fix: accept RT-exchanged tokens missing chatgpt_account_id claim

[xiaoliu10]

Summary

修复 Refresh Token 换取的 access token 缺少 chatgpt_account_id claim 时导入失败的问题。OpenAI RT exchange 返回的 access token 有时不携带 chatgpt_account_id，导致 validateManualToken 拒绝该 token，RT-only 导入无法完成。

Changes

• src/auth/jwt-utils.ts：新增 extractCodexTokenMetadata() 从 access_token + id_token 中提取 accountId / userId / email / planType，兼容 claim 在任一 token 中的情况
• src/services/account-import.ts：RT exchange 后用 extractCodexTokenMetadata 提取元数据传给 pool；新增 canAcceptRtExchangeToken() 允许缺少 chatgpt_account_id 但未过期的 RT 换取 token 通过验证；ImportDeps.refreshToken 返回类型增加 id_token
• src/auth/account-registry.ts：addAccount() 新增可选 metadata 参数，当 extractChatGptAccountId 返回 null 时回退到 metadata.accountId，email/planType 同理
• src/auth/account-pool.ts：透传 metadata 参数到 registry
• src/auth/oauth-pkce.ts：refreshAccessToken 返回类型增加 id_token 字段
• CHANGELOG.md：[Unreleased] → Fixed 补充条目
• 测试：jwt-utils.test.ts 补充 extractCodexTokenMetadata 用例；account-import.test.ts 补充 RT exchange 缺 claim 场景；accounts-import-export.test.ts / rt-reuse-race.test.ts 补齐 extractCodexTokenMetadata mock

Test Plan

• npm test — 251 files, 2452 passed, 1 skipped
• npx tsc --noEmit — zero errors

[xiaoliu10]

Closed because this PR was accidentally opened against the fork. Reopening against the upstream repository.

[Copilot]

Pull request overview

This PR improves RT-only account import robustness by tolerating RT-exchanged access tokens that sometimes omit the chatgpt_account_id claim, extracting needed metadata from either access_token or an accompanying id_token, and plumbing that metadata through the account creation flow.

Changes:

• Add extractCodexTokenMetadata() to derive accountId/userId/email/planType from access_token + optional id_token.
• Update RT-only import to use extracted metadata and to allow “missing chatgpt_account_id” validation failures when the exchanged token is still fresh.
• Extend account pool/registry APIs to accept optional metadata and add/adjust unit tests + changelog entry.

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
tests/unit/services/account-import.test.ts	Adds RT-exchange scenarios covering missing chatgpt_account_id in access_token, including fallback to id_token.
tests/unit/routes/accounts-import-export.test.ts	Updates jwt-utils mocks to include extractCodexTokenMetadata.
tests/unit/auth/rt-reuse-race.test.ts	Updates jwt-utils mocks to include extractCodexTokenMetadata.
tests/unit/auth/jwt-utils.test.ts	Adds unit test for extractCodexTokenMetadata fallback behavior.
src/services/account-import.ts	Extracts metadata from RT exchange results, passes it through to the pool, and relaxes validation for fresh RT-exchanged tokens missing chatgpt_account_id.
src/auth/oauth-pkce.ts	Adds explicit scope on refresh to encourage id_token return (openid).
src/auth/jwt-utils.ts	Introduces CodexTokenMetadata and extractCodexTokenMetadata() helper.
src/auth/account-registry.ts	Accepts optional metadata in addAccount() and uses it as fallback for account/user/email/plan fields.
src/auth/account-pool.ts	Plumbs optional metadata through to the registry.
CHANGELOG.md	Adds an “Unreleased → Fixed” entry for the RT-only import compatibility fix.

Comments suppressed due to low confidence (1)

src/services/account-import.ts:83

• The warmup hook still derives accountId only from extractChatGptAccountId(resolved.token). For RT-exchanged tokens missing chatgpt_account_id, you now have resolved.metadata?.accountId (possibly from id_token), but it won’t be used, so warmup (if enabled) will be called with a null accountId even when it’s known.

      const entryId = this.pool.addAccount(resolved.token, resolved.rt, resolved.metadata);
      this.scheduler.scheduleOne(entryId, resolved.token);

      if (entry.label) {
        this.pool.setLabel(entryId, entry.label);

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.