Initial Commit

Author: frankmeszaros

apps/cloudflare-one-casb/.dev.vars.example

@@ -0,0 +1,2 @@
+CLOUDFLARE_CLIENT_ID=
+CLOUDFLARE_CLIENT_SECRET=

apps/cloudflare-one-casb/.eslintrc.cjs

@@ -0,0 +1,5 @@
+/** @type {import("eslint").Linter.Config} */
+module.exports = {
+	root: true,
+	extends: ['@repo/eslint-config/default.cjs'],
+}

apps/cloudflare-one-casb/README.md

@@ -0,0 +1,36 @@
+# Model Context Protocol (MCP) Server + Cloudflare OAuth
+
+This is a [Model Context Protocol (MCP)](https://modelcontextprotocol.io/introduction) server that supports remote MCP connections, with Cloudflare OAuth built-in.
+
+You should use this as a template to build an MCP server for Cloudflare, provided by Cloudflare at `server-name.mcp.cloudflare.com`. It has a basic set of tools `apps/template-start-here/src/tools/logs.ts` — you can modify these to do what you need
+
+## Getting Started
+
+
+- Set secrets via Wrangler (ask in the `Cloudflare's Own MCP Servers` internal channel to get credentials)
+
+```bash
+wrangler secret put CLOUDFLARE_CLIENT_ID
+wrangler secret put CLOUDFLARE_CLIENT_SECRET
+```
+
+#### Set up a KV namespace
+
+- Create the KV namespace:
+  `wrangler kv:namespace create "OAUTH_KV"`
+- Update the Wrangler file with the KV ID
+
+#### Deploy & Test
+
+Deploy the MCP server to make it available on your workers.dev domain
+` wrangler deploy`
+
+Test the remote server using [Inspector](https://modelcontextprotocol.io/docs/tools/inspector):
+
+```
+npx @modelcontextprotocol/inspector@latest
+```
+
+## Deploying to production
+
+- You will need to liberate the zone (LTZ) for your `<server-name>.mcp.cloudflare.com`

apps/cloudflare-one-casb/package.json

@@ -0,0 +1,33 @@
+{
+	"name": "example-cloudflare-mcp-server",
+	"version": "0.0.1",
+	"private": true,
+	"scripts": {
+		"check:lint": "run-eslint-workers",
+		"check:types": "run-tsc",
+		"deploy": "wrangler deploy",
+		"dev": "wrangler dev",
+		"start": "wrangler dev",
+		"cf-typegen": "wrangler types",
+		"test": "vitest run"
+	},
+	"dependencies": {
+		"@cloudflare/workers-oauth-provider": "0.0.2",
+		"@hono/zod-validator": "0.4.3",
+		"@modelcontextprotocol/sdk": "1.8.0",
+		"@repo/mcp-common": "workspace:*",
+		"agents": "0.0.49",
+		"cloudflare": "4.2.0",
+		"hono": "4.7.6",
+		"zod": "3.24.2"
+	},
+	"devDependencies": {
+		"@cloudflare/vitest-pool-workers": "0.8.14",
+		"@cloudflare/workers-types": "4.20250410.0",
+		"@types/jsonwebtoken": "9.0.9",
+		"prettier": "3.5.3",
+		"typescript": "5.5.4",
+		"vitest": "3.0.9",
+		"wrangler": "4.10.0"
+	}
+}

apps/cloudflare-one-casb/src/index.ts

@@ -0,0 +1,81 @@
+import OAuthProvider from '@cloudflare/workers-oauth-provider'
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js'
+import { McpAgent } from 'agents/mcp'
+import { env } from 'cloudflare:workers'
+
+import {
+	CloudflareAuthHandler,
+	handleTokenExchangeCallback,
+} from '@repo/mcp-common/src/cloudflare-oauth-handler'
+import { registerAccountTools } from '@repo/mcp-common/src/tools/account'
+
+import { registerIntegrationsTools } from './tools/integrations'
+
+import type { AccountSchema, UserSchema } from '@repo/mcp-common/src/cloudflare-oauth-handler'
+
+// Context from the auth process, encrypted & stored in the auth token
+// and provided to the DurableMCP as this.props
+export type Props = {
+	accessToken: string
+	user: UserSchema['result']
+	accounts: AccountSchema['result']
+}
+
+export type State = { activeAccountId: string | null }
+
+export class MyMCP extends McpAgent<Env, State, Props> {
+	server = new McpServer({
+		name: 'Remote MCP Server with Workers Observability',
+		version: '1.0.0',
+	})
+
+	initialState: State = {
+		activeAccountId: null,
+	}
+
+	async init() {
+		registerAccountTools(this)
+
+		registerIntegrationsTools(this, env.CLOUDFLARE_GLOBAL_API_KEY)
+
+		// TODO: registerFindingsTools @mleslie
+	}
+
+	getActiveAccountId() {
+		// TODO: Figure out why this fail sometimes, and why we need to wrap this in a try catch
+		try {
+			return this.state.activeAccountId ?? null
+		} catch (e) {
+			console.error('getActiveAccountId failured: ', e)
+			return null
+		}
+	}
+
+	setActiveAccountId(accountId: string) {
+		console.log('Setting account ID: ', accountId)
+		// TODO: Figure out why this fail sometimes, and why we need to wrap this in a try catch
+		try {
+			this.setState({
+				...this.state,
+				activeAccountId: accountId,
+			})
+		} catch (e) {
+			return null
+		}
+	}
+}
+
+export default new OAuthProvider({
+	apiRoute: '/sse',
+	// @ts-ignore
+	apiHandler: MyMCP.mount('/sse'),
+	// @ts-ignore
+	defaultHandler: CloudflareAuthHandler,
+	authorizeEndpoint: '/oauth/authorize',
+	tokenEndpoint: '/token',
+	tokenExchangeCallback: (options) =>
+		handleTokenExchangeCallback(options, env.CLOUDFLARE_CLIENT_ID, env.CLOUDFLARE_CLIENT_SECRET),
+	// Cloudflare access token TTL
+	accessTokenTTL: 3600,
+	clientRegistrationEndpoint: '/register',
+})

apps/cloudflare-one-casb/src/tools/findings.ts

@@ -0,0 +1 @@
+// TODO: @mleslie start here