MCPcopy
hub / github.com/claude-code-best/claude-code / validateForceLoginOrg

Function validateForceLoginOrg

src/utils/auth.ts:1937–2014  ·  view source on GitHub ↗
()

Source from the content-addressed store, hash-verified

1935 * token's org (network error, missing profile data), validation fails.
1936 */
1937export async function validateForceLoginOrg(): Promise<OrgValidationResult> {
1938 // `claude ssh` remote: real auth lives on the local machine and is injected
1939 // by the proxy. The placeholder token can't be validated against the profile
1940 // endpoint. The local side already ran this check before establishing the session.
1941 if (process.env.ANTHROPIC_UNIX_SOCKET) {
1942 return { valid: true }
1943 }
1944
1945 if (!isAnthropicAuthEnabled()) {
1946 return { valid: true }
1947 }
1948
1949 const requiredOrgUuid =
1950 getSettingsForSource('policySettings')?.forceLoginOrgUUID
1951 if (!requiredOrgUuid) {
1952 return { valid: true }
1953 }
1954
1955 // Ensure the access token is fresh before hitting the profile endpoint.
1956 // No-op for env-var tokens (refreshToken is null).
1957 await checkAndRefreshOAuthTokenIfNeeded()
1958
1959 const tokens = getClaudeAIOAuthTokens()
1960 if (!tokens) {
1961 return { valid: true }
1962 }
1963
1964 // Always fetch the authoritative org UUID from the profile endpoint.
1965 // Even keychain-sourced tokens verify server-side: the cached org UUID
1966 // in ~/.claude.json is user-writable and cannot be trusted.
1967 const { source } = getAuthTokenSource()
1968 const isEnvVarToken =
1969 source === 'CLAUDE_CODE_OAUTH_TOKEN' ||
1970 source === 'CLAUDE_CODE_OAUTH_TOKEN_FILE_DESCRIPTOR'
1971
1972 const profile = await getOauthProfileFromOauthToken(tokens.accessToken)
1973 if (!profile) {
1974 // Fail closed — we can't verify the org
1975 return {
1976 valid: false,
1977 message:
1978 `Unable to verify organization for the current authentication token.\n` +
1979 `This machine requires organization ${requiredOrgUuid} but the profile could not be fetched.\n` +
1980 `This may be a network error, or the token may lack the user:profile scope required for\n` +
1981 `verification (tokens from 'claude setup-token' do not include this scope).\n` +
1982 `Try again, or obtain a full-scope token via 'claude auth login'.`,
1983 }
1984 }
1985
1986 const tokenOrgUuid = profile.organization.uuid
1987 if (tokenOrgUuid === requiredOrgUuid) {
1988 return { valid: true }
1989 }
1990
1991 if (isEnvVarToken) {
1992 const envVarName =
1993 source === 'CLAUDE_CODE_OAUTH_TOKEN'
1994 ? 'CLAUDE_CODE_OAUTH_TOKEN'

Callers 3

runFunction · 0.85
ConsoleOAuthFlowFunction · 0.85
authLoginFunction · 0.85

Calls 5

isAnthropicAuthEnabledFunction · 0.85
getSettingsForSourceFunction · 0.85
getAuthTokenSourceFunction · 0.85

Tested by

no test coverage detected