@karpeleslab/teamclaude 1.0.0

package/src/oauth.js

@@ -0,0 +1,220 @@
+import { readFile } from 'node:fs/promises';
+import { homedir } from 'node:os';
+import { randomBytes, createHash } from 'node:crypto';
+import { exec } from 'node:child_process';
+import http from 'node:http';
+
+/**
+ * Import OAuth credentials from a Claude Code credentials file.
+ */
+export async function importCredentials(filePath) {
+  const resolvedPath = filePath.replace(/^~/, homedir());
+  const raw = JSON.parse(await readFile(resolvedPath, 'utf-8'));
+
+  // Claude Code stores credentials nested under "claudeAiOauth"
+  const data = raw.claudeAiOauth || raw;
+  return {
+    accessToken: data.accessToken,
+    refreshToken: data.refreshToken,
+    expiresAt: data.expiresAt,
+    subscriptionType: data.subscriptionType,
+    rateLimitTier: data.rateLimitTier,
+  };
+}
+
+const PROFILE_URL = 'https://api.anthropic.com/api/oauth/profile';
+const DEFAULT_TOKEN_ENDPOINT = 'https://platform.claude.com/v1/oauth/token';
+const DEFAULT_CLIENT_ID = '9d1c250a-e61b-44d9-88ed-5944d1962f5e';
+
+/**
+ * Refresh an expired OAuth access token using the refresh token.
+ */
+export async function refreshAccessToken(refreshToken, endpoint = DEFAULT_TOKEN_ENDPOINT) {
+  const res = await fetch(endpoint, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({
+      grant_type: 'refresh_token',
+      refresh_token: refreshToken,
+      client_id: DEFAULT_CLIENT_ID,
+    }),
+  });
+
+  if (!res.ok) {
+    const text = await res.text();
+    throw new Error(`Token refresh failed (${res.status}): ${text}`);
+  }
+
+  const data = await res.json();
+  return {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token || refreshToken,
+    expiresAt: data.expires_at || (Date.now() + (data.expires_in || 3600) * 1000),
+  };
+}
+
+/**
+ * Check if an OAuth token is expiring within the given threshold.
+ */
+export function isTokenExpiringSoon(expiresAt, thresholdMs = 5 * 60 * 1000) {
+  if (!expiresAt) return false;
+  return Date.now() + thresholdMs >= expiresAt;
+}
+
+/**
+ * Fetch account profile for an OAuth token.
+ * Returns { email, name, orgName, orgType } or null on failure.
+ */
+export async function fetchProfile(accessToken) {
+  try {
+    const res = await fetch(PROFILE_URL, {
+      headers: { 'Authorization': `Bearer ${accessToken}` },
+    });
+    if (!res.ok) return null;
+    const data = await res.json();
+    return {
+      accountUuid: data.account?.uuid,
+      email: data.account?.email,
+      name: data.account?.display_name,
+      orgName: data.organization?.name,
+      orgType: data.organization?.organization_type,
+      hasClaudeMax: data.account?.has_claude_max,
+      hasClaudePro: data.account?.has_claude_pro,
+    };
+  } catch {
+    return null;
+  }
+}
+
+// OAuth config (extracted from Claude Code)
+const OAUTH_CLIENT_ID = '9d1c250a-e61b-44d9-88ed-5944d1962f5e';
+const OAUTH_AUTHORIZE = 'https://claude.ai/oauth/authorize';
+const OAUTH_TOKEN = 'https://platform.claude.com/v1/oauth/token';
+const OAUTH_SCOPES = 'org:create_api_key user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload';
+
+/**
+ * Perform OAuth login via browser with PKCE flow.
+ * Opens the user's browser, waits for the callback, exchanges the code for tokens.
+ */
+export async function loginOAuth() {
+  // Generate PKCE
+  const codeVerifier = randomBytes(32).toString('base64url');
+  const codeChallenge = createHash('sha256').update(codeVerifier).digest('base64url');
+  const state = randomBytes(32).toString('base64url');
+
+  // Start local callback server on a random port
+  const { port, codePromise, server } = await startCallbackServer(state);
+  const redirectUri = `http://localhost:${port}/callback`;
+
+  // Build authorization URL
+  const authUrl = new URL(OAUTH_AUTHORIZE);
+  authUrl.searchParams.set('code', 'true');
+  authUrl.searchParams.set('client_id', OAUTH_CLIENT_ID);
+  authUrl.searchParams.set('response_type', 'code');
+  authUrl.searchParams.set('redirect_uri', redirectUri);
+  authUrl.searchParams.set('scope', OAUTH_SCOPES);
+  authUrl.searchParams.set('code_challenge', codeChallenge);
+  authUrl.searchParams.set('code_challenge_method', 'S256');
+  authUrl.searchParams.set('state', state);
+
+  // Open browser
+  console.log('Opening browser for authentication...');
+  console.log(`If it doesn't open, visit:\n  ${authUrl.toString()}\n`);
+  openBrowser(authUrl.toString());
+
+  // Wait for the authorization code
+  let code;
+  try {
+    code = await codePromise;
+  } finally {
+    server.close();
+  }
+
+  // Exchange code for tokens
+  console.log('Exchanging authorization code for tokens...');
+  const tokenRes = await fetch(OAUTH_TOKEN, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({
+      code,
+      state,
+      grant_type: 'authorization_code',
+      client_id: OAUTH_CLIENT_ID,
+      redirect_uri: redirectUri,
+      code_verifier: codeVerifier,
+    }),
+  });
+
+  if (!tokenRes.ok) {
+    const text = await tokenRes.text();
+    throw new Error(`Token exchange failed (${tokenRes.status}): ${text}`);
+  }
+
+  const tokens = await tokenRes.json();
+  return {
+    accessToken: tokens.access_token,
+    refreshToken: tokens.refresh_token,
+    expiresAt: tokens.expires_at || (Date.now() + (tokens.expires_in || 3600) * 1000),
+  };
+}
+
+function startCallbackServer(expectedState) {
+  return new Promise((resolve, reject) => {
+    let resolveCode, rejectCode;
+    const codePromise = new Promise((res, rej) => { resolveCode = res; rejectCode = rej; });
+
+    const server = http.createServer((req, res) => {
+      const url = new URL(req.url, `http://localhost`);
+
+      if (url.pathname === '/callback') {
+        const code = url.searchParams.get('code');
+        const error = url.searchParams.get('error');
+        const state = url.searchParams.get('state');
+
+        if (error) {
+          res.writeHead(200, { 'Content-Type': 'text/html' });
+          res.end('<html><body><h2>Authentication failed</h2><p>You can close this tab.</p></body></html>');
+          rejectCode(new Error(`OAuth error: ${error} - ${url.searchParams.get('error_description') || ''}`));
+          return;
+        }
+
+        if (expectedState && state !== expectedState) {
+          res.writeHead(200, { 'Content-Type': 'text/html' });
+          res.end('<html><body><h2>Authentication failed</h2><p>State mismatch. You can close this tab.</p></body></html>');
+          rejectCode(new Error('OAuth state mismatch'));
+          return;
+        }
+
+        if (code) {
+          res.writeHead(302, { 'Location': 'https://platform.claude.com/oauth/code/success?app=claude-code' });
+          res.end();
+          resolveCode(code);
+          return;
+        }
+      }
+
+      res.writeHead(404);
+      res.end('Not found');
+    });
+
+    server.listen(0, () => {
+      resolve({ port: server.address().port, codePromise, server });
+    });
+    server.on('error', reject);
+
+    // Timeout after 2 minutes (unref so it doesn't keep the process alive)
+    const timer = setTimeout(() => {
+      rejectCode(new Error('Login timed out after 2 minutes'));
+      server.close();
+    }, 120_000);
+    timer.unref();
+  });
+}
+
+function openBrowser(url) {
+  const platform = process.platform;
+  const cmd = platform === 'darwin' ? 'open'
+    : platform === 'win32' ? 'start'
+    : 'xdg-open';
+  exec(`${cmd} ${JSON.stringify(url)}`, () => {});
+}

package/src/server.js

@@ -0,0 +1,351 @@
+import http from 'node:http';
+import { writeFile, mkdir } from 'node:fs/promises';
+import { join } from 'node:path';
+
+const HOP_BY_HOP_HEADERS = new Set([
+  'host', 'connection', 'keep-alive', 'transfer-encoding',
+  'te', 'trailer', 'upgrade', 'proxy-authorization', 'proxy-authenticate',
+]);
+
+export function createProxyServer(accountManager, config, hooks = {}) {
+  const upstream = config.upstream || 'https://api.anthropic.com';
+  const proxyApiKey = config.proxy?.apiKey;
+  const logDir = config.logDir || null;
+  let requestCounter = 0;
+
+  if (logDir) {
+    mkdir(logDir, { recursive: true }).catch(() => {});
+  }
+
+  const server = http.createServer(async (req, res) => {
+    try {
+      // Auth check
+      const clientKey = req.headers['x-api-key'];
+      if (proxyApiKey && clientKey !== proxyApiKey) {
+        res.writeHead(401, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({
+          type: 'error',
+          error: { type: 'authentication_error', message: 'Invalid proxy API key' },
+        }));
+        return;
+      }
+
+      // Status endpoint
+      if (req.method === 'GET' && req.url === '/teamclaude/status') {
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify(accountManager.getStatus(), null, 2));
+        return;
+      }
+
+      // Track request
+      const reqId = ++requestCounter;
+      hooks.onRequestStart?.(reqId, { method: req.method, path: req.url });
+
+      // Buffer request body (needed for retry on 429)
+      const bodyChunks = [];
+      for await (const chunk of req) {
+        bodyChunks.push(chunk);
+      }
+      const body = Buffer.concat(bodyChunks);
+
+      const ctx = { account: null, status: null };
+      await forwardRequest(req, res, body, accountManager, upstream, 0, hooks, reqId, ctx, logDir);
+
+      hooks.onRequestEnd?.(reqId, {
+        method: req.method, path: req.url,
+        account: ctx.account, status: ctx.status,
+      });
+    } catch (err) {
+      console.error('[TeamClaude] Unhandled error:', err);
+      if (!res.headersSent) {
+        res.writeHead(502, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({
+          type: 'error',
+          error: { type: 'proxy_error', message: 'Internal proxy error' },
+        }));
+      }
+    }
+  });
+
+  return server;
+}
+
+function logTimestamp() {
+  const d = new Date();
+  const pad = (n, w = 2) => String(n).padStart(w, '0');
+  return `${d.getFullYear()}${pad(d.getMonth() + 1)}${pad(d.getDate())}_${pad(d.getHours())}${pad(d.getMinutes())}${pad(d.getSeconds())}.${pad(d.getMilliseconds(), 3)}`;
+}
+
+async function writeRequestLog(logDir, reqId, sections) {
+  if (!logDir) return;
+  const ts = logTimestamp();
+  const filename = `${ts}_${String(reqId).padStart(5, '0')}.log`;
+  try {
+    await writeFile(join(logDir, filename), sections.join('\n\n'), 'utf-8');
+  } catch (err) {
+    console.error(`[TeamClaude] Failed to write log: ${err.message}`);
+  }
+}
+
+function formatHeaders(headers) {
+  if (headers.entries) {
+    return [...headers.entries()].map(([k, v]) => `  ${k}: ${v}`).join('\n');
+  }
+  return Object.entries(headers).map(([k, v]) => `  ${k}: ${v}`).join('\n');
+}
+
+async function forwardRequest(req, res, body, accountManager, upstream, retryCount, hooks, reqId, ctx, logDir) {
+  const maxRetries = accountManager.accounts.length;
+
+  // Select account
+  const account = accountManager.getActiveAccount();
+  if (!account) {
+    ctx.status = 429;
+    const status = accountManager.getStatus();
+    const retryAfter = computeRetryAfter(status.accounts);
+    res.writeHead(429, {
+      'Content-Type': 'application/json',
+      'retry-after': String(retryAfter),
+    });
+    res.end(JSON.stringify({
+      type: 'error',
+      error: {
+        type: 'rate_limit_error',
+        message: `All ${accountManager.accounts.length} accounts exhausted. Retry in ${retryAfter}s.`,
+      },
+    }));
+    return;
+  }
+
+  // Track which account handles this request
+  ctx.account = account.name;
+  hooks.onRequestRouted?.(reqId, { account: account.name });
+
+  // Refresh OAuth token if needed
+  await accountManager.ensureTokenFresh(account.index);
+  if (account.status === 'error' && retryCount < maxRetries) {
+    return forwardRequest(req, res, body, accountManager, upstream, retryCount + 1, hooks, reqId, ctx, logDir);
+  }
+
+  // Build upstream request headers
+  const headers = {};
+  for (const [key, value] of Object.entries(req.headers)) {
+    const lk = key.toLowerCase();
+    if (HOP_BY_HOP_HEADERS.has(lk)) continue;
+    if (lk === 'x-api-key') continue;
+    // Strip accept-encoding: Node fetch auto-decompresses, which would
+    // mismatch the Content-Encoding header we forward to the client
+    if (lk === 'accept-encoding') continue;
+    headers[key] = value;
+  }
+  headers['x-api-key'] = account.credential;
+
+  const upstreamUrl = `${upstream}${req.url}`;
+  const method = req.method;
+
+  // Build log sections
+  const logSections = [];
+  if (logDir) {
+    const safeHeaders = { ...headers };
+    // Mask the credential in logs
+    if (safeHeaders['x-api-key']) {
+      safeHeaders['x-api-key'] = safeHeaders['x-api-key'].slice(0, 15) + '...';
+    }
+    logSections.push(
+      `=== REQUEST (account: ${account.name}, retry: ${retryCount}) ===\n${method} ${upstreamUrl}\n${formatHeaders(safeHeaders)}`,
+    );
+    if (body.length > 0) {
+      try {
+        logSections.push(`=== REQUEST BODY ===\n${JSON.stringify(JSON.parse(body.toString()), null, 2)}`);
+      } catch {
+        logSections.push(`=== REQUEST BODY (${body.length} bytes) ===\n${body.toString().slice(0, 4096)}`);
+      }
+    }
+  }
+
+  try {
+    const upstreamRes = await fetch(upstreamUrl, {
+      method,
+      headers,
+      body: ['GET', 'HEAD'].includes(method) ? undefined : body,
+      redirect: 'manual',
+    });
+
+    // Extract rate limit headers
+    const rateLimitHeaders = {};
+    for (const [key, value] of upstreamRes.headers.entries()) {
+      if (key.startsWith('anthropic-ratelimit-')) {
+        rateLimitHeaders[key] = value;
+      }
+    }
+    accountManager.updateQuota(account.index, rateLimitHeaders);
+
+    // Log response headers
+    if (logDir) {
+      logSections.push(`=== RESPONSE ${upstreamRes.status} ===\n${formatHeaders(upstreamRes.headers)}`);
+    }
+
+    // Handle 429 — retry with next account
+    if (upstreamRes.status === 429 && retryCount < maxRetries) {
+      const retryAfter = parseInt(upstreamRes.headers.get('retry-after') || '60', 10);
+      accountManager.markRateLimited(account.index, retryAfter);
+      const drainBuf = await upstreamRes.arrayBuffer();
+      if (logDir) {
+        logSections.push(`=== RESPONSE BODY (429) ===\n${Buffer.from(drainBuf).toString()}`);
+        logSections.push(`=== RETRYING with next account ===`);
+        writeRequestLog(logDir, reqId, logSections);
+      }
+      return forwardRequest(req, res, body, accountManager, upstream, retryCount + 1, hooks, reqId, ctx, logDir);
+    }
+
+    ctx.status = upstreamRes.status;
+
+    // Build response headers (skip hop-by-hop and encoding headers)
+    const responseHeaders = {};
+    for (const [key, value] of upstreamRes.headers.entries()) {
+      if (key === 'transfer-encoding' || key === 'connection') continue;
+      // Strip content-encoding/content-length since fetch may auto-decompress
+      if (key === 'content-encoding' || key === 'content-length') continue;
+      responseHeaders[key] = value;
+    }
+
+    res.writeHead(upstreamRes.status, responseHeaders);
+
+    if (!upstreamRes.body) {
+      if (logDir) {
+        logSections.push(`=== RESPONSE BODY ===\n(empty)`);
+        writeRequestLog(logDir, reqId, logSections);
+      }
+      res.end();
+      return;
+    }
+
+    const isStreaming = (upstreamRes.headers.get('content-type') || '').includes('text/event-stream');
+
+    if (isStreaming) {
+      const streamLog = logDir ? [] : null;
+      await streamResponse(upstreamRes.body, res, account.index, accountManager, streamLog);
+      if (logDir) {
+        logSections.push(`=== RESPONSE BODY (streamed) ===\n${streamLog.join('')}`);
+        writeRequestLog(logDir, reqId, logSections);
+      }
+    } else {
+      const buf = Buffer.from(await upstreamRes.arrayBuffer());
+      extractUsageFromBody(buf, account.index, accountManager);
+      if (logDir) {
+        try {
+          logSections.push(`=== RESPONSE BODY ===\n${JSON.stringify(JSON.parse(buf.toString()), null, 2)}`);
+        } catch {
+          logSections.push(`=== RESPONSE BODY (${buf.length} bytes) ===\n${buf.toString().slice(0, 8192)}`);
+        }
+        writeRequestLog(logDir, reqId, logSections);
+      }
+      res.end(buf);
+    }
+  } catch (err) {
+    console.error(`[TeamClaude] Upstream error (account "${account.name}"):`, err.message);
+
+    if (logDir) {
+      logSections.push(`=== ERROR ===\n${err.stack || err.message}`);
+      writeRequestLog(logDir, reqId, logSections);
+    }
+
+    if (retryCount < maxRetries) {
+      account.status = 'error';
+      return forwardRequest(req, res, body, accountManager, upstream, retryCount + 1, hooks, reqId, ctx, logDir);
+    }
+    ctx.status = 502;
+
+    if (!res.headersSent) {
+      res.writeHead(502, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({
+        type: 'error',
+        error: { type: 'proxy_error', message: `Upstream error: ${err.message}` },
+      }));
+    }
+  }
+}
+
+/**
+ * Stream an SSE response to the client, parsing usage data along the way.
+ */
+async function streamResponse(webStream, res, accountIndex, accountManager, streamLog) {
+  const reader = webStream.getReader();
+  const decoder = new TextDecoder();
+  let sseBuffer = '';
+
+  try {
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+
+      // Forward chunk immediately
+      const ok = res.write(value);
+
+      const text = decoder.decode(value, { stream: true });
+
+      // Capture for logging
+      if (streamLog) streamLog.push(text);
+
+      // Parse SSE events for usage tracking
+      sseBuffer += text;
+      const events = sseBuffer.split('\n\n');
+      sseBuffer = events.pop(); // keep incomplete event
+
+      for (const event of events) {
+        parseSSEUsage(event, accountIndex, accountManager);
+      }
+
+      // Handle backpressure
+      if (!ok) {
+        await new Promise(resolve => res.once('drain', resolve));
+      }
+    }
+
+    // Parse any remaining buffer
+    if (sseBuffer.trim()) {
+      parseSSEUsage(sseBuffer, accountIndex, accountManager);
+    }
+  } finally {
+    res.end();
+  }
+}
+
+function parseSSEUsage(event, accountIndex, accountManager) {
+  const dataLine = event.split('\n').find(l => l.startsWith('data: '));
+  if (!dataLine) return;
+
+  try {
+    const data = JSON.parse(dataLine.slice(6));
+    if (data.type === 'message_start' && data.message?.usage) {
+      accountManager.updateUsage(accountIndex, data.message.usage.input_tokens, 0);
+    } else if (data.type === 'message_delta' && data.usage) {
+      accountManager.updateUsage(accountIndex, 0, data.usage.output_tokens);
+    }
+  } catch {
+    // not valid JSON, skip
+  }
+}
+
+function extractUsageFromBody(buffer, accountIndex, accountManager) {
+  try {
+    const json = JSON.parse(buffer.toString());
+    if (json.usage) {
+      accountManager.updateUsage(accountIndex, json.usage.input_tokens, json.usage.output_tokens);
+    }
+  } catch {
+    // not JSON or no usage
+  }
+}
+
+function computeRetryAfter(accounts) {
+  let soonest = Infinity;
+  for (const acct of accounts) {
+    const reset = acct.rateLimitedUntil || acct.quota.resetsAt;
+    if (reset) {
+      const ms = new Date(reset).getTime() - Date.now();
+      if (ms < soonest) soonest = ms;
+    }
+  }
+  return soonest === Infinity ? 60 : Math.max(1, Math.ceil(soonest / 1000));
+}