@lifeaitools/clauth 1.5.13 → 1.5.14

package/cli/commands/serve.js

@@ -3029,41 +3029,23 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
       return "clauth";
     }
 
-    // ── MCP OAuth-protected endpoint (for claude.ai web) ──
-    // POST /mcp|/gws|/clauth — requires Bearer token; returns 401 to trigger OAuth flow
+    // ── MCP endpoint auth — log all incoming POSTs, accept with or without token ──
+    // /gws and /clauth are open (no OAuth gate) — tunnel URL is the shared secret.
+    // OAuth flow is still supported (tokens accepted when present) but not required.
     if (method === "POST" && isMcpPath) {
       const authHeader = req.headers.authorization;
-      // Detailed auth logging — helps diagnose claude.ai post-token failures
       const authLogMsg = [
         `[${new Date().toISOString()}] MCP POST ${reqPath}`,
         `  Authorization: ${authHeader ? (authHeader.startsWith("Bearer ") ? `Bearer ${authHeader.slice(7, 15)}… (known=${oauthTokens.has(authHeader.slice(7))})` : authHeader.slice(0, 30) + "…") : "(none)"}`,
         `  mcp-protocol-version: ${req.headers["mcp-protocol-version"] || "(not set)"}`,
         `  accept: ${req.headers["accept"] || "(not set)"}`,
-        `  x-forwarded-for: ${req.headers["x-forwarded-for"] || "(not set)"}`,
       ].join("\n") + "\n";
       try { fs.appendFileSync(LOG_FILE, authLogMsg); } catch {}
-
-      if (!authHeader || !authHeader.startsWith("Bearer ")) {
-        const base = oauthBase();
-        // Path-specific resource metadata URL so claude.ai gets the right resource URI
-        const pathName = reqPath === "/mcp" ? "mcp" : reqPath.slice(1);
-        res.writeHead(401, {
-          "Content-Type": "application/json",
-          "WWW-Authenticate": `Bearer resource_metadata="${base}/.well-known/oauth-protected-resource/${pathName}"`,
-          ...CORS,
-        });
-        return res.end(JSON.stringify({ error: "unauthorized" }));
-      }
-      const token = authHeader.slice(7);
-      if (!oauthTokens.has(token)) {
-        const badTokenLog = `[${new Date().toISOString()}] OAuth: REJECTED token ${token.slice(0,8)}… (pool size=${oauthTokens.size})\n`;
-        try { fs.appendFileSync(LOG_FILE, badTokenLog); } catch {}
-        res.writeHead(401, { "Content-Type": "application/json", ...CORS });
-        return res.end(JSON.stringify({ error: "invalid_token" }));
+      // Mark as remote if a valid token is present (for vault access scoping)
+      if (authHeader?.startsWith("Bearer ") && oauthTokens.has(authHeader.slice(7))) {
+        req._clauthRemote = true;
       }
-      // Token valid — mark as remote caller (claude.ai via tunnel)
-      req._clauthRemote = true;
-      // fall through to MCP handling below
+      // fall through to MCP handling — no 401 gate on these paths
     }
 
     // ── MCP Streamable HTTP transport (2025-03-26 spec) ──
@@ -3125,9 +3107,9 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
       return res.end(JSON.stringify({ jsonrpc: "2.0", id, error: { code: -32601, message: `Unknown method: ${rpcMethod}` } }));
     }
 
-    // ── MCP SSE transport (legacy) ───────────────────────
-    // GET /sse — open SSE stream, receive endpoint event
-    if (method === "GET" && reqPath === "/sse") {
+    // ── MCP SSE transport — /sse and namespaced paths ────
+    // GET /sse|/gws|/clauth — open SSE stream, receive endpoint event
+    if (method === "GET" && (reqPath === "/sse" || isMcpPath)) {
       const sessionId = `ses_${++sseCounter}_${Date.now()}`;
 
       res.writeHead(200, {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lifeaitools/clauth",
-  "version": "1.5.13",
+  "version": "1.5.14",
   "description": "Hardware-bound credential vault for the LIFEAI infrastructure stack",
   "type": "module",
   "bin": {