Skip to content

[workers-auth] Extract auth into @cloudflare/workers-auth, make it product-agnostic, and add a cf entrypoint#14630

Open
penalosa wants to merge 8 commits into
mainfrom
penalosa/remote-bindings-extraction-take-3
Open

[workers-auth] Extract auth into @cloudflare/workers-auth, make it product-agnostic, and add a cf entrypoint#14630
penalosa wants to merge 8 commits into
mainfrom
penalosa/remote-bindings-extraction-take-3

Conversation

@penalosa

@penalosa penalosa commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Refactor Wrangler's auth machinery into @cloudflare/workers-auth, make the CLI-facing auth layer product-agnostic, and add a second consumer (/cf) on top of the shared core.

What changed

  • Wrangler auth extraction + shim removal — Wrangler's auth machinery now lives in @cloudflare/workers-auth behind createWranglerAuth(ctx) (5-field context: logger, userAgent, prompt, select, isNoDefaultValueProvidedError). Everything previously injected is built in-package: config-cache, the temporary-terms prompt, and paged account fetching (fetchAccountsPaged, avoiding the cfetchuser cycle). The re-export/adapter shim files (preferences, auth-config-file, profile-store, keyring-preference, generate-auth-url, is-interactive, open-in-browser) are deleted and every consumer repointed at the owning package.
  • Product-agnostic core — the shared auth logic (src/product/) is parameterised by an AuthProduct descriptor (client ID, consent pages, config paths, file format, scope catalog, cache namespace, …), so each CLI is a thin descriptor + entrypoint rather than a fork of the factory.
  • New @cloudflare/workers-auth/cf entrypointcreateCfAuth(ctx) for the cf CLI, mirroring its real OAuth app registration: client ID, local callback port 8877, branded cf-oauth-consent-* pages, scoped-token-only auth (no global API key), JSON config files under ~/.config/cloudflare, a dedicated cf scope catalog, and an isolated config-cache namespace.
  • Shared relocationscreateConfigCache, isInteractive / isNonInteractiveOrCI / isCI, and openInBrowser moved to @cloudflare/workers-utils (logger is passed as a parameter — there is no logger singleton there).
  • CI detection fix — the bundled auth layer inlines ci-info, so consumers mock @cloudflare/workers-utils' CI helpers (not ci-info) to fake CI. Wrangler's vitest setup does this, and because @cloudflare/* is external in the workers-auth bundle the seam reaches the bundled auth layer too.
  • Review-driven correctness fixeshasEnvCredentials honours the product's allowGlobalAuthKey (so scoped-token-only cf isn't wrongly blocked by a bare CLOUDFLARE_API_KEY + CLOUDFLARE_EMAIL pair); cf's config cache is namespaced so cf login/logout never purges Wrangler's cache; cf's config dir has no leading dot.
  • Snapshot determinism — login-URL snapshots stay stable by scrubbing the OAuth state / code_challenge query params in workers-utils normalizeString, rather than mocking the URL builder.

No user-facing Wrangler behaviour change. @cloudflare/workers-auth gains a new internal /cf entrypoint (covered by the changeset).


  • Tests
    • Tests included/updated
    • Automated tests not possible - manual testing has been completed as follows:
    • Additional testing not necessary because:
  • Public documentation
    • Cloudflare docs PR(s):
    • Documentation not necessary because: internal packages only — no user-facing Wrangler behaviour change, and @cloudflare/workers-auth is an internal package with no public documentation.

…xport shims

Move Wrangler's auth machinery into the @cloudflare/workers-auth
`/wrangler` layer behind a createWranglerAuth(ctx) factory whose context
is reduced to 5 fields (logger, userAgent, prompt, select,
isNoDefaultValueProvidedError). config-cache, isInteractive and
openInBrowser move to @cloudflare/workers-utils (logger passed as a
param, no singleton there).

Delete the re-export/adapter shim files that only existed to preserve
historical import paths (preferences, auth-config-file, profile-store,
keyring-preference, generate-auth-url, is-interactive, open-in-browser)
and repoint every consumer to the owning package. Slim auth-variables to
its single genuine export (getWranglerR2SqlAuthToken).

Login-URL snapshot determinism is handled by scrubbing the OAuth state /
code_challenge params in workers-utils normalizeString rather than
mocking the URL builder.
@changeset-bot

changeset-bot Bot commented Jul 9, 2026

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: ff57a0b

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 5 packages
Name Type
@cloudflare/workers-auth Minor
@cloudflare/workers-utils Minor
@cloudflare/autoconfig Patch
@cloudflare/cli-shared-helpers Patch
@cloudflare/deploy-helpers Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@pkg-pr-new

pkg-pr-new Bot commented Jul 9, 2026

Copy link
Copy Markdown
@cloudflare/autoconfig

npm i https://pkg.pr.new/@cloudflare/autoconfig@14630

create-cloudflare

npm i https://pkg.pr.new/create-cloudflare@14630

@cloudflare/deploy-helpers

npm i https://pkg.pr.new/@cloudflare/deploy-helpers@14630

@cloudflare/kv-asset-handler

npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@14630

miniflare

npm i https://pkg.pr.new/miniflare@14630

@cloudflare/pages-shared

npm i https://pkg.pr.new/@cloudflare/pages-shared@14630

@cloudflare/unenv-preset

npm i https://pkg.pr.new/@cloudflare/unenv-preset@14630

@cloudflare/vite-plugin

npm i https://pkg.pr.new/@cloudflare/vite-plugin@14630

@cloudflare/vitest-pool-workers

npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@14630

@cloudflare/workers-auth

npm i https://pkg.pr.new/@cloudflare/workers-auth@14630

@cloudflare/workers-editor-shared

npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@14630

@cloudflare/workers-utils

npm i https://pkg.pr.new/@cloudflare/workers-utils@14630

wrangler

npm i https://pkg.pr.new/wrangler@14630

commit: ff57a0b

@ask-bonk

ask-bonk Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

The deprecatedName: "CF_ACCOUNT_ID" matches exactly. Behavior preserved.

I've now completed a thorough review of the core logic paths, deleted-file consumers, test mocking, cross-package live bindings, function signatures, env var behavior, and telemetry messages. This is a well-executed, faithful internal refactor. The main risks (credential resolution path, paged fetch, scope live binding, config-cache pointing at same files, browser-open logger param) all check out as behavior-preserving.

I did not find any logic bugs, security issues, backward-compatibility violations, or incorrect API behavior. The only observations are stylistic (split imports from the same module) which Prettier/ESLint handle and I'm instructed not to flag.

LGTM

github run

penalosa added 2 commits July 9, 2026 18:59
Importing `open` at module top pulled its default `node:child_process`
import into every consumer of the workers-utils barrel. Tests that
partially mock `node:child_process` (e.g. workers-auth's access.test.ts,
with only `spawnSync` and no default export) then failed at import time.

Import `open` lazily inside openInBrowser so merely importing the barrel
no longer drags child_process into the module graph.
…ed product-agnostic core

Refactor the wrangler-specific auth layer into a product-agnostic
`createCloudflareAuth(product, ctx)` core (`src/product/`) parameterised
by an `AuthProduct` descriptor (identity, config paths, file format,
consent pages, client id, copy). Wrangler becomes a thin descriptor
(`WRANGLER_PRODUCT` + `createWranglerAuth`) with its `/wrangler`
entrypoint exports unchanged.

Add a new `@cloudflare/workers-auth/cf` entrypoint (`createCfAuth`):
the same auth machinery, but JSON files under `~/.config/cloudflare`,
the `cloudflare` OS-keyring service, and `CLOUDFLARE_CLIENT_ID`. The
on-disk format is a new `FileFormat` axis threaded through the credential
store (default TOML, so wrangler is byte-for-byte unchanged).

cf's OAuth app client-id UUIDs, redirect URI, consent page URLs, and the
account-selection config-file hint are placeholders pending real values
(search TODO(cf)).
@penalosa penalosa marked this pull request as ready for review July 9, 2026 18:49
@penalosa penalosa requested a review from workers-devprod as a code owner July 9, 2026 18:49
@workers-devprod workers-devprod requested review from a team and dario-piotrowicz and removed request for a team July 9, 2026 18:49
@workers-devprod

workers-devprod commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Codeowners approval required for this PR:

  • @cloudflare/cloudchamber
  • @cloudflare/d1
  • @cloudflare/wrangler
Show detailed file reviewers
  • .changeset/extract-workers-auth-core.md: [@cloudflare/wrangler]
  • packages/workers-auth/AGENTS.md: [@cloudflare/wrangler]
  • packages/workers-auth/package.json: [@cloudflare/wrangler]
  • packages/workers-auth/src/cf/auth-config-file.ts: [@cloudflare/wrangler]
  • packages/workers-auth/src/cf/constants.ts: [@cloudflare/wrangler]
  • packages/workers-auth/src/cf/env.ts: [@cloudflare/wrangler]
  • packages/workers-auth/src/cf/index.ts: [@cloudflare/wrangler]
  • packages/workers-auth/src/cf/paths.ts: [@cloudflare/wrangler]
  • packages/workers-auth/src/cf/scopes.ts: [@cloudflare/wrangler]
  • packages/workers-auth/src/cf/temporary-account-path.ts: [@cloudflare/wrangler]
  • packages/workers-auth/src/credential-store/encrypted-file-store.ts: [@cloudflare/wrangler]
  • packages/workers-auth/src/credential-store/file-store.ts: [@cloudflare/wrangler]
  • packages/workers-auth/src/credential-store/resolver.ts: [@cloudflare/wrangler]
  • packages/workers-auth/src/env-vars.ts: [@cloudflare/wrangler]
  • packages/workers-auth/src/file-format.ts: [@cloudflare/wrangler]
  • packages/workers-auth/src/index.ts: [@cloudflare/wrangler]
  • packages/workers-auth/src/product/auth-config-file.ts: [@cloudflare/wrangler]
  • packages/workers-auth/src/product/factory.ts: [@cloudflare/wrangler]
  • packages/workers-auth/src/product/file-storage.ts: [@cloudflare/wrangler]
  • packages/workers-auth/src/product/keyring-preference.ts: [@cloudflare/wrangler]
  • packages/workers-auth/src/product/preferences.ts: [@cloudflare/wrangler]
  • packages/workers-auth/src/product/profile-store.ts: [@cloudflare/wrangler]
  • packages/workers-auth/src/product/scopes.ts: [@cloudflare/wrangler]
  • packages/workers-auth/src/product/temporary-terms.ts: [@cloudflare/wrangler]
  • packages/workers-auth/src/product/types.ts: [@cloudflare/wrangler]
  • packages/workers-auth/src/wrangler/auth-config-file.ts: [@cloudflare/wrangler]
  • packages/workers-auth/src/wrangler/constants.ts: [@cloudflare/wrangler]
  • packages/workers-auth/src/wrangler/env.ts: [@cloudflare/wrangler]
  • packages/workers-auth/src/wrangler/index.ts: [@cloudflare/wrangler]
  • packages/workers-auth/src/wrangler/temporary-account-path.ts: [@cloudflare/wrangler]
  • packages/workers-auth/tests/cf/index.test.ts: [@cloudflare/wrangler]
  • packages/workers-auth/tsup.config.ts: [@cloudflare/wrangler]
  • packages/workers-utils/AGENTS.md: [@cloudflare/wrangler]
  • packages/workers-utils/package.json: [@cloudflare/wrangler]
  • packages/workers-utils/src/config-cache.ts: [@cloudflare/wrangler]
  • packages/workers-utils/src/environment-variables/factory.ts: [@cloudflare/wrangler]
  • packages/workers-utils/src/index.ts: [@cloudflare/wrangler]
  • packages/workers-utils/src/is-interactive.ts: [@cloudflare/wrangler]
  • packages/workers-utils/src/open-in-browser.ts: [@cloudflare/wrangler]
  • packages/workers-utils/src/test-helpers/normalize.ts: [@cloudflare/wrangler]
  • packages/workers-utils/tests/config-cache.test.ts: [@cloudflare/wrangler]
  • packages/workers-utils/tests/open-in-browser.test.ts: [@cloudflare/wrangler]
  • packages/wrangler/e2e/auth-scopes.test.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/tests/auth-credentials.test.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/tests/browser-run.test.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/tests/deploy/core.test.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/tests/dev/start-dev.test.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/tests/docs.test.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/tests/helpers/mock-oauth-flow.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/tests/logout.test.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/tests/open-in-browser.test.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/tests/profiles.test.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/tests/user.test.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/tests/vitest.setup.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/agents-skills-install.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/ai-search/create.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/api/deploy-helpers-context.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/api/startDevWorker/DevEnv.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/autoconfig-context.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/browser-rendering/create.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/browser-rendering/view.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/cloudchamber/common.ts: [@cloudflare/cloudchamber @cloudflare/wrangler]
  • packages/wrangler/src/cloudchamber/create.ts: [@cloudflare/cloudchamber @cloudflare/wrangler]
  • packages/wrangler/src/cloudchamber/delete.ts: [@cloudflare/cloudchamber @cloudflare/wrangler]
  • packages/wrangler/src/cloudchamber/images/images.ts: [@cloudflare/cloudchamber @cloudflare/wrangler]
  • packages/wrangler/src/cloudchamber/images/registries.ts: [@cloudflare/cloudchamber @cloudflare/wrangler]
  • packages/wrangler/src/cloudchamber/list.ts: [@cloudflare/cloudchamber @cloudflare/wrangler]
  • packages/wrangler/src/cloudchamber/modify.ts: [@cloudflare/cloudchamber @cloudflare/wrangler]
  • packages/wrangler/src/cloudchamber/ssh/ssh.ts: [@cloudflare/cloudchamber @cloudflare/wrangler]
  • packages/wrangler/src/config-cache.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/containers/containers.ts: [@cloudflare/cloudchamber @cloudflare/wrangler]
  • packages/wrangler/src/containers/images.ts: [@cloudflare/cloudchamber @cloudflare/wrangler]
  • packages/wrangler/src/containers/instances.ts: [@cloudflare/cloudchamber @cloudflare/wrangler]
  • packages/wrangler/src/containers/list.ts: [@cloudflare/cloudchamber @cloudflare/wrangler]
  • packages/wrangler/src/containers/registries.ts: [@cloudflare/cloudchamber @cloudflare/wrangler]
  • packages/wrangler/src/core/register-yargs-command.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/d1/migrations/apply.ts: [@cloudflare/d1 @cloudflare/wrangler]
  • packages/wrangler/src/d1/migrations/helpers.ts: [@cloudflare/d1 @cloudflare/wrangler]
  • packages/wrangler/src/deploy/autoconfig.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/deploy/index.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/dev/hotkeys.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/dev/start-dev.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/dialogs.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/docs/index.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/metrics/metrics-dispatcher.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/pages/deploy.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/pages/deployment-tails.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/pages/deployments.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/pages/download-config.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/pages/run-workers-deploy.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/pages/secret/index.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/pages/upload.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/pipelines/client.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/queues/cli/commands/purge.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/r2/lifecycle.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/r2/lock.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/r2/sql.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/turnstile/create.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/turnstile/delete.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/turnstile/get.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/turnstile/list.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/turnstile/update.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/user/access.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/user/auth-config-file.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/user/auth-variables.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/user/commands.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/user/fetch-accounts.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/user/generate-auth-url.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/user/generate-random-state.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/user/index.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/user/keyring-preference.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/user/preferences.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/user/profile-store.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/user/profiles.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/user/temporary-terms.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/user/user.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/user/whoami.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/utils/onKeyPress.ts: [@cloudflare/wrangler]
  • pnpm-lock.yaml: [@cloudflare/wrangler]

devin-ai-integration[bot]

This comment was marked as resolved.

@penalosa penalosa marked this pull request as draft July 10, 2026 12:10
penalosa added 3 commits July 10, 2026 14:20
…er tests

Moving isInteractive/isNonInteractiveOrCI into workers-utils (and reading
CI in workers-auth's account-name redaction) meant CI detection now runs
inside packages that wrangler consumes as bundled distributables. The
inlined ci-info copy is a separate, unmockable module instance that reads
the real environment, so in CI (isCI=true) every confirm/select prompt
silently auto-answered non-interactively — breaking ~460 wrangler tests —
and the account-name redaction check ran against the real CI flag instead
of the mocked one, so its test had lost coverage.

- workers-utils: add an isCI() helper alongside isInteractive/
  isNonInteractiveOrCI.
- workers-auth: read isCI() from workers-utils in the account-selection
  redaction path instead of importing ci-info directly (drops workers-auth's
  ci-info dependency).
- wrangler tests: extend the existing @cloudflare/workers-utils partial-mock
  to also route isNonInteractiveOrCI/isCI through the mockable ci-info. This
  reaches every consumer — wrangler source and the bundled workers-auth
  (@cloudflare/* is external in its bundle) — so the existing
  vi.mocked(ci).isCI convention keeps controlling CI-gated behaviour, and
  the redaction test again exercises the real code path (snapshot restored
  to "(redacted)").
…te cf's config cache

- hasEnvCredentials now uses the product's allowGlobalAuthKey, so cf (scoped-token-only) no longer treats a bare CLOUDFLARE_API_KEY+CLOUDFLARE_EMAIL pair as "logged in via env" and wrongly blocks login/logout.
- createConfigCache takes a namespace so each CLI gets an isolated cache dir; cf uses "cloudflare" so cf login/logout never purges wrangler's cache. WRANGLER_CACHE_DIR stays wrangler-only.
- Add regression tests + a changeset for the workers-auth/cf entrypoint.
@github-actions

Copy link
Copy Markdown
Contributor

✅ All changesets look good

@penalosa penalosa changed the title [wrangler] Extract auth into @cloudflare/workers-auth and remove re-export shims [workers-auth] Extract auth into @cloudflare/workers-auth, make it product-agnostic, and add a cf entrypoint Jul 10, 2026
@penalosa penalosa marked this pull request as ready for review July 10, 2026 14:38

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i suppose we don't have to do this now, but we can remove isNonInteractiveOrCI from the deploy-heleprs context entirely and just import directly from workers-utils

@@ -0,0 +1,69 @@
// The Cloudflare OAuth scope catalog, shared by every CLI built on this auth
// layer (wrangler, cf, …). `DefaultScopeKeys` is a mutable live binding:
// `setLoginScopeKeys` reassigns it (wrangler's `--experimental-scopes` / product

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what is --experimental-scopes? is it new in this PR? can we get a changeset for it?

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we rename this folder 'core'? i was confused by what product meant here (its the non-product specific parts?)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

other than the interfaces, is this all just moved from other places? (do i need to review this?)

@@ -0,0 +1,77 @@
import {
getAuthConfigFilePath as getAuthConfigFilePathForConfig,

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
getAuthConfigFilePath as getAuthConfigFilePathForConfig,
getAuthConfigFilePath as getAuthConfigFilePathInternal,

something like that? getAuthConfigFilePathForConfig is a bit convoluted 😅

Comment on lines +14 to +28
* A file-on-disk storage backend, parameterised by the on-disk {@link FileFormat}
* (TOML for wrangler, JSON for cf) and the path it reads and writes. Used by the
* temporary-preview-account store and the plaintext auth-profile primitives.
*
* `read()` follows the `ConfigStorage<T>` contract: a missing file *or* a file
* that exists but can't be parsed as `T` is the empty state and returns
* `undefined`, so a corrupt store is treated as "nothing usable here" (e.g. a
* stale temporary-account cache is re-minted instead of hard-erroring). Only
* genuine I/O errors (`EACCES`, `EISDIR`, ...) propagate. This is deliberately
* distinct from `FileCredentialStore`, which surfaces a corrupt *credential*
* file as a throw so the user can fix it.
*
* Files are written with mode `0o600` on creation and re-`chmod`'d on every
* save (the `mode` option only applies on creation) so other local users on
* shared hosts can't read the stored credentials.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* A file-on-disk storage backend, parameterised by the on-disk {@link FileFormat}
* (TOML for wrangler, JSON for cf) and the path it reads and writes. Used by the
* temporary-preview-account store and the plaintext auth-profile primitives.
*
* `read()` follows the `ConfigStorage<T>` contract: a missing file *or* a file
* that exists but can't be parsed as `T` is the empty state and returns
* `undefined`, so a corrupt store is treated as "nothing usable here" (e.g. a
* stale temporary-account cache is re-minted instead of hard-erroring). Only
* genuine I/O errors (`EACCES`, `EISDIR`, ...) propagate. This is deliberately
* distinct from `FileCredentialStore`, which surfaces a corrupt *credential*
* file as a throw so the user can fix it.
*
* Files are written with mode `0o600` on creation and re-`chmod`'d on every
* save (the `mode` option only applies on creation) so other local users on
* shared hosts can't read the stored credentials.
* adapter for writing TOML or JSON files

Comment thread packages/workers-auth/src/product/temporary-terms.ts
* `CLOUDFLARE_ACCOUNT_ID` overrides the account inferred from the current user.
*
* This is a Cloudflare-wide variable (not wrangler-specific), so it lives in the
* shared core rather than a consumer layer. `CF_ACCOUNT_ID` is the deprecated

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the rest of this file is mostly 'WRANGLER_' env vars, which should probably be included in the core product/cf/wrangler refactor?

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what about moving this into product/, and just making wrangler/cf set fileFormat: 'toml' | 'json' instead of passing in these objects? it's not really extensible as it is, not do we really want to add more file types

// CLOUDFLARE_EMAIL pair (with no CLOUDFLARE_API_TOKEN) must NOT count as
// "logged in via env". Otherwise logout/login would wrongly bail with
// "You are logged in with an API Token" even though cf ignores those creds.
vi.stubEnv("CLOUDFLARE_API_KEY", "deadbeef");

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

...deadbeef? 😅

* the same regardless of `WRANGLER_API_ENVIRONMENT`; override via the env var
* if a different app is ever needed.
*/
export const getClientIdFromEnv = getEnvironmentVariableFactory({

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is there any point in having this as an env var and not just hard coding it in?

'CLOUDFLARE_CLIENT_ID' feels like a very generic non-auth specific env var that might be useful for something else at some point in time

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We use WRANGLER_CIENT_ID for this in Wrangler, so this is trying to mirror that

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is there any point in that either, really? it wouldn't be breaking to remove it, given no one external can generate these ids. or we could rename it WRANGLER_OAUTH_CLIENT_ID as well

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i'm not dying on this hill though, feel free to resolve

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Untriaged

Development

Successfully merging this pull request may close these issues.

3 participants