clauth 0.3.1

Simple Claude Code account switcher and usage monitor
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353

use std::sync::LazyLock;
use std::time::Duration;

use anyhow::Result;
use serde::Deserialize;

use crate::claude::{LinkState, classify_credentials_link};
use crate::lock::with_state_lock;
use crate::profile::{AppConfig, save_app_state, save_profile};
use crate::usage::{UsageStore, now_ms};

/// Anthropic's OAuth token endpoint. Same one Claude Code uses on startup
/// to mint a fresh access token from the stored refresh token.
const TOKEN_ENDPOINT: &str = "https://api.anthropic.com/v1/oauth/token";

/// UUID of the "Claude Code" OAuth application; required for refresh.
const CLIENT_ID: &str = "9d1c250a-e61b-44d9-88ed-5944d1962f5e";

/// Minimal inference endpoint we use to "kick" the 5-hour usage window.
/// Token refresh alone does NOT start the timer — only a real `/v1/messages`
/// call does. Probing with `count_tokens`, `oauth/usage`, or session
/// endpoints all confirmed this experimentally.
const MESSAGES_ENDPOINT: &str = "https://api.anthropic.com/v1/messages";

/// Cheapest available model — single token costs ~0.001¢.
const KICK_MODEL: &str = "claude-haiku-4-5-20251001";

/// OAuth tokens require the "Claude Code" system prefix or the server rejects
/// the call as an unauthorized non-CC inference.
const KICK_SYSTEM_PROMPT: &str = "You are Claude Code, Anthropic's official CLI for Claude.";

/// Refuse to re-ping a profile until this long after its last auto-start.
/// Sized just under the 5-hour window so a ping whose follow-up usage fetch
/// failed (network blip, stale endpoint) doesn't cause us to re-fire on
/// every refresh, while still allowing a fresh ping once the window has
/// elapsed.
const AUTO_START_COOLDOWN_MS: u64 = 4 * 3600 * 1000 + 30 * 60 * 1000;

#[derive(Deserialize)]
pub(crate) struct TokenResponse {
    pub(crate) access_token: String,
    pub(crate) refresh_token: String,
    pub(crate) expires_in: u64,
    #[serde(default)]
    pub(crate) scope: Option<String>,
}

static AGENT: LazyLock<ureq::Agent> = LazyLock::new(|| {
    ureq::Agent::config_builder()
        .timeout_connect(Some(Duration::from_secs(4)))
        .timeout_recv_response(Some(Duration::from_secs(15)))
        .build()
        .into()
});

pub(crate) fn refresh(refresh_token: &str) -> Result<TokenResponse> {
    let body = serde_json::to_string(&serde_json::json!({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": CLIENT_ID,
    }))?;

    let text = AGENT
        .post(TOKEN_ENDPOINT)
        .header("Content-Type", "application/json")
        .send(&body)
        .map_err(crate::ureq_error::into_anyhow)?
        .body_mut()
        .read_to_string()
        .map_err(crate::ureq_error::into_anyhow)?;

    serde_json::from_str(&text).map_err(|e| anyhow::anyhow!("{e}: {text}"))
}

/// Sends a 1-token Haiku message to start the 5-hour usage window. Mirrors
/// what Claude Code does silently on launch.
fn kick(access_token: &str) -> Result<()> {
    let body = serde_json::to_string(&serde_json::json!({
        "model": KICK_MODEL,
        "max_tokens": 1,
        "system": [{ "type": "text", "text": KICK_SYSTEM_PROMPT }],
        "messages": [{ "role": "user", "content": "x" }],
    }))?;

    AGENT
        .post(MESSAGES_ENDPOINT)
        .header("Content-Type", "application/json")
        .header("Authorization", &format!("Bearer {access_token}"))
        .header("anthropic-version", "2023-06-01")
        .header("anthropic-beta", "oauth-2025-04-20")
        .send(&body)
        .map_err(crate::ureq_error::into_anyhow)?;
    Ok(())
}

/// Refreshes every profile's OAuth token pair (rotated pair saved to disk).
/// Mirrors what Claude Code does silently on launch — minus the kick.
///
/// Profiles without a stored refresh token are skipped. Network or revocation
/// failures are swallowed per-profile; cached state stays put for those.
///
/// Returns the names of profiles whose token rotation succeeded so the caller
/// can target follow-up work (usage re-fetch, kick) at the same set.
pub(crate) fn refresh_all(config: &mut AppConfig) -> Vec<String> {
    let skip_active = active_link_diverged(config);
    let snapshots: Vec<(String, String)> = config
        .profiles
        .iter()
        .filter_map(|p| {
            if skip_active && config.is_active(&p.name) {
                return None;
            }
            Some((p.name.clone(), p.refresh_token()?.to_string()))
        })
        .collect();

    if snapshots.is_empty() {
        return Vec::new();
    }

    let handles: Vec<_> = snapshots
        .into_iter()
        .map(|(name, rt)| std::thread::spawn(move || (name, refresh(&rt))))
        .collect();

    let mut refreshed = Vec::new();
    for h in handles {
        let Ok((name, Ok(tok))) = h.join() else {
            continue;
        };
        let saved = with_state_lock(|| {
            let Some(profile) = config.find_mut(&name) else {
                return Ok::<_, anyhow::Error>(false);
            };
            let Some(creds) = profile.credentials.as_mut() else {
                return Ok(false);
            };
            let Some(oauth) = creds.claude_ai_oauth.as_mut() else {
                return Ok(false);
            };
            oauth.access_token = tok.access_token;
            oauth.refresh_token = Some(tok.refresh_token);
            oauth.expires_at = Some((now_ms() + tok.expires_in * 1000) as i64);
            if let Some(scope) = tok.scope {
                oauth.scopes = Some(scope.split_whitespace().map(String::from).collect());
            }
            Ok(save_profile(profile).is_ok())
        })
        .unwrap_or(false);
        if saved {
            refreshed.push(name);
        }
    }
    refreshed
}

/// For every profile that opted in via `auto_start = true` and currently has
/// no 5-hour usage window, refreshes its OAuth tokens (rotated pair saved to
/// disk) and fires a 1-token Haiku ping to start the window.
///
/// Returns the names of profiles whose ping succeeded so the caller can
/// re-fetch usage and confirm the window now shows up.
pub(crate) fn auto_start_windows(config: &mut AppConfig, store: &UsageStore) -> Vec<String> {
    // Claim cooldown slots under the lock BEFORE any network work. A competing
    // clauth process that starts up a moment later will observe our recorded
    // `last_auto_start_at` and skip the same profile, so the refresh token
    // rotates exactly once even when two instances race startup.
    //
    // Holding the lock during the OAuth/messages HTTP round trips would stall
    // every other instance for seconds, so we release between claim and work.
    let skip_active = active_link_diverged(config);
    let snapshots: Vec<(String, String)> = match with_state_lock(|| {
        let now = now_ms();
        let mut claimed = Vec::new();
        for profile in &config.profiles {
            if !profile.auto_start {
                continue;
            }
            if skip_active && config.is_active(&profile.name) {
                continue;
            }
            let resets_at = {
                let usage = store.lock().ok();
                usage
                    .as_ref()
                    .and_then(|s| s.get(&profile.name))
                    .and_then(|u| u.five_hour.as_ref())
                    .and_then(|w| w.resets_at.clone())
            };
            if resets_at.is_some() {
                continue;
            }
            let last = config
                .state
                .last_auto_start_at
                .get(&profile.name)
                .copied()
                .unwrap_or(0);
            if now.saturating_sub(last) < AUTO_START_COOLDOWN_MS {
                continue;
            }
            let Some(token) = profile.refresh_token().map(str::to_string) else {
                continue;
            };
            claimed.push((profile.name.clone(), token));
        }

        for (name, _) in &claimed {
            config.state.last_auto_start_at.insert(name.clone(), now);
        }
        if !claimed.is_empty() {
            let _ = save_app_state(&config.state);
        }
        Ok::<_, anyhow::Error>(claimed)
    }) {
        Ok(s) => s,
        Err(_) => return Vec::new(),
    };

    // Refresh and kick are reported separately. Anthropic rotates the refresh
    // token on every successful refresh, so the new pair MUST be persisted
    // before the kick is attempted — otherwise a kick-only failure leaves the
    // stored refresh token permanently invalid.
    let handles: Vec<_> = snapshots
        .into_iter()
        .map(|(name, rt)| std::thread::spawn(move || (name, refresh(&rt))))
        .collect();

    let mut kicked = Vec::new();
    for h in handles {
        let Ok((name, Ok(tok))) = h.join() else {
            continue;
        };
        let saved_access = with_state_lock(|| {
            let Some(profile) = config.find_mut(&name) else {
                return Ok::<_, anyhow::Error>(None);
            };
            let Some(creds) = profile.credentials.as_mut() else {
                return Ok(None);
            };
            let Some(oauth) = creds.claude_ai_oauth.as_mut() else {
                return Ok(None);
            };
            oauth.access_token = tok.access_token.clone();
            oauth.refresh_token = Some(tok.refresh_token);
            oauth.expires_at = Some((now_ms() + tok.expires_in * 1000) as i64);
            if let Some(scope) = tok.scope {
                oauth.scopes = Some(scope.split_whitespace().map(String::from).collect());
            }
            if save_profile(profile).is_err() {
                return Ok(None);
            }
            Ok(Some(tok.access_token))
        })
        .unwrap_or(None);
        let Some(access_token) = saved_access else {
            continue;
        };
        if kick(&access_token).is_ok() {
            kicked.push(name);
        }
    }
    kicked
}

/// Refresh tokens and kick the 5h window for one named profile. Same
/// cooldown + persistence semantics as `auto_start_windows`, just scoped to
/// a single name and without a usage-store check — callers use this where
/// no fresh `UsageStore` is on hand (e.g. one-shot CLI switch). The 4.5h
/// cooldown stops repeated invocations from re-firing inside an open
/// window. Returns true iff the kick HTTP call succeeded.
pub(crate) fn auto_start_named(config: &mut AppConfig, name: &str) -> bool {
    let now = now_ms();
    let token = match with_state_lock(|| {
        let Some(profile) = config.find(name) else {
            return Ok::<_, anyhow::Error>(None);
        };
        if !profile.auto_start {
            return Ok(None);
        }
        if active_link_diverged(config) && config.is_active(name) {
            return Ok(None);
        }
        let last = config
            .state
            .last_auto_start_at
            .get(name)
            .copied()
            .unwrap_or(0);
        if now.saturating_sub(last) < AUTO_START_COOLDOWN_MS {
            return Ok(None);
        }
        let Some(rt) = profile.refresh_token().map(str::to_string) else {
            return Ok(None);
        };
        config
            .state
            .last_auto_start_at
            .insert(name.to_string(), now);
        let _ = save_app_state(&config.state);
        Ok(Some(rt))
    }) {
        Ok(Some(t)) => t,
        _ => return false,
    };

    let Ok(tok) = refresh(&token) else {
        return false;
    };
    let access_token = tok.access_token.clone();
    if !apply_rotated_tokens(config, name, tok) {
        return false;
    }
    kick(&access_token).is_ok()
}

/// Write a rotated token pair into the named profile's OAuth block and
/// persist. Returns true on success. No-op when the profile or OAuth block
/// is missing — callers that care can refuse to act on `false`.
pub(crate) fn apply_rotated_tokens(config: &mut AppConfig, name: &str, tok: TokenResponse) -> bool {
    with_state_lock(|| {
        let Some(profile) = config.find_mut(name) else {
            return Ok::<_, anyhow::Error>(false);
        };
        let Some(creds) = profile.credentials.as_mut() else {
            return Ok(false);
        };
        let Some(oauth) = creds.claude_ai_oauth.as_mut() else {
            return Ok(false);
        };
        oauth.access_token = tok.access_token;
        oauth.refresh_token = Some(tok.refresh_token);
        oauth.expires_at = Some((now_ms() + tok.expires_in * 1000) as i64);
        if let Some(scope) = tok.scope {
            oauth.scopes = Some(scope.split_whitespace().map(String::from).collect());
        }
        Ok(save_profile(profile).is_ok())
    })
    .unwrap_or(false)
}

/// True when an active profile is set and its live .credentials.json no
/// longer resolves to that profile's stored credentials. In that state, the
/// in-memory tokens are stale relative to whatever CC just wrote, so
/// rotating them would leak a refresh chain nobody will use.
fn active_link_diverged(config: &AppConfig) -> bool {
    config.state.active_profile.as_deref().is_some_and(|name| {
        matches!(
            classify_credentials_link(name).ok(),
            Some(LinkState::Diverged)
        )
    })
}