gap:0.5rem;flex-wrap:wrap;margin-top:0.75rem">
+          <button class="btn-device" id="dashDeviceBtn" onclick="dashStartDeviceCode()">Device Code Login</button>
+          <button class="btn-device" id="dashCliBtn" onclick="dashImportCli()">Import CLI Token</button>
+        </div>
+        <div class="device-code-panel" id="dashDevicePanel">
+          <div style="color:#8b949e;font-size:0.82rem">Enter this code at:</div>
+          <a id="dashVerifyLink" href="#" target="_blank" rel="noopener"></a>
+          <div class="code-display" id="dashUserCode"></div>
+          <div class="wait-text" id="dashDeviceStatus"><span class="spinner"></span> Waiting for authorization...</div>
+          <div class="login-error" id="dashDeviceError" style="display:none"></div>
+          <div class="login-info" id="dashDeviceSuccess" style="display:none"></div>
+        </div>
+        <div class="login-error" id="dashCliError" style="display:none"></div>
+        <div class="login-info" id="dashCliSuccess" style="display:none"></div>
       </div>
     </div>
 
@@ -331,6 +427,19 @@ Loading...
   <script>
     let authData = null;
 
+    // Listen for postMessage from OAuth callback popup (cross-port communication)
+    window.addEventListener('message', async (event) => {
+      if (event.data?.type === 'oauth-callback-success') {
+        if (addPollTimer) clearInterval(addPollTimer);
+        document.getElementById('addPasteSection').style.display = 'none';
+        const infoEl = document.getElementById('addInfo');
+        infoEl.textContent = 'Account added successfully!';
+        infoEl.style.display = 'block';
+        await loadAccounts();
+        await loadStatus();
+      }
+    });
+
     function statusClass(status) {
       const map = {
         active: 'status-ok',
@@ -403,98 +512,6 @@ Loading...
       container.innerHTML = html;
     }
 
-    let loginPolling = false;
-    let knownAccountIds = new Set();
-
-    async function startLogin() {
-      const btn = document.getElementById('loginBtn');
-      const infoEl = document.getElementById('loginInfo');
-      const errorEl = document.getElementById('loginError');
-
-      btn.disabled = true;
-      btn.innerHTML = '<span class="spinner"></span> Connecting to Codex CLI...';
-      infoEl.style.display = 'none';
-      errorEl.style.display = 'none';
-
-      // Snapshot current account IDs so we can detect the new one
-      try {
-        const resp = await fetch('/auth/accounts');
-        const data = await resp.json();
-        knownAccountIds = new Set((data.accounts || []).map(a => a.id));
-      } catch {}
-
-      try {
-        const resp = await fetch('/auth/accounts/login');
-        const data = await resp.json();
-
-        if (data.error) {
-          errorEl.textContent = data.error;
-          errorEl.style.display = 'block';
-          btn.disabled = false;
-          btn.innerHTML = 'Add Account via ChatGPT Login';
-          return;
-        }
-
-        if (data.authUrl) {
-          window.open(data.authUrl, '_blank');
-          btn.innerHTML = '<span class="spinner"></span> Waiting for login...';
-          infoEl.textContent = 'A new tab has been opened. Complete the ChatGPT login there.';
-          infoEl.style.display = 'block';
-          startLoginPolling();
-        }
-      } catch (err) {
-        errorEl.textContent = 'Network error: ' + err.message;
-        errorEl.style.display = 'block';
-        btn.disabled = false;
-        btn.innerHTML = 'Add Account via ChatGPT Login';
-      }
-    }
-
-    function startLoginPolling() {
-      if (loginPolling) return;
-      loginPolling = true;
-
-      const poll = async () => {
-        if (!loginPolling) return;
-        try {
-          const resp = await fetch('/auth/accounts');
-          const data = await resp.json();
-          const accounts = data.accounts || [];
-          const newAccount = accounts.find(a => !knownAccountIds.has(a.id));
-
-          if (newAccount) {
-            loginPolling = false;
-            const btn = document.getElementById('loginBtn');
-            const infoEl = document.getElementById('loginInfo');
-            btn.disabled = false;
-            btn.innerHTML = 'Add Account via ChatGPT Login';
-            infoEl.textContent = 'Account added: ' + (newAccount.email || newAccount.id);
-            infoEl.style.display = 'block';
-            await loadAccounts();
-            await loadStatus();
-            setTimeout(() => { infoEl.style.display = 'none'; }, 4000);
-            return;
-          }
-        } catch {}
-        if (loginPolling) setTimeout(poll, 2000);
-      };
-
-      poll();
-
-      // Timeout after 5 minutes
-      setTimeout(() => {
-        if (loginPolling) {
-          loginPolling = false;
-          const btn = document.getElementById('loginBtn');
-          btn.disabled = false;
-          btn.innerHTML = 'Add Account via ChatGPT Login';
-          document.getElementById('loginInfo').style.display = 'none';
-          document.getElementById('loginError').textContent = 'Login timed out. Please try again.';
-          document.getElementById('loginError').style.display = 'block';
-        }
-      }, 5 * 60 * 1000);
-    }
-
     async function deleteAccount(id) {
       if (!confirm('Remove this account?')) return;
 
@@ -644,6 +661,210 @@ for await (const chunk of stream) {
       window.location.href = '/';
     }
 
+    let addPollTimer = null;
+
+    async function startAddAccount() {
+      const btn = document.getElementById('addAccountBtn');
+      const infoEl = document.getElementById('addInfo');
+      const errEl = document.getElementById('addError');
+      infoEl.style.display = 'none';
+      errEl.style.display = 'none';
+      btn.disabled = true;
+      btn.textContent = 'Opening login...';
+
+      try {
+        const resp = await fetch('/auth/login-start', { method: 'POST' });
+        const data = await resp.json();
+
+        if (!resp.ok || !data.authUrl) {
+          throw new Error(data.error || 'Failed to start login');
+        }
+
+        window.open(data.authUrl, 'oauth_add', 'width=600,height=700,scrollbars=yes');
+
+        document.getElementById('addPasteSection').style.display = 'block';
+        btn.textContent = 'Add Account via ChatGPT Login';
+        btn.disabled = false;
+
+        // Poll for new account (callback server handles same-machine)
+        if (addPollTimer) clearInterval(addPollTimer);
+        const prevCount = (await fetch('/auth/accounts').then(r => r.json())).accounts?.length || 0;
+        addPollTimer = setInterval(async () => {
+          try {
+            const r = await fetch('/auth/accounts');
+            const d = await r.json();
+            if ((d.accounts?.length || 0) > prevCount) {
+              clearInterval(addPollTimer);
+              document.getElementById('addPasteSection').style.display = 'none';
+              infoEl.textContent = 'Account added successfully!';
+              infoEl.style.display = 'block';
+              await loadAccounts();
+              await loadStatus();
+            }
+          } catch {}
+        }, 2000);
+        setTimeout(() => { if (addPollTimer) clearInterval(addPollTimer); }, 5 * 60 * 1000);
+
+      } catch (err) {
+        btn.textContent = 'Add Account via ChatGPT Login';
+        btn.disabled = false;
+        errEl.textContent = err.message;
+        errEl.style.display = 'block';
+      }
+    }
+
+    async function submitAddRelay() {
+      const callbackUrl = document.getElementById('addCallbackInput').value.trim();
+      const infoEl = document.getElementById('addInfo');
+      const errEl = document.getElementById('addError');
+      infoEl.style.display = 'none';
+      errEl.style.display = 'none';
+
+      if (!callbackUrl) {
+        errEl.textContent = 'Please paste the callback URL';
+        errEl.style.display = 'block';
+        return;
+      }
+
+      const btn = document.getElementById('addRelayBtn');
+      btn.disabled = true;
+      btn.textContent = 'Exchanging...';
+
+      try {
+        const resp = await fetch('/auth/code-relay', {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ callbackUrl }),
+        });
+        const data = await resp.json();
+
+        if (resp.ok && data.success) {
+          if (addPollTimer) clearInterval(addPollTimer);
+          document.getElementById('addPasteSection').style.display = 'none';
+          document.getElementById('addCallbackInput').value = '';
+          infoEl.textContent = 'Account added successfully!';
+          infoEl.style.display = 'block';
+          await loadAccounts();
+          await loadStatus();
+        } else {
+          errEl.textContent = data.error || 'Failed to exchange code';
+          errEl.style.display = 'block';
+        }
+      } catch (err) {
+        errEl.textContent = 'Network error: ' + err.message;
+        errEl.style.display = 'block';
+      } finally {
+        btn.textContent = 'Submit';
+        btn.disabled = false;
+      }
+    }
+
+    // ── Device Code Flow (dashboard) ─────────────────
+    let dashDevicePollTimer = null;
+
+    async function dashStartDeviceCode() {
+      const btn = document.getElementById('dashDeviceBtn');
+      const panel = document.getElementById('dashDevicePanel');
+      const errEl = document.getElementById('dashDeviceError');
+      const successEl = document.getElementById('dashDeviceSuccess');
+      const statusEl = document.getElementById('dashDeviceStatus');
+      errEl.style.display = 'none';
+      successEl.style.display = 'none';
+
+      btn.disabled = true;
+      btn.textContent = 'Requesting code...';
+
+      try {
+        const resp = await fetch('/auth/device-login', { method: 'POST' });
+        const data = await resp.json();
+
+        if (!resp.ok || !data.userCode) {
+          throw new Error(data.error || 'Failed to request device code');
+        }
+
+        panel.style.display = 'block';
+        document.getElementById('dashUserCode').textContent = data.userCode;
+        const link = document.getElementById('dashVerifyLink');
+        link.href = data.verificationUriComplete || data.verificationUri;
+        link.textContent = data.verificationUri;
+        statusEl.innerHTML = '<span class="spinner"></span> Waiting for authorization...';
+
+        btn.textContent = 'Device Code Login';
+        btn.disabled = false;
+
+        const interval = (data.interval || 5) * 1000;
+        const deviceCode = data.deviceCode;
+        if (dashDevicePollTimer) clearInterval(dashDevicePollTimer);
+
+        dashDevicePollTimer = setInterval(async () => {
+          try {
+            const pollResp = await fetch('/auth/device-poll/' + encodeURIComponent(deviceCode));
+            const pollData = await pollResp.json();
+
+            if (pollData.success) {
+              clearInterval(dashDevicePollTimer);
+              statusEl.innerHTML = '';
+              successEl.textContent = 'Account added successfully!';
+              successEl.style.display = 'block';
+              panel.style.display = 'none';
+              await loadAccounts();
+              await loadStatus();
+            } else if (pollData.error) {
+              clearInterval(dashDevicePollTimer);
+              statusEl.innerHTML = '';
+              errEl.textContent = pollData.error;
+              errEl.style.display = 'block';
+            }
+          } catch {}
+        }, interval);
+
+        setTimeout(() => {
+          if (dashDevicePollTimer) {
+            clearInterval(dashDevicePollTimer);
+            statusEl.textContent = 'Code expired. Please try again.';
+          }
+        }, (data.expiresIn || 900) * 1000);
+
+      } catch (err) {
+        btn.textContent = 'Device Code Login';
+        btn.disabled = false;
+        errEl.textContent = err.message;
+        errEl.style.display = 'block';
+      }
+    }
+
+    // ── CLI Token Import (dashboard) ─────────────────
+    async function dashImportCli() {
+      const btn = document.getElementById('dashCliBtn');
+      const errEl = document.getElementById('dashCliError');
+      const successEl = document.getElementById('dashCliSuccess');
+      errEl.style.display = 'none';
+      successEl.style.display = 'none';
+      btn.disabled = true;
+      btn.textContent = 'Importing...';
+
+      try {
+        const resp = await fetch('/auth/import-cli', { method: 'POST' });
+        const data = await resp.json();
+
+        if (resp.ok && data.success) {
+          successEl.textContent = 'CLI token imported!';
+          successEl.style.display = 'block';
+          await loadAccounts();
+          await loadStatus();
+        } else {
+          errEl.textContent = data.error || 'Failed to import CLI token';
+          errEl.style.display = 'block';
+        }
+      } catch (err) {
+        errEl.textContent = 'Network error: ' + err.message;
+        errEl.style.display = 'block';
+      } finally {
+        btn.textContent = 'Import CLI Token';
+        btn.disabled = false;
+      }
+    }
+
     loadStatus();
     loadAccounts();
   </script>

public/login.html

@@ -61,9 +61,8 @@
       background: #2ea043;
     }
     .btn-primary:disabled {
-      background: #1a5e28;
+      opacity: 0.5;
       cursor: not-allowed;
-      opacity: 0.7;
     }
     .divider {
       text-align: center;
@@ -117,18 +116,75 @@
       margin-top: 0.5rem;
       display: none;
     }
-    .info {
-      color: #58a6ff;
-      font-size: 0.85rem;
-      margin-top: 0.5rem;
-      display: none;
-    }
     .help {
       margin-top: 1rem;
       font-size: 0.8rem;
       color: #484f58;
       line-height: 1.5;
     }
+    #pasteSection {
+      display: none;
+    }
+    .paste-instructions {
+      background: #0d1117;
+      border: 1px solid #30363d;
+      border-radius: 6px;
+      padding: 0.75rem;
+      margin-bottom: 1rem;
+      font-size: 0.82rem;
+      line-height: 1.5;
+      color: #8b949e;
+    }
+    .paste-instructions strong {
+      color: #c9d1d9;
+    }
+    .paste-instructions ol {
+      margin: 0.5rem 0 0 1.2rem;
+    }
+    .btn-secondary {
+      display: block;
+      width: 100%;
+      padding: 12px 16px;
+      border: 1px solid #30363d;
+      border-radius: 8px;
+      background: #21262d;
+      color: #c9d1d9;
+      font-size: 1rem;
+      font-weight: 500;
+      cursor: pointer;
+      text-align: center;
+      transition: background 0.2s;
+    }
+    .btn-secondary:hover { background: #30363d; }
+    .btn-secondary:disabled { opacity: 0.5; cursor: not-allowed; }
+    .device-code-box {
+      background: #0d1117;
+      border: 1px solid #30363d;
+      border-radius: 8px;
+      padding: 1.5rem;
+      text-align: center;
+      margin-top: 1rem;
+      display: none;
+    }
+    .device-code-box .user-code {
+      font-family: monospace;
+      font-size: 2rem;
+      font-weight: 700;
+      color: #58a6ff;
+      letter-spacing: 0.15em;
+      margin: 0.75rem 0;
+    }
+    .device-code-box .verify-link {
+      color: #3fb950;
+      text-decoration: none;
+      font-size: 0.9rem;
+    }
+    .device-code-box .verify-link:hover { text-decoration: underline; }
+    .device-code-box .status-text {
+      color: #8b949e;
+      font-size: 0.82rem;
+      margin-top: 0.75rem;
+    }
     .spinner {
       display: inline-block;
       width: 14px;
@@ -140,9 +196,7 @@
       vertical-align: middle;
       margin-right: 6px;
     }
-    @keyframes spin {
-      to { transform: rotate(360deg); }
-    }
+    @keyframes spin { to { transform: rotate(360deg); } }
   </style>
 </head>
 <body>
@@ -152,11 +206,51 @@
       <p>OpenAI-compatible API for Codex Desktop</p>
     </div>
     <div class="card">
-      <button class="btn btn-primary" id="oauthBtn" onclick="startOAuth()">
+      <button class="btn btn-primary" id="loginBtn" onclick="startLogin()">
         Login with ChatGPT
       </button>
-      <div class="info" id="oauthInfo"></div>
-      <div class="error" id="oauthError"></div>
+
+      <div id="pasteSection">
+        <div class="paste-instructions">
+          <strong>Remote login:</strong> If the popup shows an error or you're on a different machine:
+          <ol>
+            <li>Complete login in the popup</li>
+            <li>Copy the full URL from the popup's address bar<br>(starts with <code>http://localhost:...</code>)</li>
+            <li>Paste it below and click Submit</li>
+          </ol>
+        </div>
+        <div class="input-group">
+          <label>Paste the callback URL here</label>
+          <textarea id="callbackInput" placeholder="http://localhost:54321/auth/callback?code=...&state=..."></textarea>
+        </div>
+        <button class="btn btn-primary" id="relayBtn" onclick="submitRelay()">
+          Submit Callback URL
+        </button>
+        <div class="error" id="relayError"></div>
+        <div class="success" id="relaySuccess"></div>
+      </div>
+
+      <div class="divider">or</div>
+
+      <button class="btn btn-primary" id="deviceCodeBtn" onclick="startDeviceCode()">
+        Sign in with Device Code
+      </button>
+      <div class="device-code-box" id="deviceCodeBox">
+        <div style="color:#8b949e;font-size:0.85rem">Enter this code at:</div>
+        <a class="verify-link" id="deviceVerifyLink" href="#" target="_blank" rel="noopener"></a>
+        <div class="user-code" id="deviceUserCode"></div>
+        <div class="status-text" id="deviceStatus"><span class="spinner"></span> Waiting for authorization...</div>
+        <div class="error" id="deviceError"></div>
+        <div class="success" id="deviceSuccess"></div>
+      </div>
+
+      <div style="margin-top:0.75rem">
+        <button class="btn-secondary" id="cliImportBtn" onclick="importCli()">
+          Import CLI Token (~/.codex/auth.json)
+        </button>
+        <div class="error" id="cliError"></div>
+        <div class="success" id="cliSuccess"></div>
+      </div>
 
       <div class="divider">or</div>
 
@@ -180,92 +274,219 @@
   </div>
 
   <script>
-    let polling = false;
+    let pollTimer = null;
 
-    async function startOAuth() {
-      const btn = document.getElementById('oauthBtn');
-      const infoEl = document.getElementById('oauthInfo');
-      const errorEl = document.getElementById('oauthError');
+    // Listen for postMessage from OAuth callback popup (cross-port communication)
+    window.addEventListener('message', (event) => {
+      if (event.data?.type === 'oauth-callback-success') {
+        if (pollTimer) clearInterval(pollTimer);
+        window.location.href = '/';
+      }
+    });
 
+    async function startLogin() {
+      const btn = document.getElementById('loginBtn');
       btn.disabled = true;
-      btn.innerHTML = '<span class="spinner"></span>Connecting to Codex CLI...';
-      infoEl.style.display = 'none';
-      errorEl.style.display = 'none';
+      btn.innerHTML = '<span class="spinner"></span> Opening login...';
 
       try {
-        const resp = await fetch('/auth/login');
+        const resp = await fetch('/auth/login-start', { method: 'POST' });
         const data = await resp.json();
 
-        if (data.authenticated) {
-          window.location.href = '/';
-          return;
+        if (!resp.ok || !data.authUrl) {
+          throw new Error(data.error || 'Failed to start login');
         }
 
-        if (data.error) {
-          errorEl.textContent = data.error;
-          errorEl.style.display = 'block';
-          btn.disabled = false;
-          btn.textContent = 'Login with ChatGPT';
-          return;
-        }
+        // Open Auth0 in popup
+        const popup = window.open(data.authUrl, 'oauth_login', 'width=600,height=700,scrollbars=yes');
 
-        if (data.authUrl) {
-          // Open Auth0 login in new tab
-          window.open(data.authUrl, '_blank');
+        // Show paste section
+        document.getElementById('pasteSection').style.display = 'block';
+        btn.innerHTML = 'Login with ChatGPT';
+        btn.disabled = false;
 
-          btn.innerHTML = '<span class="spinner"></span>Waiting for login...';
-          infoEl.textContent = 'A new tab has been opened for ChatGPT login. Complete the login there, then this page will update automatically.';
-          infoEl.style.display = 'block';
+        // Poll auth status — if callback server handles it, we auto-redirect
+        startPolling();
 
-          // Start polling for auth completion
-          startPolling();
-        }
       } catch (err) {
-        errorEl.textContent = 'Network error: ' + err.message;
-        errorEl.style.display = 'block';
+        btn.innerHTML = 'Login with ChatGPT';
         btn.disabled = false;
-        btn.textContent = 'Login with ChatGPT';
+        const errEl = document.getElementById('relayError');
+        errEl.textContent = err.message;
+        errEl.style.display = 'block';
+        document.getElementById('pasteSection').style.display = 'block';
       }
     }
 
     function startPolling() {
-      if (polling) return;
-      polling = true;
-
-      const poll = async () => {
-        if (!polling) return;
+      if (pollTimer) clearInterval(pollTimer);
+      pollTimer = setInterval(async () => {
         try {
           const resp = await fetch('/auth/status');
           const data = await resp.json();
           if (data.authenticated) {
-            polling = false;
-            document.getElementById('oauthInfo').textContent = 'Login successful! Redirecting...';
-            document.getElementById('oauthInfo').style.display = 'block';
-            setTimeout(() => window.location.href = '/', 500);
-            return;
+            clearInterval(pollTimer);
+            window.location.href = '/';
           }
-        } catch {
-          // ignore polling errors
+        } catch {}
+      }, 2000);
+
+      // Stop polling after 5 minutes
+      setTimeout(() => {
+        if (pollTimer) clearInterval(pollTimer);
+      }, 5 * 60 * 1000);
+    }
+
+    async function submitRelay() {
+      const callbackUrl = document.getElementById('callbackInput').value.trim();
+      const errEl = document.getElementById('relayError');
+      const successEl = document.getElementById('relaySuccess');
+      errEl.style.display = 'none';
+      successEl.style.display = 'none';
+
+      if (!callbackUrl) {
+        errEl.textContent = 'Please paste the callback URL';
+        errEl.style.display = 'block';
+        return;
+      }
+
+      const btn = document.getElementById('relayBtn');
+      btn.disabled = true;
+      btn.innerHTML = '<span class="spinner"></span> Exchanging...';
+
+      try {
+        const resp = await fetch('/auth/code-relay', {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ callbackUrl }),
+        });
+        const data = await resp.json();
+
+        if (resp.ok && data.success) {
+          successEl.textContent = 'Login successful! Redirecting...';
+          successEl.style.display = 'block';
+          if (pollTimer) clearInterval(pollTimer);
+          setTimeout(() => window.location.href = '/', 1000);
+        } else {
+          errEl.textContent = data.error || 'Failed to exchange code';
+          errEl.style.display = 'block';
         }
-        if (polling) {
-          setTimeout(poll, 2000);
+      } catch (err) {
+        errEl.textContent = 'Network error: ' + err.message;
+        errEl.style.display = 'block';
+      } finally {
+        btn.innerHTML = 'Submit Callback URL';
+        btn.disabled = false;
+      }
+    }
+
+    // ── Device Code Flow ──────────────────────────────
+    let devicePollTimer = null;
+
+    async function startDeviceCode() {
+      const btn = document.getElementById('deviceCodeBtn');
+      const box = document.getElementById('deviceCodeBox');
+      const errEl = document.getElementById('deviceError');
+      const successEl = document.getElementById('deviceSuccess');
+      const statusEl = document.getElementById('deviceStatus');
+      errEl.style.display = 'none';
+      successEl.style.display = 'none';
+
+      btn.disabled = true;
+      btn.innerHTML = '<span class="spinner"></span> Requesting code...';
+
+      try {
+        const resp = await fetch('/auth/device-login', { method: 'POST' });
+        const data = await resp.json();
+
+        if (!resp.ok || !data.userCode) {
+          throw new Error(data.error || 'Failed to request device code');
         }
-      };
 
-      poll();
+        // Show the code box
+        box.style.display = 'block';
+        document.getElementById('deviceUserCode').textContent = data.userCode;
+        const link = document.getElementById('deviceVerifyLink');
+        link.href = data.verificationUriComplete || data.verificationUri;
+        link.textContent = data.verificationUri;
+        statusEl.innerHTML = '<span class="spinner"></span> Waiting for authorization...';
 
-      // Stop polling after 5 minutes
-      setTimeout(() => {
-        if (polling) {
-          polling = false;
-          const btn = document.getElementById('oauthBtn');
-          btn.disabled = false;
-          btn.textContent = 'Login with ChatGPT';
-          document.getElementById('oauthInfo').style.display = 'none';
-          document.getElementById('oauthError').textContent = 'Login timed out. Please try again.';
-          document.getElementById('oauthError').style.display = 'block';
+        btn.innerHTML = 'Sign in with Device Code';
+        btn.disabled = false;
+
+        // Start polling
+        const interval = (data.interval || 5) * 1000;
+        const deviceCode = data.deviceCode;
+        if (devicePollTimer) clearInterval(devicePollTimer);
+
+        devicePollTimer = setInterval(async () => {
+          try {
+            const pollResp = await fetch('/auth/device-poll/' + encodeURIComponent(deviceCode));
+            const pollData = await pollResp.json();
+
+            if (pollData.success) {
+              clearInterval(devicePollTimer);
+              statusEl.innerHTML = '';
+              successEl.textContent = 'Login successful! Redirecting...';
+              successEl.style.display = 'block';
+              if (pollTimer) clearInterval(pollTimer);
+              setTimeout(() => window.location.href = '/', 1000);
+            } else if (pollData.error) {
+              clearInterval(devicePollTimer);
+              statusEl.innerHTML = '';
+              errEl.textContent = pollData.error;
+              errEl.style.display = 'block';
+            }
+            // if pollData.pending, keep polling
+          } catch {}
+        }, interval);
+
+        // Stop after expiry
+        setTimeout(() => {
+          if (devicePollTimer) {
+            clearInterval(devicePollTimer);
+            statusEl.textContent = 'Code expired. Please try again.';
+          }
+        }, (data.expiresIn || 900) * 1000);
+
+      } catch (err) {
+        btn.innerHTML = 'Sign in with Device Code';
+        btn.disabled = false;
+        errEl.textContent = err.message;
+        errEl.style.display = 'block';
+      }
+    }
+
+    // ── CLI Token Import ─────────────────────────────
+    async function importCli() {
+      const btn = document.getElementById('cliImportBtn');
+      const errEl = document.getElementById('cliError');
+      const successEl = document.getElementById('cliSuccess');
+      errEl.style.display = 'none';
+      successEl.style.display = 'none';
+      btn.disabled = true;
+      btn.textContent = 'Importing...';
+
+      try {
+        const resp = await fetch('/auth/import-cli', { method: 'POST' });
+        const data = await resp.json();
+
+        if (resp.ok && data.success) {
+          successEl.textContent = 'CLI token imported! Redirecting...';
+          successEl.style.display = 'block';
+          if (pollTimer) clearInterval(pollTimer);
+          setTimeout(() => window.location.href = '/', 1000);
+        } else {
+          errEl.textContent = data.error || 'Failed to import CLI token';
+          errEl.style.display = 'block';
         }
-      }, 5 * 60 * 1000);
+      } catch (err) {
+        errEl.textContent = 'Network error: ' + err.message;
+        errEl.style.display = 'block';
+      } finally {
+        btn.textContent = 'Import CLI Token (~/.codex/auth.json)';
+        btn.disabled = false;
+      }
     }
 
     async function submitToken() {

src/auth/account-pool.ts

@@ -141,7 +141,7 @@ export class AccountPool {
    * Add an account from a raw JWT token. Returns the entry ID.
    * Deduplicates by accountId.
    */
-  addAccount(token: string): string {
+  addAccount(token: string, refreshToken?: string | null): string {
     const accountId = extractChatGptAccountId(token);
     const profile = extractUserProfile(token);
 
@@ -151,6 +151,9 @@ export class AccountPool {
         if (existing.accountId === accountId) {
           // Update the existing entry's token
           existing.token = token;
+          if (refreshToken !== undefined) {
+            existing.refreshToken = refreshToken ?? null;
+          }
           existing.email = profile?.email ?? existing.email;
           existing.planType = profile?.chatgpt_plan_type ?? existing.planType;
           existing.status = isTokenExpired(token) ? "expired" : "active";
@@ -164,6 +167,7 @@ export class AccountPool {
     const entry: AccountEntry = {
       id,
       token,
+      refreshToken: refreshToken ?? null,
       email: profile?.email ?? null,
       accountId,
       planType: profile?.chatgpt_plan_type ?? null,
@@ -194,11 +198,14 @@ export class AccountPool {
   /**
    * Update an account's token (used by refresh scheduler).
    */
-  updateToken(entryId: string, newToken: string): void {
+  updateToken(entryId: string, newToken: string, refreshToken?: string | null): void {
     const entry = this.accounts.get(entryId);
     if (!entry) return;
 
     entry.token = newToken;
+    if (refreshToken !== undefined) {
+      entry.refreshToken = refreshToken ?? null;
+    }
     const profile = extractUserProfile(newToken);
     entry.email = profile?.email ?? entry.email;
     entry.planType = profile?.chatgpt_plan_type ?? entry.planType;
@@ -436,6 +443,7 @@ export class AccountPool {
       const entry: AccountEntry = {
         id,
         token: data.token,
+        refreshToken: null,
         email: data.userInfo?.email ?? null,
         accountId: accountId,
         planType: data.userInfo?.planType ?? null,

src/auth/chatgpt-oauth.ts

@@ -1,404 +1,11 @@
-import { spawn, type ChildProcess } from "child_process";
-import { getConfig } from "../config.js";
 import {
   decodeJwtPayload,
   extractChatGptAccountId,
   isTokenExpired,
 } from "./jwt-utils.js";
 
-export interface OAuthResult {
-  success: boolean;
-  token?: string;
-  error?: string;
-}
-
-const INIT_REQUEST_ID = "__codex-desktop_initialize__";
-
-/**
- * Approach 1: Login via Codex CLI subprocess (JSON-RPC over stdio).
- * Spawns `codex app-server` and uses JSON-RPC to initiate OAuth.
- *
- * Flow:
- *   1. Spawn `codex app-server`
- *   2. Send `initialize` handshake (required before any other request)
- *   3. Send `account/login/start` with type "chatgpt"
- *   4. CLI returns an Auth0 authUrl and starts a local callback server
- *   5. User completes OAuth in browser
- *   6. CLI sends `account/login/completed` notification with token
- */
-export async function loginViaCli(): Promise<{
-  authUrl: string;
-  waitForCompletion: () => Promise<OAuthResult>;
-}> {
-  const { command, args } = await resolveCliCommand();
-
-  return new Promise((resolveOuter, rejectOuter) => {
-    const child = spawn(command, args, {
-      stdio: ["pipe", "pipe", "pipe"],
-      ...SPAWN_OPTS,
-    });
-
-    let buffer = "";
-    let rpcId = 1;
-    let authUrl = "";
-    let initialized = false;
-    let outerResolved = false;
-    let awaitingAuthStatus = false;
-    const AUTH_STATUS_ID = "__get_auth_status__";
-
-    // Resolvers for the completion promise (token received)
-    let resolveCompletion: (result: OAuthResult) => void;
-    const completionPromise = new Promise<OAuthResult>((res) => {
-      resolveCompletion = res;
-    });
-
-    const sendRpc = (
-      method: string,
-      params: Record<string, unknown> = {},
-      id?: string | number,
-    ) => {
-      const msgId = id ?? rpcId++;
-      const msg = JSON.stringify({
-        jsonrpc: "2.0",
-        id: msgId,
-        method,
-        params,
-      });
-      child.stdin.write(msg + "\n");
-    };
-
-    // Kill child on completion timeout (5 minutes)
-    const killTimer = setTimeout(() => {
-      if (!outerResolved) {
-        rejectOuter(new Error("OAuth flow timed out (5 minutes)"));
-      }
-      resolveCompletion({
-        success: false,
-        error: "OAuth flow timed out",
-      });
-      child.kill();
-    }, 5 * 60 * 1000);
-
-    const cleanup = () => {
-      clearTimeout(killTimer);
-    };
-
-    child.stdout.on("data", (chunk: Buffer) => {
-      buffer += chunk.toString("utf8");
-      const lines = buffer.split("\n");
-      buffer = lines.pop()!;
-
-      for (const line of lines) {
-        if (!line.trim()) continue;
-        try {
-          const msg = JSON.parse(line);
-
-          // Response to initialize request
-          if (msg.id === INIT_REQUEST_ID && !initialized) {
-            if (msg.error) {
-              const errMsg =
-                msg.error.message ?? "Failed to initialize app-server";
-              cleanup();
-              rejectOuter(new Error(errMsg));
-              resolveCompletion({ success: false, error: errMsg });
-              child.kill();
-              return;
-            }
-            initialized = true;
-            console.log(
-              "[OAuth] Codex app-server initialized:",
-              msg.result?.userAgent ?? "unknown",
-            );
-            // Now send the login request
-            sendRpc("account/login/start", { type: "chatgpt" });
-            continue;
-          }
-
-          // Response to account/login/start
-          if (msg.result && msg.result.authUrl && !outerResolved) {
-            authUrl = msg.result.authUrl;
-            outerResolved = true;
-            console.log(
-              "[OAuth] Auth URL received, loginId:",
-              msg.result.loginId,
-            );
-            resolveOuter({
-              authUrl,
-              waitForCompletion: () => completionPromise,
-            });
-            continue;
-          }
-
-          // Notification: login completed — need to fetch token via getAuthStatus
-          if (msg.method === "account/login/completed" && msg.params) {
-            const { success, error: loginError } = msg.params;
-            console.log("[OAuth] Login completed, success:", success);
-            if (success) {
-              // Login succeeded but the notification doesn't include the token.
-              // We must request it via getAuthStatus.
-              awaitingAuthStatus = true;
-              sendRpc(
-                "getAuthStatus",
-                { includeToken: true, refreshToken: false },
-                AUTH_STATUS_ID,
-              );
-            } else {
-              cleanup();
-              resolveCompletion({
-                success: false,
-                error: loginError ?? "Login failed",
-              });
-              child.kill();
-            }
-            continue;
-          }
-
-          // Response to getAuthStatus — extract the token
-          if (msg.id === AUTH_STATUS_ID && awaitingAuthStatus) {
-            awaitingAuthStatus = false;
-            cleanup();
-            if (msg.error) {
-              resolveCompletion({
-                success: false,
-                error: msg.error.message ?? "Failed to get auth status",
-              });
-            } else {
-              const authToken = msg.result?.authToken ?? null;
-              if (typeof authToken === "string") {
-                console.log("[OAuth] Token received successfully");
-                resolveCompletion({ success: true, token: authToken });
-              } else {
-                resolveCompletion({
-                  success: false,
-                  error: "getAuthStatus returned no token",
-                });
-              }
-            }
-            // Give CLI a moment to clean up, then kill
-            setTimeout(() => child.kill(), 1000);
-            continue;
-          }
-
-          // Notification: account/updated (auth status changed)
-          if (msg.method === "account/updated" && msg.params) {
-            console.log("[OAuth] Account updated:", msg.params.authMode);
-            // If we haven't requested auth status yet and auth mode is set,
-            // this might be our signal to fetch the token
-            if (!awaitingAuthStatus && msg.params.authMode === "chatgpt") {
-              awaitingAuthStatus = true;
-              sendRpc(
-                "getAuthStatus",
-                { includeToken: true, refreshToken: false },
-                AUTH_STATUS_ID,
-              );
-            }
-            continue;
-          }
-
-          // Error response (to our login request)
-          if (msg.error && msg.id !== INIT_REQUEST_ID) {
-            const errMsg = msg.error.message ?? "Unknown JSON-RPC error";
-            cleanup();
-            if (!outerResolved) {
-              outerResolved = true;
-              rejectOuter(new Error(errMsg));
-            }
-            resolveCompletion({ success: false, error: errMsg });
-            child.kill();
-          }
-        } catch {
-          // Skip non-JSON lines (stderr leak, log output, etc.)
-        }
-      }
-    });
-
-    child.stderr?.on("data", (chunk: Buffer) => {
-      const text = chunk.toString("utf8").trim();
-      if (text) {
-        console.log("[OAuth CLI stderr]", text);
-      }
-    });
-
-    child.on("error", (err) => {
-      const msg = `Failed to spawn Codex CLI: ${err.message}`;
-      cleanup();
-      if (!outerResolved) {
-        outerResolved = true;
-        rejectOuter(new Error(msg));
-      }
-      resolveCompletion({ success: false, error: msg });
-    });
-
-    child.on("close", (code) => {
-      cleanup();
-      if (!outerResolved) {
-        outerResolved = true;
-        rejectOuter(
-          new Error(
-            `Codex CLI exited with code ${code} before returning authUrl`,
-          ),
-        );
-      }
-      resolveCompletion({
-        success: false,
-        error: `Codex CLI exited with code ${code}`,
-      });
-    });
-
-    // Step 1: Send the initialize handshake
-    const config = getConfig();
-    const originator = config.client.originator;
-    sendRpc(
-      "initialize",
-      {
-        clientInfo: {
-          name: originator,
-          title: originator,
-          version: config.client.app_version,
-        },
-      },
-      INIT_REQUEST_ID,
-    );
-  });
-}
-
-/**
- * Refresh an existing token via Codex CLI (JSON-RPC).
- * Spawns `codex app-server`, sends `initialize`, then `getAuthStatus` with refreshToken: true.
- * Returns the new token string, or throws on failure.
- */
-export async function refreshTokenViaCli(): Promise<string> {
-  const { command, args } = await resolveCliCommand();
-
-  return new Promise((resolve, reject) => {
-    const child = spawn(command, args, {
-      stdio: ["pipe", "pipe", "pipe"],
-      ...SPAWN_OPTS,
-    });
-
-    let buffer = "";
-    const AUTH_STATUS_ID = "__refresh_auth_status__";
-    let initialized = false;
-    let settled = false;
-
-    const killTimer = setTimeout(() => {
-      if (!settled) {
-        settled = true;
-        reject(new Error("Token refresh timed out (30s)"));
-      }
-      child.kill();
-    }, 30_000);
-
-    const cleanup = () => {
-      clearTimeout(killTimer);
-    };
-
-    const sendRpc = (
-      method: string,
-      params: Record<string, unknown> = {},
-      id?: string | number,
-    ) => {
-      const msg = JSON.stringify({
-        jsonrpc: "2.0",
-        id: id ?? 1,
-        method,
-        params,
-      });
-      child.stdin.write(msg + "\n");
-    };
-
-    child.stdout.on("data", (chunk: Buffer) => {
-      buffer += chunk.toString("utf8");
-      const lines = buffer.split("\n");
-      buffer = lines.pop()!;
-
-      for (const line of lines) {
-        if (!line.trim()) continue;
-        try {
-          const msg = JSON.parse(line);
-
-          // Response to initialize
-          if (msg.id === INIT_REQUEST_ID && !initialized) {
-            if (msg.error) {
-              cleanup();
-              settled = true;
-              reject(new Error(msg.error.message ?? "Init failed"));
-              child.kill();
-              return;
-            }
-            initialized = true;
-            // Request auth status with refresh
-            sendRpc(
-              "getAuthStatus",
-              { includeToken: true, refreshToken: true },
-              AUTH_STATUS_ID,
-            );
-            continue;
-          }
-
-          // Response to getAuthStatus
-          if (msg.id === AUTH_STATUS_ID) {
-            cleanup();
-            if (msg.error) {
-              settled = true;
-              reject(new Error(msg.error.message ?? "getAuthStatus failed"));
-            } else {
-              const authToken = msg.result?.authToken ?? null;
-              if (typeof authToken === "string") {
-                settled = true;
-                resolve(authToken);
-              } else {
-                settled = true;
-                reject(new Error("getAuthStatus returned no token"));
-              }
-            }
-            setTimeout(() => child.kill(), 500);
-            continue;
-          }
-        } catch {
-          // skip non-JSON
-        }
-      }
-    });
-
-    child.stderr?.on("data", () => {});
-
-    child.on("error", (err) => {
-      cleanup();
-      if (!settled) {
-        settled = true;
-        reject(new Error(`Failed to spawn Codex CLI: ${err.message}`));
-      }
-    });
-
-    child.on("close", (code) => {
-      cleanup();
-      if (!settled) {
-        settled = true;
-        reject(new Error(`Codex CLI exited with code ${code} during refresh`));
-      }
-    });
-
-    // Send initialize
-    const config = getConfig();
-    const originator = config.client.originator;
-    sendRpc(
-      "initialize",
-      {
-        clientInfo: {
-          name: originator,
-          title: originator,
-          version: config.client.app_version,
-        },
-      },
-      INIT_REQUEST_ID,
-    );
-  });
-}
-
 /**
- * Approach 2: Manual token paste (fallback).
- * Validates a JWT token provided directly by the user.
+ * Validate a manually-pasted JWT token.
  */
 export function validateManualToken(token: string): {
   valid: boolean;
@@ -428,46 +35,3 @@ export function validateManualToken(token: string): {
 
   return { valid: true };
 }
-
-/**
- * Check if the Codex CLI is available on the system.
- */
-export async function isCodexCliAvailable(): Promise<boolean> {
-  try {
-    await resolveCliCommand();
-    return true;
-  } catch {
-    return false;
-  }
-}
-
-// --- private helpers ---
-
-// On Windows, npm-installed binaries (.cmd scripts) require shell: true
-const IS_WINDOWS = process.platform === "win32";
-const SPAWN_OPTS = IS_WINDOWS ? { shell: true as const } : {};
-
-interface CliCommand {
-  command: string;
-  args: string[];
-}
-
-async function resolveCliCommand(): Promise<CliCommand> {
-  // Try `codex` directly first
-  if (await testCli("codex", ["--version"])) {
-    return { command: "codex", args: ["app-server"] };
-  }
-  // Fall back to `npx codex`
-  if (await testCli("npx", ["codex", "--version"])) {
-    return { command: "npx", args: ["codex", "app-server"] };
-  }
-  throw new Error("Neither 'codex' nor 'npx codex' found in PATH");
-}
-
-function testCli(command: string, args: string[]): Promise<boolean> {
-  return new Promise((resolve) => {
-    const child = spawn(command, args, { stdio: "ignore", ...SPAWN_OPTS });
-    child.on("error", () => resolve(false));
-    child.on("close", (code) => resolve(code === 0));
-  });
-}

src/auth/oauth-pkce.ts

@@ -0,0 +1,444 @@
+/**
+ * Native OAuth PKCE flow for Auth0/OpenAI authentication.
+ * Replaces the Codex CLI dependency for login and token refresh.
+ */
+
+import { randomBytes, createHash } from "crypto";
+import { createServer, type Server } from "http";
+import { readFileSync, existsSync } from "fs";
+import { resolve } from "path";
+import { homedir } from "os";
+import { getConfig } from "../config.js";
+
+export interface PKCEChallenge {
+  codeVerifier: string;
+  codeChallenge: string;
+}
+
+export interface TokenResponse {
+  access_token: string;
+  refresh_token?: string;
+  id_token?: string;
+  token_type: string;
+  expires_in?: number;
+}
+
+export interface DeviceCodeResponse {
+  device_code: string;
+  user_code: string;
+  verification_uri: string;
+  verification_uri_complete: string;
+  expires_in: number;
+  interval: number;
+}
+
+interface PendingSession {
+  codeVerifier: string;
+  redirectUri: string;
+  returnHost: string;
+  source: "login" | "dashboard";
+  createdAt: number;
+}
+
+/** In-memory store for pending OAuth sessions, keyed by `state`. */
+const pendingSessions = new Map<string, PendingSession>();
+
+// Clean up expired sessions every 60 seconds
+const SESSION_TTL_MS = 5 * 60 * 1000; // 5 minutes
+setInterval(() => {
+  const now = Date.now();
+  for (const [state, session] of pendingSessions) {
+    if (now - session.createdAt > SESSION_TTL_MS) {
+      pendingSessions.delete(state);
+    }
+  }
+}, 60_000).unref();
+
+/**
+ * Generate a PKCE code_verifier + code_challenge (S256).
+ */
+export function generatePKCE(): PKCEChallenge {
+  const codeVerifier = randomBytes(32)
+    .toString("base64url")
+    .replace(/[^a-zA-Z0-9\-._~]/g, "")
+    .slice(0, 128);
+
+  const codeChallenge = createHash("sha256")
+    .update(codeVerifier)
+    .digest("base64url");
+
+  return { codeVerifier, codeChallenge };
+}
+
+/**
+ * Build the Auth0 authorization URL for the PKCE flow.
+ */
+export function buildAuthUrl(
+  redirectUri: string,
+  state: string,
+  codeChallenge: string,
+): string {
+  const config = getConfig();
+  // Build query string manually — OpenAI's auth server requires %20 for spaces,
+  // but URLSearchParams encodes spaces as '+' which causes AuthApiFailure.
+  const params: Record<string, string> = {
+    response_type: "code",
+    client_id: config.auth.oauth_client_id,
+    redirect_uri: redirectUri,
+    scope: "openid profile email offline_access",
+    code_challenge: codeChallenge,
+    code_challenge_method: "S256",
+    id_token_add_organizations: "true",
+    codex_cli_simplified_flow: "true",
+    state,
+    originator: "codex_cli_rs",
+  };
+  const qs = Object.entries(params)
+    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
+    .join("&");
+
+  const url = `${config.auth.oauth_auth_endpoint}?${qs}`;
+  console.log(`[OAuth] Auth URL: ${url}`);
+  return url;
+}
+
+/**
+ * Exchange an authorization code for tokens.
+ */
+export async function exchangeCode(
+  code: string,
+  codeVerifier: string,
+  redirectUri: string,
+): Promise<TokenResponse> {
+  const config = getConfig();
+
+  const body = new URLSearchParams({
+    grant_type: "authorization_code",
+    client_id: config.auth.oauth_client_id,
+    code,
+    redirect_uri: redirectUri,
+    code_verifier: codeVerifier,
+  });
+
+  const resp = await fetch(config.auth.oauth_token_endpoint, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: body.toString(),
+  });
+
+  if (!resp.ok) {
+    const text = await resp.text();
+    throw new Error(`Token exchange failed (${resp.status}): ${text}`);
+  }
+
+  return resp.json() as Promise<TokenResponse>;
+}
+
+/**
+ * Refresh an access token using a refresh_token.
+ */
+export async function refreshAccessToken(
+  refreshToken: string,
+): Promise<TokenResponse> {
+  const config = getConfig();
+
+  const body = new URLSearchParams({
+    grant_type: "refresh_token",
+    client_id: config.auth.oauth_client_id,
+    refresh_token: refreshToken,
+  });
+
+  const resp = await fetch(config.auth.oauth_token_endpoint, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: body.toString(),
+  });
+
+  if (!resp.ok) {
+    const text = await resp.text();
+    throw new Error(`Token refresh failed (${resp.status}): ${text}`);
+  }
+
+  return resp.json() as Promise<TokenResponse>;
+}
+
+// ── Pending session management ─────────────────────────────────────
+
+/**
+ * OpenAI only whitelists http://localhost:1455/auth/callback for this client_id.
+ * The Codex CLI always uses this port — no fallback to random ports.
+ */
+const OAUTH_CALLBACK_PORT = 1455;
+
+/**
+ * Create and store a new pending OAuth session.
+ *
+ * The redirect_uri is always http://localhost:1455/auth/callback to match
+ * the Codex CLI and OpenAI's whitelist. The caller must start a callback
+ * server on port 1455 via `startCallbackServer()`.
+ */
+export function createOAuthSession(
+  originalHost: string,
+  source: "login" | "dashboard" = "login",
+): { state: string; authUrl: string; port: number } {
+  const { codeVerifier, codeChallenge } = generatePKCE();
+  const state = randomBytes(16).toString("hex");
+  const port = OAUTH_CALLBACK_PORT;
+
+  const redirectUri = `http://localhost:${port}/auth/callback`;
+
+  pendingSessions.set(state, {
+    codeVerifier,
+    redirectUri,
+    returnHost: originalHost,
+    source,
+    createdAt: Date.now(),
+  });
+
+  const authUrl = buildAuthUrl(redirectUri, state, codeChallenge);
+  return { state, authUrl, port };
+}
+
+/**
+ * Retrieve and consume a pending session by state.
+ * Returns null if not found or expired.
+ */
+export function consumeSession(
+  state: string,
+): PendingSession | null {
+  const session = pendingSessions.get(state);
+  if (!session) return null;
+
+  pendingSessions.delete(state);
+
+  // Check expiry
+  if (Date.now() - session.createdAt > SESSION_TTL_MS) {
+    return null;
+  }
+
+  return session;
+}
+
+// ── Temporary callback server ──────────────────────────────────────
+
+/** Track the active callback server so we can close it before starting a new one. */
+let activeCallbackServer: Server | null = null;
+
+/**
+ * Start a temporary HTTP server on 0.0.0.0:{port} that handles the OAuth
+ * callback (`/auth/callback`). Closes any previously active callback server
+ * first (since we always reuse port 1455).
+ *
+ * Auto-closes after 5 minutes or after a successful callback.
+ *
+ * @param port      The port from createOAuthSession() (always 1455)
+ * @param onAccount Called with (accessToken, refreshToken) on success
+ */
+export function startCallbackServer(
+  port: number,
+  onAccount: (accessToken: string, refreshToken: string | undefined) => void,
+): Server {
+  // Close any existing callback server on this port
+  if (activeCallbackServer) {
+    try { activeCallbackServer.close(); } catch {}
+    activeCallbackServer = null;
+  }
+
+  const server = createServer(async (req, res) => {
+    const url = new URL(req.url || "/", `http://localhost:${port}`);
+
+    if (url.pathname !== "/auth/callback") {
+      res.writeHead(404, { "Content-Type": "text/plain" });
+      res.end("Not found");
+      return;
+    }
+
+    const code = url.searchParams.get("code");
+    const state = url.searchParams.get("state");
+    const error = url.searchParams.get("error");
+    const errorDesc = url.searchParams.get("error_description");
+
+    if (error) {
+      res.writeHead(200, { "Content-Type": "text/html" });
+      res.end(callbackResultHtml(false, errorDesc || error));
+      scheduleClose();
+      return;
+    }
+
+    if (!code || !state) {
+      res.writeHead(400, { "Content-Type": "text/html" });
+      res.end(callbackResultHtml(false, "Missing code or state parameter"));
+      scheduleClose();
+      return;
+    }
+
+    const session = consumeSession(state);
+    if (!session) {
+      res.writeHead(400, { "Content-Type": "text/html" });
+      res.end(callbackResultHtml(false, "Invalid or expired session. Please try again."));
+      scheduleClose();
+      return;
+    }
+
+    try {
+      const tokens = await exchangeCode(code, session.codeVerifier, session.redirectUri);
+      onAccount(tokens.access_token, tokens.refresh_token);
+      console.log(`[OAuth] Callback server on port ${port} — login successful`);
+      res.writeHead(200, { "Content-Type": "text/html" });
+      res.end(callbackResultHtml(true));
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      console.error(`[OAuth] Callback server token exchange failed: ${msg}`);
+      res.writeHead(200, { "Content-Type": "text/html" });
+      res.end(callbackResultHtml(false, msg));
+    }
+
+    scheduleClose();
+  });
+
+  function scheduleClose() {
+    setTimeout(() => {
+      try { server.close(); } catch {}
+      if (activeCallbackServer === server) activeCallbackServer = null;
+    }, 2000);
+  }
+
+  server.on("error", (err: NodeJS.ErrnoException) => {
+    if (err.code === "EADDRINUSE") {
+      console.error(`[OAuth] Port ${port} is in use — callback server not started. Previous login session may still be active.`);
+    } else {
+      console.error(`[OAuth] Callback server error: ${err.message}`);
+    }
+  });
+
+  server.listen(port, "0.0.0.0");
+  activeCallbackServer = server;
+  console.log(`[OAuth] Temporary callback server started on port ${port}`);
+
+  // Auto-close after 5 minutes
+  const timeout = setTimeout(() => {
+    try { server.close(); } catch {}
+    if (activeCallbackServer === server) activeCallbackServer = null;
+    console.log(`[OAuth] Temporary callback server on port ${port} timed out`);
+  }, 5 * 60 * 1000);
+  timeout.unref();
+
+  server.on("close", () => {
+    clearTimeout(timeout);
+  });
+
+  return server;
+}
+
+// ── Device Code Flow (RFC 8628) ────────────────────────────────────
+
+/**
+ * Request a device code from Auth0/OpenAI.
+ */
+export async function requestDeviceCode(): Promise<DeviceCodeResponse> {
+  const config = getConfig();
+
+  const body = new URLSearchParams({
+    client_id: config.auth.oauth_client_id,
+    scope: "openid profile email offline_access",
+  });
+
+  const resp = await fetch("https://auth.openai.com/oauth/device/code", {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: body.toString(),
+  });
+
+  if (!resp.ok) {
+    const text = await resp.text();
+    throw new Error(`Device code request failed (${resp.status}): ${text}`);
+  }
+
+  return resp.json() as Promise<DeviceCodeResponse>;
+}
+
+/**
+ * Poll the token endpoint for a device code authorization.
+ * Returns tokens on success, or throws with "authorization_pending" / "slow_down" / other errors.
+ */
+export async function pollDeviceToken(deviceCode: string): Promise<TokenResponse> {
+  const config = getConfig();
+
+  const body = new URLSearchParams({
+    grant_type: "urn:ietf:params:oauth:grant-type:device_code",
+    device_code: deviceCode,
+    client_id: config.auth.oauth_client_id,
+  });
+
+  const resp = await fetch(config.auth.oauth_token_endpoint, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: body.toString(),
+  });
+
+  if (!resp.ok) {
+    const data = (await resp.json()) as { error?: string; error_description?: string };
+    const err = new Error(data.error_description || data.error || `Poll failed (${resp.status})`);
+    (err as any).code = data.error;
+    throw err;
+  }
+
+  return resp.json() as Promise<TokenResponse>;
+}
+
+// ── CLI Token Import ───────────────────────────────────────────────
+
+export interface CliAuthJson {
+  access_token?: string;
+  refresh_token?: string;
+  id_token?: string;
+  expires_at?: number;
+}
+
+/**
+ * Read and parse the Codex CLI auth.json file.
+ * Path: $CODEX_HOME/auth.json (default: ~/.codex/auth.json)
+ */
+export function importCliAuth(): CliAuthJson {
+  const codexHome = process.env.CODEX_HOME || resolve(homedir(), ".codex");
+  const authPath = resolve(codexHome, "auth.json");
+
+  if (!existsSync(authPath)) {
+    throw new Error(`CLI auth file not found: ${authPath}`);
+  }
+
+  const raw = readFileSync(authPath, "utf-8");
+  const data = JSON.parse(raw) as CliAuthJson;
+
+  if (!data.access_token) {
+    throw new Error("CLI auth.json does not contain access_token");
+  }
+
+  return data;
+}
+
+function callbackResultHtml(success: boolean, error?: string): string {
+  const esc = (s: string) =>
+    s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
+
+  if (success) {
+    return `<!DOCTYPE html><html><head><meta charset="UTF-8"><title>Login Successful</title>
+<style>body{font-family:-apple-system,sans-serif;background:#0d1117;color:#c9d1d9;display:flex;align-items:center;justify-content:center;min-height:100vh;margin:0}
+.card{background:#161b22;border:1px solid #30363d;border-radius:12px;padding:2rem;text-align:center;max-width:400px}
+h2{color:#3fb950;margin-bottom:1rem}</style></head>
+<body><div class="card"><h2>Login Successful</h2><p>You can close this window.</p></div>
+<script>
+if(window.opener){try{window.opener.postMessage({type:'oauth-callback-success'},'*')}catch(e){}}
+try{window.close()}catch{}
+</script></body></html>`;
+  }
+
+  return `<!DOCTYPE html><html><head><meta charset="UTF-8"><title>Login Failed</title>
+<style>body{font-family:-apple-system,sans-serif;background:#0d1117;color:#c9d1d9;display:flex;align-items:center;justify-content:center;min-height:100vh;margin:0}
+.card{background:#161b22;border:1px solid #30363d;border-radius:12px;padding:2rem;text-align:center;max-width:400px}
+h2{color:#f85149;margin-bottom:1rem}</style></head>
+<body><div class="card"><h2>Login Failed</h2><p>${esc(error || "Unknown error")}</p></div>
+<script>
+if(window.opener){try{window.opener.postMessage({type:'oauth-callback-error',error:${JSON.stringify(error || "Unknown error")}},'*')}catch(e){}}
+</script></body></html>`;
+}

src/auth/refresh-scheduler.ts

@@ -1,11 +1,12 @@
 /**
  * RefreshScheduler — per-account JWT auto-refresh.
  * Schedules a refresh at `exp - margin` for each account.
+ * Uses OAuth refresh_token instead of Codex CLI.
  */
 
 import { getConfig } from "../config.js";
 import { decodeJwtPayload } from "./jwt-utils.js";
-import { refreshTokenViaCli } from "./chatgpt-oauth.js";
+import { refreshAccessToken } from "./oauth-pkce.js";
 import type { AccountPool } from "./account-pool.js";
 
 export class RefreshScheduler {
@@ -83,16 +84,29 @@ export class RefreshScheduler {
     const entry = this.pool.getEntry(entryId);
     if (!entry) return;
 
+    if (!entry.refreshToken) {
+      console.warn(
+        `[RefreshScheduler] Account ${entryId} has no refresh_token, cannot auto-refresh`,
+      );
+      this.pool.markStatus(entryId, "expired");
+      return;
+    }
+
     console.log(`[RefreshScheduler] Refreshing account ${entryId} (${entry.email ?? "?"})`);
     this.pool.markStatus(entryId, "refreshing");
 
     const maxAttempts = 2;
     for (let attempt = 1; attempt <= maxAttempts; attempt++) {
       try {
-        const newToken = await refreshTokenViaCli();
-        this.pool.updateToken(entryId, newToken);
+        const tokens = await refreshAccessToken(entry.refreshToken);
+        // Update token and refresh_token (if a new one was issued)
+        this.pool.updateToken(
+          entryId,
+          tokens.access_token,
+          tokens.refresh_token,
+        );
         console.log(`[RefreshScheduler] Account ${entryId} refreshed successfully`);
-        this.scheduleOne(entryId, newToken);
+        this.scheduleOne(entryId, tokens.access_token);
         return;
       } catch (err) {
         const msg = err instanceof Error ? err.message : String(err);

src/auth/types.ts

@@ -20,6 +20,7 @@ export interface AccountUsage {
 export interface AccountEntry {
   id: string;
   token: string;
+  refreshToken: string | null;
   email: string | null;
   accountId: string | null;
   planType: string | null;

src/config.ts

@@ -25,6 +25,9 @@ const ConfigSchema = z.object({
     refresh_margin_seconds: z.number().default(300),
     rotation_strategy: z.enum(["least_used", "round_robin"]).default("least_used"),
     rate_limit_backoff_seconds: z.number().default(60),
+    oauth_client_id: z.string().default("app_EMoamEEZ73f0CkXaXp7hrann"),
+    oauth_auth_endpoint: z.string().default("https://auth.openai.com/oauth/authorize"),
+    oauth_token_endpoint: z.string().default("https://auth.openai.com/oauth/token"),
   }),
   server: z.object({
     host: z.string().default("0.0.0.0"),

src/index.ts

@@ -42,7 +42,7 @@ async function main() {
   app.use("*", errorHandler);
 
   // Mount routes
-  const authRoutes = createAuthRoutes(accountPool);
+  const authRoutes = createAuthRoutes(accountPool, refreshScheduler);
   const accountRoutes = createAccountRoutes(accountPool, refreshScheduler, cookieJar);
   const chatRoutes = createChatRoutes(accountPool, sessionManager, cookieJar);
   const webRoutes = createWebRoutes(accountPool);

src/routes/accounts.ts

@@ -16,7 +16,9 @@
 import { Hono } from "hono";
 import type { AccountPool } from "../auth/account-pool.js";
 import type { RefreshScheduler } from "../auth/refresh-scheduler.js";
-import { validateManualToken, isCodexCliAvailable, loginViaCli } from "../auth/chatgpt-oauth.js";
+import { validateManualToken } from "../auth/chatgpt-oauth.js";
+import { createOAuthSession, startCallbackServer } from "../auth/oauth-pkce.js";
+import { getConfig } from "../config.js";
 import { CodexApi } from "../proxy/codex-api.js";
 import type { CodexUsageResponse } from "../proxy/codex-api.js";
 import type { CodexQuota, AccountInfo } from "../auth/types.js";
@@ -56,36 +58,21 @@ export function createAccountRoutes(
     return new CodexApi(token, accountId, cookieJar, entryId);
   }
 
-  // Start OAuth flow to add a new account
-  app.get("/auth/accounts/login", async (c) => {
-    const cliAvailable = await isCodexCliAvailable();
-    if (!cliAvailable) {
-      return c.json(
-        { error: "Codex CLI not available. Please use manual token entry." },
-        503,
-      );
-    }
+  // Start OAuth flow to add a new account — 302 redirect to Auth0
+  app.get("/auth/accounts/login", (c) => {
+    const config = getConfig();
+    const originalHost = c.req.header("host") || `localhost:${config.server.port}`;
 
-    try {
-      const session = await loginViaCli();
-
-      // Background: wait for OAuth to complete, then add account to pool
-      session.waitForCompletion().then((result) => {
-        if (result.success && result.token) {
-          const entryId = pool.addAccount(result.token);
-          scheduler.scheduleOne(entryId, result.token);
-          console.log("[Accounts] OAuth login completed — new account added:", entryId);
-        } else {
-          console.error("[Accounts] OAuth login failed:", result.error);
-        }
-      });
+    const { authUrl, port } = createOAuthSession(originalHost, "dashboard");
 
-      return c.json({ authUrl: session.authUrl });
-    } catch (err) {
-      const msg = err instanceof Error ? err.message : String(err);
-      console.error("[Accounts] CLI OAuth failed:", msg);
-      return c.json({ error: msg }, 500);
-    }
+    // Start temporary callback server for same-machine callback
+    startCallbackServer(port, (accessToken, refreshToken) => {
+      const entryId = pool.addAccount(accessToken, refreshToken);
+      scheduler.scheduleOne(entryId, accessToken);
+      console.log(`[Auth] OAuth via callback server — account ${entryId} added`);
+    });
+
+    return c.redirect(authUrl);
   });
 
   // List all accounts (with optional ?quota=true)

src/routes/auth.ts

@@ -1,20 +1,24 @@
 import { Hono } from "hono";
 import type { AccountPool } from "../auth/account-pool.js";
+import type { RefreshScheduler } from "../auth/refresh-scheduler.js";
+import { validateManualToken } from "../auth/chatgpt-oauth.js";
+import { getConfig } from "../config.js";
 import {
-  isCodexCliAvailable,
-  loginViaCli,
-  validateManualToken,
-} from "../auth/chatgpt-oauth.js";
+  createOAuthSession,
+  consumeSession,
+  exchangeCode,
+  startCallbackServer,
+  requestDeviceCode,
+  pollDeviceToken,
+  importCliAuth,
+} from "../auth/oauth-pkce.js";
 
-export function createAuthRoutes(pool: AccountPool): Hono {
+export function createAuthRoutes(
+  pool: AccountPool,
+  scheduler: RefreshScheduler,
+): Hono {
   const app = new Hono();
 
-  // Pending OAuth session (one at a time)
-  let pendingOAuth: {
-    authUrl: string;
-    waitForCompletion: () => Promise<{ success: boolean; token?: string; error?: string }>;
-  } | null = null;
-
   // Auth status (JSON) — pool-level summary
   app.get("/auth/status", (c) => {
     const authenticated = pool.isAuthenticated();
@@ -29,39 +33,184 @@ export function createAuthRoutes(pool: AccountPool): Hono {
     });
   });
 
-  // Start OAuth login — returns JSON with authUrl instead of redirecting
-  app.get("/auth/login", async (c) => {
-    if (pool.isAuthenticated()) {
-      return c.json({ authenticated: true });
+  // Start OAuth login — 302 redirect to Auth0 (same-machine shortcut)
+  app.get("/auth/login", (c) => {
+    const config = getConfig();
+    const originalHost = c.req.header("host") || `localhost:${config.server.port}`;
+
+    const { authUrl, port } = createOAuthSession(originalHost, "login");
+
+    // Start temporary callback server for same-machine callback
+    startCallbackServer(port, (accessToken, refreshToken) => {
+      const entryId = pool.addAccount(accessToken, refreshToken);
+      scheduler.scheduleOne(entryId, accessToken);
+      console.log(`[Auth] OAuth via callback server — account ${entryId} added`);
+    });
+
+    return c.redirect(authUrl);
+  });
+
+  // POST /auth/login-start — returns { authUrl, state } for popup flow
+  app.post("/auth/login-start", (c) => {
+    const config = getConfig();
+    const originalHost = c.req.header("host") || `localhost:${config.server.port}`;
+
+    const { authUrl, state, port } = createOAuthSession(originalHost, "login");
+
+    // Start temporary callback server for same-machine callback
+    startCallbackServer(port, (accessToken, refreshToken) => {
+      const entryId = pool.addAccount(accessToken, refreshToken);
+      scheduler.scheduleOne(entryId, accessToken);
+      console.log(`[Auth] OAuth via callback server — account ${entryId} added`);
+    });
+
+    return c.json({ authUrl, state });
+  });
+
+  // POST /auth/code-relay — accepts { callbackUrl }, parses code+state, exchanges tokens
+  app.post("/auth/code-relay", async (c) => {
+    const body = await c.req.json<{ callbackUrl: string }>();
+    const callbackUrl = body.callbackUrl?.trim();
+
+    if (!callbackUrl) {
+      return c.json({ error: "callbackUrl is required" }, 400);
+    }
+
+    let url: URL;
+    try {
+      url = new URL(callbackUrl);
+    } catch {
+      return c.json({ error: "Invalid URL" }, 400);
+    }
+
+    const code = url.searchParams.get("code");
+    const state = url.searchParams.get("state");
+    const error = url.searchParams.get("error");
+
+    if (error) {
+      const desc = url.searchParams.get("error_description") || error;
+      return c.json({ error: `OAuth error: ${desc}` }, 400);
+    }
+
+    if (!code || !state) {
+      return c.json({ error: "URL must contain code and state parameters" }, 400);
+    }
+
+    const session = consumeSession(state);
+    if (!session) {
+      return c.json({ error: "Invalid or expired session. Please try again." }, 400);
+    }
+
+    try {
+      const tokens = await exchangeCode(code, session.codeVerifier, session.redirectUri);
+      const entryId = pool.addAccount(tokens.access_token, tokens.refresh_token);
+      scheduler.scheduleOne(entryId, tokens.access_token);
+
+      console.log(`[Auth] OAuth via code-relay — account ${entryId} added`);
+      return c.json({ success: true });
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      console.error("[Auth] Code relay token exchange failed:", msg);
+      return c.json({ error: `Token exchange failed: ${msg}` }, 500);
+    }
+  });
+
+  // OAuth callback — Auth0 redirects here after user login (legacy/fallback)
+  app.get("/auth/callback", async (c) => {
+    const code = c.req.query("code");
+    const state = c.req.query("state");
+    const error = c.req.query("error");
+    const errorDescription = c.req.query("error_description");
+
+    if (error) {
+      console.error(`[Auth] OAuth error: ${error} — ${errorDescription}`);
+      return c.html(errorPage(`OAuth error: ${errorDescription || error}`));
+    }
+
+    if (!code || !state) {
+      return c.html(errorPage("Missing code or state parameter"), 400);
     }
 
-    const cliAvailable = await isCodexCliAvailable();
-    if (!cliAvailable) {
-      return c.json(
-        { error: "Codex CLI not available. Please use manual token entry." },
-        503,
-      );
+    const session = consumeSession(state);
+    if (!session) {
+      return c.html(errorPage("Invalid or expired OAuth session. Please try again."), 400);
+    }
+
+    try {
+      const tokens = await exchangeCode(code, session.codeVerifier, session.redirectUri);
+      const entryId = pool.addAccount(tokens.access_token, tokens.refresh_token);
+      scheduler.scheduleOne(entryId, tokens.access_token);
+
+      console.log(`[Auth] OAuth login completed — account ${entryId} added`);
+
+      // Redirect back to the original host the user was browsing from
+      const returnUrl = `http://${session.returnHost}/`;
+      return c.redirect(returnUrl);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      console.error("[Auth] Token exchange failed:", msg);
+      return c.html(errorPage(`Token exchange failed: ${msg}`), 500);
     }
+  });
 
+  // ── Device Code Flow ────────────────────────────────────────────
+
+  // POST /auth/device-login — start device code flow
+  app.post("/auth/device-login", async (c) => {
     try {
-      const session = await loginViaCli();
-      pendingOAuth = session;
-
-      // Start background wait for completion
-      session.waitForCompletion().then((result) => {
-        if (result.success && result.token) {
-          pool.addAccount(result.token);
-          console.log("[Auth] OAuth login completed successfully");
-        } else {
-          console.error("[Auth] OAuth login failed:", result.error);
-        }
-        pendingOAuth = null;
+      const deviceResp = await requestDeviceCode();
+      console.log(`[Auth] Device code flow started — user_code: ${deviceResp.user_code}`);
+      return c.json({
+        userCode: deviceResp.user_code,
+        verificationUri: deviceResp.verification_uri,
+        verificationUriComplete: deviceResp.verification_uri_complete,
+        deviceCode: deviceResp.device_code,
+        expiresIn: deviceResp.expires_in,
+        interval: deviceResp.interval,
       });
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      console.error("[Auth] Device code request failed:", msg);
+      return c.json({ error: msg }, 500);
+    }
+  });
+
+  // GET /auth/device-poll/:deviceCode — poll for device code authorization
+  app.get("/auth/device-poll/:deviceCode", async (c) => {
+    const deviceCode = c.req.param("deviceCode");
+
+    try {
+      const tokens = await pollDeviceToken(deviceCode);
+      const entryId = pool.addAccount(tokens.access_token, tokens.refresh_token);
+      scheduler.scheduleOne(entryId, tokens.access_token);
+
+      console.log(`[Auth] Device code flow completed — account ${entryId} added`);
+      return c.json({ success: true });
+    } catch (err: any) {
+      const code = err.code || "unknown";
+      if (code === "authorization_pending" || code === "slow_down") {
+        return c.json({ pending: true, code });
+      }
+      const msg = err instanceof Error ? err.message : String(err);
+      console.error("[Auth] Device code poll failed:", msg);
+      return c.json({ error: msg }, 400);
+    }
+  });
+
+  // ── CLI Token Import ───────────────────────────────────────────
+
+  // POST /auth/import-cli — import token from Codex CLI auth.json
+  app.post("/auth/import-cli", async (c) => {
+    try {
+      const cliAuth = importCliAuth();
+      const entryId = pool.addAccount(cliAuth.access_token!, cliAuth.refresh_token);
+      scheduler.scheduleOne(entryId, cliAuth.access_token!);
 
-      return c.json({ authUrl: session.authUrl });
+      console.log(`[Auth] CLI token imported — account ${entryId} added`);
+      return c.json({ success: true });
     } catch (err) {
       const msg = err instanceof Error ? err.message : String(err);
-      console.error("[Auth] CLI OAuth failed:", msg);
+      console.error("[Auth] CLI import failed:", msg);
       return c.json({ error: msg }, 500);
     }
   });
@@ -82,7 +231,8 @@ export function createAuthRoutes(pool: AccountPool): Hono {
       return c.json({ error: validation.error });
     }
 
-    pool.addAccount(token);
+    const entryId = pool.addAccount(token);
+    scheduler.scheduleOne(entryId, token);
     return c.json({ success: true });
   });
 
@@ -94,3 +244,29 @@ export function createAuthRoutes(pool: AccountPool): Hono {
 
   return app;
 }
+
+function errorPage(message: string): string {
+  return `<!DOCTYPE html>
+<html><head><meta charset="UTF-8"><title>Login Error</title>
+<style>
+  body { font-family: -apple-system, sans-serif; background: #0d1117; color: #c9d1d9;
+    display: flex; align-items: center; justify-content: center; min-height: 100vh; }
+  .card { background: #161b22; border: 1px solid #30363d; border-radius: 12px;
+    padding: 2rem; max-width: 420px; text-align: center; }
+  h2 { color: #f85149; margin-bottom: 1rem; }
+  a { color: #58a6ff; }
+</style></head>
+<body><div class="card">
+  <h2>Login Failed</h2>
+  <p>${escapeHtml(message)}</p>
+  <p style="margin-top:1rem"><a href="/">Back to Home</a></p>
+</div></body></html>`;
+}
+
+function escapeHtml(str: string): string {
+  return str
+    .replace(/&/g, "&amp;")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;")
+    .replace(/"/g, "&quot;");
+}