auth worker for login

kunwarsaluja · kunwarsaluja · commit 39efe4530446 · 2026-03-13T11:58:42.000-04:00
diff --git a/package.json b/package.json
@@ -13,6 +13,9 @@
     "build:json:definitions": "merge-json-cli -i \"ue/models/component-definition.json\" -o \"component-definition.json\"",
     "build:json:filters": "merge-json-cli -i \"ue/models/component-filters.json\" -o \"component-filters.json\"",
     "prepare": "husky",
+    "dev:auth": "wrangler dev --config ./workers/auth/wrangler.toml",
+    "deploy:auth": "wrangler deploy --config ./workers/auth/wrangler.toml",
+    "tail:auth": "wrangler tail --config ./workers/auth/wrangler.toml",
     "dev:contact-us": "wrangler dev --config ./workers/contact_us/wrangler.toml",
     "deploy:contact-us": "wrangler deploy --config ./workers/contact_us/wrangler.toml",
     "tail:contact-us": "wrangler tail --config ./workers/contact_us/wrangler.toml"
diff --git a/scripts/shared/auth-api.js b/scripts/shared/auth-api.js
@@ -0,0 +1,40 @@
+const AUTH_ORIGIN = 'https://demo-bbird-auth.aem-poc-lab.workers.dev';
+const AUTH_PATHS = {
+  login: '/auth/login',
+  session: '/auth/session',
+};
+
+const AUTH_LABELS = {
+  login: 'Login',
+  logout: 'Logout',
+};
+
+function authUrl(path) {
+  return new URL(path, AUTH_ORIGIN).toString();
+}
+
+export function getDefaultAuthLabel(type) {
+  return AUTH_LABELS[type] || '';
+}
+
+export function getLoginUrl(returnTo = window.location.href) {
+  const target = new URL(AUTH_PATHS.login, AUTH_ORIGIN);
+  target.searchParams.set('returnTo', returnTo);
+  return target.toString();
+}
+
+export function getLogoutUrl() {
+  return authUrl('/auth/logout');
+}
+
+export async function getSessionState() {
+  const response = await fetch(authUrl(AUTH_PATHS.session), {
+    method: 'GET',
+    credentials: 'include',
+    headers: { Accept: 'application/json' },
+  });
+  if (!response.ok) {
+    throw new Error(`Auth session request failed: ${response.status}`);
+  }
+  return response.json();
+}
diff --git a/workers/auth/README.md b/workers/auth/README.md
@@ -0,0 +1,58 @@
+# Auth Test Worker
+
+Lightweight Cloudflare Worker to drive login/logout/session state for the header auth button.
+
+## Endpoints
+
+- `GET /auth/login?returnTo=<url-or-path>` -> triggers Access and redirects to `returnTo`
+- `GET /auth/logout` -> logs out via app domain `/cdn-cgi/access/logout` (logout success page)
+- `GET /auth/session` -> returns `{ authenticated, email, hasJwtAssertion }`
+
+## Setup
+
+1. Make sure your Cloudflare Access application protects the same hostname and `/auth/*` path.
+2. Use the configured worker name in `wrangler.toml` (`demo-bbird-auth`) or change it.
+3. Deploy from the project root:
+
+```bash
+npm install
+npm run deploy:auth
+```
+
+## Local dev
+
+```bash
+npm run dev:auth
+```
+
+## Test flow
+
+1. Open an incognito window.
+2. Visit the login endpoint, for example:
+
+```text
+https://demo-bbird-auth.aem-poc-lab.workers.dev/auth/login?returnTo=http://localhost:3000/
+```
+
+3. Enter an allowed email address on the Access screen.
+4. Enter the one-time PIN.
+5. Confirm your site loads and `/auth/session` shows `authenticated: true`.
+
+## Logout
+
+Visit:
+
+```text
+https://demo-bbird-auth.aem-poc-lab.workers.dev/auth/logout
+```
+
+## Site integration
+
+Header auth URLs are centralized in:
+
+`scripts/shared/auth-api.js`
+
+Update `AUTH_ORIGIN` there if your worker hostname changes.
+
+Logout uses app-domain endpoint: `https://demo-bbird-auth.aem-poc-lab.workers.dev/cdn-cgi/access/logout`
+without additional redirect parameters for demo simplicity.
diff --git a/workers/auth/index.js b/workers/auth/index.js
@@ -0,0 +1,107 @@
+const JSON_HEADERS = {
+  'Cache-Control': 'no-store',
+  'Content-Type': 'application/json; charset=utf-8',
+};
+
+const DEFAULT_RETURN_PATH = '/auth/session';
+
+function getAccessContext(request) {
+  const email = request.headers.get('Cf-Access-Authenticated-User-Email');
+  const jwt = request.headers.get('Cf-Access-Jwt-Assertion');
+
+  return {
+    authenticated: Boolean(email || jwt),
+    email: email || '',
+    hasJwtAssertion: Boolean(jwt),
+  };
+}
+
+function getSafeReturnTo(requestUrl) {
+  const returnTo = requestUrl.searchParams.get('returnTo');
+
+  if (!returnTo) return `${requestUrl.origin}${DEFAULT_RETURN_PATH}`;
+
+  try {
+    const absolute = new URL(returnTo, requestUrl.origin);
+    if (absolute.protocol === 'http:' || absolute.protocol === 'https:') return absolute.toString();
+  } catch (e) {
+    // no-op
+  }
+
+  return `${requestUrl.origin}${DEFAULT_RETURN_PATH}`;
+}
+
+function getCorsHeaders(request) {
+  const origin = request.headers.get('Origin');
+  return origin ? {
+    'Access-Control-Allow-Credentials': 'true',
+    'Access-Control-Allow-Headers': 'Content-Type',
+    'Access-Control-Allow-Methods': 'GET, OPTIONS',
+    'Access-Control-Allow-Origin': origin,
+    Vary: 'Origin',
+  } : {};
+}
+
+function json(request, body, init = {}) {
+  return new Response(JSON.stringify(body, null, 2), {
+    ...init,
+    headers: {
+      ...JSON_HEADERS,
+      ...getCorsHeaders(request),
+      ...(init.headers || {}),
+    },
+  });
+}
+
+function redirect(location) {
+  const headers = { Location: location };
+  return new Response(null, {
+    status: 302,
+    headers,
+  });
+}
+
+export default {
+  async fetch(request) {
+    const url = new URL(request.url);
+    const { pathname } = url;
+    const access = getAccessContext(request);
+
+    if (request.method === 'OPTIONS') {
+      return new Response(null, {
+        status: 204,
+        headers: {
+          ...getCorsHeaders(request),
+        },
+      });
+    }
+
+    if (request.method !== 'GET') {
+      return json(request, { error: 'Method not allowed' }, {
+        status: 405,
+        headers: { Allow: 'GET' },
+      });
+    }
+
+    if (pathname === '/auth/login') {
+      return redirect(getSafeReturnTo(url));
+    }
+
+    if (pathname === '/auth/logout') {
+      const logoutUrl = new URL('/cdn-cgi/access/logout', url.origin);
+      return redirect(logoutUrl.toString());
+    }
+
+    if (pathname === '/auth/session') {
+      return json(request, {
+        ...access,
+        path: pathname,
+      });
+    }
+
+    return json(request, {
+      error: 'Not found',
+      availablePaths: ['/auth/login', '/auth/logout', '/auth/session'],
+    }, { status: 404 });
+  },
+};
diff --git a/workers/auth/wrangler.toml b/workers/auth/wrangler.toml
@@ -0,0 +1,8 @@
+name = "demo-bbird-auth"
+main = "index.js"
+compatibility_date = "2026-03-13"
+workers_dev = true
+account_id = "ac7ee4615628005dc5ba0a22f0aae2a6"
+
+[observability.logs]
+enabled = true
