fix: fetch models for codex with auth.json, close #1636

[looplj]

No description provided.

[greptile-apps]

Greptile Summary

This PR fixes model fetching for Codex channels that use auth.json-based OAuth credentials (issue #1636). Two coordinated changes cover the case: the frontend now passes the full OAuth JSON string to the backend when the credential value starts with {, instead of first extracting the access_token via parseOauthToken; the backend adds a fallback so that when apiKey is empty for Codex/Claudecode ("official-only") channel types, it returns the hardcoded default model list instead of an error.

• Backend (model_fetcher.go): When apiKey is empty and the channel type is Codex or Claudecode, the new isOfficialOnlyType guard returns default models rather than the generic "API key is required" error — covering new-channel creation flows where no credential has been entered yet.
• Frontend (channels-action-dialog.tsx): handleFetchModels now detects JSON credentials by a leading { and forwards the raw JSON to the backend, allowing isOAuthJSON on the server side to recognise the auth.json blob and return the correct model list.

Confidence Score: 4/5

The change is targeted and low-risk — it adds a fallback for Codex/Claudecode to return a static hardcoded model list and adjusts how the frontend forwards OAuth JSON blobs, with no changes to authentication paths.

Both changes are narrow and logically consistent with the existing design. The slight mismatch between the frontend JSON detection heuristic and the backend stricter check is the main gap — a malformed JSON blob could reach the provider API as a bearer token and silently fail rather than falling back to defaults.

frontend/src/features/channels/components/channels-action-dialog.tsx — the JSON detection heuristic on line 1158 is slightly looser than its backend counterpart.

Important Files Changed

Filename	Overview
internal/server/biz/model_fetcher.go	Adds a fallback to return default models for Codex/Claudecode when apiKey is empty; logic is correct but the empty-key shortcut bypasses the original design intent that default models should only be served to confirmed OAuth channels.
frontend/src/features/channels/components/channels-action-dialog.tsx	Sends the raw OAuth JSON blob to the backend when it starts with '{', enabling the backend's isOAuthJSON detection; detection heuristic is slightly looser than the backend counterpart.

_{Reviews (1): Last reviewed commit: "fix: fetch models for codex with auth.js..." | Re-trigger Greptile}

[greptile-apps]

The frontend detection heuristic (trimStart().startsWith('{')) is looser than the backend's isOAuthJSON, which additionally requires access_token to be present. For a credential that starts with { but lacks access_token (e.g. a partial or malformed JSON), the frontend will forward the raw JSON blob, isOAuthJSON will return false, and the backend will proceed to use the JSON string as a Bearer token value — resulting in a silent auth failure instead of the expected default-model response. Aligning the client-side check to also require access_token keeps both sides consistent.

Suggested change

	// If it's OAuth JSON, send full JSON so backend detects isOAuthJSON
	if (oauthApiKey.trimStart().startsWith('{')) {
	firstApiKey = oauthApiKey;
	} else {
	// If it's OAuth JSON (contains access_token), send full JSON so backend detects isOAuthJSON
	if (oauthApiKey.trimStart().startsWith('{') && oauthApiKey.includes('access_token')) {
	firstApiKey = oauthApiKey;
	} else {

[gemini-code-assist]

Code Review

This pull request updates the frontend to send the full OAuth JSON string to the backend when detected, ensuring proper identification of OAuth-based providers. Additionally, the backend's model fetcher now retrieves default models for official-only channel types when an API key is not provided, rather than returning an error. I have no feedback to provide as there were no review comments.