npm - @lifeaitools/clauth - Versions diffs - 1.5.25 → 1.5.27 - Mend

@lifeaitools/clauth 1.5.25 → 1.5.27

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/cli/commands/serve.js +16 -207
package/package.json +1 -1

package/cli/commands/serve.js CHANGED Viewed

@@ -2934,158 +2934,21 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
       return res.end();
     }
-    // ── OAuth Discovery (RFC 9728 + RFC 8414) ──────────────
-    // claude.ai probes these for ALL remote MCP connections.
-    // resource MUST match the connector URL configured in claude.ai.
-    // /.well-known/oauth-protected-resource/gws → resource=/gws
-    // /.well-known/oauth-protected-resource/sse → resource=/sse
-    // /.well-known/oauth-protected-resource     → resource=/sse (default)
-    if (reqPath.startsWith("/.well-known/oauth-protected-resource")) {
-      const base = oauthBase();
-      const suffix = reqPath.replace("/.well-known/oauth-protected-resource", "").replace(/^\//, "");
-      const resourcePath = suffix && ["/gws", "/clauth", "/mcp", "/sse"].includes("/" + suffix) ? "/" + suffix : "/clauth";
-      res.writeHead(200, { "Content-Type": "application/json", ...CORS });
-      return res.end(JSON.stringify({
-        resource: `${base}${resourcePath}`,
-        authorization_servers: [base],
-        scopes_supported: ["mcp:tools"],
-        bearer_methods_supported: ["header"],
-      }));
-    }
-    if (reqPath === "/.well-known/oauth-authorization-server") {
-      const base = oauthBase();
-      res.writeHead(200, { "Content-Type": "application/json", ...CORS });
-      return res.end(JSON.stringify({
-        issuer: base,
-        authorization_endpoint: `${base}/authorize`,
-        token_endpoint: `${base}/token`,
-        registration_endpoint: `${base}/register`,
-        response_types_supported: ["code"],
-        grant_types_supported: ["authorization_code", "client_credentials"],
-        code_challenge_methods_supported: ["S256"],
-        scopes_supported: ["mcp:tools"],
-      }));
-    }
-    // ── Dynamic Client Registration (RFC 7591) ──────────────
-    if (method === "POST" && reqPath === "/register") {
-      let body;
-      try { body = await readBody(req); } catch {
-        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
-        return res.end(JSON.stringify({ error: "invalid_request" }));
-      }
-      const clientId = crypto.randomBytes(16).toString("hex");
-      const clientSecret = crypto.randomBytes(32).toString("hex");
-      const client = {
-        client_id: clientId, client_secret: clientSecret,
-        client_name: body.client_name || "unknown",
-        redirect_uris: body.redirect_uris || [],
-        grant_types: body.grant_types || ["authorization_code"],
-        response_types: body.response_types || ["code"],
-        token_endpoint_auth_method: body.token_endpoint_auth_method || "client_secret_post",
-      };
-      oauthClients.set(clientId, client);
-      const logMsg = `[${new Date().toISOString()}] OAuth: registered client ${clientId} (${client.client_name})\n`;
-      try { fs.appendFileSync(LOG_FILE, logMsg); } catch {}
-      res.writeHead(201, { "Content-Type": "application/json", ...CORS });
-      return res.end(JSON.stringify(client));
-    }
-    // ── Authorization endpoint — auto-approve ──────────────
-    if (method === "GET" && reqPath === "/authorize") {
-      const clientId = url.searchParams.get("client_id");
-      const redirectUri = url.searchParams.get("redirect_uri");
-      const state = url.searchParams.get("state");
-      const codeChallenge = url.searchParams.get("code_challenge");
-      const codeChallengeMethod = url.searchParams.get("code_challenge_method");
-      if (!clientId || !redirectUri) {
-        res.writeHead(400, { "Content-Type": "text/plain", ...CORS });
-        return res.end("Missing client_id or redirect_uri");
-      }
-      const code = crypto.randomBytes(32).toString("hex");
-      oauthCodes.set(code, {
-        client_id: clientId, redirect_uri: redirectUri,
-        code_challenge: codeChallenge, code_challenge_method: codeChallengeMethod,
-        expires: Date.now() + 300_000,
-      });
-      const redirect = new URL(redirectUri);
-      redirect.searchParams.set("code", code);
-      if (state) redirect.searchParams.set("state", state);
-      const logMsg = `[${new Date().toISOString()}] OAuth: authorize → code issued for ${clientId}, redirecting to ${redirect.origin}\n`;
-      try { fs.appendFileSync(LOG_FILE, logMsg); } catch {}
-      res.writeHead(302, { Location: redirect.toString(), ...CORS });
-      return res.end();
+    // ── OAuth Discovery — 404 all endpoints ──────────────
+    // claude.ai probes well-known for remote MCP. If it gets 200, it insists on
+    // completing OAuth (which succeeds server-side but claude.ai never uses the token).
+    // Returning 404 makes claude.ai skip OAuth and connect directly.
+    if (reqPath.startsWith("/.well-known/oauth-protected-resource") ||
+        reqPath === "/.well-known/oauth-authorization-server") {
+      res.writeHead(404, { "Content-Type": "application/json", ...CORS });
+      return res.end(JSON.stringify({ error: "not_found" }));
     }
-    // ── Token endpoint ──────────────────────────────────────
-    if (method === "POST" && reqPath === "/token") {
-      let body;
-      const ct = req.headers["content-type"] || "";
-      try {
-        if (ct.includes("application/json")) {
-          body = await readBody(req);
-        } else {
-          const raw = await readRawBody(req);
-          body = Object.fromEntries(new URLSearchParams(raw));
-        }
-      } catch {
-        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
-        return res.end(JSON.stringify({ error: "invalid_request" }));
-      }
-      // client_credentials grant — skip authorize/redirect, just issue token from client_id+secret
-      if (body.grant_type === "client_credentials") {
-        const cid = body.client_id;
-        const csec = body.client_secret;
-        if (cid === OAUTH_CLIENT_ID && csec === OAUTH_CLIENT_SECRET) {
-          const accessToken = crypto.randomBytes(32).toString("hex");
-          oauthTokens.add(accessToken);
-          saveTokens(oauthTokens);
-          const logMsg = `[${new Date().toISOString()}] OAuth: client_credentials token issued for ${cid.slice(0,8)}… (token=${accessToken.slice(0,8)}…)\n`;
-          try { fs.appendFileSync(LOG_FILE, logMsg); } catch {}
-          res.writeHead(200, { "Content-Type": "application/json", ...CORS });
-          return res.end(JSON.stringify({ access_token: accessToken, token_type: "Bearer", expires_in: 86400, scope: "mcp:tools" }));
-        }
-        res.writeHead(401, { "Content-Type": "application/json", ...CORS });
-        return res.end(JSON.stringify({ error: "invalid_client" }));
-      }
-      if (body.grant_type !== "authorization_code") {
-        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
-        return res.end(JSON.stringify({ error: "unsupported_grant_type" }));
-      }
-      const stored = oauthCodes.get(body.code);
-      if (!stored || stored.expires < Date.now()) {
-        oauthCodes.delete(body.code);
-        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
-        return res.end(JSON.stringify({ error: "invalid_grant" }));
-      }
-      // PKCE verification
-      if (stored.code_challenge && body.code_verifier) {
-        const computed = sha256base64url(body.code_verifier);
-        if (computed !== stored.code_challenge) {
-          oauthCodes.delete(body.code);
-          res.writeHead(400, { "Content-Type": "application/json", ...CORS });
-          return res.end(JSON.stringify({ error: "invalid_grant", error_description: "PKCE verification failed" }));
-        }
-      }
-      oauthCodes.delete(body.code);
-      const accessToken = crypto.randomBytes(32).toString("hex");
-      oauthTokens.add(accessToken);
-      saveTokens(oauthTokens);
-      const logMsg = `[${new Date().toISOString()}] OAuth: token issued for client ${stored.client_id} (token=${accessToken.slice(0,8)}…)\n`;
-      try { fs.appendFileSync(LOG_FILE, logMsg); } catch {}
-      res.writeHead(200, { "Content-Type": "application/json", ...CORS });
-      return res.end(JSON.stringify({ access_token: accessToken, token_type: "Bearer", expires_in: 86400 }));
+    if ((method === "POST" && reqPath === "/register") ||
+        (method === "GET"  && reqPath === "/authorize") ||
+        (method === "POST" && reqPath === "/token")) {
+      res.writeHead(404, { "Content-Type": "application/json", ...CORS });
+      return res.end(JSON.stringify({ error: "not_found" }));
     }
     // ── MCP path helpers ──
@@ -3103,44 +2966,11 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
     }
     // ── MCP endpoint auth ──
-    // Tunnel requests (Host = tunnel hostname) MUST have Bearer token → 401 triggers OAuth.
-    // Local requests (Host = 127.0.0.1) pass through without auth.
+    // No 401 gate — tunnel URL is the shared secret. Accept all connections.
+    // If Bearer token present, mark as remote for vault scoping.
     if (method === "POST" && (reqPath === "/sse" || isMcpPath)) {
       const authHeader = req.headers.authorization;
-      const host = (req.headers.host || "").split(":")[0];
-      const isTunnelReq = tunnelUrl && host !== "127.0.0.1" && host !== "localhost" && host !== "::1";
-      const authLogMsg = [
-        `[${new Date().toISOString()}] MCP POST ${reqPath}`,
-        `  Host: ${req.headers.host || "(none)"} (tunnel=${isTunnelReq})`,
-        `  Authorization: ${authHeader ? (authHeader.startsWith("Bearer ") ? `Bearer ${authHeader.slice(7, 15)}… (known=${oauthTokens.has(authHeader.slice(7))})` : authHeader.slice(0, 30) + "…") : "(none)"}`,
-        `  mcp-protocol-version: ${req.headers["mcp-protocol-version"] || "(not set)"}`,
-        `  accept: ${req.headers["accept"] || "(not set)"}`,
-      ].join("\n") + "\n";
-      try { fs.appendFileSync(LOG_FILE, authLogMsg); } catch {}
-      if (isTunnelReq) {
-        if (!authHeader || !authHeader.startsWith("Bearer ")) {
-          const base = oauthBase();
-          const logMsg = `[${new Date().toISOString()}] OAuth: 401 → requiring auth for tunnel POST ${reqPath}\n`;
-          try { fs.appendFileSync(LOG_FILE, logMsg); } catch {}
-          res.writeHead(401, {
-            "Content-Type": "application/json",
-            "WWW-Authenticate": `Bearer resource_metadata="${base}/.well-known/oauth-protected-resource"`,
-            ...CORS,
-          });
-          return res.end(JSON.stringify({ error: "unauthorized" }));
-        }
-        const token = authHeader.slice(7);
-        // Accept: OAuth-issued tokens OR the stable client_secret directly
-        const isValidToken = oauthTokens.has(token) || token === OAUTH_CLIENT_SECRET;
-        if (!isValidToken) {
-          const logMsg = `[${new Date().toISOString()}] OAuth: REJECTED token ${token.slice(0,8)}… (pool=${oauthTokens.size}, secret=${token === OAUTH_CLIENT_SECRET})\n`;
-          try { fs.appendFileSync(LOG_FILE, logMsg); } catch {}
-          res.writeHead(401, { "Content-Type": "application/json", ...CORS });
-          return res.end(JSON.stringify({ error: "invalid_token" }));
-        }
-        req._clauthRemote = true;
-      } else if (authHeader?.startsWith("Bearer ")) {
+      if (authHeader?.startsWith("Bearer ")) {
         const token = authHeader.slice(7);
         if (oauthTokens.has(token) || token === OAUTH_CLIENT_SECRET) {
           req._clauthRemote = true;
@@ -3207,28 +3037,7 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
     // ── MCP SSE transport — /sse and namespaced paths ────
     // GET /sse|/gws|/clauth — open SSE stream, receive endpoint event
-    // Tunnel requests require Bearer token (same as POST above)
     if (method === "GET" && (reqPath === "/sse" || isMcpPath)) {
-      const authHeader = req.headers.authorization;
-      const host = (req.headers.host || "").split(":")[0];
-      const isTunnelReq = tunnelUrl && host !== "127.0.0.1" && host !== "localhost" && host !== "::1";
-      if (isTunnelReq) {
-        if (!authHeader || !authHeader.startsWith("Bearer ")) {
-          const base = oauthBase();
-          res.writeHead(401, {
-            "Content-Type": "application/json",
-            "WWW-Authenticate": `Bearer resource_metadata="${base}/.well-known/oauth-protected-resource"`,
-            ...CORS,
-          });
-          return res.end(JSON.stringify({ error: "unauthorized" }));
-        }
-        const sseToken = authHeader.slice(7);
-        if (!oauthTokens.has(sseToken) && sseToken !== OAUTH_CLIENT_SECRET) {
-          res.writeHead(401, { "Content-Type": "application/json", ...CORS });
-          return res.end(JSON.stringify({ error: "invalid_token" }));
-        }
-        // Token valid — mark as remote
-      }
       const sessionId = `ses_${++sseCounter}_${Date.now()}`;
       res.writeHead(200, {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@lifeaitools/clauth",
-  "version": "1.5.25",
+  "version": "1.5.27",
   "description": "Hardware-bound credential vault for the LIFEAI infrastructure stack",
   "type": "module",
   "bin": {