fix: bypass proxies for subscription oauth

Author: joohw

core/internal/buildinfo/buildinfo.go

@@ -4,7 +4,7 @@ import "strings"
 
 // Set at link time via -ldflags (see .goreleaser.yaml).
 var (
-	Version = "dev0.1.92"
+	Version = "dev0.1.93"
 	Commit  = "none"
 	Date    = "unknown"
 )

core/internal/subscriptionauth/oauth.go

@@ -48,6 +48,16 @@ const (
 // claudeTokenURL is a var (not const) so tests can point it at a local server.
 var claudeTokenURL = "https://platform.claude.com/v1/oauth/token"
 
+// oauthHTTPClient deliberately ignores HTTP_PROXY/HTTPS_PROXY/ALL_PROXY.
+// OAuth callback/token/profile traffic should not be routed through user API proxies.
+var oauthHTTPClient = &http.Client{Transport: oauthDirectTransport()}
+
+func oauthDirectTransport() *http.Transport {
+	transport := http.DefaultTransport.(*http.Transport).Clone()
+	transport.Proxy = nil
+	return transport
+}
+
 type LoginResult struct {
 	OK           bool   `json:"ok"`
 	LoggedIn     bool   `json:"loggedIn,omitempty"`
@@ -388,7 +398,7 @@ func enrichClaudeProfile(ctx context.Context, creds *tokenCredentials) error {
 	}
 	req.Header.Set("Authorization", "Bearer "+creds.Access)
 	req.Header.Set("Accept", "application/json")
-	resp, err := http.DefaultClient.Do(req)
+	resp, err := oauthHTTPClient.Do(req)
 	if err != nil {
 		return err
 	}
@@ -452,7 +462,7 @@ func postForm(ctx context.Context, rawURL string, form url.Values, dest any) err
 }
 
 func doJSON(req *http.Request, dest any, label string) error {
-	resp, err := http.DefaultClient.Do(req)
+	resp, err := oauthHTTPClient.Do(req)
 	if err != nil {
 		return err
 	}

core/internal/subscriptionauth/oauth_test.go

@@ -14,6 +14,16 @@ import (
 	"testing"
 )
 
+func TestOAuthHTTPClientBypassesEnvironmentProxy(t *testing.T) {
+	transport, ok := oauthHTTPClient.Transport.(*http.Transport)
+	if !ok {
+		t.Fatalf("oauth transport = %T, want *http.Transport", oauthHTTPClient.Transport)
+	}
+	if transport.Proxy != nil {
+		t.Fatal("oauth HTTP client must bypass environment proxy settings")
+	}
+}
+
 func TestGeneratePKCEChallenge(t *testing.T) {
 	pair, err := generatePKCE()
 	if err != nil {

electron/clovapi-desktop.js

@@ -163,6 +163,23 @@ function agentUninstall(kind) {
   return runDesktopAsync(["agents", "uninstall", "--cli", String(kind || "")], { timeout: 10 * 60 * 1000 });
 }
 
+function authLoginEnv() {
+  const bypass = ["127.0.0.1", "localhost", "::1"].join(",");
+  const merge = (value) => {
+    const current = String(value || "").trim();
+    if (!current) return bypass;
+    const parts = current.split(",").map((part) => part.trim()).filter(Boolean);
+    for (const host of bypass.split(",")) {
+      if (!parts.some((part) => part.toLowerCase() === host.toLowerCase())) parts.push(host);
+    }
+    return parts.join(",");
+  };
+  return {
+    ...process.env,
+    NO_PROXY: merge(process.env.NO_PROXY),
+    no_proxy: merge(process.env.no_proxy),
+  };
+}
 function authStatus() {
   return runAuthAsync(["status"]);
 }
@@ -176,6 +193,7 @@ async function authLogin(provider) {
     cancelKey: providerId,
     onOutput: outputHandler,
     timeout: AUTH_LOGIN_TIMEOUT,
+    env: authLoginEnv(),
   });
   if (result.cancelled) {
     return { ok: false, cancelled: true, error: "已取消登录" };