npm - @karpeleslab/teamclaude - Versions diffs - 1.0.0 → 1.0.2 - Mend

@karpeleslab/teamclaude 1.0.0 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@karpeleslab/teamclaude",
-  "version": "1.0.0",
+  "version": "1.0.2",
   "description": "Multi-account Claude proxy with automatic quota-based rotation",
   "type": "module",
   "main": "src/index.js",

package/src/account-manager.js CHANGED Viewed

@@ -267,6 +267,46 @@ export class AccountManager {
     this._onTokenRefresh = callback;
   }
+  /**
+   * Capture a fresh token from a client request or intercepted token refresh.
+   * Updates the first OAuth account whose credential matches the old token,
+   * or the first expired/error OAuth account if none match.
+   *
+   * @param {string} accessToken - The new access token
+   * @param {string} [refreshToken] - New refresh token (if available from intercepted refresh)
+   * @param {number} [expiresAt] - Token expiry timestamp
+   */
+  captureClientToken(accessToken, refreshToken, expiresAt) {
+    if (!accessToken) return;
+    // Check if any account already has this exact token
+    const existing = this.accounts.find(a => a.type === 'oauth' && a.credential === accessToken);
+    if (existing) {
+      // Update expiry/refresh if we have better info
+      if (expiresAt && expiresAt > (existing.expiresAt || 0)) existing.expiresAt = expiresAt;
+      if (refreshToken) existing.refreshToken = refreshToken;
+      return;
+    }
+    // Find the best OAuth account to update: prefer expired/error accounts
+    const candidate = this.accounts.find(a =>
+      a.type === 'oauth' && (a.status === 'error' || isTokenExpiringSoon(a.expiresAt, 0))
+    ) || this.accounts.find(a => a.type === 'oauth');
+    if (!candidate) return;
+    candidate.credential = accessToken;
+    if (refreshToken) candidate.refreshToken = refreshToken;
+    candidate.expiresAt = expiresAt || Date.now() + 3600 * 1000;
+    if (candidate.status === 'error') candidate.status = 'active';
+    console.log(`[TeamClaude] Captured fresh token for account "${candidate.name}"`);
+    this._onTokenRefresh?.(candidate.index, {
+      accessToken,
+      refreshToken: candidate.refreshToken,
+      expiresAt: candidate.expiresAt,
+    });
+  }
   /**
    * Add a new account at runtime.
    */

package/src/index.js CHANGED Viewed

@@ -266,12 +266,14 @@ async function runCommand() {
   const claudeArgs = args.slice(1);
   if (claudeArgs[0] === '--') claudeArgs.shift();
+  // Only set ANTHROPIC_BASE_URL — Claude Code keeps its own OAuth token
+  // which the proxy accepts from localhost. Not setting ANTHROPIC_API_KEY
+  // lets Claude Code stay in subscription mode (full model access).
   const child = spawn('claude', claudeArgs, {
     stdio: 'inherit',
     env: {
       ...process.env,
       ANTHROPIC_BASE_URL: `http://localhost:${config.proxy.port}`,
-      ANTHROPIC_API_KEY: config.proxy.apiKey,
     },
   });
@@ -332,6 +334,7 @@ async function statusCommand() {
 async function accountsCommand() {
   const config = await loadOrCreateConfig();
+  const verbose = args.includes('-v') || args.includes('--verbose');
   if (config.accounts.length === 0) {
     console.log('No accounts configured.');
@@ -387,6 +390,17 @@ async function accountsCommand() {
     console.log(`  [${i + 1}] ${a.name} (${status}${src})`);
     if (p?.email && p.email !== a.name) console.log(`       Email: ${p.email}`);
     if (p?.orgName) console.log(`       Org:   ${p.orgName}`);
+    if (verbose && a.expiresAt) {
+      const remaining = a.expiresAt - Date.now();
+      if (remaining <= 0) {
+        console.log(`       Token: expired`);
+      } else {
+        const mins = Math.floor(remaining / 60000);
+        const hrs = Math.floor(mins / 60);
+        const expiry = hrs > 0 ? `${hrs}h ${mins % 60}m` : `${mins}m`;
+        console.log(`       Token: expires in ${expiry}`);
+      }
+    }
   }
 }

package/src/oauth.js CHANGED Viewed

@@ -28,29 +28,60 @@ const DEFAULT_CLIENT_ID = '9d1c250a-e61b-44d9-88ed-5944d1962f5e';
 /**
  * Refresh an expired OAuth access token using the refresh token.
+ * Retries on 5xx and network errors with exponential backoff.
  */
 export async function refreshAccessToken(refreshToken, endpoint = DEFAULT_TOKEN_ENDPOINT) {
-  const res = await fetch(endpoint, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json' },
-    body: JSON.stringify({
-      grant_type: 'refresh_token',
-      refresh_token: refreshToken,
-      client_id: DEFAULT_CLIENT_ID,
-    }),
-  });
+  const maxRetries = 2;
+  const baseDelayMs = 500;
+  for (let attempt = 0; attempt <= maxRetries; attempt++) {
+    try {
+      if (attempt > 0) {
+        const delay = baseDelayMs * 2 ** (attempt - 1);
+        await new Promise(resolve => setTimeout(resolve, delay));
+      }
-  if (!res.ok) {
-    const text = await res.text();
-    throw new Error(`Token refresh failed (${res.status}): ${text}`);
-  }
+      const res = await fetch(endpoint, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'Accept': 'application/json, text/plain, */*',
+          'User-Agent': 'axios/1.13.6',
+        },
+        body: JSON.stringify({
+          grant_type: 'refresh_token',
+          refresh_token: refreshToken,
+          client_id: DEFAULT_CLIENT_ID,
+        }),
+      });
+      if (!res.ok) {
+        if (res.status >= 500 && attempt < maxRetries) {
+          await res.body?.cancel();
+          continue;
+        }
+        const text = await res.text();
+        throw new Error(`Token refresh failed (${res.status}): ${text}`);
+      }
-  const data = await res.json();
-  return {
-    accessToken: data.access_token,
-    refreshToken: data.refresh_token || refreshToken,
-    expiresAt: data.expires_at || (Date.now() + (data.expires_in || 3600) * 1000),
-  };
+      const data = await res.json();
+      return {
+        accessToken: data.access_token,
+        refreshToken: data.refresh_token || refreshToken,
+        expiresAt: data.expires_at || (Date.now() + (data.expires_in || 3600) * 1000),
+      };
+    } catch (err) {
+      const isNetworkError = err instanceof Error &&
+        (err.message.includes('fetch failed') ||
+          (err.code === 'ECONNRESET' || err.code === 'ECONNREFUSED' ||
+           err.code === 'ETIMEDOUT' || err.code === 'UND_ERR_CONNECT_TIMEOUT'));
+      if (attempt < maxRetries && isNetworkError) {
+        continue;
+      }
+      throw err;
+    }
+  }
 }
 /**

package/src/server.js CHANGED Viewed

@@ -19,9 +19,11 @@ export function createProxyServer(accountManager, config, hooks = {}) {
   const server = http.createServer(async (req, res) => {
     try {
-      // Auth check
+      // Auth check — skip for localhost connections
       const clientKey = req.headers['x-api-key'];
-      if (proxyApiKey && clientKey !== proxyApiKey) {
+      const remoteAddr = req.socket.remoteAddress;
+      const isLocal = remoteAddr === '127.0.0.1' || remoteAddr === '::1' || remoteAddr === '::ffff:127.0.0.1';
+      if (proxyApiKey && clientKey !== proxyApiKey && !isLocal) {
         res.writeHead(401, { 'Content-Type': 'application/json' });
         res.end(JSON.stringify({
           type: 'error',
@@ -37,6 +39,12 @@ export function createProxyServer(accountManager, config, hooks = {}) {
         return;
       }
+      // Intercept token refresh requests — forward to real endpoint and capture new tokens
+      if (req.method === 'POST' && req.url === '/v1/oauth/token') {
+        await handleTokenRefresh(req, res, accountManager, hooks);
+        return;
+      }
       // Track request
       const reqId = ++requestCounter;
       hooks.onRequestStart?.(reqId, { method: req.method, path: req.url });
@@ -70,6 +78,64 @@ export function createProxyServer(accountManager, config, hooks = {}) {
   return server;
 }
+const TOKEN_ENDPOINT = 'https://platform.claude.com/v1/oauth/token';
+/**
+ * Forward a token refresh request to the real token endpoint, capture new tokens,
+ * and pass the response back to the client.
+ */
+async function handleTokenRefresh(req, res, accountManager, hooks) {
+  const bodyChunks = [];
+  for await (const chunk of req) {
+    bodyChunks.push(chunk);
+  }
+  const body = Buffer.concat(bodyChunks);
+  try {
+    // Forward to the real token endpoint
+    const upstreamRes = await fetch(TOKEN_ENDPOINT, {
+      method: 'POST',
+      headers: {
+        'Content-Type': req.headers['content-type'] || 'application/json',
+        'Accept': 'application/json, text/plain, */*',
+        'User-Agent': req.headers['user-agent'] || 'axios/1.13.6',
+      },
+      body,
+    });
+    const responseBody = await upstreamRes.text();
+    // Capture tokens from successful refresh
+    if (upstreamRes.ok) {
+      try {
+        const tokens = JSON.parse(responseBody);
+        if (tokens.access_token) {
+          accountManager.captureClientToken(tokens.access_token, tokens.refresh_token,
+            tokens.expires_at || (Date.now() + (tokens.expires_in || 3600) * 1000));
+        }
+      } catch {}
+    }
+    // Forward response to client
+    const responseHeaders = {};
+    for (const [key, value] of upstreamRes.headers.entries()) {
+      if (key === 'transfer-encoding' || key === 'connection') continue;
+      responseHeaders[key] = value;
+    }
+    res.writeHead(upstreamRes.status, responseHeaders);
+    res.end(responseBody);
+  } catch (err) {
+    console.error('[TeamClaude] Token refresh proxy error:', err.message);
+    if (!res.headersSent) {
+      res.writeHead(502, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({
+        type: 'error',
+        error: { type: 'proxy_error', message: `Token refresh failed: ${err.message}` },
+      }));
+    }
+  }
+}
 function logTimestamp() {
   const d = new Date();
   const pad = (n, w = 2) => String(n).padStart(w, '0');
@@ -101,6 +167,7 @@ async function forwardRequest(req, res, body, accountManager, upstream, retryCou
   const account = accountManager.getActiveAccount();
   if (!account) {
     ctx.status = 429;
+    ctx.account = '(none available)';
     const status = accountManager.getStatus();
     const retryAfter = computeRetryAfter(status.accounts);
     res.writeHead(429, {
@@ -128,6 +195,7 @@ async function forwardRequest(req, res, body, accountManager, upstream, retryCou
   }
   // Build upstream request headers
+  const isOAuth = account.type === 'oauth';
   const headers = {};
   for (const [key, value] of Object.entries(req.headers)) {
     const lk = key.toLowerCase();
@@ -138,7 +206,18 @@ async function forwardRequest(req, res, body, accountManager, upstream, retryCou
     if (lk === 'accept-encoding') continue;
     headers[key] = value;
   }
-  headers['x-api-key'] = account.credential;
+  if (isOAuth) {
+    headers['authorization'] = `Bearer ${account.credential}`;
+  } else {
+    headers['x-api-key'] = account.credential;
+  }
+  // Capture fresh Bearer tokens from the client to keep stored credentials up to date
+  const clientBearer = req.headers['authorization']?.match(/^Bearer (.+)/i)?.[1];
+  if (clientBearer) {
+    accountManager.captureClientToken(clientBearer);
+  }
   const upstreamUrl = `${upstream}${req.url}`;
   const method = req.method;
@@ -147,10 +226,13 @@ async function forwardRequest(req, res, body, accountManager, upstream, retryCou
   const logSections = [];
   if (logDir) {
     const safeHeaders = { ...headers };
-    // Mask the credential in logs
+    // Mask credentials in logs
     if (safeHeaders['x-api-key']) {
       safeHeaders['x-api-key'] = safeHeaders['x-api-key'].slice(0, 15) + '...';
     }
+    if (safeHeaders['authorization']) {
+      safeHeaders['authorization'] = safeHeaders['authorization'].slice(0, 20) + '...';
+    }
     logSections.push(
       `=== REQUEST (account: ${account.name}, retry: ${retryCount}) ===\n${method} ${upstreamUrl}\n${formatHeaders(safeHeaders)}`,
     );
@@ -185,19 +267,6 @@ async function forwardRequest(req, res, body, accountManager, upstream, retryCou
       logSections.push(`=== RESPONSE ${upstreamRes.status} ===\n${formatHeaders(upstreamRes.headers)}`);
     }
-    // Handle 429 — retry with next account
-    if (upstreamRes.status === 429 && retryCount < maxRetries) {
-      const retryAfter = parseInt(upstreamRes.headers.get('retry-after') || '60', 10);
-      accountManager.markRateLimited(account.index, retryAfter);
-      const drainBuf = await upstreamRes.arrayBuffer();
-      if (logDir) {
-        logSections.push(`=== RESPONSE BODY (429) ===\n${Buffer.from(drainBuf).toString()}`);
-        logSections.push(`=== RETRYING with next account ===`);
-        writeRequestLog(logDir, reqId, logSections);
-      }
-      return forwardRequest(req, res, body, accountManager, upstream, retryCount + 1, hooks, reqId, ctx, logDir);
-    }
     ctx.status = upstreamRes.status;
     // Build response headers (skip hop-by-hop and encoding headers)