()
| 1935 | * token's org (network error, missing profile data), validation fails. |
| 1936 | */ |
| 1937 | export async function validateForceLoginOrg(): Promise<OrgValidationResult> { |
| 1938 | // `claude ssh` remote: real auth lives on the local machine and is injected |
| 1939 | // by the proxy. The placeholder token can't be validated against the profile |
| 1940 | // endpoint. The local side already ran this check before establishing the session. |
| 1941 | if (process.env.ANTHROPIC_UNIX_SOCKET) { |
| 1942 | return { valid: true } |
| 1943 | } |
| 1944 | |
| 1945 | if (!isAnthropicAuthEnabled()) { |
| 1946 | return { valid: true } |
| 1947 | } |
| 1948 | |
| 1949 | const requiredOrgUuid = |
| 1950 | getSettingsForSource('policySettings')?.forceLoginOrgUUID |
| 1951 | if (!requiredOrgUuid) { |
| 1952 | return { valid: true } |
| 1953 | } |
| 1954 | |
| 1955 | // Ensure the access token is fresh before hitting the profile endpoint. |
| 1956 | // No-op for env-var tokens (refreshToken is null). |
| 1957 | await checkAndRefreshOAuthTokenIfNeeded() |
| 1958 | |
| 1959 | const tokens = getClaudeAIOAuthTokens() |
| 1960 | if (!tokens) { |
| 1961 | return { valid: true } |
| 1962 | } |
| 1963 | |
| 1964 | // Always fetch the authoritative org UUID from the profile endpoint. |
| 1965 | // Even keychain-sourced tokens verify server-side: the cached org UUID |
| 1966 | // in ~/.claude.json is user-writable and cannot be trusted. |
| 1967 | const { source } = getAuthTokenSource() |
| 1968 | const isEnvVarToken = |
| 1969 | source === 'CLAUDE_CODE_OAUTH_TOKEN' || |
| 1970 | source === 'CLAUDE_CODE_OAUTH_TOKEN_FILE_DESCRIPTOR' |
| 1971 | |
| 1972 | const profile = await getOauthProfileFromOauthToken(tokens.accessToken) |
| 1973 | if (!profile) { |
| 1974 | // Fail closed — we can't verify the org |
| 1975 | return { |
| 1976 | valid: false, |
| 1977 | message: |
| 1978 | `Unable to verify organization for the current authentication token.\n` + |
| 1979 | `This machine requires organization ${requiredOrgUuid} but the profile could not be fetched.\n` + |
| 1980 | `This may be a network error, or the token may lack the user:profile scope required for\n` + |
| 1981 | `verification (tokens from 'claude setup-token' do not include this scope).\n` + |
| 1982 | `Try again, or obtain a full-scope token via 'claude auth login'.`, |
| 1983 | } |
| 1984 | } |
| 1985 | |
| 1986 | const tokenOrgUuid = profile.organization.uuid |
| 1987 | if (tokenOrgUuid === requiredOrgUuid) { |
| 1988 | return { valid: true } |
| 1989 | } |
| 1990 | |
| 1991 | if (isEnvVarToken) { |
| 1992 | const envVarName = |
| 1993 | source === 'CLAUDE_CODE_OAUTH_TOKEN' |
| 1994 | ? 'CLAUDE_CODE_OAUTH_TOKEN' |
no test coverage detected