feat: browser-based OAuth login flow (story 406)

Add three HTTP endpoints for OAuth login without terminal access: - GET /oauth/authorize — generates PKCE params, redirects to claude.com/cai/oauth/authorize with code=true and full scopes - GET /callback — exchanges auth code for tokens via JSON POST to platform.claude.com/v1/oauth/token, writes ~/.claude/.credentials.json - GET /oauth/status — returns current credential state as JSON Uses SHA-256 (sha2 crate) for PKCE code challenge. The authorize URL targets claude.com/cai/ (not platform.claude.com) which is required for Max/Pro subscriptions to grant user:inference scope. Users visit http://localhost:3001/oauth/authorize in their browser to authenticate. Matrix/WhatsApp can send this link when auth fails. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 19:58:18 +00:00
parent 710b604b7c
commit 877f69c897
6 changed files with 472 additions and 0 deletions
@@ -0,0 +1,21 @@
+---
+name: "Browser-based OAuth login flow from web UI and chat integrations"
+---
+
+# Story 406: Browser-based OAuth login flow from web UI and chat integrations
+
+## User Story
+
+As a new storkit user (or one whose refresh token has expired), I want to complete the full Claude OAuth login flow from the web UI, Matrix, or WhatsApp so that I don't need terminal access to run `claude login`.
+
+## Acceptance Criteria
+
+- [ ] From the web UI, the user can initiate OAuth login — storkit generates the Anthropic authorize URL and opens it in a new tab
+- [ ] After the user authenticates in the browser, the OAuth callback writes accessToken, refreshToken, and expiresAt to ~/.claude/.credentials.json
+- [ ] From Matrix or WhatsApp, storkit sends the user a clickable OAuth authorize link when credentials are missing or fully expired
+- [ ] After successful login, the user can immediately start chatting without restarting storkit
+- [ ] If the OAuth callback fails or the user cancels, a clear error is shown
+
+## Out of Scope
+
+- TBD
@@ -4044,6 +4044,7 @@ dependencies = [
 "serde_json",
 "serde_urlencoded",
 "serde_yaml",
+ "sha2",
 "strip-ansi-escapes",
 "tempfile",
 "tokio",
@@ -21,6 +21,7 @@ rust-embed = "8"
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 serde_urlencoded = "0.7"
+sha2 = "0.10"
 serde_yaml = "0.9"
 strip-ansi-escapes = "0.2"
 tempfile = "3"
@@ -23,6 +23,7 @@ rust-embed = { workspace = true }
 serde = { workspace = true, features = ["derive"] }
 serde_json = { workspace = true }
 serde_urlencoded = { workspace = true }
+sha2 = { workspace = true }
 serde_yaml = { workspace = true }
 strip-ansi-escapes = { workspace = true }
 tokio = { workspace = true, features = ["rt-multi-thread", "macros", "sync", "process"] }
@@ -9,6 +9,7 @@ pub mod health;
 pub mod io;
 pub mod mcp;
 pub mod model;
+pub mod oauth;
 pub mod settings;
 pub mod workflow;

@@ -65,6 +66,8 @@ pub fn build_routes(

    let (api_service, docs_service) = build_openapi_service(ctx_arc.clone());

+    let oauth_state = Arc::new(oauth::OAuthState::new(resolve_port()));
+
    let mut route = Route::new()
        .nest("/api", api_service)
        .nest("/docs", docs_service.swagger_ui())
@@ -78,6 +81,18 @@ pub fn build_routes(
            post(mcp::mcp_post_handler).get(mcp::mcp_get_handler),
        )
        .at("/health", get(health::health))
+        .at(
+            "/oauth/authorize",
+            get(oauth::oauth_authorize).data(oauth_state.clone()),
+        )
+        .at(
+            "/callback",
+            get(oauth::oauth_callback).data(oauth_state.clone()),
+        )
+        .at(
+            "/oauth/status",
+            get(oauth::oauth_status),
+        )
        .at("/assets/*path", get(assets::embedded_asset))
        .at("/", get(assets::embedded_index))
        .at("/*path", get(assets::embedded_file));
@@ -0,0 +1,433 @@
+use crate::llm::oauth;
+use crate::slog;
+use poem::handler;
+use poem::http::StatusCode;
+use poem::web::{Data, Query, Redirect};
+use serde::Deserialize;
+use std::collections::HashMap;
+use std::sync::{Arc, Mutex};
+
+/// Anthropic OAuth configuration.
+const CLIENT_ID: &str = "9d1c250a-e61b-44d9-88ed-5944d1962f5e";
+/// Claude.ai authorize URL (for Max/Pro subscriptions).
+const AUTHORIZE_URL: &str = "https://claude.com/cai/oauth/authorize";
+const TOKEN_ENDPOINT: &str = "https://platform.claude.com/v1/oauth/token";
+const SCOPES: &str =
+    "user:inference user:profile user:mcp_servers user:sessions:claude_code user:file_upload";
+
+/// In-memory store for pending PKCE flows, keyed by state parameter.
+#[derive(Clone)]
+pub struct OAuthState {
+    /// Maps state → (code_verifier, redirect_uri)
+    pending: Arc<Mutex<HashMap<String, PendingFlow>>>,
+    /// The port the server is listening on (for building redirect_uri).
+    port: u16,
+}
+
+struct PendingFlow {
+    code_verifier: String,
+    redirect_uri: String,
+}
+
+impl OAuthState {
+    pub fn new(port: u16) -> Self {
+        Self {
+            pending: Arc::new(Mutex::new(HashMap::new())),
+            port,
+        }
+    }
+
+    fn callback_url(&self) -> String {
+        format!("http://localhost:{}/callback", self.port)
+    }
+}
+
+/// Generate a random alphanumeric string of the given length.
+fn random_string(len: usize) -> String {
+    use std::collections::hash_map::RandomState;
+    use std::hash::{BuildHasher, Hasher};
+    let mut s = String::with_capacity(len);
+    let chars = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+    for _ in 0..len {
+        let hasher = RandomState::new().build_hasher();
+        let idx = hasher.finish() as usize % chars.len();
+        s.push(chars[idx] as char);
+    }
+    s
+}
+
+/// Compute the S256 PKCE code challenge from a code verifier.
+fn compute_code_challenge(verifier: &str) -> String {
+    use sha2::{Digest, Sha256};
+    let hash = Sha256::digest(verifier.as_bytes());
+    base64url_encode(&hash)
+}
+
+/// Base64url-encode without padding (RFC 7636).
+fn base64url_encode(data: &[u8]) -> String {
+    // Standard base64 then convert to base64url
+    const CHARS: &[u8] =
+        b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+    let mut result = String::new();
+    let mut i = 0;
+    while i < data.len() {
+        let b0 = data[i] as u32;
+        let b1 = if i + 1 < data.len() { data[i + 1] as u32 } else { 0 };
+        let b2 = if i + 2 < data.len() { data[i + 2] as u32 } else { 0 };
+        let triple = (b0 << 16) | (b1 << 8) | b2;
+
+        result.push(CHARS[((triple >> 18) & 0x3F) as usize] as char);
+        result.push(CHARS[((triple >> 12) & 0x3F) as usize] as char);
+        if i + 1 < data.len() {
+            result.push(CHARS[((triple >> 6) & 0x3F) as usize] as char);
+        }
+        if i + 2 < data.len() {
+            result.push(CHARS[(triple & 0x3F) as usize] as char);
+        }
+        i += 3;
+    }
+    // Convert to base64url: replace + with -, / with _
+    result.replace('+', "-").replace('/', "_")
+}
+
+/// `GET /oauth/authorize` — Initiates the OAuth flow.
+///
+/// Generates PKCE parameters, stores them, and redirects the browser to
+/// Anthropic's authorization page.
+#[handler]
+pub async fn oauth_authorize(state: Data<&Arc<OAuthState>>) -> Redirect {
+    let code_verifier = random_string(128);
+    let code_challenge = compute_code_challenge(&code_verifier);
+    let csrf_state = random_string(32);
+    let redirect_uri = state.callback_url();
+
+    slog!("[oauth] Starting OAuth flow, state={}", csrf_state);
+
+    // Store the pending flow
+    state.pending.lock().unwrap().insert(
+        csrf_state.clone(),
+        PendingFlow {
+            code_verifier,
+            redirect_uri: redirect_uri.clone(),
+        },
+    );
+
+    let authorize_url = format!(
+        "{}?code=true&client_id={}&response_type=code&redirect_uri={}&scope={}&code_challenge={}&code_challenge_method=S256&state={}",
+        AUTHORIZE_URL,
+        CLIENT_ID,
+        percent_encode(&redirect_uri),
+        percent_encode(SCOPES),
+        percent_encode(&code_challenge),
+        percent_encode(&csrf_state),
+    );
+
+    Redirect::temporary(authorize_url)
+}
+
+#[derive(Deserialize)]
+pub struct CallbackParams {
+    code: Option<String>,
+    state: Option<String>,
+    error: Option<String>,
+    error_description: Option<String>,
+}
+
+/// Response from the Anthropic OAuth token endpoint.
+#[derive(Deserialize)]
+struct TokenResponse {
+    access_token: String,
+    refresh_token: Option<String>,
+    expires_in: u64,
+    #[allow(dead_code)]
+    token_type: Option<String>,
+    #[allow(dead_code)]
+    scope: Option<String>,
+}
+
+/// `GET /oauth/callback` — Handles the OAuth redirect from Anthropic.
+///
+/// Exchanges the authorization code for tokens and writes them to
+/// `~/.claude/.credentials.json`.
+#[handler]
+pub async fn oauth_callback(
+    state: Data<&Arc<OAuthState>>,
+    Query(params): Query<CallbackParams>,
+) -> poem::Response {
+    // Handle errors from Anthropic
+    if let Some(err) = &params.error {
+        let desc = params
+            .error_description
+            .as_deref()
+            .unwrap_or("Unknown error");
+        slog!("[oauth] Authorization denied: {} - {}", err, desc);
+        return html_response(
+            StatusCode::BAD_REQUEST,
+            "Authentication Failed",
+            &format!("Anthropic denied the request: {desc}"),
+        );
+    }
+
+    let code = match &params.code {
+        Some(c) => c,
+        None => {
+            return html_response(
+                StatusCode::BAD_REQUEST,
+                "Missing Code",
+                "No authorization code received from Anthropic.",
+            );
+        }
+    };
+
+    let csrf_state = match &params.state {
+        Some(s) => s,
+        None => {
+            return html_response(
+                StatusCode::BAD_REQUEST,
+                "Missing State",
+                "No state parameter received. Possible CSRF attack.",
+            );
+        }
+    };
+
+    // Look up and remove the pending flow
+    let pending = state.pending.lock().unwrap().remove(csrf_state);
+    let flow = match pending {
+        Some(f) => f,
+        None => {
+            slog!("[oauth] Unknown state parameter: {}", csrf_state);
+            return html_response(
+                StatusCode::BAD_REQUEST,
+                "Invalid State",
+                "Unknown or expired state parameter. Please try logging in again.",
+            );
+        }
+    };
+
+    slog!("[oauth] Received callback, exchanging code for tokens");
+
+    // Exchange the authorization code for tokens
+    let client = reqwest::Client::new();
+    let resp = client
+        .post(TOKEN_ENDPOINT)
+        .header("Content-Type", "application/json")
+        .json(&serde_json::json!({
+            "grant_type": "authorization_code",
+            "code": code,
+            "client_id": CLIENT_ID,
+            "redirect_uri": &flow.redirect_uri,
+            "code_verifier": &flow.code_verifier,
+            "state": csrf_state,
+        }))
+        .send()
+        .await;
+
+    let resp = match resp {
+        Ok(r) => r,
+        Err(e) => {
+            slog!("[oauth] Token exchange request failed: {}", e);
+            return html_response(
+                StatusCode::INTERNAL_SERVER_ERROR,
+                "Token Exchange Failed",
+                &format!("Failed to contact Anthropic: {e}"),
+            );
+        }
+    };
+
+    let status = resp.status();
+    let body = resp.text().await.unwrap_or_default();
+
+    slog!("[oauth] Token exchange response (HTTP {}): {}", status, body);
+
+    if !status.is_success() {
+        return html_response(
+            StatusCode::INTERNAL_SERVER_ERROR,
+            "Token Exchange Failed",
+            &format!("Anthropic returned HTTP {status}. Please try again."),
+        );
+    }
+
+    let token_resp: TokenResponse = match serde_json::from_str(&body) {
+        Ok(t) => t,
+        Err(e) => {
+            slog!("[oauth] Failed to parse token response: {}", e);
+            return html_response(
+                StatusCode::INTERNAL_SERVER_ERROR,
+                "Token Parse Failed",
+                "Received an unexpected response from Anthropic.",
+            );
+        }
+    };
+
+    let now_ms = std::time::SystemTime::now()
+        .duration_since(std::time::UNIX_EPOCH)
+        .map(|d| d.as_millis() as u64)
+        .unwrap_or(0);
+
+    let creds = oauth::CredentialsFile {
+        claude_ai_oauth: oauth::OAuthCredentials {
+            access_token: token_resp.access_token,
+            refresh_token: token_resp.refresh_token.unwrap_or_default(),
+            expires_at: now_ms + (token_resp.expires_in * 1000),
+            scopes: SCOPES.split(' ').map(|s| s.to_string()).collect(),
+            subscription_type: None,
+            rate_limit_tier: None,
+        },
+    };
+
+    if let Err(e) = oauth::write_credentials(&creds) {
+        slog!("[oauth] Failed to write credentials: {}", e);
+        return html_response(
+            StatusCode::INTERNAL_SERVER_ERROR,
+            "Credential Write Failed",
+            &format!("Tokens received but failed to save: {e}"),
+        );
+    }
+
+    slog!("[oauth] Successfully authenticated and saved credentials");
+
+    html_response(
+        StatusCode::OK,
+        "Authenticated!",
+        "Claude OAuth login successful. You can close this tab and return to Storkit.",
+    )
+}
+
+/// Check whether valid (non-expired) OAuth credentials exist.
+#[handler]
+pub async fn oauth_status() -> poem::Response {
+    match oauth::read_credentials() {
+        Ok(creds) => {
+            let now_ms = std::time::SystemTime::now()
+                .duration_since(std::time::UNIX_EPOCH)
+                .map(|d| d.as_millis() as u64)
+                .unwrap_or(0);
+            let expired = now_ms > creds.claude_ai_oauth.expires_at;
+            let body = serde_json::json!({
+                "authenticated": true,
+                "expired": expired,
+                "expires_at": creds.claude_ai_oauth.expires_at,
+                "has_refresh_token": !creds.claude_ai_oauth.refresh_token.is_empty(),
+            });
+            poem::Response::builder()
+                .status(StatusCode::OK)
+                .header("Content-Type", "application/json")
+                .body(body.to_string())
+        }
+        Err(_) => {
+            let body = serde_json::json!({
+                "authenticated": false,
+                "expired": false,
+                "expires_at": 0,
+                "has_refresh_token": false,
+            });
+            poem::Response::builder()
+                .status(StatusCode::OK)
+                .header("Content-Type", "application/json")
+                .body(body.to_string())
+        }
+    }
+}
+
+/// Percent-encode a string for use in URL query parameters.
+fn percent_encode(input: &str) -> String {
+    let mut encoded = String::with_capacity(input.len() * 3);
+    for byte in input.bytes() {
+        match byte {
+            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'_' | b'.' | b'~' => {
+                encoded.push(byte as char);
+            }
+            _ => {
+                encoded.push_str(&format!("%{byte:02X}"));
+            }
+        }
+    }
+    encoded
+}
+
+fn html_response(status: StatusCode, title: &str, message: &str) -> poem::Response {
+    let html = format!(
+        r#"<!DOCTYPE html>
+<html>
+<head><title>{title}</title>
+<style>
+body {{ font-family: system-ui, sans-serif; display: flex; justify-content: center; align-items: center; min-height: 100vh; margin: 0; background: #1a1a2e; color: #e0e0e0; }}
+.card {{ background: #16213e; padding: 2rem; border-radius: 12px; text-align: center; max-width: 400px; box-shadow: 0 4px 24px rgba(0,0,0,0.3); }}
+h1 {{ margin-top: 0; }}
+</style>
+</head>
+<body><div class="card"><h1>{title}</h1><p>{message}</p></div></body>
+</html>"#
+    );
+    poem::Response::builder()
+        .status(status)
+        .header("Content-Type", "text/html; charset=utf-8")
+        .body(html)
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn base64url_encode_basic() {
+        // Test vector: "Hello" → base64 "SGVsbG8=" → base64url "SGVsbG8"
+        let encoded = base64url_encode(b"Hello");
+        assert_eq!(encoded, "SGVsbG8");
+    }
+
+    #[test]
+    fn base64url_encode_no_padding() {
+        // Ensure no '=' padding characters
+        let encoded = base64url_encode(b"a");
+        assert!(!encoded.contains('='));
+    }
+
+    #[test]
+    fn base64url_encode_no_plus_or_slash() {
+        // Encode bytes that would produce + and / in standard base64
+        let data: Vec<u8> = (0..=255).collect();
+        let encoded = base64url_encode(&data);
+        assert!(!encoded.contains('+'));
+        assert!(!encoded.contains('/'));
+    }
+
+    #[test]
+    fn compute_code_challenge_returns_nonempty() {
+        let challenge = compute_code_challenge("test_verifier_string");
+        assert!(!challenge.is_empty());
+    }
+
+    #[test]
+    fn compute_code_challenge_is_deterministic() {
+        let a = compute_code_challenge("same_input");
+        let b = compute_code_challenge("same_input");
+        assert_eq!(a, b);
+    }
+
+    #[test]
+    fn random_string_length() {
+        let s = random_string(64);
+        assert_eq!(s.len(), 64);
+    }
+
+    #[test]
+    fn random_string_is_alphanumeric() {
+        let s = random_string(100);
+        assert!(s.chars().all(|c| c.is_ascii_alphanumeric()));
+    }
+
+    #[test]
+    fn oauth_state_callback_url() {
+        let state = OAuthState::new(3001);
+        assert_eq!(state.callback_url(), "http://localhost:3001/callback");
+    }
+
+    #[tokio::test]
+    async fn html_response_contains_title_and_message() {
+        let resp = html_response(StatusCode::OK, "Test Title", "Test message");
+        let body = resp.into_body().into_string().await.unwrap();
+        assert!(body.contains("Test Title"));
+        assert!(body.contains("Test message"));
+    }
+}