@lifeaitools/clauth 1.5.35 → 1.5.36

package/cli/commands/serve.js

@@ -1969,12 +1969,11 @@ function copyMcp(elId) {
 }
 
 async function rollMcpCreds() {
-  if (!confirm("Roll MCP credentials? You will need to re-add connectors in claude.ai with the new credentials.")) return;
+  if (!confirm("Invalidate all OAuth tokens? Claude.ai connectors will need to re-authenticate.")) return;
   try {
     const resp = await fetch(BASE + "/roll-mcp-creds", { method: "POST" }).then(r => r.json());
-    if (resp.client_id) {
-      document.getElementById("mcp-client-id").textContent = resp.client_id;
-      document.getElementById("mcp-client-secret").textContent = resp.client_secret;
+    if (resp.tokens_invalidated) {
+      alert("All OAuth clients and tokens invalidated. Claude.ai will re-register automatically on next connection.");
     }
   } catch(e) { alert("Failed: " + e.message); }
 }
@@ -2374,12 +2373,11 @@ async function wizShowMcpSetup(hostname) {
 }
 
 async function wizRollCreds() {
-  if (!confirm("Roll MCP credentials? Existing claude.ai connectors will need to be re-added with the new credentials.")) return;
+  if (!confirm("Invalidate all OAuth tokens? Claude.ai connectors will need to re-authenticate.")) return;
   try {
     const resp = await apiFetch("/roll-mcp-creds", { method: "POST" });
-    if (resp?.client_id) {
-      document.getElementById("wiz-mcp-cid").textContent = resp.client_id;
-      document.getElementById("wiz-mcp-sec").textContent = resp.client_secret;
+    if (resp?.tokens_invalidated) {
+      alert("All OAuth clients and tokens invalidated. Claude.ai will re-register automatically on next connection.");
     }
   } catch(e) { alert("Failed to roll credentials: " + e.message); }
 }
@@ -2545,12 +2543,11 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
   let tunnelStatus = "not_started"; // "not_started" | "not_configured" | "starting" | "live" | "error" | "missing_cloudflared"
 
   // ── OAuth provider (self-contained for claude.ai MCP) ──────
-  const oauthClients = new Map();   // client_id → { client_secret, redirect_uris, client_name }
+  const oauthClients = new Map();   // client_id → { redirect_uris, client_name, token_endpoint_auth_method }
   const oauthCodes = new Map();     // code → { client_id, redirect_uri, code_challenge, expires }
 
   // Persist tokens + credentials to disk so daemon restarts don't invalidate sessions
   const TOKENS_FILE = path.join(os.tmpdir(), "clauth-oauth-tokens.json");
-  const CREDS_FILE = path.join(os.tmpdir(), "clauth-oauth-creds.json");
   function loadTokens() {
     try { return new Set(JSON.parse(fs.readFileSync(TOKENS_FILE, "utf8"))); } catch { return new Set(); }
   }
@@ -2559,29 +2556,6 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
   }
   const oauthTokens = loadTokens(); // active access tokens — persisted across restarts
 
-  // Stable client credentials — persist across restarts so claude.ai custom setup works
-  function loadOrCreateCreds() {
-    try {
-      const saved = JSON.parse(fs.readFileSync(CREDS_FILE, "utf8"));
-      if (saved.client_id && saved.client_secret) return saved;
-    } catch {}
-    const creds = {
-      client_id: crypto.randomBytes(16).toString("hex"),
-      client_secret: crypto.randomBytes(32).toString("hex"),
-    };
-    try { fs.writeFileSync(CREDS_FILE, JSON.stringify(creds)); } catch {}
-    return creds;
-  }
-  const stableCreds = loadOrCreateCreds();
-  let OAUTH_CLIENT_ID = stableCreds.client_id;
-  let OAUTH_CLIENT_SECRET = stableCreds.client_secret;
-  oauthClients.set(OAUTH_CLIENT_ID, {
-    client_id: OAUTH_CLIENT_ID, client_secret: OAUTH_CLIENT_SECRET,
-    client_name: "claude.ai", redirect_uris: ["https://claude.ai/api/mcp/auth_callback"],
-    grant_types: ["authorization_code"], response_types: ["code"],
-    token_endpoint_auth_method: "client_secret_post",
-  });
-
   function oauthBase() { return tunnelUrl || `http://127.0.0.1:${port}`; }
   function sha256base64url(str) { return crypto.createHash("sha256").update(str).digest("base64url"); }
 
@@ -2959,6 +2933,7 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
         registration_endpoint: `${base}/register`,
         response_types_supported: ["code"],
         grant_types_supported: ["authorization_code"],
+        token_endpoint_auth_methods_supported: ["none"],
         code_challenge_methods_supported: ["S256"],
         scopes_supported: ["mcp:tools"],
       }));
@@ -2972,39 +2947,62 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
         return res.end(JSON.stringify({ error: "invalid_request" }));
       }
       const clientId = crypto.randomBytes(16).toString("hex");
-      const clientSecret = crypto.randomBytes(32).toString("hex");
       const client = {
-        client_id: clientId, client_secret: clientSecret,
+        client_id: clientId,
+        // NO client_secret — public client (OAuth 2.1)
         client_name: body.client_name || "unknown",
         redirect_uris: body.redirect_uris || [],
         grant_types: body.grant_types || ["authorization_code"],
         response_types: body.response_types || ["code"],
-        token_endpoint_auth_method: body.token_endpoint_auth_method || "client_secret_post",
+        token_endpoint_auth_method: "none",  // PUBLIC CLIENT
       };
       oauthClients.set(clientId, client);
-      const logMsg = `[${new Date().toISOString()}] OAuth: registered client ${clientId} (${client.client_name})\n`;
+      const logMsg = `[${new Date().toISOString()}] OAuth: registered public client ${clientId} (${client.client_name})\n`;
       try { fs.appendFileSync(LOG_FILE, logMsg); } catch {}
       res.writeHead(201, { "Content-Type": "application/json", ...CORS });
       return res.end(JSON.stringify(client));
     }
 
-    // ── Authorization endpoint — auto-approve ──────────────
+    // ── Authorization endpoint — auto-approve (PKCE mandatory) ──
     if (method === "GET" && reqPath === "/authorize") {
       const clientId = url.searchParams.get("client_id");
       const redirectUri = url.searchParams.get("redirect_uri");
       const state = url.searchParams.get("state");
       const codeChallenge = url.searchParams.get("code_challenge");
+      const codeChallengeMethod = url.searchParams.get("code_challenge_method");
 
+      // Validate required params
       if (!clientId || !redirectUri) {
         res.writeHead(400, { "Content-Type": "text/plain", ...CORS });
         return res.end("Missing client_id or redirect_uri");
       }
 
+      // PKCE is MANDATORY — reject if missing
+      if (!codeChallenge || codeChallengeMethod !== "S256") {
+        res.writeHead(400, { "Content-Type": "text/plain", ...CORS });
+        return res.end("PKCE required: code_challenge with S256 method");
+      }
+
+      // Validate client exists
+      if (!oauthClients.has(clientId)) {
+        res.writeHead(400, { "Content-Type": "text/plain", ...CORS });
+        return res.end("Unknown client_id");
+      }
+
+      // Validate redirect_uri matches registered URIs
+      const client = oauthClients.get(clientId);
+      if (client.redirect_uris.length > 0 && !client.redirect_uris.includes(redirectUri)) {
+        res.writeHead(400, { "Content-Type": "text/plain", ...CORS });
+        return res.end("redirect_uri mismatch");
+      }
+
+      // Auto-approve (no user interaction — clauth is a personal vault)
       const code = crypto.randomBytes(32).toString("hex");
       oauthCodes.set(code, {
-        client_id: clientId, redirect_uri: redirectUri,
+        client_id: clientId,
+        redirect_uri: redirectUri,
         code_challenge: codeChallenge,
-        expires: Date.now() + 300_000,
+        expires: Date.now() + 300_000,  // 5 minutes
       });
 
       const redirect = new URL(redirectUri);
@@ -3017,7 +3015,7 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
       return res.end();
     }
 
-    // ── Token endpoint ──────────────────────────────────────
+    // ── Token endpoint (public client + PKCE mandatory) ─────
     if (method === "POST" && reqPath === "/token") {
       let body;
       const ct = req.headers["content-type"] || "";
@@ -3025,6 +3023,7 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
         if (ct.includes("application/json")) {
           body = await readBody(req);
         } else {
+          // application/x-www-form-urlencoded (Claude uses this)
           const raw = await readRawBody(req);
           body = Object.fromEntries(new URLSearchParams(raw));
         }
@@ -3033,27 +3032,49 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
         return res.end(JSON.stringify({ error: "invalid_request" }));
       }
 
+      // Validate grant_type
       if (body.grant_type !== "authorization_code") {
         res.writeHead(400, { "Content-Type": "application/json", ...CORS });
         return res.end(JSON.stringify({ error: "unsupported_grant_type" }));
       }
 
+      // Validate authorization code exists and is not expired
       const stored = oauthCodes.get(body.code);
       if (!stored || stored.expires < Date.now()) {
         oauthCodes.delete(body.code);
         res.writeHead(400, { "Content-Type": "application/json", ...CORS });
-        return res.end(JSON.stringify({ error: "invalid_grant" }));
+        return res.end(JSON.stringify({ error: "invalid_grant", error_description: "Code expired or invalid" }));
       }
 
-      if (stored.code_challenge && body.code_verifier) {
-        const computed = sha256base64url(body.code_verifier);
-        if (computed !== stored.code_challenge) {
-          oauthCodes.delete(body.code);
-          res.writeHead(400, { "Content-Type": "application/json", ...CORS });
-          return res.end(JSON.stringify({ error: "invalid_grant", error_description: "PKCE failed" }));
-        }
+      // Validate client_id matches
+      if (body.client_id !== stored.client_id) {
+        oauthCodes.delete(body.code);
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "invalid_grant", error_description: "client_id mismatch" }));
       }
 
+      // Validate redirect_uri matches
+      if (body.redirect_uri !== stored.redirect_uri) {
+        oauthCodes.delete(body.code);
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "invalid_grant", error_description: "redirect_uri mismatch" }));
+      }
+
+      // PKCE verification — MANDATORY (not optional)
+      if (!body.code_verifier) {
+        oauthCodes.delete(body.code);
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "invalid_grant", error_description: "code_verifier required" }));
+      }
+
+      const computed = sha256base64url(body.code_verifier);
+      if (computed !== stored.code_challenge) {
+        oauthCodes.delete(body.code);
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "invalid_grant", error_description: "PKCE verification failed" }));
+      }
+
+      // All checks passed — delete code (one-time use) and issue token
       oauthCodes.delete(body.code);
       const accessToken = crypto.randomBytes(32).toString("hex");
       oauthTokens.add(accessToken);
@@ -3079,18 +3100,29 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
       return "clauth";
     }
 
-    // ── MCP endpoint auth ──
-    // No 401 gate — tunnel URL is the shared secret. Accept all connections.
-    // If Bearer token present, mark as remote for vault scoping.
+    // ── MCP endpoint auth — 401 gate (OAuth 2.1 protocol) ──
     if (method === "POST" && (reqPath === "/sse" || isMcpPath)) {
       const authHeader = req.headers.authorization;
-      if (authHeader?.startsWith("Bearer ")) {
-        const token = authHeader.slice(7);
-        if (oauthTokens.has(token) || token === OAUTH_CLIENT_SECRET) {
-          req._clauthRemote = true;
-        }
+      const token = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : null;
+
+      if (!token || !oauthTokens.has(token)) {
+        // No valid Bearer token → return 401 with discovery hint
+        const base = oauthBase();
+        const resourcePath = isMcpPath ? reqPath.slice(1) : "sse"; // "mcp", "gws", "clauth", or "sse"
+        const resourceMeta = `${base}/.well-known/oauth-protected-resource/${resourcePath}`;
+        res.writeHead(401, {
+          "Content-Type": "application/json",
+          "WWW-Authenticate": `Bearer resource_metadata="${resourceMeta}"`,
+          ...CORS,
+        });
+        return res.end(JSON.stringify({
+          error: "unauthorized",
+          error_description: "Bearer token required",
+        }));
       }
-      // fall through to MCP handling
+
+      // Valid token — mark as remote and fall through to MCP handling
+      req._clauthRemote = true;
     }
 
     // ── MCP Streamable HTTP transport ──
@@ -3330,42 +3362,26 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
       });
     }
 
-    // GET /mcp-setup — OAuth credentials for claude.ai MCP setup (localhost only)
+    // GET /mcp-setup — OAuth setup info for claude.ai MCP (localhost only)
     if (method === "GET" && reqPath === "/mcp-setup") {
       const base = tunnelUrl && tunnelUrl.startsWith("http") ? tunnelUrl : null;
       return ok(res, {
         url: base ? `${base}/clauth` : null,
         gwsUrl: base ? `${base}/gws` : null,
-        clientId: OAUTH_CLIENT_ID,
-        clientSecret: OAUTH_CLIENT_SECRET,
+        note: "OAuth 2.1 public client — Claude registers dynamically, no client_secret needed",
       });
     }
 
-    // POST /roll-mcp-creds — generate new client ID/secret, invalidate all tokens
+    // POST /roll-mcp-creds — invalidate all tokens and clear all dynamic clients
     if (method === "POST" && reqPath === "/roll-mcp-creds") {
       if (lockedGuard(res)) return;
-      const newId = crypto.randomBytes(16).toString("hex");
-      const newSecret = crypto.randomBytes(32).toString("hex");
-      // Update in-memory
-      oauthClients.delete(OAUTH_CLIENT_ID);
-      OAUTH_CLIENT_ID = newId;
-      OAUTH_CLIENT_SECRET = newSecret;
-      stableCreds.client_id = newId;
-      stableCreds.client_secret = newSecret;
-      try { fs.writeFileSync(CREDS_FILE, JSON.stringify(stableCreds)); } catch {}
-      // Register new client
-      oauthClients.set(newId, {
-        client_id: newId, client_secret: newSecret,
-        client_name: "claude.ai", redirect_uris: ["https://claude.ai/api/mcp/auth_callback"],
-        grant_types: ["authorization_code"], response_types: ["code"],
-        token_endpoint_auth_method: "client_secret_post",
-      });
-      // Invalidate all existing tokens
+      // Clear all dynamic clients and tokens
+      oauthClients.clear();
       oauthTokens.clear();
       saveTokens(oauthTokens);
-      const logMsg = `[${new Date().toISOString()}] OAuth: rolled credentials — new client ${newId.slice(0,8)}…, all tokens invalidated\n`;
+      const logMsg = `[${new Date().toISOString()}] OAuth: rolled credentials — all clients and tokens invalidated\n`;
       try { fs.appendFileSync(LOG_FILE, logMsg); } catch {}
-      return ok(res, { client_id: newId, client_secret: newSecret, tokens_invalidated: true });
+      return ok(res, { clients_cleared: true, tokens_invalidated: true });
     }
 
     // POST /tunnel — start or stop tunnel manually (action in body)
@@ -4446,8 +4462,8 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
     return strike(res, 404, `Unknown endpoint: ${reqPath}`);
   });
 
-  server.__oauthClientId = OAUTH_CLIENT_ID;
-  server.__oauthClientSecret = OAUTH_CLIENT_SECRET;
+  // OAuth 2.1 public client — no static credentials to expose
+  server.__oauthClients = oauthClients;
   return server;
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lifeaitools/clauth",
-  "version": "1.5.35",
+  "version": "1.5.36",
   "description": "Hardware-bound credential vault for the LIFEAI infrastructure stack",
   "type": "module",
   "bin": {