Skip to content

Refactor authentication to use separate auth and exchange URLs#4

Closed
sripathikrishnan wants to merge 2 commits into
mainfrom
claude/auth-api-spec-KXlKh
Closed

Refactor authentication to use separate auth and exchange URLs#4
sripathikrishnan wants to merge 2 commits into
mainfrom
claude/auth-api-spec-KXlKh

Conversation

@sripathikrishnan
Copy link
Copy Markdown
Contributor

@sripathikrishnan sripathikrishnan commented Jan 24, 2026

Summary

This PR refactors the ExtraSuite authentication system to use separate, explicit endpoint URLs instead of a single server URL. This change makes the protocol more flexible and implementation-agnostic, allowing organizations to implement the authentication specification using their own infrastructure.

Key Changes

  • API Refactoring: Changed from single --server parameter to separate --auth-url and --exchange-url parameters

    • auth_url: Points to the authentication initiation endpoint (e.g., https://server.com/api/token/auth)
    • exchange_url: Points to the token exchange endpoint (e.g., https://server.com/api/token/exchange)

  • Environment Variables: Updated from EXTRASUITE_SERVER_URL to AUTH_URL and EXCHANGE_URL

  • Gateway Configuration: Updated gateway.json format to store both endpoint URLs instead of a single server URL

    • Updated install scripts (install.sh and install.ps1) to generate the new format

  • Documentation: Added comprehensive auth-spec.md defining the ExtraSuite authentication protocol

    • Includes security requirements, implementation guide, and example flows
    • Makes the protocol implementation-agnostic and organization-friendly

  • Code Updates:

    • Updated CredentialsManager to accept and use separate URLs
    • Updated basic_usage.py example to demonstrate new parameter usage
    • Updated all tests to use new URL parameters
    • Updated CLI argument parsing in both client and skills

Implementation Details

  • The _load_gateway_config() method now returns a dictionary with both URLs instead of a single string
  • URL validation ensures both auth_url and exchange_url are provided together (both required)
  • The authentication flow now uses auth_url directly without appending /api/token/auth
  • The exchange flow now uses exchange_url directly without appending /api/token/exchange
  • Backward compatibility is maintained through environment variable precedence (constructor > env vars > gateway.json)

Benefits

  • Flexibility: Organizations can host auth and exchange endpoints on different servers
  • Clarity: Explicit endpoint URLs make the protocol easier to understand and implement
  • Specification: New auth-spec.md provides a complete, implementation-agnostic protocol definition
  • Compatibility: Reference implementation remains compatible with the new protocol

@claude @sripathikrishnan
Replace server URL with explicit auth_url and exchange_url
8c21aa7 
The client now accepts two explicit endpoint URLs instead of a base
server URL with hardcoded paths. This allows organizations implementing
the API specification to use their own URL structure.

Changes:
- CredentialsManager now takes auth_url and exchange_url parameters
- Environment variables changed from EXTRASUITE_SERVER_URL to AUTH_URL
  and EXCHANGE_URL
- gateway.json now stores AUTH_URL and EXCHANGE_URL with full paths
- Install scripts updated to write new gateway.json format
- Updated tests, examples, and documentation

https://claude.ai/code/session_01KfphVfs8NqMPUgPTZFAiVY
@sripathikrishnan sripathikrishnan force-pushed the claude/auth-api-spec-KXlKh branch from f987e61 to 8c21aa7 Compare January 24, 2026 06:15
@sripathikrishnan @claude
Add EXTRASUITE_ prefix to environment variables
b97fd94 
Rename AUTH_URL and EXCHANGE_URL environment variables to
EXTRASUITE_AUTH_URL and EXTRASUITE_EXCHANGE_URL to avoid potential
conflicts with other tools that may use generic AUTH_URL variable names.

Also fix pyright errors:
- Add assertion for _exchange_url in _exchange_auth_code method
- Add type: ignore comments for gspread imports (runtime dependency)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@sripathikrishnan sripathikrishnan deleted the claude/auth-api-spec-KXlKh branch January 24, 2026 09:42
sripathikrishnan added a commit that referenced this pull request Feb 9, 2026
@sripathikrishnan @claude
Fix bugs #3, #4, #12: new tab body, cell styles, tab rename
61cd0a4 
Bug #4: Remove cell- prefix filter in engine.py that prevented
cell style definitions from reaching _generate_cell_style_request().

Bug #12: Detect tab title changes in differ.py and emit
updateDocumentTabProperties in walker.py.

Bug #3: Generate content insertion requests for new tab bodies in
walker.py. Move addDocumentTab to batch 1 in push.py and rewrite
placeholder tab IDs to real IDs from the API response.

All three fixes verified with live push + re-pull round-trip.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
sripathikrishnan added a commit that referenced this pull request Feb 27, 2026
@sripathikrishnan @claude
Fix 13 security and correctness issues in v2 auth protocol
c48e5ca 
Security:
- Move session_token from POST body to Authorization: Bearer header to prevent
  proxy/access log exposure (#1)
- Atomic ownership check in revoke_session_token via expected_email param,
  eliminating TOCTOU race (#2)
- Redact full session_hash from list_sessions when admin views another user's
  sessions; self-service callers retain it (#3)
- Fix X-Forwarded-For to use rightmost (infra-injected) IP instead of
  first (spoofable) entry (#7)

Correctness:
- Ensure service account is provisioned at session establishment time
  (exchange_auth_code_for_session), enforcing the invariant that SA always
  exists for any v2 session; remove downstream or-"" fallbacks and 500 guard (#6)
- Validate _server_base_url before opening browser to avoid post-auth failure
  when server URL is not configured (#4)
- Raise ValueError instead of silently dropping extra scopes in v2
  get_oauth_token (#5)
- Apply SA_TOKEN_CACHE_SECONDS cap client-side for SA tokens (#8)

UX:
- Prompt for confirmation before revoking an existing valid session in
  auth login; skip prompt when stdin is not a tty (#9)
- Use timezone.utc in all datetime.fromtimestamp calls in CLI output (#10)

Fakes / tests:
- Fix FakeDatabase.retrieve_auth_code to check flow_type and expiry before
  popping, preventing silent code destruction on type mismatch (#11)
- Update FakeDatabase.revoke_session_token to accept expected_email (#2)

Docs:
- Fix stale pseudo_scope field name in database.py docstring (#12)
- Document _explicit_auth_urls v2 activation edge case (#13)
- Add type safety / None discipline principle to CLAUDE.md files

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sripathikrishnan @claude