@lifeaitools/clauth 1.5.31 → 1.5.32

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/cli/commands/serve.js +12 -4
  2. package/package.json +1 -1
package/cli/commands/serve.js CHANGED
@@ -2938,10 +2938,11 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
2938
2938
  // claude.ai ignores metadata endpoints and constructs /register, /authorize,
2939
2939
  // /token from the domain root (issue #82). Keep well-known as 404 so claude.ai
2940
2940
  // uses the fallback paths. OAuth endpoints below are live.
2941
+ // well-known OAuth discovery — HTML 404, no CORS, no JSON (match Express/regen-media)
2941
2942
  if (reqPath.startsWith("/.well-known/oauth-protected-resource") ||
2942
2943
  reqPath === "/.well-known/oauth-authorization-server") {
2943
- res.writeHead(404, { "Content-Type": "application/json", ...CORS });
2944
- return res.end(JSON.stringify({ error: "not_found" }));
2944
+ res.writeHead(404, { "Content-Type": "text/html; charset=utf-8" });
2945
+ return res.end("<!DOCTYPE html><html><head><title>404</title></head><body><h1>Not Found</h1></body></html>");
2945
2946
  }
2946
2947
 
2947
2948
  // ── OAuth endpoints REMOVED ──────────────
@@ -4301,11 +4302,18 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
4301
4302
  }
4302
4303
  }
4303
4304
 
4305
+ // OAuth paths — return plain HTML 404 (not JSON) to match Express/regen-media pattern.
4306
+ // claude.ai treats JSON 404 as "OAuth endpoint exists but errored" vs HTML 404 = "path doesn't exist"
4307
+ if (["/register", "/authorize", "/token"].includes(reqPath) ||
4308
+ reqPath.startsWith("/.well-known/oauth")) {
4309
+ res.writeHead(404, { "Content-Type": "text/html; charset=utf-8" });
4310
+ return res.end("<!DOCTYPE html><html><head><title>404</title></head><body><h1>Not Found</h1></body></html>");
4311
+ }
4312
+
4304
4313
  // Unknown route — don't count browser/MCP noise as auth failures
4305
- // Don't count browser noise, MCP discovery probes, or OAuth probes as auth failures
4306
4314
  const isBenign = reqPath.startsWith("/.well-known/") || [
4307
4315
  "/favicon.ico", "/robots.txt", "/apple-touch-icon.png", "/apple-touch-icon-precomposed.png",
4308
- "/sse", "/mcp", "/gws", "/clauth", "/message", "/register", "/authorize", "/token", "/shutdown", "/restart",
4316
+ "/sse", "/mcp", "/gws", "/clauth", "/message", "/shutdown", "/restart",
4309
4317
  ].includes(reqPath);
4310
4318
  if (isBenign) {
4311
4319
  res.writeHead(404, { "Content-Type": "application/json", ...CORS });
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@lifeaitools/clauth",
3
- "version": "1.5.31",
3
+ "version": "1.5.32",
4
4
  "description": "Hardware-bound credential vault for the LIFEAI infrastructure stack",
5
5
  "type": "module",
6
6
  "bin": {