Skip to content

feat: implement WebSocket authentication system with UUID tokens #56

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jun 20, 2025
Merged

feat: implement WebSocket authentication system with UUID tokens #56

merged 3 commits into from
Jun 20, 2025

Conversation

ThomasK33
Copy link
Member

Summary

This PR implements a comprehensive WebSocket authentication system for claudecode.nvim:

UUID Token Generation: Server generates UUID v4 tokens with enhanced entropy for each session
Lock File Integration: Authentication tokens stored in ~/.claude/ide/[port].lock for Claude CLI discovery
Header-based Validation: WebSocket handshake validates x-claude-code-ide-authorization header
Security Controls: Token format validation, length limits, and comprehensive error handling
Enhanced Logging: Detailed authentication event logging for debugging and security auditing

Technical Implementation

  • Server Authentication: Modified server startup to generate and validate auth tokens throughout the connection lifecycle
  • Handshake Security: Updated WebSocket handshake to reject connections with missing/invalid tokens
  • Protocol Compliance: Follows official Claude Code IDE authentication protocol specifications
  • Test Coverage: Added comprehensive test suite including unit tests for handshake validation and integration tests for end-to-end auth flows

Security Features

  • Authentication tokens are 36-character UUIDs with proper format validation
  • Token length limits (10-500 characters) prevent potential abuse
  • Enhanced entropy sources for secure token generation
  • All authentication events logged for security auditing

This implementation ensures secure connections between Claude CLI and the Neovim WebSocket server while maintaining compatibility with the official Claude Code protocol.

@ThomasK33
feat: implement WebSocket authentication system with UUID tokens
b9b7b08 
This commit adds comprehensive authentication support to the claudecode.nvim WebSocket server:

- Generate UUID v4 tokens with enhanced entropy for each server session
- Store authentication tokens in lock files at ~/.claude/ide/[port].lock
- Validate auth tokens via x-claude-code-ide-authorization header during WebSocket handshake
- Reject connections with missing, invalid, or malformed authentication tokens

- Authentication tokens are 36-character UUIDs with proper format validation
- Token length limits (10-500 chars) prevent abuse
- Enhanced logging for authentication events and failures
- Secure token generation with multiple entropy sources

- Modified server startup to generate and pass auth tokens through the stack
- Updated handshake validation to check authentication headers
- Added comprehensive error handling for auth token generation and validation
- Enhanced client connection processing with authentication state tracking

- Added handshake_spec.lua with authentication test coverage
- Updated existing tests to support authenticated and unauthenticated modes
- Added auth token validation tests in lockfile_test.lua
- Enhanced integration tests with authentication flow testing

- Updated CLAUDE.md with authentication testing procedures and manual testing guides
- Updated PROTOCOL.md with authentication flow documentation and examples
- Added logging best practices and authentication debugging guides

This implementation follows the official Claude Code IDE authentication protocol
and ensures secure connections between Claude CLI and the Neovim plugin.

Change-Id: I4632b8e538cff23712a40a79289d10ae314cadec
Signed-off-by: Thomas Kosiewski <[email protected]>
@ThomasK33 ThomasK33 requested a review from Copilot June 20, 2025 15:22
Copilot

This comment was marked as outdated.

Sign in to view

@ThomasK33
fix: align empty auth token error message with test expectations
581d7f3 
Update error message for empty authentication tokens to match test expectations.
This ensures consistency between the validation logic and test suite.

Change-Id: I473d1379fe0362d41384f5f88128b759ad8ae685
Signed-off-by: Thomas Kosiewski <[email protected]>
@ThomasK33 ThomasK33 requested a review from Copilot June 20, 2025 15:33
Copilot

This comment was marked as outdated.

Sign in to view

@ThomasK33
fix: remove unsafe eval usage in WebSocket connection script
7b34f93 
Replace eval-based command construction with direct conditional execution
to prevent potential command injection if auth tokens contain special characters.
This addresses the security concern raised by Copilot review.

Change-Id: Ie1fbef35efd122502fa1d946fbd1bc268a3badb6
Signed-off-by: Thomas Kosiewski <[email protected]>
@ThomasK33 ThomasK33 requested a review from Copilot June 20, 2025 15:59
Copilot
Copilot AI reviewed Jun 20, 2025
View reviewed changes
Copy link

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR implements a secure WebSocket authentication system for claudecode.nvim by introducing UUID v4 token generation, integrating authentication tokens into lock files, and validating WebSocket upgrade requests via an authentication header. Key changes include:

  • Generating and validating UUID v4 tokens for each session with enhanced entropy.
  • Storing and retrieving authentication tokens via lock files for Claude CLI discovery.
  • Updating handshake, TCP server, and client logic along with extensive tests and documentation updates.

Reviewed Changes

Copilot reviewed 16 out of 16 changed files in this pull request and generated no comments.

Show a summary per file
File Description
tests/unit/server_spec.lua Added integration tests to verify server auth token state and operations.
tests/unit/server/handshake_spec.lua Expanded tests for handshake validation including auth header cases.
tests/unit/init_spec.lua Updated tests to reflect new lockfile auth token generation.
tests/lockfile_test.lua Extended lockfile tests for auth token generation, reading, and error cases.
tests/integration/mcp_tools_spec.lua Integrated tests covering full authentication flow across the server lifecycle.
scripts/lib_ws_persistent.sh Updated ws_connect to pass the optional auth token.
scripts/lib_claude.sh Added function integration to retrieve auth tokens from lock files.
lua/claudecode/server/tcp.lua Propagated auth token to TCP server creation for connection validation.
lua/claudecode/server/init.lua Stored, logged, and cleared auth tokens and integrated token in server start/stop.
lua/claudecode/server/handshake.lua Enhanced handshake processing to validate expected auth tokens.
lua/claudecode/server/client.lua Improved handshake logging and auth validation during client connection.
lua/claudecode/lockfile.lua Added auth token generation, validation, and propagation with lock files.
lua/claudecode/init.lua Bootstrapped auth token generation and ensured lockfile auth token consistency.
PROTOCOL.md and CLAUDE.md Updated documentation to describe the authentication protocol and testing.

@ThomasK33 ThomasK33 merged commit 3fe2c1b into main Jun 20, 2025
3 checks passed
@ThomasK33 ThomasK33 deleted the feat/add-authentication-system branch June 20, 2025 16:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@ThomasK33