@lifeaitools/clauth 1.5.33 → 1.5.35

package/cli/commands/serve.js

@@ -2934,21 +2934,136 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
       return res.end();
     }
 
-    // ── OAuth Discovery — 404 well-known only ──────────────
-    // claude.ai ignores metadata endpoints and constructs /register, /authorize,
-    // /token from the domain root (issue #82). Keep well-known as 404 so claude.ai
-    // uses the fallback paths. OAuth endpoints below are live.
-    // well-known OAuth discovery — HTML 404, no CORS, no JSON (match Express/regen-media)
-    if (reqPath.startsWith("/.well-known/oauth-protected-resource") ||
-        reqPath === "/.well-known/oauth-authorization-server") {
-      res.writeHead(404, { "Content-Type": "text/html; charset=utf-8" });
-      return res.end("<!DOCTYPE html><html><head><title>404</title></head><body><h1>Not Found</h1></body></html>");
-    }
-
-    // ── OAuth endpoints REMOVED ──────────────
-    // claude.ai's OAuth is bugged (token issued, never used — anthropics/claude-code#46140).
-    // regen-media works because it has NO OAuth handlers at all.
-    // These paths fall through to the catch-all 404 at the bottom.
+    // ── OAuth Discovery (RFC 9728 + RFC 8414) ──────────────
+    // Restore full well-known + OAuth so custom setup with client_id/secret works.
+    if (reqPath.startsWith("/.well-known/oauth-protected-resource")) {
+      const base = oauthBase();
+      const suffix = reqPath.replace("/.well-known/oauth-protected-resource", "").replace(/^\//, "");
+      const resourcePath = suffix && ["/gws", "/clauth", "/mcp", "/sse"].includes("/" + suffix) ? "/" + suffix : "/sse";
+      res.writeHead(200, { "Content-Type": "application/json", ...CORS });
+      return res.end(JSON.stringify({
+        resource: `${base}${resourcePath}`,
+        authorization_servers: [base],
+        scopes_supported: ["mcp:tools"],
+        bearer_methods_supported: ["header"],
+      }));
+    }
+
+    if (reqPath === "/.well-known/oauth-authorization-server") {
+      const base = oauthBase();
+      res.writeHead(200, { "Content-Type": "application/json", ...CORS });
+      return res.end(JSON.stringify({
+        issuer: base,
+        authorization_endpoint: `${base}/authorize`,
+        token_endpoint: `${base}/token`,
+        registration_endpoint: `${base}/register`,
+        response_types_supported: ["code"],
+        grant_types_supported: ["authorization_code"],
+        code_challenge_methods_supported: ["S256"],
+        scopes_supported: ["mcp:tools"],
+      }));
+    }
+
+    // ── Dynamic Client Registration (RFC 7591) ──────────────
+    if (method === "POST" && reqPath === "/register") {
+      let body;
+      try { body = await readBody(req); } catch {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "invalid_request" }));
+      }
+      const clientId = crypto.randomBytes(16).toString("hex");
+      const clientSecret = crypto.randomBytes(32).toString("hex");
+      const client = {
+        client_id: clientId, client_secret: clientSecret,
+        client_name: body.client_name || "unknown",
+        redirect_uris: body.redirect_uris || [],
+        grant_types: body.grant_types || ["authorization_code"],
+        response_types: body.response_types || ["code"],
+        token_endpoint_auth_method: body.token_endpoint_auth_method || "client_secret_post",
+      };
+      oauthClients.set(clientId, client);
+      const logMsg = `[${new Date().toISOString()}] OAuth: registered client ${clientId} (${client.client_name})\n`;
+      try { fs.appendFileSync(LOG_FILE, logMsg); } catch {}
+      res.writeHead(201, { "Content-Type": "application/json", ...CORS });
+      return res.end(JSON.stringify(client));
+    }
+
+    // ── Authorization endpoint — auto-approve ──────────────
+    if (method === "GET" && reqPath === "/authorize") {
+      const clientId = url.searchParams.get("client_id");
+      const redirectUri = url.searchParams.get("redirect_uri");
+      const state = url.searchParams.get("state");
+      const codeChallenge = url.searchParams.get("code_challenge");
+
+      if (!clientId || !redirectUri) {
+        res.writeHead(400, { "Content-Type": "text/plain", ...CORS });
+        return res.end("Missing client_id or redirect_uri");
+      }
+
+      const code = crypto.randomBytes(32).toString("hex");
+      oauthCodes.set(code, {
+        client_id: clientId, redirect_uri: redirectUri,
+        code_challenge: codeChallenge,
+        expires: Date.now() + 300_000,
+      });
+
+      const redirect = new URL(redirectUri);
+      redirect.searchParams.set("code", code);
+      if (state) redirect.searchParams.set("state", state);
+
+      const logMsg = `[${new Date().toISOString()}] OAuth: authorize → code for ${clientId}, redirect to ${redirect.origin}\n`;
+      try { fs.appendFileSync(LOG_FILE, logMsg); } catch {}
+      res.writeHead(302, { Location: redirect.toString(), ...CORS });
+      return res.end();
+    }
+
+    // ── Token endpoint ──────────────────────────────────────
+    if (method === "POST" && reqPath === "/token") {
+      let body;
+      const ct = req.headers["content-type"] || "";
+      try {
+        if (ct.includes("application/json")) {
+          body = await readBody(req);
+        } else {
+          const raw = await readRawBody(req);
+          body = Object.fromEntries(new URLSearchParams(raw));
+        }
+      } catch {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "invalid_request" }));
+      }
+
+      if (body.grant_type !== "authorization_code") {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "unsupported_grant_type" }));
+      }
+
+      const stored = oauthCodes.get(body.code);
+      if (!stored || stored.expires < Date.now()) {
+        oauthCodes.delete(body.code);
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "invalid_grant" }));
+      }
+
+      if (stored.code_challenge && body.code_verifier) {
+        const computed = sha256base64url(body.code_verifier);
+        if (computed !== stored.code_challenge) {
+          oauthCodes.delete(body.code);
+          res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+          return res.end(JSON.stringify({ error: "invalid_grant", error_description: "PKCE failed" }));
+        }
+      }
+
+      oauthCodes.delete(body.code);
+      const accessToken = crypto.randomBytes(32).toString("hex");
+      oauthTokens.add(accessToken);
+      saveTokens(oauthTokens);
+
+      const logMsg = `[${new Date().toISOString()}] OAuth: token issued for ${stored.client_id} (token=${accessToken.slice(0,8)}…)\n`;
+      try { fs.appendFileSync(LOG_FILE, logMsg); } catch {}
+      res.writeHead(200, { "Content-Type": "application/json", ...CORS });
+      return res.end(JSON.stringify({ access_token: accessToken, token_type: "Bearer", scope: "mcp:tools", expires_in: 86400 }));
+    }
 
     // ── MCP path helpers ──
     const MCP_PATHS = ["/mcp", "/gws", "/clauth"];
@@ -2997,11 +3112,19 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
       const acceptsSSE = (req.headers.accept || "").includes("text/event-stream");
 
       // Helper: respond in SSE or JSON format based on client preference
+      // SSE response matches regen-media/Express exactly: no CORS, Content-Length, x-powered-by
       function mcpRespond(res, jsonRpcResponse) {
         if (acceptsSSE) {
           const ssePayload = `event: message\ndata: ${JSON.stringify(jsonRpcResponse)}\n\n`;
-          res.writeHead(200, { "Content-Type": "text/event-stream", "Cache-Control": "no-cache", ...CORS });
-          return res.end(ssePayload);
+          const buf = Buffer.from(ssePayload, "utf8");
+          res.writeHead(200, {
+            "Content-Type": "text/event-stream",
+            "Content-Length": buf.length,
+            "Cache-Control": "no-cache",
+            "vary": "Accept-Encoding",
+            "x-powered-by": "Express",
+          });
+          return res.end(buf);
         }
         res.writeHead(200, { "Content-Type": "application/json", ...CORS });
         return res.end(JSON.stringify(jsonRpcResponse));
@@ -4311,18 +4434,10 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
       }
     }
 
-    // OAuth paths — return plain HTML 404 (not JSON) to match Express/regen-media pattern.
-    // claude.ai treats JSON 404 as "OAuth endpoint exists but errored" vs HTML 404 = "path doesn't exist"
-    if (["/register", "/authorize", "/token"].includes(reqPath) ||
-        reqPath.startsWith("/.well-known/oauth")) {
-      res.writeHead(404, { "Content-Type": "text/html; charset=utf-8" });
-      return res.end("<!DOCTYPE html><html><head><title>404</title></head><body><h1>Not Found</h1></body></html>");
-    }
-
     // Unknown route — don't count browser/MCP noise as auth failures
     const isBenign = reqPath.startsWith("/.well-known/") || [
       "/favicon.ico", "/robots.txt", "/apple-touch-icon.png", "/apple-touch-icon-precomposed.png",
-      "/sse", "/mcp", "/gws", "/clauth", "/message", "/shutdown", "/restart",
+      "/sse", "/mcp", "/gws", "/clauth", "/message", "/register", "/authorize", "/token", "/shutdown", "/restart",
     ].includes(reqPath);
     if (isBenign) {
       res.writeHead(404, { "Content-Type": "application/json", ...CORS });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lifeaitools/clauth",
-  "version": "1.5.33",
+  "version": "1.5.35",
   "description": "Hardware-bound credential vault for the LIFEAI infrastructure stack",
   "type": "module",
   "bin": {