()
| 98 | /** Whether we are supporting direct 1P auth. */ |
| 99 | // this code is closely related to getAuthTokenSource |
| 100 | export function isAnthropicAuthEnabled(): boolean { |
| 101 | // --bare: API-key-only, never OAuth. |
| 102 | if (isBareMode()) return false |
| 103 | |
| 104 | // `claude ssh` remote: ANTHROPIC_UNIX_SOCKET tunnels API calls through a |
| 105 | // local auth-injecting proxy. The launcher sets CLAUDE_CODE_OAUTH_TOKEN as a |
| 106 | // placeholder iff the local side is a subscriber (so the remote includes the |
| 107 | // oauth-2025 beta header to match what the proxy will inject). The remote's |
| 108 | // ~/.claude settings (apiKeyHelper, settings.env.ANTHROPIC_API_KEY) MUST NOT |
| 109 | // flip this — they'd cause a header mismatch with the proxy and a bogus |
| 110 | // "invalid x-api-key" from the API. See src/ssh/sshAuthProxy.ts. |
| 111 | if (process.env.ANTHROPIC_UNIX_SOCKET) { |
| 112 | return !!process.env.CLAUDE_CODE_OAUTH_TOKEN |
| 113 | } |
| 114 | |
| 115 | const is3P = |
| 116 | isEnvTruthy(process.env.CLAUDE_CODE_USE_BEDROCK) || |
| 117 | isEnvTruthy(process.env.CLAUDE_CODE_USE_VERTEX) || |
| 118 | isEnvTruthy(process.env.CLAUDE_CODE_USE_FOUNDRY) |
| 119 | |
| 120 | // Check if user has configured an external API key source |
| 121 | // This allows externally-provided API keys to work (without requiring proxy configuration) |
| 122 | const settings = getSettings_DEPRECATED() || {} |
| 123 | const apiKeyHelper = settings.apiKeyHelper |
| 124 | const hasExternalAuthToken = |
| 125 | process.env.ANTHROPIC_AUTH_TOKEN || |
| 126 | apiKeyHelper || |
| 127 | process.env.CLAUDE_CODE_API_KEY_FILE_DESCRIPTOR |
| 128 | |
| 129 | // Check if API key is from an external source (not managed by /login) |
| 130 | const { source: apiKeySource } = getAnthropicApiKeyWithSource({ |
| 131 | skipRetrievingKeyFromApiKeyHelper: true, |
| 132 | }) |
| 133 | const hasExternalApiKey = |
| 134 | apiKeySource === 'ANTHROPIC_API_KEY' || apiKeySource === 'apiKeyHelper' |
| 135 | |
| 136 | // Disable Anthropic auth if: |
| 137 | // 1. Using 3rd party services (Bedrock/Vertex/Foundry) |
| 138 | // 2. User has an external API key (regardless of proxy configuration) |
| 139 | // 3. User has an external auth token (regardless of proxy configuration) |
| 140 | // this may cause issues if users have complex proxy / gateway "client-side creds" auth scenarios, |
| 141 | // e.g. if they want to set X-Api-Key to a gateway key but use Anthropic OAuth for the Authorization |
| 142 | // if we get reports of that, we should probably add an env var to force OAuth enablement |
| 143 | const shouldDisableAuth = |
| 144 | is3P || |
| 145 | (hasExternalAuthToken && !isManagedOAuthContext()) || |
| 146 | (hasExternalApiKey && !isManagedOAuthContext()) |
| 147 | |
| 148 | return !shouldDisableAuth |
| 149 | } |
| 150 | |
| 151 | /** Where the auth token is being sourced from, if any. */ |
| 152 | // this code is closely related to isAnthropicAuthEnabled |
no test coverage detected