feat: implement browserless Codex API authentication flow including PKCE and Sentinel PoW.

2026-02-02 09:45:36 +08:00
parent a5407cdb25
commit 8fbafee79a
1 changed files with 19 additions and 13 deletions
--- a/backend/internal/auth/codex_api.go
+++ b/backend/internal/auth/codex_api.go
@@ -168,7 +168,11 @@ func (c *CodexAPIAuth) callSentinelReq(flow string) error {
 	body, _ := json.Marshal(payload)
 	req, _ := http.NewRequest("POST", "https://sentinel.openai.com/backend-api/sentinel/req", bytes.NewReader(body))
 	req.Header.Set("Content-Type", "application/json")
-	req.Header.Set("Accept", "application/json")
+	req.Header.Set("Accept", "*/*")
+	req.Header.Set("Origin", "https://auth.openai.com")
+	req.Header.Set("Sec-Fetch-Dest", "empty")
+	req.Header.Set("Sec-Fetch-Mode", "cors")
+	req.Header.Set("Sec-Fetch-Site", "cross-site")

 	resp, err := c.client.Do(req)
 	if err != nil {
@@ -238,6 +242,17 @@ func (c *CodexAPIAuth) logError(step AuthStep, format string, args ...interface{
 	}
 }

+// setAPIHeaders 设置 API 请求的通用头 (模拟 XHR 请求而非页面导航)
+func (c *CodexAPIAuth) setAPIHeaders(req *http.Request, referer string) {
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Accept", "*/*")
+	req.Header.Set("Origin", "https://auth.openai.com")
+	req.Header.Set("Referer", referer)
+	req.Header.Set("Sec-Fetch-Dest", "empty")
+	req.Header.Set("Sec-Fetch-Mode", "cors")
+	req.Header.Set("Sec-Fetch-Site", "same-origin")
+}
+
 // ObtainAuthorizationCode 获取授权码
 func (c *CodexAPIAuth) ObtainAuthorizationCode() (string, error) {
 	c.logStep(StepNavigate, "开始 Codex API 授权流程...")
@@ -292,10 +307,7 @@ func (c *CodexAPIAuth) ObtainAuthorizationCode() (string, error) {
 	emailBody, _ := json.Marshal(emailPayload)

 	req, _ = http.NewRequest("POST", "https://auth.openai.com/api/accounts/authorize/continue", bytes.NewReader(emailBody))
-	req.Header.Set("Content-Type", "application/json")
-	req.Header.Set("Accept", "application/json")
-	req.Header.Set("Origin", "https://auth.openai.com")
-	req.Header.Set("Referer", referer)
+	c.setAPIHeaders(req, referer)
 	req.Header.Set("OpenAI-Sentinel-Token", c.getSentinelHeader("authorize_continue"))

 	resp, err = c.client.Do(req)
@@ -330,10 +342,7 @@ func (c *CodexAPIAuth) ObtainAuthorizationCode() (string, error) {
 	pwdBody, _ := json.Marshal(pwdPayload)

 	req, _ = http.NewRequest("POST", "https://auth.openai.com/api/accounts/password/verify", bytes.NewReader(pwdBody))
-	req.Header.Set("Content-Type", "application/json")
-	req.Header.Set("Accept", "application/json")
-	req.Header.Set("Origin", "https://auth.openai.com")
-	req.Header.Set("Referer", referer)
+	c.setAPIHeaders(req, referer)
 	req.Header.Set("OpenAI-Sentinel-Token", c.getSentinelHeader("password_verify"))

 	resp, err = c.client.Do(req)
@@ -362,10 +371,7 @@ func (c *CodexAPIAuth) ObtainAuthorizationCode() (string, error) {
 	wsBody, _ := json.Marshal(wsPayload)

 	req, _ = http.NewRequest("POST", "https://auth.openai.com/api/accounts/workspace/select", bytes.NewReader(wsBody))
-	req.Header.Set("Content-Type", "application/json")
-	req.Header.Set("Accept", "application/json")
-	req.Header.Set("Origin", "https://auth.openai.com")
-	req.Header.Set("Referer", referer)
+	c.setAPIHeaders(req, referer)

 	resp, err = c.client.Do(req)
 	if err != nil {