
[workers-auth] Make OAuth identity and token storage injectable for reuse by other CLIs #14185

Draft
penalosa wants to merge 1 commit into main from penalosa/workers-auth-injectable


Contributor

@penalosa penalosa commented Jun 4, 2026

Makes the OAuth flow in @cloudflare/workers-auth brandable so a second
Cloudflare CLI (cf) can reuse it with its own OAuth identity, instead of
re-implementing the PKCE flow. All new surface is optional and defaults to
Wrangler's current behaviour, so Wrangler is functionally unchanged.

@cloudflare/workers-auth

  • createOAuthFlow's context gains optional clientId, consent
    (granted/denied redirect pages), callback (host/port + registered
    redirect_uri), and storage (a pluggable AuthConfigStorage). Threaded
    through the flow, callback server, token exchange, and auth-URL builder.
  • Hoisted the shared env→credential resolver here: getAuthFromEnv,
    getAPIToken, requireApiToken, and the credential env getters
    (getCloudflareAPITokenFromEnv, getCloudflareGlobalAuthKeyFromEnv,
    getCloudflareGlobalAuthEmailFromEnv). getAuthFromEnv/getAPIToken accept
    allowGlobalAuthKey (so a CLI can opt out of global API key + email) and
    getAPIToken accepts injected storage.

@cloudflare/workers-utils

  • getGlobalWranglerConfigPath(appName = "wrangler", useLegacyHomeDir = true)
    is now parameterized so other first-party CLIs can resolve their own
    XDG-compliant config directory. Existing callers are unaffected.
  • The Node build injects a createRequire-backed globalThis.require via a
    tsup banner so bundled CJS deps (e.g. xdg-app-paths) resolve under pure
    ESM — baking in the fix consumers previously applied via a pnpm patch. The
    browser build is intentionally excluded.

wrangler

  • getAuthFromEnv / getAPIToken / requireApiToken now delegate to the
    shared implementations; the credential env getters are re-exported from
    @cloudflare/workers-auth. No behaviour change — resolution order (global
    API key + email → CLOUDFLARE_API_TOKEN → stored OAuth token) is preserved.

  • Tests
    • Tests included/updated
    • Automated tests not possible - manual testing has been completed as follows:
    • Additional testing not necessary because:
  • Public documentation
    • Cloudflare docs PR(s):
    • Documentation not necessary because: @cloudflare/workers-auth is an internal package (not for external use) and Wrangler's user-facing behaviour is unchanged.

…env-credential resolver

- workers-auth: add optional clientId / consent / callback / storage to
  OAuthFlowContext (default to Wrangler's behaviour); thread them through the
  flow, callback server, token exchange, and auth-url builder.
- workers-auth: hoist getAuthFromEnv / getAPIToken / requireApiToken and the
  credential env getters here, with an allowGlobalAuthKey toggle and injectable
  storage, so any Cloudflare CLI shares one resolver.
- workers-utils: parameterize getGlobalWranglerConfigPath(appName, useLegacyHomeDir);
  inject a createRequire-backed require shim via tsup banner (Node build only) so
  bundled CJS deps work under ESM without a downstream patch.
- wrangler: delegate getAuthFromEnv/getAPIToken/requireApiToken to workers-auth;
  re-export the credential env getters. No behaviour change.
- tests + changesets.
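
The resolution order stated in the description (global API key + email → CLOUDFLARE_API_TOKEN → stored OAuth token), with the `allowGlobalAuthKey` opt-out and injected storage, as an added sketch that is not code from this PR. `resolveCredential`, `TokenStorage`, and the `CLOUDFLARE_API_KEY` / `CLOUDFLARE_EMAIL` variable names are assumptions, as is treating a key without an email as absent.

```typescript
// Added illustration; names follow the PR description, bodies are assumptions.
type Env = Record<string, string | undefined>;

// Hypothetical minimal shape for the pluggable storage (the PR calls it AuthConfigStorage).
interface TokenStorage {
  readOAuthToken(): string | undefined;
}

type Credential =
  | { kind: "global-key"; authKey: string; authEmail: string }
  | { kind: "api-token"; apiToken: string }
  | { kind: "oauth"; apiToken: string };

interface ResolveOptions {
  allowGlobalAuthKey?: boolean; // default true, matching Wrangler's behaviour per the PR
  storage?: TokenStorage;
}

function resolveCredential(env: Env, opts: ResolveOptions = {}): Credential | undefined {
  const allowGlobalAuthKey = opts.allowGlobalAuthKey ?? true;
  const authKey = env.CLOUDFLARE_API_KEY; // assumed variable name
  const authEmail = env.CLOUDFLARE_EMAIL; // assumed variable name
  // 1. Global API key + email: only if the CLI has not opted out and both halves are set.
  if (allowGlobalAuthKey && authKey && authEmail) {
    return { kind: "global-key", authKey, authEmail };
  }
  // 2. Scoped API token from the environment.
  const apiToken = env.CLOUDFLARE_API_TOKEN;
  if (apiToken) {
    return { kind: "api-token", apiToken };
  }
  // 3. Stored OAuth token, read through whatever storage the CLI injected.
  const stored = opts.storage?.readOAuthToken();
  return stored ? { kind: "oauth", apiToken: stored } : undefined;
}

// Constructed sample input: a broad global key and a scoped token set side by side.
const sampleEnv: Env = {
  CLOUDFLARE_API_KEY: "constructed-key",
  CLOUDFLARE_EMAIL: "dev@example.com",
  CLOUDFLARE_API_TOKEN: "constructed-token",
};
const memoryStorage: TokenStorage = { readOAuthToken: () => "constructed-oauth-token" };

console.log(resolveCredential(sampleEnv)?.kind);
console.log(resolveCredential(sampleEnv, { allowGlobalAuthKey: false })?.kind);
```

With the default, the account-wide global key wins over the scoped token whenever both are set; a CLI that passes `allowGlobalAuthKey: false` never selects it, regardless of what is in the environment.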

changeset-bot Bot commented Jun 4, 2026

🦋 Changeset detected

Latest commit: 51c34b6

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 8 packages
Name Type
@cloudflare/workers-auth Minor
@cloudflare/workers-utils Minor
wrangler Patch
@cloudflare/cli-shared-helpers Patch
@cloudflare/deploy-helpers Patch
@cloudflare/vite-plugin Patch
@cloudflare/vitest-pool-workers Patch
@cloudflare/wrangler-bundler Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

Contributor

github-actions Bot commented Jun 4, 2026

✅ All changesets look good

Contributor

ask-bonk Bot commented Jun 4, 2026

@penalosa Bonk workflow was cancelled.

View workflow run · To retry, trigger Bonk again.
