Merge pull request #724 from runtimed/dev/jroberts/projects-artifacts

Dev/jroberts/projects artifacts

Author: JacobRoberts

.dev.vars.example

@@ -1,7 +1,7 @@
 # This is an example file for local Worker development.
 # Copy this file to .dev.vars and fill in the values.
 # This file SHOULD NOT contain real production secrets.
-AUTH_ISSUER="http://localhost:8787/local_oidc"
+AUTH_ISSUER="https://auth.stage.anaconda.com/api/auth"
 
 # Local authentication control
 # Set to "true" to enable local OIDC endpoints for development
@@ -19,3 +19,8 @@ ALLOW_LOCAL_AUTH="true"
 # - VITE_CLIENT_ID: Your OAuth client ID
 #
 # The backend expects RS256 JWT tokens from the OIDC provider.
+
+# Cloudflare Access headers for service-to-service authentication with Projects service
+# These are optional - only needed if you want to test Cloudflare Access authentication locally
+# CLOUDFLARE_SERVICE_TOKEN_CLIENT_ID="your-client-id"
+# CLOUDFLARE_SERVICE_TOKEN_CLIENT_SECRET="your-client-secret"

.github/workflows/.deploy-reusable.yml

@@ -22,6 +22,10 @@ on:
         required: true
       CLOUDFLARE_ACCOUNT_ID:
         required: true
+      CLOUDFLARE_SERVICE_TOKEN_CLIENT_ID:
+        required: false
+      CLOUDFLARE_SERVICE_TOKEN_CLIENT_SECRET:
+        required: false
 
 jobs:
   deploy:
@@ -78,6 +82,7 @@ jobs:
           VITE_GIT_COMMIT_HASH: ${{ github.sha }}
           VITE_LS_DEV: "true"
           ENABLE_LIVESTORE_DEVTOOLS: ${{ vars.ENABLE_LIVESTORE_DEVTOOLS }}
+          VITE_USE_PROJECTS_ARTIFACTS: ${{ vars.VITE_USE_PROJECTS_ARTIFACTS }}
 
       - name: Build iframe outputs
         run: pnpm run build:iframe
@@ -99,6 +104,24 @@ jobs:
           CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
           CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
 
+      - name: Set Cloudflare service token secrets from GitHub
+        # Set secrets in Cloudflare Workers from GitHub environment secrets
+        # This approach is compatible with future Kubernetes deployment where
+        # these would be set as environment variables in the pod/deployment
+        run: |
+          if [ -n "$CLOUDFLARE_SERVICE_TOKEN_CLIENT_ID" ] && [ -n "$CLOUDFLARE_SERVICE_TOKEN_CLIENT_SECRET" ]; then
+            echo "Setting Cloudflare service token secrets from GitHub environment secrets..."
+            echo "$CLOUDFLARE_SERVICE_TOKEN_CLIENT_ID" | pnpm wrangler secret put CLOUDFLARE_SERVICE_TOKEN_CLIENT_ID --env ${{ inputs.environment }}
+            echo "$CLOUDFLARE_SERVICE_TOKEN_CLIENT_SECRET" | pnpm wrangler secret put CLOUDFLARE_SERVICE_TOKEN_CLIENT_SECRET --env ${{ inputs.environment }}
+          else
+            echo "Cloudflare service token secrets not provided in GitHub environment, skipping..."
+          fi
+        env:
+          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+          CLOUDFLARE_SERVICE_TOKEN_CLIENT_ID: ${{ secrets.CLOUDFLARE_SERVICE_TOKEN_CLIENT_ID }}
+          CLOUDFLARE_SERVICE_TOKEN_CLIENT_SECRET: ${{ secrets.CLOUDFLARE_SERVICE_TOKEN_CLIENT_SECRET }}
+
       - name: Deploy base app (with retry)
         run: |
           # Retry deployment up to 3 times with exponential backoff

.github/workflows/auto-deploy-preview.yml

@@ -14,3 +14,5 @@ jobs:
     secrets:
       CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
       CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+      CLOUDFLARE_SERVICE_TOKEN_CLIENT_ID: ${{ secrets.CLOUDFLARE_SERVICE_TOKEN_CLIENT_ID }}
+      CLOUDFLARE_SERVICE_TOKEN_CLIENT_SECRET: ${{ secrets.CLOUDFLARE_SERVICE_TOKEN_CLIENT_SECRET }}

.github/workflows/deploy-preview-manually.yml

@@ -20,3 +20,5 @@ jobs:
     secrets:
       CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
       CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+      CLOUDFLARE_SERVICE_TOKEN_CLIENT_ID: ${{ secrets.CLOUDFLARE_SERVICE_TOKEN_CLIENT_ID }}
+      CLOUDFLARE_SERVICE_TOKEN_CLIENT_SECRET: ${{ secrets.CLOUDFLARE_SERVICE_TOKEN_CLIENT_SECRET }}

.github/workflows/deploy-production.yml

@@ -37,3 +37,5 @@ jobs:
     secrets:
       CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
       CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+      CLOUDFLARE_SERVICE_TOKEN_CLIENT_ID: ${{ secrets.CLOUDFLARE_SERVICE_TOKEN_CLIENT_ID }}
+      CLOUDFLARE_SERVICE_TOKEN_CLIENT_SECRET: ${{ secrets.CLOUDFLARE_SERVICE_TOKEN_CLIENT_SECRET }}

.github/workflows/validate-preview.yml

@@ -14,3 +14,5 @@ jobs:
     secrets:
       CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
       CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+      CLOUDFLARE_SERVICE_TOKEN_CLIENT_ID: ${{ secrets.CLOUDFLARE_SERVICE_TOKEN_CLIENT_ID }}
+      CLOUDFLARE_SERVICE_TOKEN_CLIENT_SECRET: ${{ secrets.CLOUDFLARE_SERVICE_TOKEN_CLIENT_SECRET }}

backend/api-key-routes.ts

@@ -1,6 +1,6 @@
 import { Hono } from "hono";
 import { type Env } from "./types.ts";
-import { authMiddleware, type AuthContext } from "./middleware.ts";
+import { authMiddleware, type RequestContext } from "./middleware.ts";
 import {
   createApiKeyProvider,
   isUsingLocalProvider,
@@ -16,8 +16,9 @@ import {
 import { RuntError, ErrorType } from "./types.ts";
 import { D1Driver } from "@japikey/cloudflare";
 import { JSONWebKeySet } from "jose";
+import { getBearerToken } from "./utils/request-utils.ts";
 
-const apiKeyRoutes = new Hono<{ Bindings: Env; Variables: AuthContext }>();
+const apiKeyRoutes = new Hono<{ Bindings: Env; Variables: RequestContext }>();
 
 /**
  * Middleware to ensure OAuth authentication (not API key) for sensitive operations
@@ -38,7 +39,7 @@ const oauthOnlyMiddleware = async (c: any, next: any) => {
   }
 
   // Check if this was authenticated via API key
-  const authToken = c.req.header("Authorization")?.replace("Bearer ", "");
+  const authToken = getBearerToken(c.req);
   if (authToken) {
     const provider = createApiKeyProvider(c.env);
     const providerContext = createProviderContext(c.env, authToken);
@@ -85,7 +86,7 @@ apiKeyRoutes.get("/:kid/.well-known/jwks.json", async (c) => {
  */
 apiKeyRoutes.post("/", oauthOnlyMiddleware, async (c) => {
   const passport = c.get("passport");
-  const authToken = c.req.header("Authorization")?.replace("Bearer ", "");
+  const authToken = getBearerToken(c.req);
 
   if (!passport || !authToken) {
     return c.json(
@@ -138,7 +139,7 @@ apiKeyRoutes.post("/", oauthOnlyMiddleware, async (c) => {
 apiKeyRoutes.get("/:id", authMiddleware, async (c) => {
   const keyId = c.req.param("id");
   const passport = c.get("passport");
-  const authToken = c.req.header("Authorization")?.replace("Bearer ", "");
+  const authToken = getBearerToken(c.req);
 
   if (!passport || !authToken) {
     return c.json(
@@ -193,7 +194,7 @@ apiKeyRoutes.get("/:id", authMiddleware, async (c) => {
  */
 apiKeyRoutes.get("/", authMiddleware, async (c) => {
   const passport = c.get("passport");
-  const authToken = c.req.header("Authorization")?.replace("Bearer ", "");
+  const authToken = getBearerToken(c.req);
 
   if (!passport || !authToken) {
     return c.json(
@@ -271,7 +272,7 @@ apiKeyRoutes.get("/", authMiddleware, async (c) => {
 apiKeyRoutes.delete("/:id", authMiddleware, async (c) => {
   const keyId = c.req.param("id");
   const passport = c.get("passport");
-  const authToken = c.req.header("Authorization")?.replace("Bearer ", "");
+  const authToken = getBearerToken(c.req);
 
   if (!passport || !authToken) {
     return c.json(
@@ -335,7 +336,7 @@ apiKeyRoutes.delete("/:id", authMiddleware, async (c) => {
 apiKeyRoutes.patch("/:id", authMiddleware, async (c) => {
   const keyId = c.req.param("id");
   const passport = c.get("passport");
-  const authToken = c.req.header("Authorization")?.replace("Bearer ", "");
+  const authToken = getBearerToken(c.req);
 
   if (!passport || !authToken) {
     return c.json(