claude-remote-cli 3.9.0 → 3.9.2

package/dist/server/auth.js

@@ -26,8 +26,7 @@ export async function verifyPin(pin, hash) {
             return false;
         }
     }
-    // Legacy bcrypt hashes: require PIN reset
-    console.warn('[auth] Legacy bcrypt PIN hash detected. Delete pinHash from config and restart to set a new PIN.');
+    // Legacy bcrypt hashes are migrated at startup; if one reaches here, reject it
     return false;
 }
 export function isRateLimited(ip) {
@@ -56,6 +55,9 @@ export function clearRateLimit(ip) {
 export function generateCookieToken() {
     return crypto.randomBytes(32).toString('hex');
 }
+export function isLegacyHash(hash) {
+    return !!hash && !hash.startsWith('scrypt:');
+}
 export function _resetForTesting() {
     attemptMap.clear();
 }

package/dist/server/index.js

@@ -1,3 +1,4 @@
+import crypto from 'node:crypto';
 import fs from 'node:fs';
 import http from 'node:http';
 import os from 'node:os';
@@ -160,8 +161,21 @@ async function main() {
     catch (err) {
         console.warn('Analytics disabled: failed to initialize:', err instanceof Error ? err.message : err);
     }
+    if (config.pinHash && auth.isLegacyHash(config.pinHash)) {
+        console.log('Migrating legacy PIN hash to scrypt. You will need to set a new PIN.');
+        delete config.pinHash;
+        saveConfig(CONFIG_PATH, config);
+    }
     if (!config.pinHash) {
-        const pin = await promptPin('Set up a PIN for claude-remote-cli:');
+        let pin;
+        if (process.stdin.isTTY) {
+            pin = await promptPin('Set up a PIN for claude-remote-cli:');
+        }
+        else {
+            pin = crypto.randomInt(100000, 999999).toString();
+            console.log(`No interactive terminal detected. Generated PIN: ${pin}`);
+            console.log('Change it by deleting pinHash from your config file and restarting interactively.');
+        }
         config.pinHash = await auth.hashPin(pin);
         saveConfig(CONFIG_PATH, config);
         console.log('PIN set successfully.');

package/dist/test/auth.test.js

@@ -1,6 +1,6 @@
 import { test } from 'node:test';
 import assert from 'node:assert';
-import { hashPin, verifyPin, isRateLimited, recordFailedAttempt, generateCookieToken, _resetForTesting, } from '../server/auth.js';
+import { hashPin, verifyPin, isLegacyHash, isRateLimited, recordFailedAttempt, generateCookieToken, _resetForTesting, } from '../server/auth.js';
 test('hashPin returns scrypt hash with expected format', async () => {
     _resetForTesting();
     const hash = await hashPin('1234');
@@ -77,6 +77,17 @@ test('hashPin produces unique salts', async () => {
     assert.strictEqual(await verifyPin('1234', hash1), true);
     assert.strictEqual(await verifyPin('1234', hash2), true);
 });
+test('isLegacyHash returns true for bcrypt hashes', () => {
+    assert.strictEqual(isLegacyHash('$2b$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ012'), true);
+    assert.strictEqual(isLegacyHash('$2a$10$someotherbcrypthashvalue'), true);
+});
+test('isLegacyHash returns false for scrypt hashes', async () => {
+    const hash = await hashPin('1234');
+    assert.strictEqual(isLegacyHash(hash), false);
+});
+test('isLegacyHash returns false for empty string', () => {
+    assert.strictEqual(isLegacyHash(''), false);
+});
 test('generateCookieToken returns non-empty string', () => {
     _resetForTesting();
     const token = generateCookieToken();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-remote-cli",
-  "version": "3.9.0",
+  "version": "3.9.2",
   "description": "Remote web interface for Claude Code CLI sessions",
   "type": "module",
   "main": "dist/server/index.js",