MCPcopy
hub / github.com/codeaashu/claude-code / validateForceLoginOrg

Function validateForceLoginOrg

src/utils/auth.ts:1923–2000  ·  view source on GitHub ↗
()

Source from the content-addressed store, hash-verified

1921 * token's org (network error, missing profile data), validation fails.
1922 */
1923export async function validateForceLoginOrg(): Promise<OrgValidationResult> {
1924 // `claude ssh` remote: real auth lives on the local machine and is injected
1925 // by the proxy. The placeholder token can't be validated against the profile
1926 // endpoint. The local side already ran this check before establishing the session.
1927 if (process.env.ANTHROPIC_UNIX_SOCKET) {
1928 return { valid: true }
1929 }
1930
1931 if (!isAnthropicAuthEnabled()) {
1932 return { valid: true }
1933 }
1934
1935 const requiredOrgUuid =
1936 getSettingsForSource('policySettings')?.forceLoginOrgUUID
1937 if (!requiredOrgUuid) {
1938 return { valid: true }
1939 }
1940
1941 // Ensure the access token is fresh before hitting the profile endpoint.
1942 // No-op for env-var tokens (refreshToken is null).
1943 await checkAndRefreshOAuthTokenIfNeeded()
1944
1945 const tokens = getClaudeAIOAuthTokens()
1946 if (!tokens) {
1947 return { valid: true }
1948 }
1949
1950 // Always fetch the authoritative org UUID from the profile endpoint.
1951 // Even keychain-sourced tokens verify server-side: the cached org UUID
1952 // in ~/.claude.json is user-writable and cannot be trusted.
1953 const { source } = getAuthTokenSource()
1954 const isEnvVarToken =
1955 source === 'CLAUDE_CODE_OAUTH_TOKEN' ||
1956 source === 'CLAUDE_CODE_OAUTH_TOKEN_FILE_DESCRIPTOR'
1957
1958 const profile = await getOauthProfileFromOauthToken(tokens.accessToken)
1959 if (!profile) {
1960 // Fail closed — we can't verify the org
1961 return {
1962 valid: false,
1963 message:
1964 `Unable to verify organization for the current authentication token.\n` +
1965 `This machine requires organization ${requiredOrgUuid} but the profile could not be fetched.\n` +
1966 `This may be a network error, or the token may lack the user:profile scope required for\n` +
1967 `verification (tokens from 'claude setup-token' do not include this scope).\n` +
1968 `Try again, or obtain a full-scope token via 'claude auth login'.`,
1969 }
1970 }
1971
1972 const tokenOrgUuid = profile.organization.uuid
1973 if (tokenOrgUuid === requiredOrgUuid) {
1974 return { valid: true }
1975 }
1976
1977 if (isEnvVarToken) {
1978 const envVarName =
1979 source === 'CLAUDE_CODE_OAUTH_TOKEN'
1980 ? 'CLAUDE_CODE_OAUTH_TOKEN'

Callers 3

runFunction · 0.85
ConsoleOAuthFlowFunction · 0.85
authLoginFunction · 0.85

Calls 5

isAnthropicAuthEnabledFunction · 0.85
getSettingsForSourceFunction · 0.85
getAuthTokenSourceFunction · 0.85

Tested by

no test coverage detected