@karpeleslab/teamclaude 1.0.1 → 1.0.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@karpeleslab/teamclaude",
-  "version": "1.0.1",
+  "version": "1.0.3",
   "description": "Multi-account Claude proxy with automatic quota-based rotation",
   "type": "module",
   "main": "src/index.js",

package/src/account-manager.js

@@ -267,6 +267,46 @@ export class AccountManager {
     this._onTokenRefresh = callback;
   }
 
+  /**
+   * Capture a fresh token from a client request or intercepted token refresh.
+   * Updates the first OAuth account whose credential matches the old token,
+   * or the first expired/error OAuth account if none match.
+   *
+   * @param {string} accessToken - The new access token
+   * @param {string} [refreshToken] - New refresh token (if available from intercepted refresh)
+   * @param {number} [expiresAt] - Token expiry timestamp
+   */
+  captureClientToken(accessToken, refreshToken, expiresAt) {
+    if (!accessToken) return;
+
+    // Check if any account already has this exact token
+    const existing = this.accounts.find(a => a.type === 'oauth' && a.credential === accessToken);
+    if (existing) {
+      // Update expiry/refresh if we have better info
+      if (expiresAt && expiresAt > (existing.expiresAt || 0)) existing.expiresAt = expiresAt;
+      if (refreshToken) existing.refreshToken = refreshToken;
+      return;
+    }
+
+    // Find the best OAuth account to update: prefer expired/error accounts
+    const candidate = this.accounts.find(a =>
+      a.type === 'oauth' && (a.status === 'error' || isTokenExpiringSoon(a.expiresAt, 0))
+    ) || this.accounts.find(a => a.type === 'oauth');
+
+    if (!candidate) return;
+
+    candidate.credential = accessToken;
+    if (refreshToken) candidate.refreshToken = refreshToken;
+    candidate.expiresAt = expiresAt || Date.now() + 3600 * 1000;
+    if (candidate.status === 'error') candidate.status = 'active';
+    console.log(`[TeamClaude] Captured fresh token for account "${candidate.name}"`);
+    this._onTokenRefresh?.(candidate.index, {
+      accessToken,
+      refreshToken: candidate.refreshToken,
+      expiresAt: candidate.expiresAt,
+    });
+  }
+
   /**
    * Add a new account at runtime.
    */

package/src/oauth.js

@@ -28,29 +28,60 @@ const DEFAULT_CLIENT_ID = '9d1c250a-e61b-44d9-88ed-5944d1962f5e';
 
 /**
  * Refresh an expired OAuth access token using the refresh token.
+ * Retries on 5xx and network errors with exponential backoff.
  */
 export async function refreshAccessToken(refreshToken, endpoint = DEFAULT_TOKEN_ENDPOINT) {
-  const res = await fetch(endpoint, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json' },
-    body: JSON.stringify({
-      grant_type: 'refresh_token',
-      refresh_token: refreshToken,
-      client_id: DEFAULT_CLIENT_ID,
-    }),
-  });
+  const maxRetries = 2;
+  const baseDelayMs = 500;
+
+  for (let attempt = 0; attempt <= maxRetries; attempt++) {
+    try {
+      if (attempt > 0) {
+        const delay = baseDelayMs * 2 ** (attempt - 1);
+        await new Promise(resolve => setTimeout(resolve, delay));
+      }
 
-  if (!res.ok) {
-    const text = await res.text();
-    throw new Error(`Token refresh failed (${res.status}): ${text}`);
-  }
+      const res = await fetch(endpoint, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'Accept': 'application/json, text/plain, */*',
+          'User-Agent': 'axios/1.13.6',
+        },
+        body: JSON.stringify({
+          grant_type: 'refresh_token',
+          refresh_token: refreshToken,
+          client_id: DEFAULT_CLIENT_ID,
+        }),
+      });
+
+      if (!res.ok) {
+        if (res.status >= 500 && attempt < maxRetries) {
+          await res.body?.cancel();
+          continue;
+        }
+        const text = await res.text();
+        throw new Error(`Token refresh failed (${res.status}): ${text}`);
+      }
 
-  const data = await res.json();
-  return {
-    accessToken: data.access_token,
-    refreshToken: data.refresh_token || refreshToken,
-    expiresAt: data.expires_at || (Date.now() + (data.expires_in || 3600) * 1000),
-  };
+      const data = await res.json();
+      return {
+        accessToken: data.access_token,
+        refreshToken: data.refresh_token || refreshToken,
+        expiresAt: data.expires_at || (Date.now() + (data.expires_in || 3600) * 1000),
+      };
+    } catch (err) {
+      const isNetworkError = err instanceof Error &&
+        (err.message.includes('fetch failed') ||
+          (err.code === 'ECONNRESET' || err.code === 'ECONNREFUSED' ||
+           err.code === 'ETIMEDOUT' || err.code === 'UND_ERR_CONNECT_TIMEOUT'));
+
+      if (attempt < maxRetries && isNetworkError) {
+        continue;
+      }
+      throw err;
+    }
+  }
 }
 
 /**

package/src/server.js

@@ -39,6 +39,12 @@ export function createProxyServer(accountManager, config, hooks = {}) {
         return;
       }
 
+      // Intercept token refresh requests — forward to real endpoint and capture new tokens
+      if (req.method === 'POST' && req.url === '/v1/oauth/token') {
+        await handleTokenRefresh(req, res, accountManager, hooks);
+        return;
+      }
+
       // Track request
       const reqId = ++requestCounter;
       hooks.onRequestStart?.(reqId, { method: req.method, path: req.url });
@@ -72,6 +78,77 @@ export function createProxyServer(accountManager, config, hooks = {}) {
   return server;
 }
 
+const TOKEN_ENDPOINT = 'https://platform.claude.com/v1/oauth/token';
+
+/**
+ * Forward a token refresh request to the real token endpoint, capture new tokens,
+ * and pass the response back to the client.
+ */
+async function handleTokenRefresh(req, res, accountManager, hooks) {
+  const bodyChunks = [];
+  for await (const chunk of req) {
+    bodyChunks.push(chunk);
+  }
+  const rawBody = Buffer.concat(bodyChunks);
+
+  // Replace the refresh token in the request with the current account's refresh token
+  // so the renewal happens for the active account, not just the one the client knows about
+  let body = rawBody;
+  try {
+    const parsed = JSON.parse(rawBody.toString());
+    const currentAccount = accountManager.accounts[accountManager.currentIndex];
+    if (parsed.grant_type === 'refresh_token' && currentAccount?.type === 'oauth' && currentAccount.refreshToken) {
+      parsed.refresh_token = currentAccount.refreshToken;
+      body = JSON.stringify(parsed);
+      console.log(`[TeamClaude] Token refresh: substituted refresh token for account "${currentAccount.name}"`);
+    }
+  } catch {}
+
+  try {
+    // Forward to the real token endpoint
+    const upstreamRes = await fetch(TOKEN_ENDPOINT, {
+      method: 'POST',
+      headers: {
+        'Content-Type': req.headers['content-type'] || 'application/json',
+        'Accept': 'application/json, text/plain, */*',
+        'User-Agent': req.headers['user-agent'] || 'axios/1.13.6',
+      },
+      body,
+    });
+
+    const responseBody = await upstreamRes.text();
+
+    // Capture tokens from successful refresh
+    if (upstreamRes.ok) {
+      try {
+        const tokens = JSON.parse(responseBody);
+        if (tokens.access_token) {
+          accountManager.captureClientToken(tokens.access_token, tokens.refresh_token,
+            tokens.expires_at || (Date.now() + (tokens.expires_in || 3600) * 1000));
+        }
+      } catch {}
+    }
+
+    // Forward response to client
+    const responseHeaders = {};
+    for (const [key, value] of upstreamRes.headers.entries()) {
+      if (key === 'transfer-encoding' || key === 'connection') continue;
+      responseHeaders[key] = value;
+    }
+    res.writeHead(upstreamRes.status, responseHeaders);
+    res.end(responseBody);
+  } catch (err) {
+    console.error('[TeamClaude] Token refresh proxy error:', err.message);
+    if (!res.headersSent) {
+      res.writeHead(502, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({
+        type: 'error',
+        error: { type: 'proxy_error', message: `Token refresh failed: ${err.message}` },
+      }));
+    }
+  }
+}
+
 function logTimestamp() {
   const d = new Date();
   const pad = (n, w = 2) => String(n).padStart(w, '0');
@@ -131,6 +208,7 @@ async function forwardRequest(req, res, body, accountManager, upstream, retryCou
   }
 
   // Build upstream request headers
+  const isOAuth = account.type === 'oauth';
   const headers = {};
   for (const [key, value] of Object.entries(req.headers)) {
     const lk = key.toLowerCase();
@@ -141,7 +219,18 @@ async function forwardRequest(req, res, body, accountManager, upstream, retryCou
     if (lk === 'accept-encoding') continue;
     headers[key] = value;
   }
-  headers['x-api-key'] = account.credential;
+
+  if (isOAuth) {
+    headers['authorization'] = `Bearer ${account.credential}`;
+  } else {
+    headers['x-api-key'] = account.credential;
+  }
+
+  // Capture fresh Bearer tokens from the client to keep stored credentials up to date
+  const clientBearer = req.headers['authorization']?.match(/^Bearer (.+)/i)?.[1];
+  if (clientBearer) {
+    accountManager.captureClientToken(clientBearer);
+  }
 
   const upstreamUrl = `${upstream}${req.url}`;
   const method = req.method;
@@ -150,10 +239,13 @@ async function forwardRequest(req, res, body, accountManager, upstream, retryCou
   const logSections = [];
   if (logDir) {
     const safeHeaders = { ...headers };
-    // Mask the credential in logs
+    // Mask credentials in logs
     if (safeHeaders['x-api-key']) {
       safeHeaders['x-api-key'] = safeHeaders['x-api-key'].slice(0, 15) + '...';
     }
+    if (safeHeaders['authorization']) {
+      safeHeaders['authorization'] = safeHeaders['authorization'].slice(0, 20) + '...';
+    }
     logSections.push(
       `=== REQUEST (account: ${account.name}, retry: ${retryCount}) ===\n${method} ${upstreamUrl}\n${formatHeaders(safeHeaders)}`,
     );