fix(auth): hex-decode credentials, close keep-alive sockets, fix MCP list_devices schema#51
Merged
Merged
Conversation
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…list_devices schema - token-exchange: return decrypted bytes as hex string (verified working with live API) - oauth-callback: call closeAllConnections() in all termination paths so browser keep-alive sockets don't prevent the CLI process from exiting after login - mcp: relax hubDeviceId to nullable().optional() in both deviceList and infraredRemoteList output schemas — fixes list_devices tool schema validation failure when API returns null/missing hubDeviceId - tests: add keep-alive teardown tests that regress the closeAllConnections fix Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…e with real API
The Wonder API encrypts credentials as raw binary bytes. Calling .toString('utf8')
on the decrypted output produced garbled non-ASCII characters that broke HTTP
header validation. The correct output is .toString('hex').
The previous test fixture used a UTF-8 string as the plaintext credential, which
did not reflect the real API's binary payload format and caused the test to fail
after the encoding fix. Updated the fixture to:
- Use fixed binary buffers as the plaintext (matching actual Wonder API behavior)
- Encrypt raw bytes (not UTF-8-encoded strings) to simulate server-side encryption
- Assert the output is a lowercase hex string safe for HTTP headers and HMAC keys
- Add length assertions matching observed live token/secret sizes (96/32 chars)
- Add a comment block explaining WHY .toString('hex') is correct, to prevent
future reviewers from incorrectly flagging this as a regression
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
chenliuyun
pushed a commit
that referenced
this pull request
May 22, 2026
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
token-exchange:decryptFieldreturns decrypted bytes as hex string (.toString('hex')) — verified working against live SwitchBot APIoauth-callback: callcloseAllConnections()in all termination paths (success, OAuth error, timeout) so browser keep-alive sockets don't prevent the CLI process from exiting after loginmcp: relaxhubDeviceIdtoz.string().nullable().optional()in bothdeviceListandinfraredRemoteListoutput schemas — fixeslist_devicesMCP tool schema validation failure when API returnsnull/absenthubDeviceIdTest plan
tests/auth/oauth-callback.test.ts— 3 new keep-alive teardown tests added; regression-verified: removingcloseAllConnectionscauses these tests to failnpm test -- tests/auth/oauth-callback.test.ts)switchbot auth login— browser OAuth flow completes, credentials verified and saved, process exits cleanlyswitchbot devices list— API auth works with hex-decoded credentialslist_devices— schema acceptsnullhubDeviceId without validation error🤖 Generated with Claude Code