Fix auth header precedence and prevent conflicting --profile/--header#58
Merged
…to-detect for explicit header When user provides --header "Authorization: Bearer ..." without --profile, skip auto-detection of the default OAuth profile so the explicit header takes precedence (fixes the original PR #57 bug). When both --profile and --header "Authorization: ..." are specified, return a clear error instead of silently stripping the header. This matches the documented auth precedence (README line 434: "--header flag is highest priority") and follows the "no surprises" design principle. Includes e2e test covering all auth precedence scenarios. https://claude.ai/code/session_016sDR5PmmuDeiwiVDWr5ymi
Adds --no-profile option to the connect command, allowing users to force anonymous connections even when a default OAuth profile exists for the server. Also works combined with --header "Authorization: ..." for explicit bearer token without profile interference.

Updates README and CLAUDE.md to document the full auth precedence:
- --header Authorization (without --profile) skips profile auto-detection
- --profile + --header Authorization is an error
- --no-profile skips all profile detection
- Default behavior tries the "default" profile if it exists

Adds e2e tests covering --no-profile scenarios. https://claude.ai/code/session_016sDR5PmmuDeiwiVDWr5ymi
Summary

This PR fixes authentication header handling in the `connect` command to ensure explicit `--header "Authorization: ..."` flags take precedence over auto-detected OAuth profiles, and prevents conflicting combinations of `--profile` and `--header "Authorization: ..."`.

Key Changes

- Auth header precedence: When a user explicitly provides `--header "Authorization: Bearer ..."`, the CLI now skips OAuth profile auto-detection entirely, allowing the explicit header to take precedence over any default profile that might exist for the server.
- Conflict detection: Added validation to detect and reject the mutually exclusive combination of `--profile` and `--header "Authorization: ..."`, returning a clear error message explaining the two valid alternatives.
- Simplified header storage: Removed the logic that conditionally stripped Authorization headers when a profile was present. Headers are now stored as-is, with the conflict check preventing problematic combinations upfront.
- Comprehensive test coverage: Added `auth-header-precedence.test.sh` with four test cases covering:
  - `--profile` + `--header "Authorization: ..."` returns a clear error (both text and JSON formats)

Implementation Details

The fix is implemented in `src/cli/commands/sessions.ts` in the `connectSession` function:
- `--header` flag
- `--profile` was explicitly specified
- `ClientError` if both are present, with guidance on which approach to use

https://claude.ai/code/session_016sDR5PmmuDeiwiVDWr5ymi