()
| 184 | |
| 185 | // Default to prod config, override with test/staging if enabled |
| 186 | export function getOauthConfig(): OauthConfig { |
| 187 | let config: OauthConfig = (() => { |
| 188 | switch (getOauthConfigType()) { |
| 189 | case 'local': |
| 190 | return getLocalOauthConfig() |
| 191 | case 'staging': |
| 192 | return STAGING_OAUTH_CONFIG ?? PROD_OAUTH_CONFIG |
| 193 | case 'prod': |
| 194 | return PROD_OAUTH_CONFIG |
| 195 | } |
| 196 | })() |
| 197 | |
| 198 | // Allow overriding all OAuth URLs to point to an approved FedStart deployment. |
| 199 | // Only allowlisted base URLs are accepted to prevent credential leakage. |
| 200 | const oauthBaseUrl = process.env.CLAUDE_CODE_CUSTOM_OAUTH_URL |
| 201 | if (oauthBaseUrl) { |
| 202 | const base = oauthBaseUrl.replace(/\/$/, '') |
| 203 | if (!ALLOWED_OAUTH_BASE_URLS.includes(base)) { |
| 204 | throw new Error( |
| 205 | 'CLAUDE_CODE_CUSTOM_OAUTH_URL is not an approved endpoint.', |
| 206 | ) |
| 207 | } |
| 208 | config = { |
| 209 | ...config, |
| 210 | BASE_API_URL: base, |
| 211 | CONSOLE_AUTHORIZE_URL: `${base}/oauth/authorize`, |
| 212 | CLAUDE_AI_AUTHORIZE_URL: `${base}/oauth/authorize`, |
| 213 | CLAUDE_AI_ORIGIN: base, |
| 214 | TOKEN_URL: `${base}/v1/oauth/token`, |
| 215 | API_KEY_URL: `${base}/api/oauth/claude_cli/create_api_key`, |
| 216 | ROLES_URL: `${base}/api/oauth/claude_cli/roles`, |
| 217 | CONSOLE_SUCCESS_URL: `${base}/oauth/code/success?app=claude-code`, |
| 218 | CLAUDEAI_SUCCESS_URL: `${base}/oauth/code/success?app=claude-code`, |
| 219 | MANUAL_REDIRECT_URL: `${base}/oauth/code/callback`, |
| 220 | OAUTH_FILE_SUFFIX: '-custom-oauth', |
| 221 | } |
| 222 | } |
| 223 | |
| 224 | // Allow CLIENT_ID override via environment variable (e.g., for Xcode integration) |
| 225 | const clientIdOverride = process.env.CLAUDE_CODE_OAUTH_CLIENT_ID |
| 226 | if (clientIdOverride) { |
| 227 | config = { |
| 228 | ...config, |
| 229 | CLIENT_ID: clientIdOverride, |
| 230 | } |
| 231 | } |
| 232 | |
| 233 | return config |
| 234 | } |
no test coverage detected