@lifeaitools/clauth 1.5.14 → 1.5.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/cli/commands/serve.js +13 -14
  2. package/package.json +1 -1
package/cli/commands/serve.js CHANGED
@@ -2880,17 +2880,19 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
2880
2880
 
2881
2881
  // ── OAuth Discovery (RFC 9728 + RFC 8414) ──────────────
2882
2882
  if (reqPath.startsWith("/.well-known/oauth-protected-resource")) {
2883
- const base = oauthBase();
2884
- // Derive resource URL from the well-known path suffix
2885
- // /.well-known/oauth-protected-resource → /mcp
2886
- // /.well-known/oauth-protected-resource/mcp → /mcp
2887
- // /.well-known/oauth-protected-resource/gws → /gws
2888
- // /.well-known/oauth-protected-resource/clauth → /clauth
2883
+ // Only advertise OAuth for /mcp — /gws and /clauth are open (no OAuth).
2884
+ // Advertising OAuth on open paths causes claude.ai to do an OAuth dance,
2885
+ // get a token, then have no retry context (since the original 200 wasn't a 401).
2889
2886
  const suffix = reqPath.replace("/.well-known/oauth-protected-resource", "").replace(/^\//, "") || "mcp";
2890
- const resourcePath = suffix === "sse" ? "mcp" : suffix;
2887
+ if (suffix !== "mcp" && suffix !== "") {
2888
+ // Path-specific OAuth metadata requested for a non-mcp path — 404 it
2889
+ res.writeHead(404, { "Content-Type": "application/json", ...CORS });
2890
+ return res.end(JSON.stringify({ error: "not_found" }));
2891
+ }
2892
+ const base = oauthBase();
2891
2893
  res.writeHead(200, { "Content-Type": "application/json", ...CORS });
2892
2894
  return res.end(JSON.stringify({
2893
- resource: `${base}/${resourcePath}`,
2895
+ resource: `${base}/mcp`,
2894
2896
  authorization_servers: [base],
2895
2897
  scopes_supported: ["mcp:tools"],
2896
2898
  bearer_methods_supported: ["header"],
@@ -3069,16 +3071,13 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
3069
3071
  }
3070
3072
 
3071
3073
  if (rpcMethod === "initialize") {
3072
- // Echo back the client's requested protocol version (negotiate down if needed)
3073
- const clientVersion = req.headers["mcp-protocol-version"] || body.params?.protocolVersion || "2025-03-26";
3074
- const SUPPORTED = ["2025-11-25", "2025-03-26"];
3075
- const protocolVersion = SUPPORTED.includes(clientVersion) ? clientVersion : "2025-03-26";
3074
+ // Always return 2025-03-26 returning 2025-11-25 causes claude.ai to require OAuth
3076
3075
  const result = {
3077
- protocolVersion,
3076
+ protocolVersion: "2025-03-26",
3078
3077
  serverInfo: { name: serverNameForPath(reqPath), version: VERSION },
3079
3078
  capabilities: { tools: {} }
3080
3079
  };
3081
- res.writeHead(200, { "Content-Type": "application/json", "mcp-protocol-version": protocolVersion, ...CORS });
3080
+ res.writeHead(200, { "Content-Type": "application/json", ...CORS });
3082
3081
  return res.end(JSON.stringify({ jsonrpc: "2.0", id, result }));
3083
3082
  }
3084
3083
 
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@lifeaitools/clauth",
3
- "version": "1.5.14",
3
+ "version": "1.5.16",
4
4
  "description": "Hardware-bound credential vault for the LIFEAI infrastructure stack",
5
5
  "type": "module",
6
6
  "bin": {