Skip to content

fix: OAuth credential proxy — auto-refresh tokens + beta header#1076

Closed
glifocat wants to merge 1 commit into
nanocoai:mainfrom
glifocat:fix-oauth-proxy
Closed

fix: OAuth credential proxy — auto-refresh tokens + beta header#1076
glifocat wants to merge 1 commit into
nanocoai:mainfrom
glifocat:fix-oauth-proxy

Conversation

@glifocat
Copy link
Copy Markdown
Collaborator

@glifocat glifocat commented Mar 14, 2026

Type of Change

  • Skill - adds a new skill in .claude/skills/
  • Fix - bug fix or security fix to source code
  • Simplification - reduces or simplifies source code

Description

OAuth users are hitting 401 "OAuth authentication is currently not supported" because the credential proxy doesn't send the required anthropic-beta: oauth-2025-04-20 header. Additionally, OAuth tokens stored in .env expire after ~4 hours with no automatic refresh, causing silent auth failures.

This PR fixes both issues:

1. Beta header injection (credential-proxy.ts):

  • Injects anthropic-beta: oauth-2025-04-20 on all OAuth-proxied requests
  • Unconditional credential injection — the proxy always replaces auth headers, regardless of what the container sends. This prevents the SDK's OAuth exchange flow from delivering a working temp API key into the untrusted container.
  • req.pipe() streaming for large request bodies (base64 images)
  • /health endpoint, JSON error responses (502/503), 10-min timeout

2. Token auto-refresh (new oauth-token.ts):

  • Reads ~/.claude/.credentials.json (same file the claude CLI maintains)
  • In-memory cache with 5-minute expiry buffer
  • Auto-refreshes expired tokens via platform.claude.com/v1/oauth/token
  • Promise-chain serialization (only one refresh runs at a time)
  • Atomic file writes (write temp + rename) to prevent credential corruption
  • Falls back to .env token if credentials file is unavailable

Based on work by @calebfaruki (#871) and @kianwoon (#930, #969). Supersedes both PRs with a combined, tested implementation.

Related issues: #730 (OAuth tokens expire)

@glifocat @claude
fix: OAuth credential proxy — auto-refresh tokens + beta header
eb22f58 
OAuth users hitting 401 "OAuth authentication is currently not supported"
because the proxy was missing the required `anthropic-beta: oauth-2025-04-20`
header. Additionally, tokens in .env expire after ~4 hours with no refresh.

Changes:
- Add src/oauth-token.ts: reads ~/.claude/.credentials.json, caches tokens
  in memory, auto-refreshes via platform.claude.com when expired, serializes
  concurrent refreshes through a promise chain, writes back atomically
- Rewrite credential proxy: async handler, unconditional credential injection
  (no exchange-based flow), beta header for OAuth, req.pipe() streaming,
  /health endpoint, JSON error responses, 10-min timeout
- Update tests for new behavior (mock getFreshOAuthToken, process.env for
  upstream URL, unconditional OAuth injection assertions)

Based on work by @calebfaruki (nanocoai#871) and @kianwoon (nanocoai#930/nanocoai#969).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@Andy-NanoClaw-AI Andy-NanoClaw-AI added Status: Needs Review Ready for maintainer review PR: Fix Bug fix labels Mar 14, 2026
pillaiinfotechbot pushed a commit to pillaiinfotechbot/nanoclaw-updated that referenced this pull request Apr 2, 2026
@claude
Mount host Development directory in all agent containers
9f3a09c 
Adds /Users/mac/Development as /workspace/extra/Development in every
agent container, same pattern as the sysbridge mount. Resolves tasks
nanocoai#855, nanocoai#1070, nanocoai#1071, nanocoai#1073, nanocoai#1075, nanocoai#1076, nanocoai#1077 — agents can now
access project repos from within their Docker containers.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
thats2easyyy added a commit to thats2easyyy/nanoclaw that referenced this pull request Apr 8, 2026
@thats2easyyy @claude
fix(credential-proxy): inject OAuth bearer + oauth-2025-04-20 beta un…
23a5c7d 
…conditionally

Without this, OAuth tokens hit 401 "OAuth authentication is currently
not supported" because api.anthropic.com requires the oauth-2025-04-20
beta feature flag for Bearer-auth requests. The previous code only
injected on requests where the container already sent an Authorization
header, which never happens on the non-exchange SDK path.

Also resolves a merge conflict from the native-credential-proxy skill:
HEAD retained a stray ONECLI_URL export in src/config.ts that conflicted
with the skill's CREDENTIAL_PROXY_PORT addition. Took the skill's side.

Matches the approach in upstream PR nanocoai#1076 (still open at time of commit).
Relevant issue: nanocoai#730 (OAuth tokens expire overnight).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@gavrielc gavrielc closed this May 1, 2026
@bkutasi bkutasi mentioned this pull request May 1, 2026
Open
@github-actions github-actions Bot mentioned this pull request May 2, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gavrielc gavrielc Awaiting requested review from gavrielc gavrielc is a code owner

@gabi-simons gabi-simons Awaiting requested review from gabi-simons gabi-simons is a code owner

Assignees

No one assigned

Labels

PR: Fix Bug fix Status: Needs Review Ready for maintainer review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@glifocat @gavrielc @Andy-NanoClaw-AI