@lifeaitools/clauth 1.5.36 → 1.5.37

package/cli/commands/serve.js

@@ -2914,7 +2914,7 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
       const base = oauthBase();
       const suffix = reqPath.replace("/.well-known/oauth-protected-resource", "").replace(/^\//, "");
       const resourcePath = suffix && ["/gws", "/clauth", "/mcp", "/sse"].includes("/" + suffix) ? "/" + suffix : "/sse";
-      res.writeHead(200, { "Content-Type": "application/json", ...CORS });
+      res.writeHead(200, { "Content-Type": "application/json", "Cache-Control": "no-store", ...CORS });
       return res.end(JSON.stringify({
         resource: `${base}${resourcePath}`,
         authorization_servers: [base],
@@ -2925,7 +2925,7 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
 
     if (reqPath === "/.well-known/oauth-authorization-server") {
       const base = oauthBase();
-      res.writeHead(200, { "Content-Type": "application/json", ...CORS });
+      res.writeHead(200, { "Content-Type": "application/json", "Cache-Control": "no-store", ...CORS });
       return res.end(JSON.stringify({
         issuer: base,
         authorization_endpoint: `${base}/authorize`,
@@ -2959,7 +2959,7 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
       oauthClients.set(clientId, client);
       const logMsg = `[${new Date().toISOString()}] OAuth: registered public client ${clientId} (${client.client_name})\n`;
       try { fs.appendFileSync(LOG_FILE, logMsg); } catch {}
-      res.writeHead(201, { "Content-Type": "application/json", ...CORS });
+      res.writeHead(201, { "Content-Type": "application/json", "Cache-Control": "no-store", ...CORS });
       return res.end(JSON.stringify(client));
     }
 
@@ -3011,7 +3011,7 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
 
       const logMsg = `[${new Date().toISOString()}] OAuth: authorize → code for ${clientId}, redirect to ${redirect.origin}\n`;
       try { fs.appendFileSync(LOG_FILE, logMsg); } catch {}
-      res.writeHead(302, { Location: redirect.toString(), ...CORS });
+      res.writeHead(302, { Location: redirect.toString(), "Cache-Control": "no-store", ...CORS });
       return res.end();
     }
 
@@ -3082,7 +3082,7 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
 
       const logMsg = `[${new Date().toISOString()}] OAuth: token issued for ${stored.client_id} (token=${accessToken.slice(0,8)}…)\n`;
       try { fs.appendFileSync(LOG_FILE, logMsg); } catch {}
-      res.writeHead(200, { "Content-Type": "application/json", ...CORS });
+      res.writeHead(200, { "Content-Type": "application/json", "Cache-Control": "no-store", ...CORS });
       return res.end(JSON.stringify({ access_token: accessToken, token_type: "Bearer", scope: "mcp:tools", expires_in: 86400 }));
     }
 
@@ -3112,7 +3112,8 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
         const resourceMeta = `${base}/.well-known/oauth-protected-resource/${resourcePath}`;
         res.writeHead(401, {
           "Content-Type": "application/json",
-          "WWW-Authenticate": `Bearer resource_metadata="${resourceMeta}"`,
+          "WWW-Authenticate": `Bearer realm="MCP", resource_metadata="${resourceMeta}"`,
+          "Cache-Control": "no-store",
           ...CORS,
         });
         return res.end(JSON.stringify({

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lifeaitools/clauth",
-  "version": "1.5.36",
+  "version": "1.5.37",
   "description": "Hardware-bound credential vault for the LIFEAI infrastructure stack",
   "type": "module",
   "bin": {