@lifeaitools/clauth 1.5.18 → 1.5.19
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/cli/commands/serve.js +128 -11
- package/package.json +1 -1
package/cli/commands/serve.js
CHANGED
|
@@ -2878,19 +2878,136 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
|
|
|
2878
2878
|
return res.end();
|
|
2879
2879
|
}
|
|
2880
2880
|
|
|
2881
|
-
// ── OAuth Discovery
|
|
2882
|
-
|
|
2883
|
-
|
|
2884
|
-
|
|
2885
|
-
|
|
2881
|
+
// ── OAuth Discovery (RFC 9728 + RFC 8414) ──────────────
|
|
2882
|
+
// claude.ai probes these for ALL remote MCP connections.
|
|
2883
|
+
// resource MUST match the connector URL configured in claude.ai (/sse).
|
|
2884
|
+
if (reqPath.startsWith("/.well-known/oauth-protected-resource")) {
|
|
2885
|
+
const base = oauthBase();
|
|
2886
|
+
res.writeHead(200, { "Content-Type": "application/json", ...CORS });
|
|
2887
|
+
return res.end(JSON.stringify({
|
|
2888
|
+
resource: `${base}/sse`,
|
|
2889
|
+
authorization_servers: [base],
|
|
2890
|
+
scopes_supported: ["mcp:tools"],
|
|
2891
|
+
bearer_methods_supported: ["header"],
|
|
2892
|
+
}));
|
|
2886
2893
|
}
|
|
2887
2894
|
|
|
2888
|
-
|
|
2889
|
-
|
|
2890
|
-
|
|
2891
|
-
|
|
2892
|
-
|
|
2893
|
-
|
|
2895
|
+
if (reqPath === "/.well-known/oauth-authorization-server") {
|
|
2896
|
+
const base = oauthBase();
|
|
2897
|
+
res.writeHead(200, { "Content-Type": "application/json", ...CORS });
|
|
2898
|
+
return res.end(JSON.stringify({
|
|
2899
|
+
issuer: base,
|
|
2900
|
+
authorization_endpoint: `${base}/authorize`,
|
|
2901
|
+
token_endpoint: `${base}/token`,
|
|
2902
|
+
registration_endpoint: `${base}/register`,
|
|
2903
|
+
response_types_supported: ["code"],
|
|
2904
|
+
grant_types_supported: ["authorization_code"],
|
|
2905
|
+
code_challenge_methods_supported: ["S256"],
|
|
2906
|
+
scopes_supported: ["mcp:tools"],
|
|
2907
|
+
}));
|
|
2908
|
+
}
|
|
2909
|
+
|
|
2910
|
+
// ── Dynamic Client Registration (RFC 7591) ──────────────
|
|
2911
|
+
if (method === "POST" && reqPath === "/register") {
|
|
2912
|
+
let body;
|
|
2913
|
+
try { body = await readBody(req); } catch {
|
|
2914
|
+
res.writeHead(400, { "Content-Type": "application/json", ...CORS });
|
|
2915
|
+
return res.end(JSON.stringify({ error: "invalid_request" }));
|
|
2916
|
+
}
|
|
2917
|
+
const clientId = crypto.randomBytes(16).toString("hex");
|
|
2918
|
+
const clientSecret = crypto.randomBytes(32).toString("hex");
|
|
2919
|
+
const client = {
|
|
2920
|
+
client_id: clientId, client_secret: clientSecret,
|
|
2921
|
+
client_name: body.client_name || "unknown",
|
|
2922
|
+
redirect_uris: body.redirect_uris || [],
|
|
2923
|
+
grant_types: body.grant_types || ["authorization_code"],
|
|
2924
|
+
response_types: body.response_types || ["code"],
|
|
2925
|
+
token_endpoint_auth_method: body.token_endpoint_auth_method || "client_secret_post",
|
|
2926
|
+
};
|
|
2927
|
+
oauthClients.set(clientId, client);
|
|
2928
|
+
const logMsg = `[${new Date().toISOString()}] OAuth: registered client ${clientId} (${client.client_name})\n`;
|
|
2929
|
+
try { fs.appendFileSync(LOG_FILE, logMsg); } catch {}
|
|
2930
|
+
res.writeHead(201, { "Content-Type": "application/json", ...CORS });
|
|
2931
|
+
return res.end(JSON.stringify(client));
|
|
2932
|
+
}
|
|
2933
|
+
|
|
2934
|
+
// ── Authorization endpoint — auto-approve ──────────────
|
|
2935
|
+
if (method === "GET" && reqPath === "/authorize") {
|
|
2936
|
+
const clientId = url.searchParams.get("client_id");
|
|
2937
|
+
const redirectUri = url.searchParams.get("redirect_uri");
|
|
2938
|
+
const state = url.searchParams.get("state");
|
|
2939
|
+
const codeChallenge = url.searchParams.get("code_challenge");
|
|
2940
|
+
const codeChallengeMethod = url.searchParams.get("code_challenge_method");
|
|
2941
|
+
|
|
2942
|
+
if (!clientId || !redirectUri) {
|
|
2943
|
+
res.writeHead(400, { "Content-Type": "text/plain", ...CORS });
|
|
2944
|
+
return res.end("Missing client_id or redirect_uri");
|
|
2945
|
+
}
|
|
2946
|
+
|
|
2947
|
+
const code = crypto.randomBytes(32).toString("hex");
|
|
2948
|
+
oauthCodes.set(code, {
|
|
2949
|
+
client_id: clientId, redirect_uri: redirectUri,
|
|
2950
|
+
code_challenge: codeChallenge, code_challenge_method: codeChallengeMethod,
|
|
2951
|
+
expires: Date.now() + 300_000,
|
|
2952
|
+
});
|
|
2953
|
+
|
|
2954
|
+
const redirect = new URL(redirectUri);
|
|
2955
|
+
redirect.searchParams.set("code", code);
|
|
2956
|
+
if (state) redirect.searchParams.set("state", state);
|
|
2957
|
+
|
|
2958
|
+
const logMsg = `[${new Date().toISOString()}] OAuth: authorize → code issued for ${clientId}, redirecting to ${redirect.origin}\n`;
|
|
2959
|
+
try { fs.appendFileSync(LOG_FILE, logMsg); } catch {}
|
|
2960
|
+
res.writeHead(302, { Location: redirect.toString(), ...CORS });
|
|
2961
|
+
return res.end();
|
|
2962
|
+
}
|
|
2963
|
+
|
|
2964
|
+
// ── Token endpoint ──────────────────────────────────────
|
|
2965
|
+
if (method === "POST" && reqPath === "/token") {
|
|
2966
|
+
let body;
|
|
2967
|
+
const ct = req.headers["content-type"] || "";
|
|
2968
|
+
try {
|
|
2969
|
+
if (ct.includes("application/json")) {
|
|
2970
|
+
body = await readBody(req);
|
|
2971
|
+
} else {
|
|
2972
|
+
const raw = await readRawBody(req);
|
|
2973
|
+
body = Object.fromEntries(new URLSearchParams(raw));
|
|
2974
|
+
}
|
|
2975
|
+
} catch {
|
|
2976
|
+
res.writeHead(400, { "Content-Type": "application/json", ...CORS });
|
|
2977
|
+
return res.end(JSON.stringify({ error: "invalid_request" }));
|
|
2978
|
+
}
|
|
2979
|
+
|
|
2980
|
+
if (body.grant_type !== "authorization_code") {
|
|
2981
|
+
res.writeHead(400, { "Content-Type": "application/json", ...CORS });
|
|
2982
|
+
return res.end(JSON.stringify({ error: "unsupported_grant_type" }));
|
|
2983
|
+
}
|
|
2984
|
+
|
|
2985
|
+
const stored = oauthCodes.get(body.code);
|
|
2986
|
+
if (!stored || stored.expires < Date.now()) {
|
|
2987
|
+
oauthCodes.delete(body.code);
|
|
2988
|
+
res.writeHead(400, { "Content-Type": "application/json", ...CORS });
|
|
2989
|
+
return res.end(JSON.stringify({ error: "invalid_grant" }));
|
|
2990
|
+
}
|
|
2991
|
+
|
|
2992
|
+
// PKCE verification
|
|
2993
|
+
if (stored.code_challenge && body.code_verifier) {
|
|
2994
|
+
const computed = sha256base64url(body.code_verifier);
|
|
2995
|
+
if (computed !== stored.code_challenge) {
|
|
2996
|
+
oauthCodes.delete(body.code);
|
|
2997
|
+
res.writeHead(400, { "Content-Type": "application/json", ...CORS });
|
|
2998
|
+
return res.end(JSON.stringify({ error: "invalid_grant", error_description: "PKCE verification failed" }));
|
|
2999
|
+
}
|
|
3000
|
+
}
|
|
3001
|
+
|
|
3002
|
+
oauthCodes.delete(body.code);
|
|
3003
|
+
const accessToken = crypto.randomBytes(32).toString("hex");
|
|
3004
|
+
oauthTokens.add(accessToken);
|
|
3005
|
+
saveTokens(oauthTokens);
|
|
3006
|
+
|
|
3007
|
+
const logMsg = `[${new Date().toISOString()}] OAuth: token issued for client ${stored.client_id} (token=${accessToken.slice(0,8)}…)\n`;
|
|
3008
|
+
try { fs.appendFileSync(LOG_FILE, logMsg); } catch {}
|
|
3009
|
+
res.writeHead(200, { "Content-Type": "application/json", ...CORS });
|
|
3010
|
+
return res.end(JSON.stringify({ access_token: accessToken, token_type: "Bearer", expires_in: 86400 }));
|
|
2894
3011
|
}
|
|
2895
3012
|
|
|
2896
3013
|
// ── MCP path helpers ──
|