Skip to content

fix(agents-login): codex login --device-auth + parse its one-time code#738

Merged
ExtraToast merged 1 commit into
mainfrom
fix/codex-login-device-auth
Jun 26, 2026
Merged

fix(agents-login): codex login --device-auth + parse its one-time code#738
ExtraToast merged 1 commit into
mainfrom
fix/codex-login-device-auth

Conversation

@ExtraToast

Copy link
Copy Markdown
Owner

What was broken

Codex sign-in on the credentials page failed immediately with "CLI reported a login failure". Worker logs showed the Codex PTY exiting with code 2 ~130 ms after spawn.

Root cause

The worker spawned codex login --device. Codex 0.141.0 (the version pinned in the worker image) renamed that flag to --device-auth; clap rejected the unknown argument, printed error: unexpected argument '--device' and exited 2. The worker's failure detector (error:) matched and reported the login failure.

Correcting the flag surfaced a second mismatch. codex login --device-auth prints:

2. Enter this one-time code (expires in 15 minutes)
   8PGY-109RY

The keyword ("one-time code") and the code are on separate lines with prose between them. The device-code parser expected the code immediately after a device code / user code / code: keyword, so it would not have extracted the code even with the right flag — the card would show the verification URL but never the code, and the flow would stall in starting.

Fix

  • codex login --device-auth (verified against @openai/codex@0.141.0 login --help).
  • DEVICE_CODE_PATTERN now recognises the "one-time code" wording, spans prose/newlines between the keyword and the code (bounded), and uses a digit lookahead (hyphen-aware) so it locks onto the real code (8PGY-109RY) rather than nearby words like "expires". The verification-URL pattern already matched auth.openai.com.

Codex device-auth writes auth.json and exits 0 on approval, which the worker's clean-exit path already finalizes.

Validation

Captured the real --device-auth output from @openai/codex@0.141.0 and added a parse test for it; the existing WXYZ-1234 / AB12CD device-code tests still pass. Worker suite green (92/92), typecheck clean.

…me code

Codex sign-in failed instantly with "CLI reported a login failure". The
worker spawned `codex login --device`, but Codex 0.141.0 renamed the flag to
`--device-auth`; clap rejected the unknown argument and exited 2, and the
worker's failure detector matched the "error:" output.

Correcting the flag exposed a second mismatch: 0.141 prints "Enter this
one-time code (expires in 15 minutes)" with the code on the following line,
so the device-code parser — which expected the code immediately after a
"device code"/"code:" keyword — never extracted it. The pattern now spans
prose and newlines between the keyword and the code, recognises the
"one-time code" wording, and uses a digit lookahead so it locks onto the
real code rather than surrounding words.
@ExtraToast ExtraToast added the bug Something isn't working label Jun 26, 2026
@ExtraToast ExtraToast self-assigned this Jun 26, 2026
@ExtraToast ExtraToast merged commit 5ad1336 into main Jun 26, 2026
22 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant