fix: check CLAUDE_CODE_OAUTH_TOKEN in checkCredentials()#979
Conversation
checkCredentials() never checked CLAUDE_CODE_OAUTH_TOKEN, so a valid long-lived token was ignored and auth status fell through to reading ~/.claude/.credentials.json, reporting false expiry once that file's short-lived OAuth session cycled. Add the check in the same priority slot Claude Code itself uses: after ANTHROPIC_AUTH_TOKEN/ANTHROPIC_API_KEY (incl. apiKeyHelper via settings.json), before falling back to the credentials file. Uses method: 'environment', matching the existing convention in opencode-auth.provider.ts for env-var-sourced static credentials.
Finding: F5 (cosmetic nit) from cloudcli-upstream-auth-prs-2026-07 audit.
Replaces the raw env var name with a human-readable label in the auth
status email field, matching the friendlier style of the other auth
methods ('Auth Token', 'API Key Auth').
Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Repository UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
🚧 Files skipped from review as they are similar to previous changes (2)
📝 WalkthroughWalkthroughAdds an early ChangesOAuth Env Token Support
Possibly related PRs
Suggested reviewers: Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@server/modules/providers/list/claude/claude-auth.provider.ts`:
- Around line 103-106: The Claude auth check currently only reads
CLAUDE_CODE_OAUTH_TOKEN from process.env, so users who configure it through
Claude settings env may still be marked unauthenticated. Update the
authentication logic in claude-auth.provider.ts, especially the code around the
existing CLAUDE_CODE_OAUTH_TOKEN check in the relevant auth method, to also read
the token from Claude’s settings env source (such as the env block loaded from
settings.json or settings.local.json) before returning unauthenticated.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
Run ID: 5fbf5539-0ca1-4c8e-acef-744cf76c341d
📒 Files selected for processing (1)
server/modules/providers/list/claude/claude-auth.provider.ts
Adds coverage for the priority order in checkCredentials(): OAuth token authenticates independent of a stale credentials file, falls back to credentials_file when unset, reports unauthenticated on an expired credentials file, and yields to ANTHROPIC_API_KEY per the documented precedence order. checkCredentials() has no dependency on the claude CLI (only env vars and ~/.claude files), so it's called directly rather than through getStatus()/checkInstalled() — keeps the test portable across environments that may not have claude installed. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
|
Added test coverage for the |
… env block CodeRabbit review on siteboon#979: Claude Code accepts CLAUDE_CODE_OAUTH_TOKEN from the settings.json/settings.local.json env block, not just process.env — same as ANTHROPIC_API_KEY/ANTHROPIC_AUTH_TOKEN, which are already checked both ways a few lines above. Checking only process.env missed users who configured the token there, reporting them as unauthenticated. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Problem
checkCredentials()inclaude-auth.provider.tsnever checksCLAUDE_CODE_OAUTH_TOKEN. Ifthat env var is set (e.g. via
claude setup-token, for a long-lived non-interactivecredential), it's silently ignored, and auth status falls through to reading
~/.claude/.credentials.jsoninstead. Once that file's own short-lived OAuth session expires,getStatus()reports "Claude login has expired" even though the app is actually stillauthenticated via the token — a false negative for anyone using
CLAUDE_CODE_OAUTH_TOKEN.Root cause
The priority chain in
checkCredentials()checksANTHROPIC_AUTH_TOKEN,ANTHROPIC_API_KEY,and their
settings.jsonequivalents, then falls straight to the credentials file — with nostep in between for
CLAUDE_CODE_OAUTH_TOKEN.Fix
Added the check in the same priority slot Claude Code itself uses (per
https://code.claude.com/docs/en/authentication): afterANTHROPIC_AUTH_TOKEN/ANTHROPIC_API_KEY(and theirapiKeyHelper/settings.json equivalents), before falling back tothe credentials file. Uses
method: 'environment', matching the existing convention alreadyused by
opencode-auth.provider.tsfor the same "static credential from an env var" case(rather than inventing a new value the frontend's
method !== 'api_key'UI gate doesn't knowabout).
Testing
Manually verified
getStatus()now returnsauthenticated: truewhenCLAUDE_CODE_OAUTH_TOKENis set even with a stale/expired
~/.claude/.credentials.json, and confirmed the existingfallback behavior (no token set) is unchanged.
npm run typecheck,npm run lint, andnpm run buildall pass clean.Summary by CodeRabbit