@lifeaitools/clauth 1.5.34 → 1.5.36

package/cli/commands/serve.js

@@ -1969,12 +1969,11 @@ function copyMcp(elId) {
 }
 
 async function rollMcpCreds() {
-  if (!confirm("Roll MCP credentials? You will need to re-add connectors in claude.ai with the new credentials.")) return;
+  if (!confirm("Invalidate all OAuth tokens? Claude.ai connectors will need to re-authenticate.")) return;
   try {
     const resp = await fetch(BASE + "/roll-mcp-creds", { method: "POST" }).then(r => r.json());
-    if (resp.client_id) {
-      document.getElementById("mcp-client-id").textContent = resp.client_id;
-      document.getElementById("mcp-client-secret").textContent = resp.client_secret;
+    if (resp.tokens_invalidated) {
+      alert("All OAuth clients and tokens invalidated. Claude.ai will re-register automatically on next connection.");
     }
   } catch(e) { alert("Failed: " + e.message); }
 }
@@ -2374,12 +2373,11 @@ async function wizShowMcpSetup(hostname) {
 }
 
 async function wizRollCreds() {
-  if (!confirm("Roll MCP credentials? Existing claude.ai connectors will need to be re-added with the new credentials.")) return;
+  if (!confirm("Invalidate all OAuth tokens? Claude.ai connectors will need to re-authenticate.")) return;
   try {
     const resp = await apiFetch("/roll-mcp-creds", { method: "POST" });
-    if (resp?.client_id) {
-      document.getElementById("wiz-mcp-cid").textContent = resp.client_id;
-      document.getElementById("wiz-mcp-sec").textContent = resp.client_secret;
+    if (resp?.tokens_invalidated) {
+      alert("All OAuth clients and tokens invalidated. Claude.ai will re-register automatically on next connection.");
     }
   } catch(e) { alert("Failed to roll credentials: " + e.message); }
 }
@@ -2545,12 +2543,11 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
   let tunnelStatus = "not_started"; // "not_started" | "not_configured" | "starting" | "live" | "error" | "missing_cloudflared"
 
   // ── OAuth provider (self-contained for claude.ai MCP) ──────
-  const oauthClients = new Map();   // client_id → { client_secret, redirect_uris, client_name }
+  const oauthClients = new Map();   // client_id → { redirect_uris, client_name, token_endpoint_auth_method }
   const oauthCodes = new Map();     // code → { client_id, redirect_uri, code_challenge, expires }
 
   // Persist tokens + credentials to disk so daemon restarts don't invalidate sessions
   const TOKENS_FILE = path.join(os.tmpdir(), "clauth-oauth-tokens.json");
-  const CREDS_FILE = path.join(os.tmpdir(), "clauth-oauth-creds.json");
   function loadTokens() {
     try { return new Set(JSON.parse(fs.readFileSync(TOKENS_FILE, "utf8"))); } catch { return new Set(); }
   }
@@ -2559,29 +2556,6 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
   }
   const oauthTokens = loadTokens(); // active access tokens — persisted across restarts
 
-  // Stable client credentials — persist across restarts so claude.ai custom setup works
-  function loadOrCreateCreds() {
-    try {
-      const saved = JSON.parse(fs.readFileSync(CREDS_FILE, "utf8"));
-      if (saved.client_id && saved.client_secret) return saved;
-    } catch {}
-    const creds = {
-      client_id: crypto.randomBytes(16).toString("hex"),
-      client_secret: crypto.randomBytes(32).toString("hex"),
-    };
-    try { fs.writeFileSync(CREDS_FILE, JSON.stringify(creds)); } catch {}
-    return creds;
-  }
-  const stableCreds = loadOrCreateCreds();
-  let OAUTH_CLIENT_ID = stableCreds.client_id;
-  let OAUTH_CLIENT_SECRET = stableCreds.client_secret;
-  oauthClients.set(OAUTH_CLIENT_ID, {
-    client_id: OAUTH_CLIENT_ID, client_secret: OAUTH_CLIENT_SECRET,
-    client_name: "claude.ai", redirect_uris: ["https://claude.ai/api/mcp/auth_callback"],
-    grant_types: ["authorization_code"], response_types: ["code"],
-    token_endpoint_auth_method: "client_secret_post",
-  });
-
   function oauthBase() { return tunnelUrl || `http://127.0.0.1:${port}`; }
   function sha256base64url(str) { return crypto.createHash("sha256").update(str).digest("base64url"); }
 
@@ -2934,21 +2908,183 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
       return res.end();
     }
 
-    // ── OAuth Discovery — 404 well-known only ──────────────
-    // claude.ai ignores metadata endpoints and constructs /register, /authorize,
-    // /token from the domain root (issue #82). Keep well-known as 404 so claude.ai
-    // uses the fallback paths. OAuth endpoints below are live.
-    // well-known OAuth discovery — HTML 404, no CORS, no JSON (match Express/regen-media)
-    if (reqPath.startsWith("/.well-known/oauth-protected-resource") ||
-        reqPath === "/.well-known/oauth-authorization-server") {
-      res.writeHead(404, { "Content-Type": "text/html; charset=utf-8" });
-      return res.end("<!DOCTYPE html><html><head><title>404</title></head><body><h1>Not Found</h1></body></html>");
+    // ── OAuth Discovery (RFC 9728 + RFC 8414) ──────────────
+    // Restore full well-known + OAuth so custom setup with client_id/secret works.
+    if (reqPath.startsWith("/.well-known/oauth-protected-resource")) {
+      const base = oauthBase();
+      const suffix = reqPath.replace("/.well-known/oauth-protected-resource", "").replace(/^\//, "");
+      const resourcePath = suffix && ["/gws", "/clauth", "/mcp", "/sse"].includes("/" + suffix) ? "/" + suffix : "/sse";
+      res.writeHead(200, { "Content-Type": "application/json", ...CORS });
+      return res.end(JSON.stringify({
+        resource: `${base}${resourcePath}`,
+        authorization_servers: [base],
+        scopes_supported: ["mcp:tools"],
+        bearer_methods_supported: ["header"],
+      }));
+    }
+
+    if (reqPath === "/.well-known/oauth-authorization-server") {
+      const base = oauthBase();
+      res.writeHead(200, { "Content-Type": "application/json", ...CORS });
+      return res.end(JSON.stringify({
+        issuer: base,
+        authorization_endpoint: `${base}/authorize`,
+        token_endpoint: `${base}/token`,
+        registration_endpoint: `${base}/register`,
+        response_types_supported: ["code"],
+        grant_types_supported: ["authorization_code"],
+        token_endpoint_auth_methods_supported: ["none"],
+        code_challenge_methods_supported: ["S256"],
+        scopes_supported: ["mcp:tools"],
+      }));
+    }
+
+    // ── Dynamic Client Registration (RFC 7591) ──────────────
+    if (method === "POST" && reqPath === "/register") {
+      let body;
+      try { body = await readBody(req); } catch {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "invalid_request" }));
+      }
+      const clientId = crypto.randomBytes(16).toString("hex");
+      const client = {
+        client_id: clientId,
+        // NO client_secret — public client (OAuth 2.1)
+        client_name: body.client_name || "unknown",
+        redirect_uris: body.redirect_uris || [],
+        grant_types: body.grant_types || ["authorization_code"],
+        response_types: body.response_types || ["code"],
+        token_endpoint_auth_method: "none",  // PUBLIC CLIENT
+      };
+      oauthClients.set(clientId, client);
+      const logMsg = `[${new Date().toISOString()}] OAuth: registered public client ${clientId} (${client.client_name})\n`;
+      try { fs.appendFileSync(LOG_FILE, logMsg); } catch {}
+      res.writeHead(201, { "Content-Type": "application/json", ...CORS });
+      return res.end(JSON.stringify(client));
+    }
+
+    // ── Authorization endpoint — auto-approve (PKCE mandatory) ──
+    if (method === "GET" && reqPath === "/authorize") {
+      const clientId = url.searchParams.get("client_id");
+      const redirectUri = url.searchParams.get("redirect_uri");
+      const state = url.searchParams.get("state");
+      const codeChallenge = url.searchParams.get("code_challenge");
+      const codeChallengeMethod = url.searchParams.get("code_challenge_method");
+
+      // Validate required params
+      if (!clientId || !redirectUri) {
+        res.writeHead(400, { "Content-Type": "text/plain", ...CORS });
+        return res.end("Missing client_id or redirect_uri");
+      }
+
+      // PKCE is MANDATORY — reject if missing
+      if (!codeChallenge || codeChallengeMethod !== "S256") {
+        res.writeHead(400, { "Content-Type": "text/plain", ...CORS });
+        return res.end("PKCE required: code_challenge with S256 method");
+      }
+
+      // Validate client exists
+      if (!oauthClients.has(clientId)) {
+        res.writeHead(400, { "Content-Type": "text/plain", ...CORS });
+        return res.end("Unknown client_id");
+      }
+
+      // Validate redirect_uri matches registered URIs
+      const client = oauthClients.get(clientId);
+      if (client.redirect_uris.length > 0 && !client.redirect_uris.includes(redirectUri)) {
+        res.writeHead(400, { "Content-Type": "text/plain", ...CORS });
+        return res.end("redirect_uri mismatch");
+      }
+
+      // Auto-approve (no user interaction — clauth is a personal vault)
+      const code = crypto.randomBytes(32).toString("hex");
+      oauthCodes.set(code, {
+        client_id: clientId,
+        redirect_uri: redirectUri,
+        code_challenge: codeChallenge,
+        expires: Date.now() + 300_000,  // 5 minutes
+      });
+
+      const redirect = new URL(redirectUri);
+      redirect.searchParams.set("code", code);
+      if (state) redirect.searchParams.set("state", state);
+
+      const logMsg = `[${new Date().toISOString()}] OAuth: authorize → code for ${clientId}, redirect to ${redirect.origin}\n`;
+      try { fs.appendFileSync(LOG_FILE, logMsg); } catch {}
+      res.writeHead(302, { Location: redirect.toString(), ...CORS });
+      return res.end();
     }
 
-    // ── OAuth endpoints REMOVED ──────────────
-    // claude.ai's OAuth is bugged (token issued, never used — anthropics/claude-code#46140).
-    // regen-media works because it has NO OAuth handlers at all.
-    // These paths fall through to the catch-all 404 at the bottom.
+    // ── Token endpoint (public client + PKCE mandatory) ─────
+    if (method === "POST" && reqPath === "/token") {
+      let body;
+      const ct = req.headers["content-type"] || "";
+      try {
+        if (ct.includes("application/json")) {
+          body = await readBody(req);
+        } else {
+          // application/x-www-form-urlencoded (Claude uses this)
+          const raw = await readRawBody(req);
+          body = Object.fromEntries(new URLSearchParams(raw));
+        }
+      } catch {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "invalid_request" }));
+      }
+
+      // Validate grant_type
+      if (body.grant_type !== "authorization_code") {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "unsupported_grant_type" }));
+      }
+
+      // Validate authorization code exists and is not expired
+      const stored = oauthCodes.get(body.code);
+      if (!stored || stored.expires < Date.now()) {
+        oauthCodes.delete(body.code);
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "invalid_grant", error_description: "Code expired or invalid" }));
+      }
+
+      // Validate client_id matches
+      if (body.client_id !== stored.client_id) {
+        oauthCodes.delete(body.code);
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "invalid_grant", error_description: "client_id mismatch" }));
+      }
+
+      // Validate redirect_uri matches
+      if (body.redirect_uri !== stored.redirect_uri) {
+        oauthCodes.delete(body.code);
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "invalid_grant", error_description: "redirect_uri mismatch" }));
+      }
+
+      // PKCE verification — MANDATORY (not optional)
+      if (!body.code_verifier) {
+        oauthCodes.delete(body.code);
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "invalid_grant", error_description: "code_verifier required" }));
+      }
+
+      const computed = sha256base64url(body.code_verifier);
+      if (computed !== stored.code_challenge) {
+        oauthCodes.delete(body.code);
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "invalid_grant", error_description: "PKCE verification failed" }));
+      }
+
+      // All checks passed — delete code (one-time use) and issue token
+      oauthCodes.delete(body.code);
+      const accessToken = crypto.randomBytes(32).toString("hex");
+      oauthTokens.add(accessToken);
+      saveTokens(oauthTokens);
+
+      const logMsg = `[${new Date().toISOString()}] OAuth: token issued for ${stored.client_id} (token=${accessToken.slice(0,8)}…)\n`;
+      try { fs.appendFileSync(LOG_FILE, logMsg); } catch {}
+      res.writeHead(200, { "Content-Type": "application/json", ...CORS });
+      return res.end(JSON.stringify({ access_token: accessToken, token_type: "Bearer", scope: "mcp:tools", expires_in: 86400 }));
+    }
 
     // ── MCP path helpers ──
     const MCP_PATHS = ["/mcp", "/gws", "/clauth"];
@@ -2964,18 +3100,29 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
       return "clauth";
     }
 
-    // ── MCP endpoint auth ──
-    // No 401 gate — tunnel URL is the shared secret. Accept all connections.
-    // If Bearer token present, mark as remote for vault scoping.
+    // ── MCP endpoint auth — 401 gate (OAuth 2.1 protocol) ──
     if (method === "POST" && (reqPath === "/sse" || isMcpPath)) {
       const authHeader = req.headers.authorization;
-      if (authHeader?.startsWith("Bearer ")) {
-        const token = authHeader.slice(7);
-        if (oauthTokens.has(token) || token === OAUTH_CLIENT_SECRET) {
-          req._clauthRemote = true;
-        }
+      const token = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : null;
+
+      if (!token || !oauthTokens.has(token)) {
+        // No valid Bearer token → return 401 with discovery hint
+        const base = oauthBase();
+        const resourcePath = isMcpPath ? reqPath.slice(1) : "sse"; // "mcp", "gws", "clauth", or "sse"
+        const resourceMeta = `${base}/.well-known/oauth-protected-resource/${resourcePath}`;
+        res.writeHead(401, {
+          "Content-Type": "application/json",
+          "WWW-Authenticate": `Bearer resource_metadata="${resourceMeta}"`,
+          ...CORS,
+        });
+        return res.end(JSON.stringify({
+          error: "unauthorized",
+          error_description: "Bearer token required",
+        }));
       }
-      // fall through to MCP handling
+
+      // Valid token — mark as remote and fall through to MCP handling
+      req._clauthRemote = true;
     }
 
     // ── MCP Streamable HTTP transport ──
@@ -3215,42 +3362,26 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
       });
     }
 
-    // GET /mcp-setup — OAuth credentials for claude.ai MCP setup (localhost only)
+    // GET /mcp-setup — OAuth setup info for claude.ai MCP (localhost only)
     if (method === "GET" && reqPath === "/mcp-setup") {
       const base = tunnelUrl && tunnelUrl.startsWith("http") ? tunnelUrl : null;
       return ok(res, {
         url: base ? `${base}/clauth` : null,
         gwsUrl: base ? `${base}/gws` : null,
-        clientId: OAUTH_CLIENT_ID,
-        clientSecret: OAUTH_CLIENT_SECRET,
+        note: "OAuth 2.1 public client — Claude registers dynamically, no client_secret needed",
       });
     }
 
-    // POST /roll-mcp-creds — generate new client ID/secret, invalidate all tokens
+    // POST /roll-mcp-creds — invalidate all tokens and clear all dynamic clients
     if (method === "POST" && reqPath === "/roll-mcp-creds") {
       if (lockedGuard(res)) return;
-      const newId = crypto.randomBytes(16).toString("hex");
-      const newSecret = crypto.randomBytes(32).toString("hex");
-      // Update in-memory
-      oauthClients.delete(OAUTH_CLIENT_ID);
-      OAUTH_CLIENT_ID = newId;
-      OAUTH_CLIENT_SECRET = newSecret;
-      stableCreds.client_id = newId;
-      stableCreds.client_secret = newSecret;
-      try { fs.writeFileSync(CREDS_FILE, JSON.stringify(stableCreds)); } catch {}
-      // Register new client
-      oauthClients.set(newId, {
-        client_id: newId, client_secret: newSecret,
-        client_name: "claude.ai", redirect_uris: ["https://claude.ai/api/mcp/auth_callback"],
-        grant_types: ["authorization_code"], response_types: ["code"],
-        token_endpoint_auth_method: "client_secret_post",
-      });
-      // Invalidate all existing tokens
+      // Clear all dynamic clients and tokens
+      oauthClients.clear();
       oauthTokens.clear();
       saveTokens(oauthTokens);
-      const logMsg = `[${new Date().toISOString()}] OAuth: rolled credentials — new client ${newId.slice(0,8)}…, all tokens invalidated\n`;
+      const logMsg = `[${new Date().toISOString()}] OAuth: rolled credentials — all clients and tokens invalidated\n`;
       try { fs.appendFileSync(LOG_FILE, logMsg); } catch {}
-      return ok(res, { client_id: newId, client_secret: newSecret, tokens_invalidated: true });
+      return ok(res, { clients_cleared: true, tokens_invalidated: true });
     }
 
     // POST /tunnel — start or stop tunnel manually (action in body)
@@ -4319,18 +4450,10 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
       }
     }
 
-    // OAuth paths — return plain HTML 404 (not JSON) to match Express/regen-media pattern.
-    // claude.ai treats JSON 404 as "OAuth endpoint exists but errored" vs HTML 404 = "path doesn't exist"
-    if (["/register", "/authorize", "/token"].includes(reqPath) ||
-        reqPath.startsWith("/.well-known/oauth")) {
-      res.writeHead(404, { "Content-Type": "text/html; charset=utf-8" });
-      return res.end("<!DOCTYPE html><html><head><title>404</title></head><body><h1>Not Found</h1></body></html>");
-    }
-
     // Unknown route — don't count browser/MCP noise as auth failures
     const isBenign = reqPath.startsWith("/.well-known/") || [
       "/favicon.ico", "/robots.txt", "/apple-touch-icon.png", "/apple-touch-icon-precomposed.png",
-      "/sse", "/mcp", "/gws", "/clauth", "/message", "/shutdown", "/restart",
+      "/sse", "/mcp", "/gws", "/clauth", "/message", "/register", "/authorize", "/token", "/shutdown", "/restart",
     ].includes(reqPath);
     if (isBenign) {
       res.writeHead(404, { "Content-Type": "application/json", ...CORS });
@@ -4339,8 +4462,8 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
     return strike(res, 404, `Unknown endpoint: ${reqPath}`);
   });
 
-  server.__oauthClientId = OAUTH_CLIENT_ID;
-  server.__oauthClientSecret = OAUTH_CLIENT_SECRET;
+  // OAuth 2.1 public client — no static credentials to expose
+  server.__oauthClients = oauthClients;
   return server;
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lifeaitools/clauth",
-  "version": "1.5.34",
+  "version": "1.5.36",
   "description": "Hardware-bound credential vault for the LIFEAI infrastructure stack",
   "type": "module",
   "bin": {