[codex] Add auth JSON paste import

[hoangduy0308]

What changed

Adds a Paste JSON flow to the Auth Files page so users can create auth files without uploading a local file.

• Added a new AuthJsonPasteModal with auth type selection, file name validation, JSON textarea input, and save/error states.
• Added sessionAuthConverter to validate CPA auth JSON directly or convert ChatGPT Web session JSON into CPA Codex auth format.
• Added public-behavior tests for CPA passthrough, session conversion, invalid access token rejection, and safe default file names.
• Added localized UI strings for English, Russian, Simplified Chinese, and Traditional Chinese.
• Hardened auth file text saving so upload failures raise an error instead of being treated as success.

Why

Users may only have auth/session JSON copied from another source and should not need to create a temporary local file before importing it into CPA Manager.

Impact

The Auth Files page now has a Paste JSON action next to upload. CPA JSON is saved as-is after object validation. ChatGPT Web session JSON is converted into the CPA Codex auth shape before upload, including account identity, token fields, expiration, and a safe generated file name when the default name is used.

Validation

• npm test -- --run src/features/authFiles/sessionAuthConverter.test.ts
• npm run build

[seakee]

Thanks for the PR. The feature direction looks good, and the paste-based JSON import flow is useful.

I’d suggest a few changes before merging:

1. Please don’t synthesize an unsigned id_token with alg: none. If no real idToken exists, either omit id_token or reject the import with a clear error.

2. expired should not prefer the access token exp, since access tokens are often short-lived. Explicit session expiration fields should take priority.

3. Session detection seems a bit strict. Real session JSON may split token and user/profile data across different nested fields, so a root-level aggregation path would make this more robust.

4. CPA JSON passthrough should have minimal validation. Right now any object like { "foo": "bar" } could be saved as an auth file.

5. Please add a few edge-case tests for missing idToken, expiration priority, nested session/user structures, invalid CPA JSON, and malformed JWTs.

Also, GitHub flags hidden/bidirectional Unicode in some changed files, so please clean those up before merging.

Overall, I support the feature, but I’d request changes before merging.

[hoangduy0308]

Hi, I addressed the requested auth JSON paste/import fixes and updated the PR branch.

What changed:

• Removed unsigned/synthetic id_token generation.
• Explicit expiration fields now take precedence over JWT exp.
• Session import now supports split/nested token + user/account data.
• CPA passthrough validation is provider-aware, including recursive/nested credential containers.
• Malformed/unsafe auth JSON is rejected more defensively.
• Hidden/bidi Unicode is blocked for changed sources and pasted auth JSON.
• Save/upload now fails closed on backend reject, zero-upload, or partial failure responses.
• Paste UI prevents duplicate saves and blocks save while disconnected/disabled.

Verification run after squashing to one commit:

• npm test -- --run src/features/authFiles/sessionAuthConverter.test.ts src/features/authFiles/components/AuthJsonPasteModal.test.tsx src/features/authFiles/hooks/useAuthFilesData.test.ts src/pages/AuthFilesPage.authJsonPaste.test.tsx src/pages/AuthFilesPage.pasteIntegration.test.tsx src/services/api/authFiles.test.ts tests/repoSourceIntegrity.test.mjs
  • 7 files passed, 106 tests passed
• npm run type-check passed
• npm run lint passed
• npm run build passed

I also squashed the branch down to a single commit for easier review:
4234271 fix(auth-files): harden auth JSON import

Please review again. From my side, there are no known blocking issues for merge.

[seakee]

Thanks for the update. I rechecked the latest commit, and the implementation now addresses the main review points from my previous comment: no synthetic unsigned id_token, explicit expiration fields take priority, nested/split session JSON is handled, CPA JSON passthrough has validation, and the paste/save flow now has better failure handling and duplicate-save protection.

There are still two items to fix before merge:

1. The current Frontend CI failure is a package-lock.json sync issue, not a workflow issue. It fails at npm ci, before type-check/lint/build run:

Missing: @emnapi/core@1.10.0 from lock file
Missing: @emnapi/runtime@1.10.0 from lock file

Please regenerate/fix the lockfile, ideally with the CI Node/npm version, and push the updated package-lock.json.

Suggested validation:

npm ci
npm run type-check
npm run lint
npm run build

2. tests/repoSourceIntegrity.test.mjs currently scans origin/main...HEAD and asserts that changed files are non-empty. That works on a PR branch, but after merging into main, the diff can be empty and a plain npm test on main may fail. Please either skip this check when the changed-file list is empty, or gate it to PR-only usage.

Once these are addressed and the Frontend check passes, I think this PR is close from the feature side.

[seakee]

Thanks, all configured checks are green now.

The implementation looks good to me, and the previous auth-conversion concerns have been addressed. Since the current CI passes and there are no merge conflicts, I’m okay with merging this PR.

One non-blocking follow-up: the frontend PR workflow currently runs type-check, lint, and build, but not npm test. Since this PR adds useful regression tests, it would be good to add npm test to CI in a follow-up.

[hoangduy0308]

Thanks for the review and merge. I’ll keep the npm test CI addition as a follow-up item.