@lifeaitools/clauth 1.5.16 → 1.5.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/cli/commands/serve.js +5 -34
  2. package/package.json +1 -1
package/cli/commands/serve.js CHANGED
@@ -2878,40 +2878,11 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
2878
2878
  return res.end();
2879
2879
  }
2880
2880
 
2881
- // ── OAuth Discovery (RFC 9728 + RFC 8414) ──────────────
2882
- if (reqPath.startsWith("/.well-known/oauth-protected-resource")) {
2883
- // Only advertise OAuth for /mcp — /gws and /clauth are open (no OAuth).
2884
- // Advertising OAuth on open paths causes claude.ai to do an OAuth dance,
2885
- // get a token, then have no retry context (since the original 200 wasn't a 401).
2886
- const suffix = reqPath.replace("/.well-known/oauth-protected-resource", "").replace(/^\//, "") || "mcp";
2887
- if (suffix !== "mcp" && suffix !== "") {
2888
- // Path-specific OAuth metadata requested for a non-mcp path — 404 it
2889
- res.writeHead(404, { "Content-Type": "application/json", ...CORS });
2890
- return res.end(JSON.stringify({ error: "not_found" }));
2891
- }
2892
- const base = oauthBase();
2893
- res.writeHead(200, { "Content-Type": "application/json", ...CORS });
2894
- return res.end(JSON.stringify({
2895
- resource: `${base}/mcp`,
2896
- authorization_servers: [base],
2897
- scopes_supported: ["mcp:tools"],
2898
- bearer_methods_supported: ["header"],
2899
- }));
2900
- }
2901
-
2902
- if (reqPath === "/.well-known/oauth-authorization-server") {
2903
- const base = oauthBase();
2904
- res.writeHead(200, { "Content-Type": "application/json", ...CORS });
2905
- return res.end(JSON.stringify({
2906
- issuer: base,
2907
- authorization_endpoint: `${base}/authorize`,
2908
- token_endpoint: `${base}/token`,
2909
- registration_endpoint: `${base}/register`,
2910
- response_types_supported: ["code"],
2911
- grant_types_supported: ["authorization_code"],
2912
- code_challenge_methods_supported: ["S256"],
2913
- scopes_supported: ["mcp:tools"],
2914
- }));
2881
+ // ── OAuth Discovery — disabled (causes claude.ai OAuth loop) ──────────────
2882
+ if (reqPath.startsWith("/.well-known/oauth-protected-resource") ||
2883
+ reqPath === "/.well-known/oauth-authorization-server") {
2884
+ res.writeHead(404, { "Content-Type": "application/json", ...CORS });
2885
+ return res.end(JSON.stringify({ error: "not_found" }));
2915
2886
  }
2916
2887
 
2917
2888
  // ── Dynamic Client Registration (RFC 7591) ──────────────
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@lifeaitools/clauth",
3
- "version": "1.5.16",
3
+ "version": "1.5.17",
4
4
  "description": "Hardware-bound credential vault for the LIFEAI infrastructure stack",
5
5
  "type": "module",
6
6
  "bin": {