claude-threads 1.16.0 → 1.16.1

package/CHANGELOG.md

@@ -7,6 +7,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.16.1] - 2026-05-22
+
+### Security
+- **Fail-closed authorization on the user-driven paths that invoke Claude.** A confirmed bypass let an unauthorized Slack user (not in `allowedUsers`, non-empty allowlist) reach Claude: the bot posted both the "not authorized" warning and a real answer in the same thread. Rather than chase the one leaking caller, authorization is now deny-by-default at the functions that spawn or message Claude on a user's behalf: `startSession`, `sendFollowUp`, and `resumePausedSession`, plus the resume-from-reaction path. A single helper, `isAuthorizedForSession`, encodes every tier (global allowlist, empty-allowlist allow-all, per-session owner and invited users) and refuses a missing, empty, or `unknown` username. Every user-facing path now routes through that one helper instead of duplicating the check. The biggest gap was message-driven resume, which ran purely from persisted state with no identity check; it now takes a `username` and verifies it against the persisted session allowlist before resuming. The two system-triggered resume paths (bulk restore after a bot restart) stay ungated by design, since they carry no user identity. Legitimate username-less follow-ups (passthrough slash commands like `/context`, already authorized upstream) pass an explicit `system` flag so they are not caught. The mid-session approval flow is untouched: it still adds approved users to the session allowlist, so the check passes once approval is granted. (#388)
+- **hono 4.12.18 → 4.12.21** picks up four upstream security fixes: GHSA-2gcr-mfcq-wcc3 (`app.mount()` stripped the mount prefix from the raw, undecoded pathname, so percent-encoded paths could be cut at the wrong offset and reach a sub-app with the wrong path), GHSA-xrhx-7g5j-rcj5 (`hono/ip-restriction` compared IPs by string equality, so non-canonical IPv6 forms such as compressed or hex IPv4-mapped addresses slipped past static deny rules), GHSA-3hrh-pfw6-9m5x (the cookie helper didn't sanitize `sameSite`/`priority`, allowing Set-Cookie injection via `;`, `\r`, `\n`), and GHSA-f577-qrjj-4474 (`hono/jwt` accepted any two-part Authorization header regardless of scheme, not just `Bearer`). claude-threads reaches hono through `@hono/node-server` on the inbound webhook surface, so the mount-prefix and Set-Cookie fixes are the relevant ones. (#386)
+
+### Changed
+- **Production deps** bumped: `@hono/node-server` 2.0.2 → 2.0.3 (preserves headers mutated after raw Response construction), `express-rate-limit` 8.5.1 → 8.5.2 (simplified IPv6 key generation). Lockfile-only. (#386)
+- **Dev deps** bumped: `@types/bun` 1.3.13 → 1.3.14, `@types/node` 25.7.0 → 25.9.1, `@types/react` 19.2.14 → 19.2.15, `eslint` 10.3.0 → 10.4.0 (adds `includeIgnoreFile()` and a `for-direction` sequence-expression check, both additive), `lint-staged` 17.0.4 → 17.0.5, `typescript-eslint` 8.59.3 → 8.59.4 (fixes a `no-floating-promises` stack overflow on recursive types). Lockfile-only. (#385)
+
+### Fixed
+- **Multiple pasted screenshots no longer silently vanish.** When you paste several clipboard images into one chat message, the platforms hand them all the same filename (`image.png`). The save path wrote each one with the `wx` (`O_EXCL`) flag, so the second and later files hit `EEXIST`, got caught, and were reported as a download failure, so they never reached Claude. Saves now dedupe filenames within a single message, inserting a numeric suffix before the extension (`image.png`, `image_1.png`, `image_2.png`); files without an extension get `report`, `report_1`, and so on. The unique name is resolved before the write, so the `wx` flag still does its job against symlink races. (#387)
+- **Inbound attachments are no longer capped at 100 MB.** A hard 100 MB ceiling on incoming files meant anything larger was skipped with a "too large" warning, which surprised people sharing big assets. The cap is gone; an attachment of any reported size is downloaded and written to disk. One tradeoff worth knowing: `downloadFile` still buffers the whole file in memory via `arrayBuffer()`, so a very large attachment is held in RAM while it's written. Streaming that download is a separate change. (#387)
+
 ## [1.16.0] - 2026-05-14
 
 ### Added

package/dist/index.js

@@ -50355,6 +50355,24 @@ function sanitizeFilename(name) {
   }
   return cleaned;
 }
+function dedupeFilename(name, used) {
+  if (!used.has(name)) {
+    used.add(name);
+    return name;
+  }
+  const lastDot = name.lastIndexOf(".");
+  const hasExt = lastDot > 0;
+  const stem = hasExt ? name.slice(0, lastDot) : name;
+  const ext = hasExt ? name.slice(lastDot) : "";
+  let counter = 1;
+  let candidate = `${stem}_${counter}${ext}`;
+  while (used.has(candidate)) {
+    counter += 1;
+    candidate = `${stem}_${counter}${ext}`;
+  }
+  used.add(candidate);
+  return candidate;
+}
 function formatBytes(bytes) {
   if (bytes < 1024)
     return `${bytes} B`;
@@ -53585,6 +53603,18 @@ function getSessionStatus(session) {
   return "idle";
 }
 
+// src/session/authorization.ts
+function isAuthorizedForSession(check) {
+  const { username, platform, sessionAllowedUsers } = check;
+  if (!username || username === "unknown") {
+    return false;
+  }
+  if (platform.isUserAllowed(username)) {
+    return true;
+  }
+  return sessionAllowedUsers?.has(username) ?? false;
+}
+
 // src/claude/cli.ts
 init_spawn();
 init_logger();
@@ -54818,7 +54848,7 @@ function createPassthroughHandler(slashCommand) {
       return { handled: false };
     }
     if (ctx.isAllowed) {
-      await ctx.sessionManager.sendFollowUp(ctx.threadId, `/${slashCommand}`);
+      await ctx.sessionManager.sendFollowUp(ctx.threadId, `/${slashCommand}`, undefined, undefined, undefined, { system: true });
     }
     return { handled: true };
   };
@@ -54866,7 +54896,7 @@ async function handleDynamicSlashCommand(command, args, ctx) {
   }
   if (ctx.isAllowed) {
     const fullCommand = args ? `/${command} ${args}` : `/${command}`;
-    await ctx.sessionManager.sendFollowUp(ctx.threadId, fullCommand);
+    await ctx.sessionManager.sendFollowUp(ctx.threadId, fullCommand, undefined, undefined, undefined, { system: true });
   }
   return { handled: true };
 }
@@ -55387,7 +55417,6 @@ import { lstat, mkdir as mkdir2, mkdtemp, rm as rm2, writeFile as writeFile2 } f
 import { tmpdir as tmpdir2 } from "os";
 import { join as join9 } from "path";
 var log18 = createLogger("streaming");
-var MAX_UPLOAD_SIZE = 100 * 1024 * 1024;
 var UPLOAD_ROOT_DIR = "claude-threads-uploads";
 function safeIdSegment(id) {
   return id.replace(/[^A-Za-z0-9._-]/g, "_");
@@ -55427,18 +55456,11 @@ async function saveFilesToUploadDir(platform, uploadDir, files, debug = false) {
     return { saved, skipped };
   }
   const messageDir = await mkdtemp(join9(uploadDir, `${Date.now().toString(36)}-`));
+  const usedNames = new Set;
   for (const file of files) {
-    if (file.size > MAX_UPLOAD_SIZE) {
-      skipped.push({
-        name: file.name,
-        reason: `File too large (${formatBytes(file.size)} > ${formatBytes(MAX_UPLOAD_SIZE)} limit)`,
-        suggestion: "Split the file or share it via an external link"
-      });
-      continue;
-    }
     try {
       const buffer = await platform.downloadFile(file.id);
-      const safeName = sanitizeFilename(file.name);
+      const safeName = dedupeFilename(sanitizeFilename(file.name), usedNames);
       const absolutePath = join9(messageDir, safeName);
       await writeFile2(absolutePath, buffer, { mode: 384, flag: "wx" });
       saved.push({
@@ -66728,6 +66750,10 @@ async function startSession(options, username, displayName, replyToPostId, platf
   if (!platform) {
     throw new Error(`Platform '${platformId}' not found. Call addPlatform() first.`);
   }
+  if (!isAuthorizedForSession({ username, platform, sessionAllowedUsers: undefined })) {
+    log30.warn(`auth.denied.startSession: @${username || "unknown"} not authorized to start session in ${threadId.substring(0, 8)}...`);
+    return;
+  }
   const activeOrPending = ctx.state.sessions.size + pendingStartsCount;
   if (activeOrPending >= ctx.config.maxSessions) {
     const formatter2 = platform.getFormatter();
@@ -67095,9 +67121,15 @@ ${failFormatter.formatItalic("Your previous conversation context is preserved, b
     await ctx.ops.updateStickyMessage();
   }
 }
-async function sendFollowUp(session, message, files, ctx, username, displayName) {
+async function sendFollowUp(session, message, files, ctx, username, displayName, options) {
   if (!session.claude.isRunning())
     return;
+  if (!options?.system) {
+    if (!isAuthorizedForSession({ username, platform: session.platform, sessionAllowedUsers: session.sessionAllowedUsers })) {
+      sessionLog6(session).warn(`auth.denied.sendFollowUp: @${username || "unknown"} not authorized`);
+      return;
+    }
+  }
   if (session.needsContextPromptOnNextMessage) {
     session.needsContextPromptOnNextMessage = false;
     await session.messageManager?.prepareForUserMessage();
@@ -67120,7 +67152,7 @@ async function sendFollowUp(session, message, files, ctx, username, displayName)
   session.messageCount++;
   await session.messageManager.handleUserMessage(messageToSend, files, username, displayName);
 }
-async function resumePausedSession(threadId, message, files, ctx) {
+async function resumePausedSession(threadId, message, files, ctx, username) {
   const persisted = ctx.state.sessionStore.load();
   const state = findPersistedByThreadId(persisted, threadId);
   if (!state) {
@@ -67128,6 +67160,16 @@ async function resumePausedSession(threadId, message, files, ctx) {
     return;
   }
   const shortId = threadId.substring(0, 8);
+  const platform = ctx.state.platforms.get(state.platformId);
+  if (!platform) {
+    log30.warn(`auth.denied.resume: platform '${state.platformId}' not found for ${shortId}...`);
+    return;
+  }
+  const sessionAllowedUsers = new Set(state.sessionAllowedUsers || [state.startedBy].filter(Boolean));
+  if (!isAuthorizedForSession({ username, platform, sessionAllowedUsers })) {
+    log30.warn(`auth.denied.resume: @${username || "unknown"} not authorized to resume ${shortId}...`);
+    return;
+  }
   log30.info(`\uD83D\uDD04 Resuming paused session ${shortId}... for new message`);
   await resumeSession(state, ctx);
   const session = ctx.ops.findSessionByThreadId(threadId);
@@ -67645,9 +67687,9 @@ async function tryResumeFromReaction(deps, platformId, postId, username) {
   const sessionId = `${platformId}:${persistedSession.threadId}`;
   if (deps.registry.hasById(sessionId))
     return false;
-  const allowedUsers = new Set(persistedSession.sessionAllowedUsers);
   const platform = deps.platforms.get(platformId);
-  if (!allowedUsers.has(username) && !platform?.isUserAllowed(username)) {
+  const sessionAllowedUsers = new Set(persistedSession.sessionAllowedUsers || [persistedSession.startedBy].filter(Boolean));
+  if (!platform || !isAuthorizedForSession({ username, platform, sessionAllowedUsers })) {
     if (platform) {
       await platform.createPost(`⚠️ @${username} is not authorized to resume this session`, persistedSession.threadId);
     }
@@ -68233,11 +68275,11 @@ class SessionManager extends EventEmitter4 {
     }
     return;
   }
-  async sendFollowUp(threadId, message, files, username, displayName) {
+  async sendFollowUp(threadId, message, files, username, displayName, options) {
     const session = this.findSessionByThreadId(threadId);
     if (!session || !session.claude.isRunning())
       return;
-    await sendFollowUp(session, message, files, this.getContext(), username, displayName);
+    await sendFollowUp(session, message, files, this.getContext(), username, displayName, options);
   }
   isSessionActive() {
     return this.registry.size > 0;
@@ -68251,8 +68293,8 @@ class SessionManager extends EventEmitter4 {
       return false;
     return this.registry.getPersistedByThreadId(threadId) !== undefined;
   }
-  async resumePausedSession(threadId, message, files) {
-    await resumePausedSession(threadId, message, files, this.getContext());
+  async resumePausedSession(threadId, message, files, username) {
+    await resumePausedSession(threadId, message, files, this.getContext(), username);
   }
   getPersistedSession(threadId) {
     return this.registry.getPersistedByThreadId(threadId);
@@ -78305,7 +78347,7 @@ async function handleMessage(client, session, post2, user, options) {
       }
       const files2 = post2.metadata?.files;
       if (content || files2?.length) {
-        await session.resumePausedSession(threadRoot, content, files2);
+        await session.resumePausedSession(threadRoot, content, files2, username);
       }
       return;
     }

package/dist/mcp/mcp-server.js

@@ -51043,7 +51043,6 @@ function formatBytes(bytes) {
 
 // src/operations/streaming/handler.ts
 var log2 = createLogger("streaming");
-var MAX_UPLOAD_SIZE = 100 * 1024 * 1024;
 async function postSkippedFilesFeedback(platform, threadId, skipped) {
   if (skipped.length === 0)
     return;
@@ -55810,7 +55809,7 @@ function createPassthroughHandler(slashCommand) {
       return { handled: false };
     }
     if (ctx.isAllowed) {
-      await ctx.sessionManager.sendFollowUp(ctx.threadId, `/${slashCommand}`);
+      await ctx.sessionManager.sendFollowUp(ctx.threadId, `/${slashCommand}`, undefined, undefined, undefined, { system: true });
     }
     return { handled: true };
   };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-threads",
-  "version": "1.16.0",
+  "version": "1.16.1",
   "description": "Share Claude Code sessions live in a Mattermost channel with interactive features",
   "main": "dist/index.js",
   "type": "module",