npm - @lifeaitools/clauth - Versions diffs - 1.5.27 → 1.5.28 - Mend

@lifeaitools/clauth 1.5.27 → 1.5.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/cli/commands/serve.js +104 -9
package/package.json +1 -1

package/cli/commands/serve.js CHANGED Viewed

@@ -2934,21 +2934,116 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
       return res.end();
     }
-    // ── OAuth Discovery — 404 all endpoints ──────────────
-    // claude.ai probes well-known for remote MCP. If it gets 200, it insists on
-    // completing OAuth (which succeeds server-side but claude.ai never uses the token).
-    // Returning 404 makes claude.ai skip OAuth and connect directly.
+    // ── OAuth Discovery — 404 well-known only ──────────────
+    // claude.ai ignores metadata endpoints and constructs /register, /authorize,
+    // /token from the domain root (issue #82). Keep well-known as 404 so claude.ai
+    // uses the fallback paths. OAuth endpoints below are live.
     if (reqPath.startsWith("/.well-known/oauth-protected-resource") ||
         reqPath === "/.well-known/oauth-authorization-server") {
       res.writeHead(404, { "Content-Type": "application/json", ...CORS });
       return res.end(JSON.stringify({ error: "not_found" }));
     }
-    if ((method === "POST" && reqPath === "/register") ||
-        (method === "GET"  && reqPath === "/authorize") ||
-        (method === "POST" && reqPath === "/token")) {
-      res.writeHead(404, { "Content-Type": "application/json", ...CORS });
-      return res.end(JSON.stringify({ error: "not_found" }));
+    // ── Dynamic Client Registration (RFC 7591) ──────────────
+    if (method === "POST" && reqPath === "/register") {
+      let body;
+      try { body = await readBody(req); } catch {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "invalid_request" }));
+      }
+      const clientId = crypto.randomBytes(16).toString("hex");
+      const clientSecret = crypto.randomBytes(32).toString("hex");
+      const client = {
+        client_id: clientId, client_secret: clientSecret,
+        client_name: body.client_name || "unknown",
+        redirect_uris: body.redirect_uris || [],
+        grant_types: body.grant_types || ["authorization_code"],
+        response_types: body.response_types || ["code"],
+        token_endpoint_auth_method: body.token_endpoint_auth_method || "client_secret_post",
+      };
+      oauthClients.set(clientId, client);
+      const logMsg = `[${new Date().toISOString()}] OAuth: registered client ${clientId} (${client.client_name})\n`;
+      try { fs.appendFileSync(LOG_FILE, logMsg); } catch {}
+      res.writeHead(201, { "Content-Type": "application/json", ...CORS });
+      return res.end(JSON.stringify(client));
+    }
+    // ── Authorization endpoint — auto-approve ──────────────
+    if (method === "GET" && reqPath === "/authorize") {
+      const clientId = url.searchParams.get("client_id");
+      const redirectUri = url.searchParams.get("redirect_uri");
+      const state = url.searchParams.get("state");
+      const codeChallenge = url.searchParams.get("code_challenge");
+      if (!clientId || !redirectUri) {
+        res.writeHead(400, { "Content-Type": "text/plain", ...CORS });
+        return res.end("Missing client_id or redirect_uri");
+      }
+      const code = crypto.randomBytes(32).toString("hex");
+      oauthCodes.set(code, {
+        client_id: clientId, redirect_uri: redirectUri,
+        code_challenge: codeChallenge,
+        expires: Date.now() + 300_000,
+      });
+      const redirect = new URL(redirectUri);
+      redirect.searchParams.set("code", code);
+      if (state) redirect.searchParams.set("state", state);
+      const logMsg = `[${new Date().toISOString()}] OAuth: authorize → code for ${clientId}, redirect to ${redirect.origin}\n`;
+      try { fs.appendFileSync(LOG_FILE, logMsg); } catch {}
+      res.writeHead(302, { Location: redirect.toString(), ...CORS });
+      return res.end();
+    }
+    // ── Token endpoint ──────────────────────────────────────
+    if (method === "POST" && reqPath === "/token") {
+      let body;
+      const ct = req.headers["content-type"] || "";
+      try {
+        if (ct.includes("application/json")) {
+          body = await readBody(req);
+        } else {
+          const raw = await readRawBody(req);
+          body = Object.fromEntries(new URLSearchParams(raw));
+        }
+      } catch {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "invalid_request" }));
+      }
+      if (body.grant_type !== "authorization_code") {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "unsupported_grant_type" }));
+      }
+      const stored = oauthCodes.get(body.code);
+      if (!stored || stored.expires < Date.now()) {
+        oauthCodes.delete(body.code);
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "invalid_grant" }));
+      }
+      // PKCE verification
+      if (stored.code_challenge && body.code_verifier) {
+        const computed = sha256base64url(body.code_verifier);
+        if (computed !== stored.code_challenge) {
+          oauthCodes.delete(body.code);
+          res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+          return res.end(JSON.stringify({ error: "invalid_grant", error_description: "PKCE failed" }));
+        }
+      }
+      oauthCodes.delete(body.code);
+      const accessToken = crypto.randomBytes(32).toString("hex");
+      oauthTokens.add(accessToken);
+      saveTokens(oauthTokens);
+      const logMsg = `[${new Date().toISOString()}] OAuth: token issued for ${stored.client_id} (token=${accessToken.slice(0,8)}…)\n`;
+      try { fs.appendFileSync(LOG_FILE, logMsg); } catch {}
+      res.writeHead(200, { "Content-Type": "application/json", ...CORS });
+      return res.end(JSON.stringify({ access_token: accessToken, token_type: "Bearer", scope: "mcp:tools", expires_in: 86400 }));
     }
     // ── MCP path helpers ──

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@lifeaitools/clauth",
-  "version": "1.5.27",
+  "version": "1.5.28",
   "description": "Hardware-bound credential vault for the LIFEAI infrastructure stack",
   "type": "module",
   "bin": {