clay-server 2.35.0-beta.1 → 2.35.0-beta.2

package/lib/server-settings.js

@@ -362,8 +362,9 @@ function attachSettings(ctx) {
 
     // PUT /api/user/auto-continue
     if (req.method === "PUT" && fullUrl === "/api/user/auto-continue") {
+      var isMultiUser = users.isMultiUser();
       var mu = getMultiUserFromReq(req);
-      if (!mu) {
+      if (!isMultiUser) {
         // Single-user: use daemon config fallback
         var body = "";
         req.on("data", function (chunk) { body += chunk; });
@@ -382,6 +383,11 @@ function attachSettings(ctx) {
         });
         return true;
       }
+      if (!mu) {
+        res.writeHead(401, { "Content-Type": "application/json" });
+        res.end('{"error":"unauthorized"}');
+        return true;
+      }
       var body = "";
       req.on("data", function (chunk) { body += chunk; });
       req.on("end", function () {
@@ -405,8 +411,9 @@ function attachSettings(ctx) {
 
     // PUT /api/user/mates-enabled
     if (req.method === "PUT" && fullUrl === "/api/user/mates-enabled") {
+      var isMultiUser = users.isMultiUser();
       var mu = getMultiUserFromReq(req);
-      if (!mu) {
+      if (!isMultiUser) {
         // Single-user: store on daemon config
         var body = "";
         req.on("data", function (chunk) { body += chunk; });
@@ -426,6 +433,11 @@ function attachSettings(ctx) {
         });
         return true;
       }
+      if (!mu) {
+        res.writeHead(401, { "Content-Type": "application/json" });
+        res.end('{"error":"unauthorized"}');
+        return true;
+      }
       var body = "";
       req.on("data", function (chunk) { body += chunk; });
       req.on("end", function () {
@@ -449,8 +461,9 @@ function attachSettings(ctx) {
 
     // PUT /api/user/chat-layout
     if (req.method === "PUT" && fullUrl === "/api/user/chat-layout") {
+      var isMultiUser = users.isMultiUser();
       var mu = getMultiUserFromReq(req);
-      if (!mu) {
+      if (!isMultiUser) {
         // Single-user: save to daemon config
         var body = "";
         req.on("data", function (chunk) { body += chunk; });
@@ -470,6 +483,11 @@ function attachSettings(ctx) {
         });
         return true;
       }
+      if (!mu) {
+        res.writeHead(401, { "Content-Type": "application/json" });
+        res.end('{"error":"unauthorized"}');
+        return true;
+      }
       var body = "";
       req.on("data", function (chunk) { body += chunk; });
       req.on("end", function () {
@@ -493,8 +511,9 @@ function attachSettings(ctx) {
 
     // POST /api/user/mate-onboarded
     if (req.method === "POST" && fullUrl === "/api/user/mate-onboarded") {
+      var isMultiUser = users.isMultiUser();
       var mu = getMultiUserFromReq(req);
-      if (!mu) {
+      if (!isMultiUser) {
         // Single-user: save to daemon config
         if (typeof opts.onSetMateOnboarded === "function") {
           opts.onSetMateOnboarded();
@@ -502,6 +521,11 @@ function attachSettings(ctx) {
         res.writeHead(200, { "Content-Type": "application/json" });
         res.end('{"ok":true}');
       } else {
+        if (!mu) {
+          res.writeHead(401, { "Content-Type": "application/json" });
+          res.end('{"error":"unauthorized"}');
+          return true;
+        }
         users.setMateOnboarded(mu.id);
         res.writeHead(200, { "Content-Type": "application/json" });
         res.end('{"ok":true}');
@@ -511,13 +535,19 @@ function attachSettings(ctx) {
 
     // GET /api/user/tool-palettes
     if (req.method === "GET" && fullUrl === "/api/user/tool-palettes") {
+      var isMultiUser = users.isMultiUser();
       var muGet = getMultiUserFromReq(req);
       var palettes = {};
-      if (!muGet) {
+      if (!isMultiUser) {
         if (typeof opts.onGetToolPalettes === "function") {
           palettes = opts.onGetToolPalettes() || {};
         }
       } else {
+        if (!muGet) {
+          res.writeHead(401, { "Content-Type": "application/json" });
+          res.end('{"error":"unauthorized"}');
+          return true;
+        }
         palettes = users.getToolPalettes(muGet.id) || {};
       }
       res.writeHead(200, { "Content-Type": "application/json" });
@@ -527,6 +557,7 @@ function attachSettings(ctx) {
 
     // PUT /api/user/tool-palettes
     if (req.method === "PUT" && fullUrl === "/api/user/tool-palettes") {
+      var isMultiUser = users.isMultiUser();
       var muPut = getMultiUserFromReq(req);
       var bodyTp = "";
       req.on("data", function (chunk) { bodyTp += chunk; });
@@ -537,7 +568,7 @@ function attachSettings(ctx) {
           var order = dataTp.order;
           var hidden = dataTp.hidden;
           var result;
-          if (!muPut) {
+          if (!isMultiUser) {
             if (typeof opts.onSetToolPalette !== "function") {
               res.writeHead(500, { "Content-Type": "application/json" });
               res.end('{"error":"Not supported"}');
@@ -545,6 +576,11 @@ function attachSettings(ctx) {
             }
             result = opts.onSetToolPalette(paletteName, order, hidden);
           } else {
+            if (!muPut) {
+              res.writeHead(401, { "Content-Type": "application/json" });
+              res.end('{"error":"unauthorized"}');
+              return;
+            }
             result = users.setToolPalette(muPut.id, paletteName, order, hidden);
           }
           if (result && result.error) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "clay-server",
-  "version": "2.35.0-beta.1",
+  "version": "2.35.0-beta.2",
   "description": "Self-hosted Claude Code in your browser. Multi-session, multi-user, push notifications.",
   "bin": {
     "clay-server": "./bin/cli.js",