()
| 1921 | * token's org (network error, missing profile data), validation fails. |
| 1922 | */ |
| 1923 | export async function validateForceLoginOrg(): Promise<OrgValidationResult> { |
| 1924 | // `claude ssh` remote: real auth lives on the local machine and is injected |
| 1925 | // by the proxy. The placeholder token can't be validated against the profile |
| 1926 | // endpoint. The local side already ran this check before establishing the session. |
| 1927 | if (process.env.ANTHROPIC_UNIX_SOCKET) { |
| 1928 | return { valid: true } |
| 1929 | } |
| 1930 | |
| 1931 | if (!isAnthropicAuthEnabled()) { |
| 1932 | return { valid: true } |
| 1933 | } |
| 1934 | |
| 1935 | const requiredOrgUuid = |
| 1936 | getSettingsForSource('policySettings')?.forceLoginOrgUUID |
| 1937 | if (!requiredOrgUuid) { |
| 1938 | return { valid: true } |
| 1939 | } |
| 1940 | |
| 1941 | // Ensure the access token is fresh before hitting the profile endpoint. |
| 1942 | // No-op for env-var tokens (refreshToken is null). |
| 1943 | await checkAndRefreshOAuthTokenIfNeeded() |
| 1944 | |
| 1945 | const tokens = getClaudeAIOAuthTokens() |
| 1946 | if (!tokens) { |
| 1947 | return { valid: true } |
| 1948 | } |
| 1949 | |
| 1950 | // Always fetch the authoritative org UUID from the profile endpoint. |
| 1951 | // Even keychain-sourced tokens verify server-side: the cached org UUID |
| 1952 | // in ~/.claude.json is user-writable and cannot be trusted. |
| 1953 | const { source } = getAuthTokenSource() |
| 1954 | const isEnvVarToken = |
| 1955 | source === 'CLAUDE_CODE_OAUTH_TOKEN' || |
| 1956 | source === 'CLAUDE_CODE_OAUTH_TOKEN_FILE_DESCRIPTOR' |
| 1957 | |
| 1958 | const profile = await getOauthProfileFromOauthToken(tokens.accessToken) |
| 1959 | if (!profile) { |
| 1960 | // Fail closed — we can't verify the org |
| 1961 | return { |
| 1962 | valid: false, |
| 1963 | message: |
| 1964 | `Unable to verify organization for the current authentication token.\n` + |
| 1965 | `This machine requires organization ${requiredOrgUuid} but the profile could not be fetched.\n` + |
| 1966 | `This may be a network error, or the token may lack the user:profile scope required for\n` + |
| 1967 | `verification (tokens from 'claude setup-token' do not include this scope).\n` + |
| 1968 | `Try again, or obtain a full-scope token via 'claude auth login'.`, |
| 1969 | } |
| 1970 | } |
| 1971 | |
| 1972 | const tokenOrgUuid = profile.organization.uuid |
| 1973 | if (tokenOrgUuid === requiredOrgUuid) { |
| 1974 | return { valid: true } |
| 1975 | } |
| 1976 | |
| 1977 | if (isEnvVarToken) { |
| 1978 | const envVarName = |
| 1979 | source === 'CLAUDE_CODE_OAUTH_TOKEN' |
| 1980 | ? 'CLAUDE_CODE_OAUTH_TOKEN' |
no test coverage detected