zhanj/claude-hud
1
0
Fork 0
mirror of https://github.com/jarrodwatts/claude-hud.git synced 2026-05-07 13:12:38 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
c4582e9831bdaed6dfe2cc079f1d42e926fef39b
claude-hud/tests/usage-api.test.js
Rareș T. Gosman c36738d63c fix: read OAuth credentials from macOS Keychain (Claude Code 2.x) (#50) 
* fix: read OAuth credentials from macOS Keychain (Claude Code 2.x)

Claude Code 2.x stores OAuth credentials in the macOS Keychain under
"Claude Code-credentials" instead of ~/.claude/.credentials.json.

This caused the usage tracker to silently fail on macOS since the
credentials file doesn't exist.

Changes:
- Add readKeychainCredentials() to read from macOS Keychain via security CLI
- Add 1.5s timeout to prevent HUD hangs if Keychain is slow
- Fall back to file-based credentials if Keychain lacks subscriptionType
- Extract parseCredentialsData() to share validation logic
- Add readKeychain to UsageApiDeps for test isolation
- Add test for Keychain-to-file fallback behavior

The credential lookup order is now:
1. macOS Keychain (Claude Code 2.x on darwin)
2. File-based ~/.claude/.credentials.json (older versions, non-macOS)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: address review feedback for keychain credentials

- Increase keychain timeout from 1.5s to 5s to allow time for macOS
  permission prompts (user needs to click "Allow")
- Fix fallback logic: always use keychain token (authoritative) when
  present, supplement subscriptionType from file if needed
- Add happy-path test for complete keychain credentials
- Add test verifying keychain token is used even when subscriptionType
  comes from file

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* security: harden keychain credential reading

- Use execFileSync with absolute path (/usr/bin/security) instead of
  execSync with shell - prevents PATH hijacking and shell injection
- Sanitize debug logging to only log error.message, not full error
  object which may contain stdout/stderr with credential data
- Add 60s backoff on keychain failures to prevent re-prompting user
  on every render cycle after a timeout/denial

Addresses security review feedback from Codex.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: Jarrod Watts <jarrod@cubelabs.xyz>
2026-01-14 11:26:16 +11:00

11 KiB
Raw Blame History

View Raw
Reference in New Issue View Git Blame Copy Permalink