@lifeaitools/clauth 1.5.29 → 1.5.31

package/cli/commands/serve.js

@@ -2944,116 +2944,10 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
       return res.end(JSON.stringify({ error: "not_found" }));
     }
 
-    // ── Dynamic Client Registration — DISABLED ──────────────
-    // claude.ai's OAuth authorization_code flow is bugged (token issued, never used).
-    // If /register returns 201, claude.ai starts OAuth and fails.
-    // If /register returns 404, claude.ai falls back to authless (which works).
-    if (method === "POST" && reqPath === "/register") {
-      res.writeHead(404, { "Content-Type": "application/json", ...CORS });
-      return res.end(JSON.stringify({ error: "not_found" }));
-    }
-
-    // ── Dynamic Client Registration (kept for future use) ──────────────
-    if (false && method === "POST" && reqPath === "/register") {
-      let body;
-      try { body = await readBody(req); } catch {
-        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
-        return res.end(JSON.stringify({ error: "invalid_request" }));
-      }
-      const clientId = crypto.randomBytes(16).toString("hex");
-      const clientSecret = crypto.randomBytes(32).toString("hex");
-      const client = {
-        client_id: clientId, client_secret: clientSecret,
-        client_name: body.client_name || "unknown",
-        redirect_uris: body.redirect_uris || [],
-        grant_types: body.grant_types || ["authorization_code"],
-        response_types: body.response_types || ["code"],
-        token_endpoint_auth_method: body.token_endpoint_auth_method || "client_secret_post",
-      };
-      oauthClients.set(clientId, client);
-      const logMsg = `[${new Date().toISOString()}] OAuth: registered client ${clientId} (${client.client_name})\n`;
-      try { fs.appendFileSync(LOG_FILE, logMsg); } catch {}
-      res.writeHead(201, { "Content-Type": "application/json", ...CORS });
-      return res.end(JSON.stringify(client));
-    }
-
-    // ── Authorization endpoint — auto-approve ──────────────
-    if (method === "GET" && reqPath === "/authorize") {
-      const clientId = url.searchParams.get("client_id");
-      const redirectUri = url.searchParams.get("redirect_uri");
-      const state = url.searchParams.get("state");
-      const codeChallenge = url.searchParams.get("code_challenge");
-
-      if (!clientId || !redirectUri) {
-        res.writeHead(400, { "Content-Type": "text/plain", ...CORS });
-        return res.end("Missing client_id or redirect_uri");
-      }
-
-      const code = crypto.randomBytes(32).toString("hex");
-      oauthCodes.set(code, {
-        client_id: clientId, redirect_uri: redirectUri,
-        code_challenge: codeChallenge,
-        expires: Date.now() + 300_000,
-      });
-
-      const redirect = new URL(redirectUri);
-      redirect.searchParams.set("code", code);
-      if (state) redirect.searchParams.set("state", state);
-
-      const logMsg = `[${new Date().toISOString()}] OAuth: authorize → code for ${clientId}, redirect to ${redirect.origin}\n`;
-      try { fs.appendFileSync(LOG_FILE, logMsg); } catch {}
-      res.writeHead(302, { Location: redirect.toString(), ...CORS });
-      return res.end();
-    }
-
-    // ── Token endpoint ──────────────────────────────────────
-    if (method === "POST" && reqPath === "/token") {
-      let body;
-      const ct = req.headers["content-type"] || "";
-      try {
-        if (ct.includes("application/json")) {
-          body = await readBody(req);
-        } else {
-          const raw = await readRawBody(req);
-          body = Object.fromEntries(new URLSearchParams(raw));
-        }
-      } catch {
-        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
-        return res.end(JSON.stringify({ error: "invalid_request" }));
-      }
-
-      if (body.grant_type !== "authorization_code") {
-        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
-        return res.end(JSON.stringify({ error: "unsupported_grant_type" }));
-      }
-
-      const stored = oauthCodes.get(body.code);
-      if (!stored || stored.expires < Date.now()) {
-        oauthCodes.delete(body.code);
-        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
-        return res.end(JSON.stringify({ error: "invalid_grant" }));
-      }
-
-      // PKCE verification
-      if (stored.code_challenge && body.code_verifier) {
-        const computed = sha256base64url(body.code_verifier);
-        if (computed !== stored.code_challenge) {
-          oauthCodes.delete(body.code);
-          res.writeHead(400, { "Content-Type": "application/json", ...CORS });
-          return res.end(JSON.stringify({ error: "invalid_grant", error_description: "PKCE failed" }));
-        }
-      }
-
-      oauthCodes.delete(body.code);
-      const accessToken = crypto.randomBytes(32).toString("hex");
-      oauthTokens.add(accessToken);
-      saveTokens(oauthTokens);
-
-      const logMsg = `[${new Date().toISOString()}] OAuth: token issued for ${stored.client_id} (token=${accessToken.slice(0,8)}…)\n`;
-      try { fs.appendFileSync(LOG_FILE, logMsg); } catch {}
-      res.writeHead(200, { "Content-Type": "application/json", ...CORS });
-      return res.end(JSON.stringify({ access_token: accessToken, token_type: "Bearer", scope: "mcp:tools", expires_in: 86400 }));
-    }
+    // ── OAuth endpoints REMOVED ──────────────
+    // claude.ai's OAuth is bugged (token issued, never used — anthropics/claude-code#46140).
+    // regen-media works because it has NO OAuth handlers at all.
+    // These paths fall through to the catch-all 404 at the bottom.
 
     // ── MCP path helpers ──
     const MCP_PATHS = ["/mcp", "/gws", "/clauth"];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lifeaitools/clauth",
-  "version": "1.5.29",
+  "version": "1.5.31",
   "description": "Hardware-bound credential vault for the LIFEAI infrastructure stack",
   "type": "module",
   "bin": {