@lifeaitools/clauth 1.5.9 → 1.5.11

package/cli/commands/serve.js

@@ -2505,7 +2505,16 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
   // ── OAuth provider (self-contained for claude.ai MCP) ──────
   const oauthClients = new Map();   // client_id → { client_secret, redirect_uris, client_name }
   const oauthCodes = new Map();     // code → { client_id, redirect_uri, code_challenge, expires }
-  const oauthTokens = new Set();    // active access tokens
+
+  // Persist tokens to disk so daemon restarts don't invalidate claude.ai sessions
+  const TOKENS_FILE = path.join(os.tmpdir(), "clauth-oauth-tokens.json");
+  function loadTokens() {
+    try { return new Set(JSON.parse(fs.readFileSync(TOKENS_FILE, "utf8"))); } catch { return new Set(); }
+  }
+  function saveTokens(set) {
+    try { fs.writeFileSync(TOKENS_FILE, JSON.stringify([...set])); } catch {}
+  }
+  const oauthTokens = loadTokens(); // active access tokens — persisted across restarts
 
   // Pre-generate a stable client for claude.ai (shown at startup)
   const OAUTH_CLIENT_ID = crypto.randomBytes(16).toString("hex");
@@ -2998,6 +3007,7 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
       oauthCodes.delete(body.code);
       const accessToken = crypto.randomBytes(32).toString("hex");
       oauthTokens.add(accessToken);
+      saveTokens(oauthTokens);
 
       const logMsg = `[${new Date().toISOString()}] OAuth: token issued for client ${stored.client_id}\n`;
       try { fs.appendFileSync(LOG_FILE, logMsg); } catch {}
@@ -3025,9 +3035,11 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
       const authHeader = req.headers.authorization;
       if (!authHeader || !authHeader.startsWith("Bearer ")) {
         const base = oauthBase();
+        // Path-specific resource metadata URL so claude.ai gets the right resource URI
+        const pathName = reqPath === "/mcp" ? "mcp" : reqPath.slice(1);
         res.writeHead(401, {
           "Content-Type": "application/json",
-          "WWW-Authenticate": `Bearer resource_metadata="${base}/.well-known/oauth-protected-resource"`,
+          "WWW-Authenticate": `Bearer resource_metadata="${base}/.well-known/oauth-protected-resource/${pathName}"`,
           ...CORS,
         });
         return res.end(JSON.stringify({ error: "unauthorized" }));
@@ -3042,21 +3054,6 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
       // fall through to MCP handling below
     }
 
-    // For namespaced paths, send path-specific 401 so claude.ai fetches the right resource metadata
-    if (method === "POST" && (reqPath === "/gws" || reqPath === "/clauth")) {
-      const authHeader = req.headers.authorization;
-      if (!authHeader || !authHeader.startsWith("Bearer ")) {
-        const base = oauthBase();
-        const pathName = reqPath.slice(1); // "gws" or "clauth"
-        res.writeHead(401, {
-          "Content-Type": "application/json",
-          "WWW-Authenticate": `Bearer resource_metadata="${base}/.well-known/oauth-protected-resource/${pathName}"`,
-          ...CORS,
-        });
-        return res.end(JSON.stringify({ error: "unauthorized" }));
-      }
-    }
-
     // ── MCP Streamable HTTP transport (2025-03-26 spec) ──
     // POST /sse, /mcp, /gws, /clauth — JSON-RPC over HTTP
     if (method === "POST" && (reqPath === "/sse" || isMcpPath)) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lifeaitools/clauth",
-  "version": "1.5.9",
+  "version": "1.5.11",
   "description": "Hardware-bound credential vault for the LIFEAI infrastructure stack",
   "type": "module",
   "bin": {