FilesExpand file tree

 main

/

authFileDescriptor.ts

Copy path

BlameMore file actions

BlameMore file actions

Latest commit

 

History

History

History

196 lines (186 loc) · 6.63 KB

 main

/

authFileDescriptor.ts

Top

File metadata and controls

• Code
• Blame

196 lines (186 loc) · 6.63 KB

Raw

Copy raw file

Download raw file

Open symbols panel

Edit and raw actions

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

import { mkdirSync, writeFileSync } from 'fs'

import {

getApiKeyFromFd,

getOauthTokenFromFd,

setApiKeyFromFd,

setOauthTokenFromFd,

} from '../bootstrap/state.js'

import { logForDebugging } from './debug.js'

import { isEnvTruthy } from './envUtils.js'

import { errorMessage, isENOENT } from './errors.js'

import { getFsImplementation } from './fsOperations.js'

/**

* Well-known token file locations in CCR. The Go environment-manager creates

* /home/claude/.claude/remote/ and will (eventually) write these files too.

* Until then, this module writes them on successful FD read so subprocesses

* spawned inside the CCR container can find the token without inheriting

* the FD — which they can't: pipe FDs don't cross tmux/shell boundaries.

*/

const CCR_TOKEN_DIR = '/home/claude/.claude/remote'

export const CCR_OAUTH_TOKEN_PATH = `${CCR_TOKEN_DIR}/.oauth_token`

export const CCR_API_KEY_PATH = `${CCR_TOKEN_DIR}/.api_key`

export const CCR_SESSION_INGRESS_TOKEN_PATH = `${CCR_TOKEN_DIR}/.session_ingress_token`

/**

* Best-effort write of the token to a well-known location for subprocess

* access. CCR-gated: outside CCR there's no /home/claude/ and no reason to

* put a token on disk that the FD was meant to keep off disk.

*/

export function maybePersistTokenForSubprocesses(

path: string,

token: string,

tokenName: string,

): void {

if (!isEnvTruthy(process.env.CLAUDE_CODE_REMOTE)) {

return

}

try {

// eslint-disable-next-line custom-rules/no-sync-fs -- one-shot startup write in CCR, caller is sync

mkdirSync(CCR_TOKEN_DIR, { recursive: true, mode: 0o700 })

// eslint-disable-next-line custom-rules/no-sync-fs -- one-shot startup write in CCR, caller is sync

writeFileSync(path, token, { encoding: 'utf8', mode: 0o600 })

logForDebugging(`Persisted ${tokenName} to ${path} for subprocess access`)

} catch (error) {

logForDebugging(

`Failed to persist ${tokenName} to disk (non-fatal): ${errorMessage(error)}`,

{ level: 'error' },

)

}

}

/**

* Fallback read from a well-known file. The path only exists in CCR (env-manager

* creates the directory), so file-not-found is the expected outcome everywhere

* else — treated as "no fallback", not an error.

*/

export function readTokenFromWellKnownFile(

path: string,

tokenName: string,

): string | null {

try {

const fsOps = getFsImplementation()

// eslint-disable-next-line custom-rules/no-sync-fs -- fallback read for CCR subprocess path, one-shot at startup, caller is sync

const token = fsOps.readFileSync(path, { encoding: 'utf8' }).trim()

if (!token) {

return null

}

logForDebugging(`Read ${tokenName} from well-known file ${path}`)

return token

} catch (error) {

// ENOENT is the expected outcome outside CCR — stay silent. Anything

// else (EACCES from perm misconfig, etc.) is worth surfacing in the

// debug log so subprocess auth failures aren't mysterious.

if (!isENOENT(error)) {

logForDebugging(

`Failed to read ${tokenName} from ${path}: ${errorMessage(error)}`,

{ level: 'debug' },

)

}

return null

}

}

/**

* Shared FD-or-well-known-file credential reader.

*

* Priority order:

* 1. File descriptor (legacy path) — env var points at a pipe FD passed by

* the Go env-manager via cmd.ExtraFiles. Pipe is drained on first read

* and doesn't cross exec/tmux boundaries.

* 2. Well-known file — written by this function on successful FD read (and

* eventually by the env-manager directly). Covers subprocesses that can't

* inherit the FD.

*

* Returns null if neither source has a credential. Cached in global state.

*/

function getCredentialFromFd({

envVar,

wellKnownPath,

label,

getCached,

setCached,

}: {

envVar: string

wellKnownPath: string

label: string

getCached: () => string | null | undefined

setCached: (value: string | null) => void

}): string | null {

const cached = getCached()

if (cached !== undefined) {

return cached

}

const fdEnv = process.env[envVar]

if (!fdEnv) {

// No FD env var — either we're not in CCR, or we're a subprocess whose

// parent stripped the (useless) FD env var. Try the well-known file.

const fromFile = readTokenFromWellKnownFile(wellKnownPath, label)

setCached(fromFile)

return fromFile

}

const fd = parseInt(fdEnv, 10)

if (Number.isNaN(fd)) {

logForDebugging(

`${envVar} must be a valid file descriptor number, got: ${fdEnv}`,

{ level: 'error' },

)

setCached(null)

return null

}

try {

// Use /dev/fd on macOS/BSD, /proc/self/fd on Linux

const fsOps = getFsImplementation()

const fdPath =

process.platform === 'darwin' || process.platform === 'freebsd'

? `/dev/fd/${fd}`

: `/proc/self/fd/${fd}`

// eslint-disable-next-line custom-rules/no-sync-fs -- legacy FD path, read once at startup, caller is sync

const token = fsOps.readFileSync(fdPath, { encoding: 'utf8' }).trim()

if (!token) {

logForDebugging(`File descriptor contained empty ${label}`, {

level: 'error',

})

setCached(null)

return null

}

logForDebugging(`Successfully read ${label} from file descriptor ${fd}`)

setCached(token)

maybePersistTokenForSubprocesses(wellKnownPath, token, label)

return token

} catch (error) {

logForDebugging(

`Failed to read ${label} from file descriptor ${fd}: ${errorMessage(error)}`,

{ level: 'error' },

)

// FD env var was set but read failed — typically a subprocess that

// inherited the env var but not the FD (ENXIO). Try the well-known file.

const fromFile = readTokenFromWellKnownFile(wellKnownPath, label)

setCached(fromFile)

return fromFile

}

}

/**

* Get the CCR-injected OAuth token. See getCredentialFromFd for FD-vs-disk

* rationale. Env var: CLAUDE_CODE_OAUTH_TOKEN_FILE_DESCRIPTOR.

* Well-known file: /home/claude/.claude/remote/.oauth_token.

*/

export function getOAuthTokenFromFileDescriptor(): string | null {

return getCredentialFromFd({

envVar: 'CLAUDE_CODE_OAUTH_TOKEN_FILE_DESCRIPTOR',

wellKnownPath: CCR_OAUTH_TOKEN_PATH,

label: 'OAuth token',

getCached: getOauthTokenFromFd,

setCached: setOauthTokenFromFd,

})

}

/**

* Get the CCR-injected API key. See getCredentialFromFd for FD-vs-disk

* rationale. Env var: CLAUDE_CODE_API_KEY_FILE_DESCRIPTOR.

* Well-known file: /home/claude/.claude/remote/.api_key.

*/

export function getApiKeyFromFileDescriptor(): string | null {

return getCredentialFromFd({

envVar: 'CLAUDE_CODE_API_KEY_FILE_DESCRIPTOR',

wellKnownPath: CCR_API_KEY_PATH,

label: 'API key',

getCached: getApiKeyFromFd,

setCached: setApiKeyFromFd,

})

}