[workers-auth] Add shared pluggable auth storage and delegated-auth env vars #14444

Draft: penalosa wants to merge 4 commits into main from penalosa/remote-bindings-auth-foundation

penalosa commented Jun 26, 2026
Contributor

Foundational auth/storage work for Cloudflare CLIs and the tools they delegate to. This is PR 1 of a 2-PR stack; PR 2 (the @cloudflare/remote-bindings extraction) builds on it: #14443.

The headline change: @cloudflare/workers-auth now configures auth storage by location (path + format), not by an injected storage object — workers-auth owns the file I/O. Because a location is just plain values, a CLI (wrangler, or cf) can configure it entirely from environment variables, with no code injection.

What changed

  • @cloudflare/workers-utils
    • CLOUDFLARE_CONFIG_DIR pins the global config directory for the whole process tree (getGlobalConfigPath), so a top-level CLI and its delegated tools resolve the same stored OAuth token.
    • Registers the delegated-auth env-var names: CLOUDFLARE_AUTH_CONFIG_FILE, CLOUDFLARE_OAUTH_CLIENT_ID, CLOUDFLARE_ALLOW_GLOBAL_API_KEY, CLOUDFLARE_LOGIN_COMMAND.
  • @cloudflare/workers-auth
    • The DI surface (createOAuthFlow, readStoredAuthState) takes a ConfigFileLocation ({ getPath, format }) instead of an AuthConfigStorage implementation. workers-auth owns parsing, serialization, and owner-only (0o600) permissions. createFileStorage(location) is exported for consumers needing direct read/write. Format is toml | json | jsonc (inferred from the file extension via CLOUDFLARE_AUTH_CONFIG_FILE).
    • createEnvApiTokenResolver: an environment-driven API-token resolver (env credentials, or the stored OAuth token refreshed on expiry; refresh-only, never interactive). Discovers the file location/format from the environment and honours CLOUDFLARE_ALLOW_GLOBAL_API_KEY / CLOUDFLARE_LOGIN_COMMAND.
    • getClientIdFromEnv prefers the CLI-neutral CLOUDFLARE_OAUTH_CLIENT_ID over WRANGLER_CLIENT_ID.
  • wrangler
    • Adopts the location-based API: wires createOAuthFlow / readStoredAuthState with defaultAuthConfigLocation() and backs writeAuthConfigFile/readAuthConfigFile with the shared createFileStorage. Sources getClientIdFromEnv from workers-auth so it honours CLOUDFLARE_OAUTH_CLIENT_ID. No user-facing behaviour change.

Why this shape

A delegated tool deep in a cf dev → vite dev → @cloudflare/remote-bindings chain (PR 2) can refresh the correct OAuth token purely from inherited environment variables — including a CLI like cf that stores its token as JSON/JSONC in a different location — without injecting any storage code.


  • Tests
    • Tests included/updated
    • Automated tests not possible - manual testing has been completed as follows:
    • Additional testing not necessary because:
  • Public documentation
    • Cloudflare docs PR(s):
    • Documentation not necessary because: internal plumbing — these packages are internal/prerelease (not user-facing APIs), wrangler's auth behaviour and configuration are unchanged, and the new environment variables are internal delegation knobs for the cf → vite → remote-bindings chain.

Add CLOUDFLARE_CONFIG_DIR, which pins the global config directory for the
whole process tree via getGlobalConfigPath so a top-level CLI and the tools
it delegates to resolve the same stored OAuth token. Also register the
delegated-auth variable names CLOUDFLARE_AUTH_CONFIG_FILE,
CLOUDFLARE_OAUTH_CLIENT_ID, CLOUDFLARE_ALLOW_GLOBAL_API_KEY and
CLOUDFLARE_LOGIN_COMMAND.

changeset-bot Bot commented Jun 26, 2026

🦋 Changeset detected

Latest commit: c8616c1

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 5 packages
Name Type
@cloudflare/workers-auth Minor
@cloudflare/workers-utils Minor
@cloudflare/autoconfig Patch
@cloudflare/cli-shared-helpers Patch
@cloudflare/deploy-helpers Patch


github-actions Bot commented Jun 26, 2026
Contributor

✅ All changesets look good

ask-bonk Bot commented Jun 26, 2026
Contributor

All exports resolve correctly.

My review summary: The PR is additive, well-tested, and the exports all resolve. I examined for logic bugs, security, backward-compat, and API behavior:

  • Env var factory semantics work correctly with the tests (vitest stubEnv(undefined) deletes the key).
  • File permissions (0o600 + chmodSync) match wrangler's existing secure pattern.
  • The empty-string-env-var edge case (?? ) matches existing repo semantics; not worth flagging.
  • The orphaned/duplicate JSDoc block (lines 6-16 of env-vars.ts) is cosmetic — not actionable per nitpick guidance.
  • Code duplication with wrangler's auth-config-file.ts is an architectural maintenance concern, not a logic bug, and is consistent with the stated plan to consume from the lower-level package.

No logic bugs, security issues, backward-compatibility violations, or incorrect API behavior found.

LGTM
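
The two storage properties discussed in this thread (a location built from plain environment values with the format taken from the file extension, and owner-only 0o600 permissions enforced with an explicit chmod) sketched as an added example. This is not code from the PR or from @cloudflare/workers-auth: `locationFromEnv`, `writeOwnerOnly`, `demo` and the `example_token` field are hypothetical, and the sketch serializes JSON only.

```javascript
// Added example, not the workers-auth source; function names are hypothetical.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Extension-to-format mapping for the three formats the PR names.
const FORMAT_BY_EXT = { ".toml": "toml", ".json": "json", ".jsonc": "jsonc" };

// Build a { getPath, format } location from plain environment values only.
function locationFromEnv(env) {
  const file = env.CLOUDFLARE_AUTH_CONFIG_FILE;
  if (!file) throw new Error("CLOUDFLARE_AUTH_CONFIG_FILE is not set");
  const format = FORMAT_BY_EXT[path.extname(file).toLowerCase()];
  if (!format) throw new Error(`unsupported auth config extension: ${file}`);
  return { getPath: () => file, format };
}

// Persist auth state so that only the owning user can read or write it.
function writeOwnerOnly(location, state) {
  if (location.format !== "json") throw new Error("this sketch serializes JSON only");
  const file = location.getPath();
  fs.mkdirSync(path.dirname(file), { recursive: true });
  // `mode` is honoured only when the file is created...
  fs.writeFileSync(file, JSON.stringify(state, null, 2), { mode: 0o600 });
  // ...so an explicit chmod tightens a file that already existed with wider bits.
  fs.chmodSync(file, 0o600);
  return fs.statSync(file).mode & 0o777;
}

// Constructed scenario: a pre-existing 0o644 token file is rewritten and tightened.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "auth-example-"));
  const file = path.join(dir, "auth.json");
  fs.writeFileSync(file, "{}");
  fs.chmodSync(file, 0o644);
  const before = fs.statSync(file).mode & 0o777;
  const location = locationFromEnv({ CLOUDFLARE_AUTH_CONFIG_FILE: file });
  const after = writeOwnerOnly(location, { example_token: "constructed-placeholder" });
  const stored = JSON.parse(fs.readFileSync(file, "utf8"));
  fs.rmSync(dir, { recursive: true, force: true });
  return { format: location.format, before, after, stored };
}
```

Permission bits are reported this way on POSIX systems; on Windows `chmodSync` only toggles the read-only flag, so the mode check is not meaningful there.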


pkg-pr-new Bot commented Jun 26, 2026

@cloudflare/autoconfig

npm i https://pkg.pr.new/@cloudflare/autoconfig@14444

create-cloudflare

npm i https://pkg.pr.new/create-cloudflare@14444

@cloudflare/deploy-helpers

npm i https://pkg.pr.new/@cloudflare/deploy-helpers@14444

@cloudflare/kv-asset-handler

npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@14444

miniflare

npm i https://pkg.pr.new/miniflare@14444

@cloudflare/pages-shared

npm i https://pkg.pr.new/@cloudflare/pages-shared@14444

@cloudflare/unenv-preset

npm i https://pkg.pr.new/@cloudflare/unenv-preset@14444

@cloudflare/vite-plugin

npm i https://pkg.pr.new/@cloudflare/vite-plugin@14444

@cloudflare/vitest-pool-workers

npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@14444

@cloudflare/workers-auth

npm i https://pkg.pr.new/@cloudflare/workers-auth@14444

@cloudflare/workers-editor-shared

npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@14444

@cloudflare/workers-utils

npm i https://pkg.pr.new/@cloudflare/workers-utils@14444

wrangler

npm i https://pkg.pr.new/wrangler@14444

commit: c8616c1

penalosa force-pushed the penalosa/remote-bindings-auth-foundation branch from cc2f4bc to 0540500 on June 26, 2026 16:43

penalosa added 3 commits June 26, 2026 18:33

Replace the injected AuthConfigStorage object at the DI boundary with a
ConfigFileLocation ({ getPath, format }); workers-auth now owns all file I/O
(parsing, serialization, owner-only permissions). createOAuthFlow and
readStoredAuthState take a location; createFileStorage(location) is exported for
direct read/write. Because a location is plain values, it can be configured
entirely from environment variables (e.g. CLOUDFLARE_AUTH_CONFIG_FILE, whose
extension selects TOML/JSON/JSONC). getClientIdFromEnv now prefers the
CLI-neutral CLOUDFLARE_OAUTH_CLIENT_ID over WRANGLER_CLIENT_ID.

Add createEnvApiTokenResolver: resolves env credentials or the stored OAuth
token (refreshed when expired), discovering the file location/format via
CLOUDFLARE_AUTH_CONFIG_FILE / CLOUDFLARE_CONFIG_DIR and honouring
CLOUDFLARE_ALLOW_GLOBAL_API_KEY and CLOUDFLARE_LOGIN_COMMAND. Refresh-only — it
never starts an interactive login. Shared so delegated tools (e.g.
@cloudflare/remote-bindings) don't reimplement env/OAuth token resolution.

Wire createOAuthFlow / readStoredAuthState with a ConfigFileLocation
(defaultAuthConfigLocation) instead of constructing a storage object, and back
writeAuthConfigFile/readAuthConfigFile with the shared createFileStorage. Source
getClientIdFromEnv from workers-auth so wrangler honours CLOUDFLARE_OAUTH_CLIENT_ID.

penalosa force-pushed the penalosa/remote-bindings-auth-foundation branch from 0540500 to c8616c1 on June 26, 2026 17:39