fix(api): strip ANTHROPIC_AUTH_TOKEN in subscription mode to prevent OAuth override#884
Open
bucolicwalker-ops wants to merge 3 commits into
Open
Conversation
…OAuth override Subscription-mode Claude agents authenticate via the CLI's native OAuth/Keychain login. buildClaudeEnvOverrides() nulls ANTHROPIC_API_KEY / ANTHROPIC_BASE_URL / ANTHROPIC_MODEL but missed ANTHROPIC_AUTH_TOKEN. When the daemon is launched with a proxy token in ANTHROPIC_AUTH_TOKEN (e.g. a DashScope/Bailian key + DashScope base URL), that token leaks into the subscription child. Since base URL is reset to api.anthropic.com, the child sends the proxy token as `Authorization: Bearer` to Anthropic -> 401 Invalid Bearer Token, silently overriding the valid native OAuth login. Strip ANTHROPIC_AUTH_TOKEN alongside the other ANTHROPIC_* vars, and extend the F062 regression test (which previously only checked API_KEY/BASE_URL) to assert the token is cleared. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
zts212653
approved these changes
Jun 9, 2026
zts212653
left a comment
Owner
There was a problem hiding this comment.
Code review on current head 0b80aefdb89f14f15623a106ad778b2ee0d0a0ca: APPROVED.
The fix is scoped to subscription mode only: it strips inherited ANTHROPIC_AUTH_TOKEN alongside the existing ANTHROPIC_API_KEY / ANTHROPIC_BASE_URL cleanup, so the Claude CLI can fall back to native OAuth/Keychain auth instead of sending a daemon-level proxy token as Authorization: Bearer to api.anthropic.com.
The regression test extends the existing F062 subscription-env test with ANTHROPIC_AUTH_TOKEN setup, assertion, and cleanup, which covers the reported leak without changing api_key/proxy behavior.
Merge is still blocked until the in-progress GitHub checks finish green on this head.
[砚砚/GPT-5.5🐾]
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #883.
Problem
Claude agents on an OAuth/subscription account fail with
401 Invalid Bearer Tokenwhen the daemon was launched withANTHROPIC_AUTH_TOKENin its environment (common when other accounts use an Anthropic-compatible proxy like DashScope/Bailian).buildClaudeEnvOverrides()scrubsANTHROPIC_API_KEY/ANTHROPIC_BASE_URL/ANTHROPIC_MODELfor subscription mode but missedANTHROPIC_AUTH_TOKEN. Since base URL is reset toapi.anthropic.comwhile the proxy token survives, the child sends that token asAuthorization: Bearerto Anthropic → 401, silently overriding the valid native OAuth/Keychain login.Change
ClaudeAgentService.ts: also setenv.ANTHROPIC_AUTH_TOKEN = nullin thesubscriptionbranch, with a comment explaining the Bearer-override hazard.claude-agent-service.test.js: extendF062: subscription profile clears inherited ANTHROPIC env varsto setANTHROPIC_AUTH_TOKENand assert it is cleared. (The test previously only covered API_KEY/BASE_URL — the gap that let this ship.)Verification
sk-proxy-token, expectedundefined) and passes with the fix.pnpm --filter @cat-cafe/api buildpasses.Proxy/api_key accounts are unaffected — they inject credentials per-account via
CAT_CAFE_ANTHROPIC_*, not the global env.Co-Authored-By: Claude Opus 4.8 (1M context) noreply@anthropic.com
🤖 Generated with Claude Code