Skip to content

fix: check CLAUDE_CODE_OAUTH_TOKEN in checkCredentials()#979

Open
TadMSTR wants to merge 4 commits into
siteboon:mainfrom
TadMSTR:fix/check-credentials-oauth-token
Open

fix: check CLAUDE_CODE_OAUTH_TOKEN in checkCredentials()#979
TadMSTR wants to merge 4 commits into
siteboon:mainfrom
TadMSTR:fix/check-credentials-oauth-token

Conversation

@TadMSTR

@TadMSTR TadMSTR commented Jul 9, 2026

Copy link
Copy Markdown

Problem

checkCredentials() in claude-auth.provider.ts never checks CLAUDE_CODE_OAUTH_TOKEN. If
that env var is set (e.g. via claude setup-token, for a long-lived non-interactive
credential), it's silently ignored, and auth status falls through to reading
~/.claude/.credentials.json instead. Once that file's own short-lived OAuth session expires,
getStatus() reports "Claude login has expired" even though the app is actually still
authenticated via the token — a false negative for anyone using CLAUDE_CODE_OAUTH_TOKEN.

Root cause

The priority chain in checkCredentials() checks ANTHROPIC_AUTH_TOKEN, ANTHROPIC_API_KEY,
and their settings.json equivalents, then falls straight to the credentials file — with no
step in between for CLAUDE_CODE_OAUTH_TOKEN.

Fix

Added the check in the same priority slot Claude Code itself uses (per
https://code.claude.com/docs/en/authentication): after ANTHROPIC_AUTH_TOKEN /
ANTHROPIC_API_KEY (and their apiKeyHelper/settings.json equivalents), before falling back to
the credentials file. Uses method: 'environment', matching the existing convention already
used by opencode-auth.provider.ts for the same "static credential from an env var" case
(rather than inventing a new value the frontend's method !== 'api_key' UI gate doesn't know
about).

Testing

Manually verified getStatus() now returns authenticated: true when CLAUDE_CODE_OAUTH_TOKEN
is set even with a stale/expired ~/.claude/.credentials.json, and confirmed the existing
fallback behavior (no token set) is unchanged. npm run typecheck, npm run lint, and
npm run build all pass clean.

Summary by CodeRabbit

  • New Features
    • Added support for authenticating with a long-lived Claude OAuth token via an environment variable.
    • When set, the token is prioritized and authentication succeeds immediately, with the auth method and email labeled accordingly.
  • Tests
    • Added automated coverage for token selection priority and correct behavior across environment-token, config-provided token, valid credentials-file, and expired credentials scenarios, including precedence over the API key flow.

TadMSTR and others added 2 commits July 9, 2026 11:36
checkCredentials() never checked CLAUDE_CODE_OAUTH_TOKEN, so a valid
long-lived token was ignored and auth status fell through to reading
~/.claude/.credentials.json, reporting false expiry once that file's
short-lived OAuth session cycled.

Add the check in the same priority slot Claude Code itself uses:
after ANTHROPIC_AUTH_TOKEN/ANTHROPIC_API_KEY (incl. apiKeyHelper via
settings.json), before falling back to the credentials file.

Uses method: 'environment', matching the existing convention in
opencode-auth.provider.ts for env-var-sourced static credentials.
Finding: F5 (cosmetic nit) from cloudcli-upstream-auth-prs-2026-07 audit.
Replaces the raw env var name with a human-readable label in the auth
status email field, matching the friendlier style of the other auth
methods ('Auth Token', 'API Key Auth').

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 67adb7dd-764e-488d-86af-1aee689910f6

📥 Commits

Reviewing files that changed from the base of the PR and between 6ee65cc and 3b48ba1.

📒 Files selected for processing (2)
  • server/modules/providers/list/claude/claude-auth.provider.ts
  • server/modules/providers/tests/claude-auth.test.ts
🚧 Files skipped from review as they are similar to previous changes (2)
  • server/modules/providers/list/claude/claude-auth.provider.ts
  • server/modules/providers/tests/claude-auth.test.ts

📝 Walkthrough

Walkthrough

Adds an early CLAUDE_CODE_OAUTH_TOKEN environment check in ClaudeProviderAuth.checkCredentials(). When present, it returns authenticated status with a fixed email label and method: 'environment', and the new tests cover the environment, file fallback, expired credential, and API-key precedence paths.

Changes

OAuth Env Token Support

Layer / File(s) Summary
Add environment OAuth token check
server/modules/providers/list/claude/claude-auth.provider.ts
checkCredentials() now checks process.env.CLAUDE_CODE_OAUTH_TOKEN first and returns authenticated: true with email: 'OAuth Token (long-lived)' and method: 'environment' before falling back to the CLI credentials file.
Add credential path tests
server/modules/providers/tests/claude-auth.test.ts
Adds temp environment and HOME helpers, then verifies the OAuth token path, credentials-file fallback, expired credentials handling, and ANTHROPIC_API_KEY precedence.

Possibly related PRs

  • siteboon/claudecodeui#617: Both modify checkCredentials() auth-status logic in claude-auth.provider.ts around Claude credential resolution.
  • siteboon/claudecodeui#818: Adds a similar early environment-token path ahead of existing credential checks in the same method.

Suggested reviewers: blackmammoth, viper151

Poem

A rabbit found a token in the air,
and hopped right past the file-based lair.
"OAuth long-lived!" the bunny cried,
with tests beside it, truth verified.
🐇✨ hop hop, authenticated!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and concisely describes the main change: adding CLAUDE_CODE_OAUTH_TOKEN handling in checkCredentials().
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@server/modules/providers/list/claude/claude-auth.provider.ts`:
- Around line 103-106: The Claude auth check currently only reads
CLAUDE_CODE_OAUTH_TOKEN from process.env, so users who configure it through
Claude settings env may still be marked unauthenticated. Update the
authentication logic in claude-auth.provider.ts, especially the code around the
existing CLAUDE_CODE_OAUTH_TOKEN check in the relevant auth method, to also read
the token from Claude’s settings env source (such as the env block loaded from
settings.json or settings.local.json) before returning unauthenticated.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 5fbf5539-0ca1-4c8e-acef-744cf76c341d

📥 Commits

Reviewing files that changed from the base of the PR and between 5884573 and 07b4dc2.

📒 Files selected for processing (1)
  • server/modules/providers/list/claude/claude-auth.provider.ts

Comment thread server/modules/providers/list/claude/claude-auth.provider.ts
Adds coverage for the priority order in checkCredentials(): OAuth token
authenticates independent of a stale credentials file, falls back to
credentials_file when unset, reports unauthenticated on an expired
credentials file, and yields to ANTHROPIC_API_KEY per the documented
precedence order.

checkCredentials() has no dependency on the claude CLI (only env vars
and ~/.claude files), so it's called directly rather than through
getStatus()/checkInstalled() — keeps the test portable across
environments that may not have claude installed.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
@TadMSTR

TadMSTR commented Jul 9, 2026

Copy link
Copy Markdown
Author

Added test coverage for the checkCredentials() priority order in server/modules/providers/tests/claude-auth.test.ts: OAuth token authenticates independent of a stale credentials file, falls back to credentials_file when unset, reports unauthenticated on an expired credentials file, and yields to ANTHROPIC_API_KEY per the documented precedence order.

… env block

CodeRabbit review on siteboon#979: Claude Code accepts CLAUDE_CODE_OAUTH_TOKEN
from the settings.json/settings.local.json env block, not just
process.env — same as ANTHROPIC_API_KEY/ANTHROPIC_AUTH_TOKEN, which are
already checked both ways a few lines above. Checking only process.env
missed users who configured the token there, reporting them as
unauthenticated.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant