@goodhanded goodhanded commented Dec 31, 2025

Summary

  • Adds support for detecting Claude Code 2.x authentication
  • Claude Code 2.x stores OAuth account info in ~/.claude/.claude.json under the oauthAccount key
  • Falls back to legacy ~/.claude/.credentials.json location for backwards compatibility

Problem

Claude Code UI shows Claude as "disconnected" in Settings > Agents for users running Claude Code 2.x, even though Claude is properly authenticated and working.

Solution

Updated checkClaudeCredentials() in server/routes/cli-auth.js to:

  1. First check ~/.claude/.claude.json for oauthAccount.emailAddress (Claude Code 2.x)
  2. Fall back to ~/.claude/.credentials.json with claudeAiOauth (legacy)

Test plan

  • Tested with Claude Code 2.0.76 - Settings > Agents now shows Claude as connected with correct email
  • Backwards compatible - legacy auth location still checked as fallback

Summary by CodeRabbit

  • New Features
    • Added support for Claude Code 2.x credential format in CLI authentication with automatic fallback to legacy credentials for seamless sign-in.
    • Improved detection of legacy OAuth credentials so valid tokens are recognized and reported as authenticated.
    • Authentication responses now include clearer method indicators to help diagnose which credential source was used.

Claude Code 2.x stores OAuth account info in ~/.claude/.claude.json
under the oauthAccount key, rather than the legacy location at
~/.claude/.credentials.json.

This change checks the new location first, then falls back to the
legacy location for backwards compatibility.

coderabbitai bot commented Dec 31, 2025

Walkthrough

checkClaudeCredentials now checks for Claude Code 2.x credentials at ~/.claude/.claude.json (returning method: 'claude_code_2x' when valid), falls back to legacy ~/.claude/.credentials.json (returning method: 'legacy_oauth' when oauth token is valid), and surfaces the chosen method in authenticated responses.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Claude credential locations & response: server/routes/cli-auth.js | Added detection of Code 2.x creds at ~/.claude/.claude.json and return of method: 'claude_code_2x' when oauthAccount.emailAddress is present. Fallback to legacy ~/.claude/.credentials.json with method: 'legacy_oauth' when an oauth access token is present and not expired. Authenticated responses now include a method field. |

Sequence Diagram

sequenceDiagram
    participant Client
    participant Auth as Auth Handler
    participant FS as File System

    Client->>Auth: Request credentials check
    Auth->>FS: Read ~/.claude/.claude.json
    alt Code 2.x file exists
        FS-->>Auth: File contents
        Auth->>Auth: Inspect oauthAccount.emailAddress
        alt emailAddress present
            Auth-->>Client: authenticated (method: 'claude_code_2x')
        else
            Auth->>FS: Read ~/.claude/.credentials.json
        end
    else no Code 2.x file
        Auth->>FS: Read ~/.claude/.credentials.json
    end
    alt legacy file exists
        FS-->>Auth: File contents
        Auth->>Auth: Check oauth token and expiry
        alt token valid
            Auth-->>Client: authenticated (method: 'legacy_oauth')
        else
            Auth-->>Client: unauthenticated / error
        end
    else no legacy file
        Auth-->>Client: unauthenticated / error
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A little hop to a new JSON trail,

.claude.json leads the new tale,
If it skips, the old path sings,
Tokens checked and method rings,
Happy hops for authenticated mail!

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: adding support for Claude Code 2.x authentication detection. It directly aligns with the primary objective of the changeset. |

📜 Recent review details

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4db0d38 and d228e2a.

📒 Files selected for processing (1)
  • server/routes/cli-auth.js
🚧 Files skipped from review as they are similar to previous changes (1)
  • server/routes/cli-auth.js

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
server/routes/cli-auth.js (1)

9-18: Critical: Method field is incorrectly overwritten.

Line 17 hardcodes method: 'credentials_file', which overwrites the method field returned by checkClaudeCredentials(). This defeats the purpose of distinguishing between 'claude_code_2x' and 'legacy_oauth' authentication methods.

🔎 Proposed fix
     if (credentialsResult.authenticated) {
       return res.json({
         authenticated: true,
         email: credentialsResult.email || 'Authenticated',
-        method: 'credentials_file'
+        method: credentialsResult.method || 'credentials_file'
       });
     }
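Review bot: On the `+` line, the `|| 'credentials_file'` fallback hides the case where checkClaudeCredentials() reports authenticated without setting method, so a client still cannot tell which source was used. Since the purpose of the field is to distinguish 'claude_code_2x' from 'legacy_oauth', prefer making method mandatory in the helper's result and passing it through unchanged. The unchanged `email: credentialsResult.email || 'Authenticated'` line above it also puts a status word into a field that consumers will treat as an address; returning null there and letting the UI choose its label keeps the two apart.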
🧹 Nitpick comments (1)
server/routes/cli-auth.js (1)

81-94: Consider adding debug logging for the fallback path.

The broad try-catch correctly handles both file-not-found and JSON parsing errors by falling back to the legacy credential check. However, for troubleshooting, consider logging the error when the Claude Code 2.x check fails.

🔎 Suggested enhancement
     } catch (e) {
       // .claude.json not found or invalid, try legacy location
+      console.debug('Claude Code 2.x credentials not found or invalid, falling back to legacy:', e.message);
     }
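Review bot: The added console.debug line runs for every failure that reaches this catch, and the comment above it says that covers both a missing file and invalid JSON, so the expected case (no .claude.json) logs on every status check while a corrupt file looks the same in the output. Branch on e.code === 'ENOENT' to stay quiet for the missing file and log the remaining cases at a higher level. Log e.code or e.name rather than e.message, since a JSON.parse message can quote a fragment of the file and a file-system error message includes the home-directory path.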
📜 Review details

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b066ec4 and 4db0d38.

📒 Files selected for processing (1)
  • server/routes/cli-auth.js
🧰 Additional context used
🧬 Code graph analysis (1)
server/routes/cli-auth.js (1)
server/index.js (3)
  • path (1327-1327)
  • os (1329-1329)
  • fs (1328-1328)
🔇 Additional comments (2)
server/routes/cli-auth.js (2)

96-112: LGTM: Legacy fallback correctly enhanced with method field.

The legacy credential check properly adds the method: 'legacy_oauth' field while preserving existing token expiry validation and email fallback logic. This correctly complements the new Claude Code 2.x detection.


79-94: Consider adding expiry validation to the Claude Code 2.x authentication path.

The legacy credential check (lines 103–111) validates token expiry using expiresAt, but the new Claude Code 2.x path (lines 79–94) does not perform any expiry validation. Since OAuth credentials typically include expiry information (as shown in the legacy path and standard OAuth structures), verify whether oauthAccount contains an expiresAt field and add an expiry check if present, consistent with the legacy authentication method.

Additionally, consider validating that emailAddress is not an empty string before returning it.
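
The check order from the walkthrough, with the two validations suggested in this review (non-empty emailAddress, expiry), as an added example that is not the project's code. It works on the raw text of the two files so it runs without touching ~/.claude; `checkClaudeCredentialText`, the `notes` array, the `accessToken` field name and `expiresAt` as epoch milliseconds are assumptions.

```javascript
// Added example; not the code in server/routes/cli-auth.js.
// From the thread: oauthAccount.emailAddress, claudeAiOauth, expiresAt, method values.
// Assumed: accessToken field name, expiresAt as epoch milliseconds, the notes array.
function parseJson(text) {
  if (typeof text !== 'string') return { ok: false, reason: 'missing' };
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch {
    return { ok: false, reason: 'invalid_json' }; // report the kind, never the content
  }
}

// No expiry field means "no expiry information"; a present one must be a future number.
function notExpired(expiresAt, now) {
  return expiresAt === undefined || (Number.isFinite(expiresAt) && expiresAt > now);
}

function checkClaudeCredentialText(claudeJsonText, credentialsText, now = Date.now()) {
  const notes = [];
  const v2 = parseJson(claudeJsonText);
  if (v2.ok) {
    const acct = v2.value && v2.value.oauthAccount;
    const email = acct && typeof acct.emailAddress === 'string' ? acct.emailAddress.trim() : '';
    if (email && notExpired(acct.expiresAt, now)) {
      return { authenticated: true, email, method: 'claude_code_2x', notes };
    }
    notes.push('claude_json:no_usable_oauthAccount');
  } else {
    notes.push('claude_json:' + v2.reason);
  }
  const legacy = parseJson(credentialsText);
  if (legacy.ok) {
    const oauth = legacy.value && legacy.value.claudeAiOauth;
    const hasToken = Boolean(oauth) && typeof oauth.accessToken === 'string' && oauth.accessToken !== '';
    if (hasToken && notExpired(oauth.expiresAt, now)) {
      return { authenticated: true, email: null, method: 'legacy_oauth', notes };
    }
    notes.push(hasToken ? 'credentials:expired_or_bad_expiry' : 'credentials:no_token');
  } else {
    notes.push('credentials:' + legacy.reason);
  }
  return { authenticated: false, email: null, method: null, notes };
}

// Constructed sample: empty email in the 2.x file, legacy token expired at t=1000.
const SAMPLE = checkClaudeCredentialText(
  '{"oauthAccount":{"emailAddress":""}}',
  '{"claudeAiOauth":{"accessToken":"constructed-token","expiresAt":1000}}',
  2000);
```

The `notes` array records why each location was skipped without carrying any file content, which gives the status endpoint something safe to log.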

goodhanded and others added 2 commits December 31, 2025 17:41
- Don't overwrite the method field returned by checkClaudeCredentials
- Allows distinguishing between 'claude_code_2x' and 'legacy_oauth'

viper151 commented Jan 5, 2026

@goodhanded I'm not able to reproduce it. In all my tests with the latest claude code release the .credentials is always created regardless of whether it's oauth or API keys. The .claude.json file also contains the auth method; however, it doesn't look like .credentials is a legacy method. Do you have some sources that it's a legacy method?

Moreover, what is your system configuration and how have you installed claude code?
