feat: add support for login with ChatGPT

[bolinfest]

This does not implement the full Login with ChatGPT experience, but it should unblock people.

What works

• The codex multitool now has a login subcommand, so you can run codex login, which should write CODEX_HOME/auth.json if you complete the flow successfully. The TUI will now read the OPENAI_API_KEY from auth.json.
• The TUI should refresh the token if it has expired and the necessary information is in auth.json.
• There is a LoginScreen in the TUI that tells you to run codex login if both (1) your model provider expects to use OPENAI_API_KEY as its env var, and (2) OPENAI_API_KEY is not set.

What does not work

• The LoginScreen does not support the login flow from within the TUI. Instead, it tells you to quit, run codex login, and then run codex again.
• codex exec does read from auth.json yet, nor does it direct the user to go through the login flow if OPENAI_API_KEY cannot be found.
• The maybeRedeemCredits() function from get-api-key.tsx has not been ported from TypeScript to login_with_chatgpt.py yet:

codex/codex-cli/src/utils/get-api-key.tsx

Lines 84 to 89 in a67a67f

	async function maybeRedeemCredits(
	issuer: string,
	clientId: string,
	refreshToken: string,
	idToken?: string,
	): Promise<void> {

Implementation

Currently, the OAuth flow requires running a local webserver on 127.0.0.1:1455. It seemed wasteful to incur the additional binary cost of a webserver dependency in the Rust CLI just to support login, so instead we implement this logic in Python, as Python has an http.server module as part of its standard library. Specifically, we bundle the contents of a single Python file as a string in the Rust CLI and then use it to spawn a subprocess as python3 -c {{SOURCE_FOR_PYTHON_SERVER}}.

As such, the most significant files in this PR are:

codex-rs/login/src/login_with_chatgpt.py
codex-rs/login/src/lib.rs

Now that the CLI may load OPENAI_API_KEY from the environment or CODEX_HOME/auth.json, we need a new abstraction for reading/writing this variable, so we introduce:

codex-rs/core/src/openai_api_key.rs

Note that std::env::set_var() is [rightfully] unsafe in Rust 2024, so we use a LazyLock<RwLock<Option<String>>> to store OPENAI_API_KEY so it is read in a thread-safe manner.

Ultimately, it should be possible to go through the entire login flow from the TUI. This PR introduces a placeholder LoginScreen UI for that right now, though the new codex login subcommand introduced in this PR should be a viable workaround until the UI is ready.

Testing

Because the login flow is currently implemented in a standalone Python file, you can test it without building any Rust code as follows:

rm -rf /tmp/codex_home && mkdir /tmp/codex_home
CODEX_HOME=/tmp/codex_home python3 codex-rs/login/src/login_with_chatgpt.py

For reference:

• the original TypeScript implementation was introduced in add: sign in with chatgpt #963
• support for redeeming credits was later added in add: sign in with chatgpt credits #974