Fixes, readme

Drop cli-proxy-api token handling, use only native Claude credentials. Simplify refresh to single endpoint (platform.claude.com) with scope. Add debug/refresh and debug/shutdown endpoints. Graceful shutdown.
2026-04-10 12:56:42 +02:00
parent f22765d8f0
commit 4abd4e68dc
5 changed files with 97 additions and 142 deletions
@@ -10,7 +10,6 @@ import (
 	"net"
 	"net/http"
 	"os"
-	"strings"
 	"sync"
 	"time"

@@ -19,9 +18,9 @@ import (
 )

 const (
-	cliProxyTokenEndpoint = "https://api.anthropic.com/v1/oauth/token"
-	nativeTokenEndpoint   = "https://platform.claude.com/v1/oauth/token"
-	clientID              = "9d1c250a-e61b-44d9-88ed-5944d1962f5e"
+	tokenEndpoint = "https://platform.claude.com/v1/oauth/token"
+	clientID      = "9d1c250a-e61b-44d9-88ed-5944d1962f5e"
+	oauthScopes   = "user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload"

 	refreshLead     = 5 * time.Minute
 	refreshInterval = 30 * time.Second
@@ -34,6 +33,7 @@ type tokenRequest struct {
 	ClientID     string `json:"client_id"`
 	GrantType    string `json:"grant_type"`
 	RefreshToken string `json:"refresh_token"`
+	Scope        string `json:"scope"`
 }

 type tokenResponse struct {
@@ -50,23 +50,18 @@ func RefreshToken(ctx context.Context, cred *Credential) error {
 		return fmt.Errorf("no refresh token")
 	}

-	endpoint := cliProxyTokenEndpoint
-	if cred.ID == "claude-native" {
-		endpoint = nativeTokenEndpoint
-	}
-
 	reqBody, _ := json.Marshal(tokenRequest{
 		ClientID:     clientID,
 		GrantType:    "refresh_token",
 		RefreshToken: cred.RefreshToken,
+		Scope:        oauthScopes,
 	})

-	req, err := http.NewRequestWithContext(ctx, http.MethodPost, endpoint, bytes.NewReader(reqBody))
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, tokenEndpoint, bytes.NewReader(reqBody))
 	if err != nil {
 		return fmt.Errorf("create request: %w", err)
 	}
 	req.Header.Set("Content-Type", "application/json")
-	req.Header.Set("Accept", "application/json")

 	resp, err := utlsClient.Do(req)
 	if err != nil {
@@ -100,59 +95,36 @@ func RefreshToken(ctx context.Context, cred *Credential) error {

 func persistCredential(cred *Credential) error {
 	cred.mu.Lock()
-	id := cred.ID
 	filePath := cred.FilePath
 	accessToken := cred.AccessToken
 	refreshToken := cred.RefreshToken
 	expiresAt := cred.ExpiresAt
-	email := cred.Email
 	cred.mu.Unlock()

 	if filePath == "" {
 		return nil
 	}

-	if id == "claude-native" {
-		return persistNativeCredential(filePath, accessToken, refreshToken, expiresAt)
-	}
-	return persistCliProxyCredential(filePath, accessToken, refreshToken, expiresAt, email)
-}
-
-func persistCliProxyCredential(path, accessToken, refreshToken string, expiresAt time.Time, email string) error {
-	data := map[string]string{
-		"access_token":  accessToken,
-		"refresh_token": refreshToken,
-		"email":         email,
-		"expired":       expiresAt.Format(time.RFC3339),
-		"type":          "claude",
-		"last_refresh":  time.Now().Format(time.RFC3339),
-	}
-	out, _ := json.MarshalIndent(data, "", "  ")
-	return os.WriteFile(path, out, 0600)
-}
-
-func persistNativeCredential(path, accessToken, refreshToken string, expiresAt time.Time) error {
-	raw, err := os.ReadFile(path)
+	raw, err := os.ReadFile(filePath)
 	if err != nil {
 		return err
 	}
-	var doc map[string]interface{}
+	var doc map[string]any
 	if err := json.Unmarshal(raw, &doc); err != nil {
 		return err
 	}
-	oauth, _ := doc["claudeAiOauth"].(map[string]interface{})
+	oauth, _ := doc["claudeAiOauth"].(map[string]any)
 	if oauth == nil {
-		oauth = make(map[string]interface{})
+		oauth = make(map[string]any)
 	}
 	oauth["accessToken"] = accessToken
 	oauth["refreshToken"] = refreshToken
 	oauth["expiresAt"] = expiresAt.UnixMilli()
 	doc["claudeAiOauth"] = oauth
 	out, _ := json.MarshalIndent(doc, "", "  ")
-	return os.WriteFile(path, out, 0600)
+	return os.WriteFile(filePath, out, 0600)
 }

-// Chrome TLS HTTP client for refresh requests (same as proxy transport).
 func newUTLSClient() *http.Client {
 	return &http.Client{
 		Timeout:   15 * time.Second,
@@ -214,7 +186,6 @@ func (t *utlsRefreshTransport) RoundTrip(req *http.Request) (*http.Response, err
 	return h2Conn.RoundTrip(req)
 }

-// StartBackgroundRefresh runs a goroutine that checks and refreshes tokens periodically.
 func StartBackgroundRefresh(ctx context.Context, pool *Pool) {
 	go func() {
 		for {
@@ -223,13 +194,13 @@ func StartBackgroundRefresh(ctx context.Context, pool *Pool) {
 				log.Printf("background refresh stopped")
 				return
 			case <-time.After(refreshInterval):
-				refreshAll(pool)
+				refreshExpiring(pool)
 			}
 		}
 	}()
 }

-func refreshAll(pool *Pool) {
+func refreshExpiring(pool *Pool) {
 	pool.mu.Lock()
 	creds := make([]*Credential, len(pool.creds))
 	copy(creds, pool.creds)
@@ -269,18 +240,3 @@ func refreshAll(pool *Pool) {
 		}
 	}
 }
-
-// NeedsRefresh checks if a credential needs refresh within the lead time.
-func NeedsRefresh(cred *Credential) bool {
-	cred.mu.Lock()
-	defer cred.mu.Unlock()
-	if cred.ExpiresAt.IsZero() || cred.RefreshToken == "" {
-		return false
-	}
-	return time.Until(cred.ExpiresAt) <= refreshLead
-}
-
-// IsNativeCredential checks if the credential is from ~/.claude/.credentials.json.
-func IsNativeCredential(cred *Credential) bool {
-	return cred.ID == "claude-native" || strings.Contains(cred.FilePath, ".credentials.json")
-}
@@ -54,5 +54,49 @@ func (p *Pool) MarkSuccess(cred *Credential) {
 }

 func (p *Pool) RefreshExpiring(ctx context.Context) {
-	refreshAll(p)
+	refreshExpiring(p)
+}
+
+func (p *Pool) RefreshAll(ctx context.Context) []map[string]string {
+	p.mu.Lock()
+	creds := make([]*Credential, len(p.creds))
+	copy(creds, p.creds)
+	p.mu.Unlock()
+
+	var results []map[string]string
+	for _, cred := range creds {
+		cred.mu.Lock()
+		id := cred.ID
+		email := cred.Email
+		oldExpiry := cred.ExpiresAt
+		hasRefresh := cred.RefreshToken != ""
+		cred.mu.Unlock()
+
+		r := map[string]string{
+			"id":         id,
+			"email":      email,
+			"old_expiry": oldExpiry.Format(time.RFC3339),
+		}
+
+		if !hasRefresh {
+			r["status"] = "skipped"
+			r["reason"] = "no refresh token"
+			results = append(results, r)
+			continue
+		}
+
+		err := RefreshToken(ctx, cred)
+		if err != nil {
+			r["status"] = "error"
+			r["error"] = err.Error()
+		} else {
+			cred.mu.Lock()
+			r["status"] = "ok"
+			r["new_expiry"] = cred.ExpiresAt.Format(time.RFC3339)
+			r["new_token_prefix"] = cred.AccessToken[:20] + "..."
+			cred.mu.Unlock()
+		}
+		results = append(results, r)
+	}
+	return results
 }