entelix-auth-claude-code 0.6.0

entelix Claude Code OAuth credential provider — reuses the Claude.ai access token managed by the Claude Code CLI for direct Anthropic API calls
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251

//! `CredentialStore` trait + the default `FileCredentialStore` impl.
//!
//! The trait keeps backend choice on the operator side. The default
//! reads / writes the JSON file the `claude` CLI uses, but operators
//! that ship credentials through a vault, an env-var-backed
//! in-memory store, or a platform secret API (macOS Keychain, Linux
//! Secret Service, Windows Credential Manager) implement
//! [`CredentialStore`] directly.
//!
//! The store is async — every backend may incur IO or a syscall.

use std::path::{Path, PathBuf};

use async_trait::async_trait;

use crate::credential::CredentialFile;
use crate::error::{ClaudeCodeAuthError, ClaudeCodeAuthResult};

/// Async credential persistence backend.
#[async_trait]
pub trait CredentialStore: Send + Sync + 'static {
    /// Load the current credential envelope, or `None` if the
    /// backend holds no credential yet.
    async fn load(&self) -> ClaudeCodeAuthResult<Option<CredentialFile>>;
    /// Persist a refreshed credential envelope. Backends that
    /// cannot retain state (e.g. a read-only env var) return
    /// [`ClaudeCodeAuthError::Io`] with a descriptive message —
    /// the provider surfaces that to the operator.
    async fn save(&self, file: &CredentialFile) -> ClaudeCodeAuthResult<()>;
}

/// File-backed [`CredentialStore`] at a caller-supplied path.
///
/// The path mirrors the on-disk shape the `claude` CLI writes
/// (`~/.claude/.credentials.json` by convention); use
/// [`FileCredentialStore::default_claude_path`] to resolve that
/// location against the host's home directory.
#[derive(Debug, Clone)]
pub struct FileCredentialStore {
    path: PathBuf,
}

impl FileCredentialStore {
    /// Build a store rooted at the given file path.
    #[must_use]
    pub fn with_path(path: impl Into<PathBuf>) -> Self {
        Self { path: path.into() }
    }

    /// The configured store path.
    #[must_use]
    pub fn path(&self) -> &Path {
        &self.path
    }

    /// Resolve `~/.claude/.credentials.json` against the host's
    /// home directory (`HOME` on Unix, `USERPROFILE` on Windows).
    /// Returns [`ClaudeCodeAuthError::HomeUnresolved`] when neither
    /// is set.
    pub fn default_claude_path() -> ClaudeCodeAuthResult<PathBuf> {
        let home = std::env::var_os("HOME")
            .or_else(|| std::env::var_os("USERPROFILE"))
            .ok_or(ClaudeCodeAuthError::HomeUnresolved)?;
        let mut path = PathBuf::from(home);
        path.push(".claude");
        path.push(".credentials.json");
        Ok(path)
    }
}

#[async_trait]
impl CredentialStore for FileCredentialStore {
    async fn load(&self) -> ClaudeCodeAuthResult<Option<CredentialFile>> {
        let path = self.path.clone();
        let read = tokio::task::spawn_blocking(move || std::fs::read(&path))
            .await
            .map_err(|join_err| ClaudeCodeAuthError::Io {
                path: self.path.display().to_string(),
                source: std::io::Error::other(join_err.to_string()),
            })?;
        let bytes = match read {
            Ok(bytes) => bytes,
            Err(err) if err.kind() == std::io::ErrorKind::NotFound => return Ok(None),
            Err(source) => {
                return Err(ClaudeCodeAuthError::Io {
                    path: self.path.display().to_string(),
                    source,
                });
            }
        };
        let file: CredentialFile = serde_json::from_slice(&bytes).map_err(|source| {
            ClaudeCodeAuthError::InvalidStorage {
                path: self.path.display().to_string(),
                source,
            }
        })?;
        Ok(Some(file))
    }

    async fn save(&self, file: &CredentialFile) -> ClaudeCodeAuthResult<()> {
        let path = self.path.clone();
        let display = self.path.display().to_string();
        let bytes = serde_json::to_vec_pretty(file).map_err(|source| {
            ClaudeCodeAuthError::InvalidStorage {
                path: display.clone(),
                source,
            }
        })?;
        let display_for_blocking = display.clone();
        let write = tokio::task::spawn_blocking(move || atomic_write(&path, &bytes))
            .await
            .map_err(|join_err| ClaudeCodeAuthError::Io {
                path: display_for_blocking.clone(),
                source: std::io::Error::other(join_err.to_string()),
            })?;
        write.map_err(|source| ClaudeCodeAuthError::Io {
            path: display,
            source,
        })
    }
}

/// Write `bytes` to `path` atomically: create the parent directory,
/// stream into a sibling `<file>.tmp`, then `rename` over the
/// destination.
///
/// Atomicity: `rename(2)` is atomic on POSIX — readers either see
/// the prior file or the complete new one, never a partial write.
/// On Windows, `MoveFileExW`'s default flags reject overwriting an
/// existing destination; the error propagates so the operator sees
/// the failure rather than silent corruption (a Windows-specific
/// `MOVEFILE_REPLACE_EXISTING` flag would need a `winapi`
/// dependency we deliberately avoid in this minimal companion).
fn atomic_write(path: &std::path::Path, bytes: &[u8]) -> std::io::Result<()> {
    if let Some(parent) = path.parent() {
        std::fs::create_dir_all(parent)?;
    }
    let mut tmp_name = path
        .file_name()
        .ok_or_else(|| std::io::Error::other("destination path has no file name"))?
        .to_owned();
    tmp_name.push(".tmp");
    let tmp_path = path.with_file_name(tmp_name);
    // If a stale `.tmp` lingers from a prior crashed write, ignore
    // the absence-error and proceed — the new write overwrites it.
    let _ = std::fs::remove_file(&tmp_path);
    std::fs::write(&tmp_path, bytes)?;
    std::fs::rename(&tmp_path, path)
}

#[cfg(test)]
#[allow(clippy::unwrap_used)]
mod tests {
    use super::*;
    use crate::credential::OAuthCredential;
    use chrono::Utc;

    fn tmp_path(name: &str) -> PathBuf {
        let mut path = std::env::temp_dir();
        path.push(format!(
            "entelix-claude-code-{}-{}.json",
            std::process::id(),
            name
        ));
        path
    }

    #[tokio::test]
    async fn load_returns_none_when_file_absent() {
        let store = FileCredentialStore::with_path(tmp_path("absent"));
        let loaded = store.load().await.unwrap();
        assert!(loaded.is_none());
    }

    #[tokio::test]
    async fn save_overwrites_existing_file_via_rename() {
        // Atomic write must replace any prior credential file —
        // the upstream `claude` CLI shares this path, and a stale
        // refresh-token there would invalidate every subsequent
        // session.
        let path = tmp_path("overwrite");
        let _ = std::fs::remove_file(&path);
        let store = FileCredentialStore::with_path(&path);
        let first = CredentialFile::with_oauth(OAuthCredential::new(
            "first",
            (Utc::now() + chrono::Duration::hours(1)).timestamp_millis(),
        ));
        store.save(&first).await.unwrap();
        let second = CredentialFile::with_oauth(OAuthCredential::new(
            "second",
            (Utc::now() + chrono::Duration::hours(2)).timestamp_millis(),
        ));
        store.save(&second).await.unwrap();
        let loaded = store.load().await.unwrap().unwrap();
        assert_eq!(
            loaded.claude_ai_oauth.unwrap().access_token,
            "second",
            "second save must replace first"
        );
        // No stale `.tmp` sibling should linger after a successful
        // rename — verifies the cleanup contract.
        let mut tmp_sibling = path.clone();
        let mut tmp_name = path.file_name().unwrap().to_owned();
        tmp_name.push(".tmp");
        tmp_sibling.set_file_name(tmp_name);
        assert!(
            !tmp_sibling.exists(),
            "rename must consume the .tmp staging file"
        );
        let _ = std::fs::remove_file(&path);
    }

    #[tokio::test]
    async fn save_then_load_round_trips() {
        let path = tmp_path("round_trip");
        let _ = std::fs::remove_file(&path);
        let store = FileCredentialStore::with_path(&path);
        let envelope = CredentialFile::with_oauth(
            OAuthCredential::new(
                "tok",
                (Utc::now() + chrono::Duration::hours(1)).timestamp_millis(),
            )
            .with_refresh_token("ref")
            .with_subscription_type("pro")
            .with_scopes(["user:inference"]),
        );
        store.save(&envelope).await.unwrap();
        let loaded = store.load().await.unwrap().unwrap();
        let oauth = loaded.claude_ai_oauth.unwrap();
        assert_eq!(oauth.access_token, "tok");
        assert_eq!(oauth.subscription_type.as_deref(), Some("pro"));
        let _ = std::fs::remove_file(&path);
    }

    #[test]
    fn default_path_resolves_from_environment() {
        // Whatever HOME / USERPROFILE the test environment exposes,
        // the helper either succeeds (typical case) or returns
        // `HomeUnresolved` (CI sandboxes). Both paths are valid
        // contract outcomes; the test asserts the success branch
        // produces the documented suffix.
        if let Ok(path) = FileCredentialStore::default_claude_path() {
            assert!(
                path.ends_with(".claude/.credentials.json")
                    || path.ends_with(r".claude\.credentials.json"),
                "unexpected path shape: {}",
                path.display()
            );
        }
    }
}