@lifeaitools/clauth 1.5.65 → 1.5.66
- package/cli/commands/serve.js +10 -5
- package/package.json +1 -1
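--- a/package/cli/commands/serve.js
+++ b/package/cli/commands/serve.js
@@ -3252,11 +3252,16 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
 
 // ── MCP SSE transport — /sse and namespaced paths ────
 // GET /sse|/gws|/clauth — open SSE stream, receive endpoint event
-// Remote clients (claude.ai)
-//
-
-
-
+// Remote clients (claude.ai) arrive with a Bearer token via OAuth.
+// They use Streamable HTTP (POST only) — return 405 on GET so claude.ai
+// knows to POST directly. Local clients have no Bearer token and use SSE.
+if (method === "GET" && isMcpPath) {
+const getAuthHeader = req.headers.authorization;
+const getToken = getAuthHeader?.startsWith("Bearer ") ? getAuthHeader.slice(7) : null;
+if (!noAuthHost && getToken && oauthTokens.has(getToken)) {
+res.writeHead(405, { "Content-Type": "application/json", "Allow": "POST", ...CORS });
+return res.end(JSON.stringify({ error: "Method Not Allowed", detail: "Use POST for Streamable HTTP transport" }));
+}
 }
 if (method === "GET" && (reqPath === "/sse" || isMcpPath)) {
 const sessionId = `ses_${++sseCounter}_${Date.now()}`;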
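Review bot: A GET on an MCP path that carries a Bearer token which is not in `oauthTokens` (unknown, revoked or stale) is not rejected by the new guard and falls through to the SSE branch below, which the comment reserves for local clients that send no token. Whether that branch authenticates the request is outside this hunk, so it is worth confirming; if it does not, reject early with something like `if (!noAuthHost && getToken && !oauthTokens.has(getToken)) { res.writeHead(401, { "WWW-Authenticate": "Bearer", ...CORS }); return res.end(); }`. The `startsWith("Bearer ")` test is also case-sensitive while the HTTP auth scheme name is not, so a header written as `bearer <token>` would be classified as a local client. createServer's body starts and ends outside the hunk.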