buildmymcpserver/apps/api
Marco Sadjadi b421457010
All checks were successful
Deploy to Production / deploy (push) Successful in 1m21s
fix(oauth): accept client_secret_basic on /oauth/token (RFC 6749 §2.3.1)
Sovereign-audit Phase 3 caught the next layer of the same bug:
form-urlencoded parsing now works, but the AS metadata advertises
both `client_secret_basic` and `client_secret_post` while the handler
only read credentials from the body. Claude Desktop (and most OAuth
SDKs) prefer Basic auth, so every token exchange landed at
"401 invalid_client" — visible in prod logs as POST /oauth/token from
160.79.106.37 returning 401 in <4ms (failing the missing-secret check).

Parse Authorization: Basic header, decode base64, percent-decode each
side (RFC 6749 §2.3.1 mandates pct-encoding of user/pass before the
base64 step), and treat the resulting credentials as if they came from
the body. Header takes precedence when both are present.
2026-05-28 21:28:23 +02:00
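The header-then-body credential extraction the commit describes, written out as an added example in TypeScript (not the project's own handler). It assumes Node's `Buffer` for base64, header keys already lowercased (as Fastify delivers them), and constructed sample credentials; the percent-decoding follows RFC 6749 §2.3.1, and the Authorization header wins when both sources are present.

```typescript
// Added example, not code from the buildmymcpserver repo.
// Minimal typing for the Node Buffer API used below (base64 <-> utf8).
declare const Buffer: {
  from(s: string, enc: string): { toString(enc: string): string };
};

export interface ClientCredentials {
  clientId: string;
  clientSecret: string;
  method: "client_secret_basic" | "client_secret_post";
}

// RFC 6749 §2.3.1: client_id and client_secret are form-urlencoded before
// being joined with ":" and base64-encoded, so each side is percent-decoded
// after the split. Returns null for anything that is not well-formed Basic.
export function parseBasicAuth(
  header: string | undefined,
): { id: string; secret: string } | null {
  if (!header) return null;
  const m = /^Basic\s+([A-Za-z0-9+/=]+)\s*$/i.exec(header);
  if (!m) return null;
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const colon = decoded.indexOf(":"); // first colon only; secret may contain %3A
  if (colon < 0) return null;
  try {
    return {
      id: decodeURIComponent(decoded.slice(0, colon)),
      secret: decodeURIComponent(decoded.slice(colon + 1)),
    };
  } catch {
    return null; // malformed percent-encoding
  }
}

// Header takes precedence over body; a null result maps to 401 invalid_client.
export function extractClientCredentials(
  headers: Record<string, string | undefined>,
  body: Record<string, string | undefined>,
): ClientCredentials | null {
  const basic = parseBasicAuth(headers["authorization"]);
  if (basic) {
    return { clientId: basic.id, clientSecret: basic.secret, method: "client_secret_basic" };
  }
  if (body.client_id && body.client_secret) {
    return { clientId: body.client_id, clientSecret: body.client_secret, method: "client_secret_post" };
  }
  return null;
}
```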
src fix(oauth): accept client_secret_basic on /oauth/token (RFC 6749 §2.3.1) 2026-05-28 21:28:23 +02:00
Dockerfile fix(docker): healthcheck must hit 127.0.0.1, not localhost 2026-05-21 18:07:01 +02:00
package.json feat(billing): Stripe Checkout + Customer Portal + signed webhook 2026-05-25 16:30:42 +02:00
tsconfig.json feat(api): Fastify control plane (auth, servers, WS build stream, OAuth 2.1 AS, JWKS) 2026-05-19 00:24:47 +02:00