claude-ide-bridge 2.4.0 → 2.4.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (27) hide show
  1. package/README.md +5 -5
  2. package/dist/bridge.d.ts +2 -0
  3. package/dist/bridge.js +21 -5
  4. package/dist/bridge.js.map +1 -1
  5. package/dist/config.d.ts +0 -2
  6. package/dist/config.js +1 -13
  7. package/dist/config.js.map +1 -1
  8. package/dist/extensionClient.js +8 -0
  9. package/dist/extensionClient.js.map +1 -1
  10. package/dist/oauth.d.ts +32 -47
  11. package/dist/oauth.js +275 -320
  12. package/dist/oauth.js.map +1 -1
  13. package/dist/server.d.ts +0 -13
  14. package/dist/server.js +54 -93
  15. package/dist/server.js.map +1 -1
  16. package/dist/streamableHttp.d.ts +7 -0
  17. package/dist/streamableHttp.js +40 -11
  18. package/dist/streamableHttp.js.map +1 -1
  19. package/dist/tools/git-utils.js.map +1 -1
  20. package/dist/tools/handoffNote.d.ts +0 -1
  21. package/dist/tools/handoffNote.js +1 -1
  22. package/dist/tools/handoffNote.js.map +1 -1
  23. package/dist/tools/lsp.js +2 -7
  24. package/dist/tools/lsp.js.map +1 -1
  25. package/dist/tools/searchAndReplace.js.map +1 -1
  26. package/dist/tools/searchWorkspace.js.map +1 -1
  27. package/package.json +1 -1
package/dist/oauth.d.ts CHANGED
@@ -1,52 +1,37 @@
1
+ import http from "node:http";
1
2
  /**
2
- * OAuth 2.0 Authorization Server for claude-ide-bridge.
3
+ * OAuth 2.1 Authorization Server + Resource Server for claude-ide-bridge.
3
4
  *
4
- * Implements the MCP OAuth 2.0 profile required for authenticated remote servers:
5
- * - RFC 8414 Authorization Server Metadata (/.well-known/oauth-authorization-server)
6
- * - RFC 6749 Authorization Code Grant with PKCE (S256, RFC 7636)
7
- * - RFC 7009 Token Revocation (/oauth/revoke)
5
+ * Implements the MCP spec (2025-11-25) authorization requirements:
6
+ * - /.well-known/oauth-protected-resource (RFC 9728)
7
+ * - /.well-known/oauth-authorization-server (RFC 8414)
8
+ * - GET /authorize — approval page
9
+ * - POST /authorize — form submit (issues auth code)
10
+ * - POST /token — code + PKCE verifier → access token
8
11
  *
9
- * Design
10
- * All state is in-memory. The bridge's static bearer token is the resource owner
11
- * credential: only someone who knows it can open an OAuth flow via the approval page.
12
- * Issued access tokens are opaque base64url strings stored in a TTL map.
13
- * resolveBearerToken() is called by server.ts to admit OAuth-issued tokens alongside
14
- * the static bridge token (backward compat).
15
- * Refresh tokens are not issued.
16
- *
17
- * Security
18
- * PKCE S256 mandatory. Auth codes single-use, 5 min TTL. Access tokens 1 h TTL.
19
- * All string comparisons via crypto.timingSafeEqual. HTML output attribute-escaped.
12
+ * The existing authToken from the lock file is issued as the access token —
13
+ * no new token system is needed.
20
14
  */
21
- import type { IncomingMessage, ServerResponse } from "node:http";
22
- export interface OAuthServer {
23
- handleDiscovery(res: ServerResponse): void;
24
- handleAuthorize(req: IncomingMessage, res: ServerResponse): Promise<void>;
25
- handleToken(req: IncomingMessage, res: ServerResponse): Promise<void>;
26
- handleRevoke(req: IncomingMessage, res: ServerResponse): Promise<void>;
27
- resolveBearerToken(token: string): string | null;
28
- }
29
- export declare class OAuthServerImpl implements OAuthServer {
30
- private readonly bridgeToken;
31
- private readonly issuerUrl;
32
- private readonly authCodes;
33
- private readonly accessTokens;
34
- private readonly gcTimer;
35
- constructor(bridgeToken: string, issuerUrl: string);
36
- destroy(): void;
37
- handleDiscovery(res: ServerResponse): void;
38
- handleAuthorize(req: IncomingMessage, res: ServerResponse): Promise<void>;
39
- private authorizeGet;
40
- private authorizePost;
41
- handleToken(req: IncomingMessage, res: ServerResponse): Promise<void>;
42
- handleRevoke(req: IncomingMessage, res: ServerResponse): Promise<void>;
43
- resolveBearerToken(token: string): string | null;
44
- private randomToken;
45
- private safeEqual;
46
- private pkceVerify;
47
- private readBody;
48
- private sendJson;
49
- private sendError;
50
- private parseAuthorizeParams;
51
- private approvalPage;
15
+ export declare const ALLOWED_REDIRECT_URIS: Set<string>;
16
+ export declare class OAuthServer {
17
+ private readonly authToken;
18
+ private port;
19
+ private bindAddress;
20
+ private codes;
21
+ private pruneTimer;
22
+ constructor(authToken: string);
23
+ setPort(port: number, bindAddress?: string): void;
24
+ close(): void;
25
+ private baseUrl;
26
+ private pruneExpiredCodes;
27
+ /** WWW-Authenticate header value to include on 401 responses. */
28
+ wwwAuthenticate(): string;
29
+ handleProtectedResourceMetadata(_req: http.IncomingMessage, res: http.ServerResponse): void;
30
+ handleAuthorizationServerMetadata(_req: http.IncomingMessage, res: http.ServerResponse): void;
31
+ handleAuthorize(req: http.IncomingMessage, res: http.ServerResponse): Promise<void>;
32
+ private handleAuthorizeGet;
33
+ private handleAuthorizePost;
34
+ private validateAuthorizeParams;
35
+ handleToken(req: http.IncomingMessage, res: http.ServerResponse): Promise<void>;
52
36
  }
37
+ export declare function createOAuthServer(authToken: string): OAuthServer;