@lifeaitools/clauth 1.5.8 → 1.5.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/cli/commands/serve.js +24 -4
- package/package.json +1 -1
package/cli/commands/serve.js
CHANGED
|
@@ -2870,13 +2870,18 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
|
|
|
2870
2870
|
}
|
|
2871
2871
|
|
|
2872
2872
|
// ── OAuth Discovery (RFC 9728 + RFC 8414) ──────────────
|
|
2873
|
-
if (reqPath
|
|
2874
|
-
reqPath === "/.well-known/oauth-protected-resource/mcp" ||
|
|
2875
|
-
reqPath === "/.well-known/oauth-protected-resource/sse") {
|
|
2873
|
+
if (reqPath.startsWith("/.well-known/oauth-protected-resource")) {
|
|
2876
2874
|
const base = oauthBase();
|
|
2875
|
+
// Derive resource URL from the well-known path suffix
|
|
2876
|
+
// /.well-known/oauth-protected-resource → /mcp
|
|
2877
|
+
// /.well-known/oauth-protected-resource/mcp → /mcp
|
|
2878
|
+
// /.well-known/oauth-protected-resource/gws → /gws
|
|
2879
|
+
// /.well-known/oauth-protected-resource/clauth → /clauth
|
|
2880
|
+
const suffix = reqPath.replace("/.well-known/oauth-protected-resource", "").replace(/^\//, "") || "mcp";
|
|
2881
|
+
const resourcePath = suffix === "sse" ? "mcp" : suffix;
|
|
2877
2882
|
res.writeHead(200, { "Content-Type": "application/json", ...CORS });
|
|
2878
2883
|
return res.end(JSON.stringify({
|
|
2879
|
-
resource: `${base}
|
|
2884
|
+
resource: `${base}/${resourcePath}`,
|
|
2880
2885
|
authorization_servers: [base],
|
|
2881
2886
|
scopes_supported: ["mcp:tools"],
|
|
2882
2887
|
bearer_methods_supported: ["header"],
|
|
@@ -3037,6 +3042,21 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
|
|
|
3037
3042
|
// fall through to MCP handling below
|
|
3038
3043
|
}
|
|
3039
3044
|
|
|
3045
|
+
// For namespaced paths, send path-specific 401 so claude.ai fetches the right resource metadata
|
|
3046
|
+
if (method === "POST" && (reqPath === "/gws" || reqPath === "/clauth")) {
|
|
3047
|
+
const authHeader = req.headers.authorization;
|
|
3048
|
+
if (!authHeader || !authHeader.startsWith("Bearer ")) {
|
|
3049
|
+
const base = oauthBase();
|
|
3050
|
+
const pathName = reqPath.slice(1); // "gws" or "clauth"
|
|
3051
|
+
res.writeHead(401, {
|
|
3052
|
+
"Content-Type": "application/json",
|
|
3053
|
+
"WWW-Authenticate": `Bearer resource_metadata="${base}/.well-known/oauth-protected-resource/${pathName}"`,
|
|
3054
|
+
...CORS,
|
|
3055
|
+
});
|
|
3056
|
+
return res.end(JSON.stringify({ error: "unauthorized" }));
|
|
3057
|
+
}
|
|
3058
|
+
}
|
|
3059
|
+
|
|
3040
3060
|
// ── MCP Streamable HTTP transport (2025-03-26 spec) ──
|
|
3041
3061
|
// POST /sse, /mcp, /gws, /clauth — JSON-RPC over HTTP
|
|
3042
3062
|
if (method === "POST" && (reqPath === "/sse" || isMcpPath)) {
|