crashlabs/huskies
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 26 Wiki Activity
Files
6b1737d52d0a3dc48bc165cd9420610bde48f319
huskies/server/src/http/oauth.rs
T

441 lines
14 KiB
Rust
Raw Normal View History

feat: browser-based OAuth login flow (story 406)
2026-03-26 19:58:18 +00:00
use crate::llm::oauth;
use crate::slog;
use poem::handler;
use poem::http::StatusCode;
use poem::web::{Data, Query, Redirect};
use serde::Deserialize;
use std::collections::HashMap;
use std::sync::{Arc, Mutex};
/// Anthropic OAuth configuration.
const CLIENT_ID: &str = "9d1c250a-e61b-44d9-88ed-5944d1962f5e";
/// Claude.ai authorize URL (for Max/Pro subscriptions).
const AUTHORIZE_URL: &str = "https://claude.com/cai/oauth/authorize";
const TOKEN_ENDPOINT: &str = "https://platform.claude.com/v1/oauth/token";
const SCOPES: &str =
"user:inference user:profile user:mcp_servers user:sessions:claude_code user:file_upload";
/// In-memory store for pending PKCE flows, keyed by state parameter.
#[derive(Clone)]
pub struct OAuthState {
/// Maps state → (code_verifier, redirect_uri)
pending: Arc<Mutex<HashMap<String, PendingFlow>>>,
/// The port the server is listening on (for building redirect_uri).
port: u16,
}
struct PendingFlow {
code_verifier: String,
redirect_uri: String,
}
impl OAuthState {
pub fn new(port: u16) -> Self {
Self {
pending: Arc::new(Mutex::new(HashMap::new())),
port,
}
}
fn callback_url(&self) -> String {
format!("http://localhost:{}/callback", self.port)
}
}
/// Generate a random alphanumeric string of the given length.
fn random_string(len: usize) -> String {
use std::collections::hash_map::RandomState;
use std::hash::{BuildHasher, Hasher};
let mut s = String::with_capacity(len);
let chars = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
for _ in 0..len {
let hasher = RandomState::new().build_hasher();
let idx = hasher.finish() as usize % chars.len();
s.push(chars[idx] as char);
}
s
}
/// Compute the S256 PKCE code challenge from a code verifier.
fn compute_code_challenge(verifier: &str) -> String {
use sha2::{Digest, Sha256};
let hash = Sha256::digest(verifier.as_bytes());
base64url_encode(&hash)
}
/// Base64url-encode without padding (RFC 7636).
fn base64url_encode(data: &[u8]) -> String {
// Standard base64 then convert to base64url
const CHARS: &[u8] =
b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
let mut result = String::new();
let mut i = 0;
while i < data.len() {
let b0 = data[i] as u32;
let b1 = if i + 1 < data.len() { data[i + 1] as u32 } else { 0 };
let b2 = if i + 2 < data.len() { data[i + 2] as u32 } else { 0 };
let triple = (b0 << 16) | (b1 << 8) | b2;
result.push(CHARS[((triple >> 18) & 0x3F) as usize] as char);
result.push(CHARS[((triple >> 12) & 0x3F) as usize] as char);
if i + 1 < data.len() {
result.push(CHARS[((triple >> 6) & 0x3F) as usize] as char);
}
if i + 2 < data.len() {
result.push(CHARS[(triple & 0x3F) as usize] as char);
}
i += 3;
}
// Convert to base64url: replace + with -, / with _
result.replace('+', "-").replace('/', "_")
}
/// `GET /oauth/authorize` — Initiates the OAuth flow.
///
/// Generates PKCE parameters, stores them, and redirects the browser to
/// Anthropic's authorization page.
#[handler]
pub async fn oauth_authorize(state: Data<&Arc<OAuthState>>) -> Redirect {
let code_verifier = random_string(128);
let code_challenge = compute_code_challenge(&code_verifier);
let csrf_state = random_string(32);
let redirect_uri = state.callback_url();
slog!("[oauth] Starting OAuth flow, state={}", csrf_state);
// Store the pending flow
state.pending.lock().unwrap().insert(
csrf_state.clone(),
PendingFlow {
code_verifier,
redirect_uri: redirect_uri.clone(),
},
);
let authorize_url = format!(
"{}?code=true&client_id={}&response_type=code&redirect_uri={}&scope={}&code_challenge={}&code_challenge_method=S256&state={}",
AUTHORIZE_URL,
CLIENT_ID,
percent_encode(&redirect_uri),
percent_encode(SCOPES),
percent_encode(&code_challenge),
percent_encode(&csrf_state),
);
Redirect::temporary(authorize_url)
}
#[derive(Deserialize)]
pub struct CallbackParams {
code: Option<String>,
state: Option<String>,
error: Option<String>,
error_description: Option<String>,
}
/// Response from the Anthropic OAuth token endpoint.
#[derive(Deserialize)]
struct TokenResponse {
access_token: String,
refresh_token: Option<String>,
expires_in: u64,
#[allow(dead_code)]
token_type: Option<String>,
#[allow(dead_code)]
scope: Option<String>,
}
/// `GET /oauth/callback` — Handles the OAuth redirect from Anthropic.
///
/// Exchanges the authorization code for tokens and writes them to
/// `~/.claude/.credentials.json`.
#[handler]
pub async fn oauth_callback(
state: Data<&Arc<OAuthState>>,
Query(params): Query<CallbackParams>,
) -> poem::Response {
// Handle errors from Anthropic
if let Some(err) = &params.error {
let desc = params
.error_description
.as_deref()
.unwrap_or("Unknown error");
slog!("[oauth] Authorization denied: {} - {}", err, desc);
return html_response(
StatusCode::BAD_REQUEST,
"Authentication Failed",
&format!("Anthropic denied the request: {desc}"),
);
}
let code = match &params.code {
Some(c) => c,
None => {
return html_response(
StatusCode::BAD_REQUEST,
"Missing Code",
"No authorization code received from Anthropic.",
);
}
};
let csrf_state = match &params.state {
Some(s) => s,
None => {
return html_response(
StatusCode::BAD_REQUEST,
"Missing State",
"No state parameter received. Possible CSRF attack.",
);
}
};
// Look up and remove the pending flow
let pending = state.pending.lock().unwrap().remove(csrf_state);
let flow = match pending {
Some(f) => f,
None => {
slog!("[oauth] Unknown state parameter: {}", csrf_state);
return html_response(
StatusCode::BAD_REQUEST,
"Invalid State",
"Unknown or expired state parameter. Please try logging in again.",
);
}
};
slog!("[oauth] Received callback, exchanging code for tokens");
// Exchange the authorization code for tokens
let client = reqwest::Client::new();
let resp = client
.post(TOKEN_ENDPOINT)
.header("Content-Type", "application/json")
.json(&serde_json::json!({
"grant_type": "authorization_code",
"code": code,
"client_id": CLIENT_ID,
"redirect_uri": &flow.redirect_uri,
"code_verifier": &flow.code_verifier,
"state": csrf_state,
}))
.send()
.await;
let resp = match resp {
Ok(r) => r,
Err(e) => {
slog!("[oauth] Token exchange request failed: {}", e);
return html_response(
StatusCode::INTERNAL_SERVER_ERROR,
"Token Exchange Failed",
&format!("Failed to contact Anthropic: {e}"),
);
}
};
let status = resp.status();
let body = resp.text().await.unwrap_or_default();
slog!("[oauth] Token exchange response (HTTP {}): {}", status, body);
if !status.is_success() {
return html_response(
StatusCode::INTERNAL_SERVER_ERROR,
"Token Exchange Failed",
&format!("Anthropic returned HTTP {status}. Please try again."),
);
}
let token_resp: TokenResponse = match serde_json::from_str(&body) {
Ok(t) => t,
Err(e) => {
slog!("[oauth] Failed to parse token response: {}", e);
return html_response(
StatusCode::INTERNAL_SERVER_ERROR,
"Token Parse Failed",
"Received an unexpected response from Anthropic.",
);
}
};
let now_ms = std::time::SystemTime::now()
.duration_since(std::time::UNIX_EPOCH)
.map(|d| d.as_millis() as u64)
.unwrap_or(0);
let creds = oauth::CredentialsFile {
claude_ai_oauth: oauth::OAuthCredentials {
access_token: token_resp.access_token,
refresh_token: token_resp.refresh_token.unwrap_or_default(),
expires_at: now_ms + (token_resp.expires_in * 1000),
scopes: SCOPES.split(' ').map(|s| s.to_string()).collect(),
subscription_type: None,
rate_limit_tier: None,
},
};
if let Err(e) = oauth::write_credentials(&creds) {
slog!("[oauth] Failed to write credentials: {}", e);
return html_response(
StatusCode::INTERNAL_SERVER_ERROR,
"Credential Write Failed",
&format!("Tokens received but failed to save: {e}"),
);
}
slog!("[oauth] Successfully authenticated and saved credentials");
html_response(
StatusCode::OK,
"Authenticated!",
huskies: rename project from storkit to huskies
2026-04-03 16:12:52 +01:00
"Claude OAuth login successful. You can close this tab and return to Huskies.",
feat: browser-based OAuth login flow (story 406)
2026-03-26 19:58:18 +00:00
)
}
/// Check whether valid (non-expired) OAuth credentials exist.
#[handler]
pub async fn oauth_status() -> poem::Response {
match oauth::read_credentials() {
Ok(creds) => {
let now_ms = std::time::SystemTime::now()
.duration_since(std::time::UNIX_EPOCH)
.map(|d| d.as_millis() as u64)
.unwrap_or(0);
let expired = now_ms > creds.claude_ai_oauth.expires_at;
let body = serde_json::json!({
"authenticated": true,
"expired": expired,
"expires_at": creds.claude_ai_oauth.expires_at,
"has_refresh_token": !creds.claude_ai_oauth.refresh_token.is_empty(),
});
poem::Response::builder()
.status(StatusCode::OK)
.header("Content-Type", "application/json")
.body(body.to_string())
}
Err(_) => {
let body = serde_json::json!({
"authenticated": false,
"expired": false,
"expires_at": 0,
"has_refresh_token": false,
});
poem::Response::builder()
.status(StatusCode::OK)
.header("Content-Type", "application/json")
.body(body.to_string())
}
}
}
/// Percent-encode a string for use in URL query parameters.
fn percent_encode(input: &str) -> String {
let mut encoded = String::with_capacity(input.len() * 3);
for byte in input.bytes() {
match byte {
b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'_' | b'.' | b'~' => {
encoded.push(byte as char);
}
_ => {
encoded.push_str(&format!("%{byte:02X}"));
}
}
}
encoded
}
fn html_response(status: StatusCode, title: &str, message: &str) -> poem::Response {
let html = format!(
r#"<!DOCTYPE html>
<html>
<head><title>{title}</title>
<style>
body {{ font-family: system-ui, sans-serif; display: flex; justify-content: center; align-items: center; min-height: 100vh; margin: 0; background: #1a1a2e; color: #e0e0e0; }}
.card {{ background: #16213e; padding: 2rem; border-radius: 12px; text-align: center; max-width: 400px; box-shadow: 0 4px 24px rgba(0,0,0,0.3); }}
h1 {{ margin-top: 0; }}
</style>
</head>
<body><div class="card"><h1>{title}</h1><p>{message}</p></div></body>
</html>"#
);
poem::Response::builder()
.status(status)
.header("Content-Type", "text/html; charset=utf-8")
.body(html)
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn base64url_encode_basic() {
// Test vector: "Hello" → base64 "SGVsbG8=" → base64url "SGVsbG8"
let encoded = base64url_encode(b"Hello");
assert_eq!(encoded, "SGVsbG8");
}
#[test]
fn base64url_encode_no_padding() {
// Ensure no '=' padding characters
let encoded = base64url_encode(b"a");
assert!(!encoded.contains('='));
}
#[test]
fn base64url_encode_no_plus_or_slash() {
// Encode bytes that would produce + and / in standard base64
let data: Vec<u8> = (0..=255).collect();
let encoded = base64url_encode(&data);
assert!(!encoded.contains('+'));
assert!(!encoded.contains('/'));
}
#[test]
fn compute_code_challenge_returns_nonempty() {
let challenge = compute_code_challenge("test_verifier_string");
assert!(!challenge.is_empty());
}
#[test]
fn compute_code_challenge_is_deterministic() {
let a = compute_code_challenge("same_input");
let b = compute_code_challenge("same_input");
assert_eq!(a, b);
}
#[test]
fn random_string_length() {
let s = random_string(64);
assert_eq!(s.len(), 64);
}
#[test]
fn random_string_is_alphanumeric() {
let s = random_string(100);
assert!(s.chars().all(|c| c.is_ascii_alphanumeric()));
}
#[test]
fn oauth_state_callback_url() {
let state = OAuthState::new(3001);
assert_eq!(state.callback_url(), "http://localhost:3001/callback");
}
storkit: merge 449_bug_oauth_callback_url_ignores_port_cli_flag
2026-03-31 14:52:18 +00:00
#[test]
fn oauth_state_callback_url_uses_given_port() {
// Ensure OAuthState::new uses the port passed to it, not a hardcoded value.
let state = OAuthState::new(9876);
assert_eq!(state.callback_url(), "http://localhost:9876/callback");
}
feat: browser-based OAuth login flow (story 406)
2026-03-26 19:58:18 +00:00
#[tokio::test]
async fn html_response_contains_title_and_message() {
let resp = html_response(StatusCode::OK, "Test Title", "Test message");
let body = resp.into_body().into_string().await.unwrap();
assert!(body.contains("Test Title"));
assert!(body.contains("Test message"));
}
}
Reference in New Issue Copy Permalink