Test

Author: Maximo-Guk

apps/radar/.dev.vars.example

@@ -1,3 +1,6 @@
 CLOUDFLARE_CLIENT_ID=
 CLOUDFLARE_CLIENT_SECRET=
 URL_SCANNER_API_TOKEN=
+DEV_DISABLE_OAUTH=
+DEV_CLOUDFLARE_API_TOKEN=
+DEV_CLOUDFLARE_EMAIL=

apps/radar/CONTRIBUTING.md

@@ -0,0 +1,67 @@
+# Setup
+
+## Local Development
+
+If you'd like to iterate and test your MCP server, you can do so in local development.
+
+1. Create a `.dev.vars` file in your project root:
+
+   If you're a Cloudflare employee:
+   ```
+   CLOUDFLARE_CLIENT_ID=your_development_cloudflare_client_id
+   CLOUDFLARE_CLIENT_SECRET=your_development_cloudflare_client_secret
+   URL_SCANNER_API_TOKEN=your_development_url_scanner_api_token
+   ```
+
+   If you're an external contributor, you can provide a development API token like so:
+   ```
+   DEV_DISABLE_OAUTH=true
+   # This is your global api token
+   DEV_CLOUDFLARE_API_TOKEN=your_development_api_token
+   URL_SCANNER_API_TOKEN=your_development_url_scanner_api_token
+   ```
+
+2. Start the local development server:
+
+   ```bash
+   npx wrangler dev
+   ```
+
+3. To test locally, open Inspector, and connect to `http://localhost:8976/sse`.
+   Once you follow the prompts, you'll be able to "List Tools".
+
+   You can also connect to Claude Desktop.
+
+## Deploying the Worker ( Cloudflare employees only )
+
+Set secrets via Wrangler:
+
+```bash
+npx wrangler secret put CLOUDFLARE_CLIENT_ID -e <ENVIRONMENT>
+npx wrangler secret put CLOUDFLARE_CLIENT_SECRET -e <ENVIRONMENT>
+npx wrangler secret put URL_SCANNER_API_TOKEN -e <ENVIRONMENT>
+```
+
+## Set up a KV namespace
+
+Create the KV namespace:
+
+```bash
+npx wrangler kv namespace create "OAUTH_KV"
+```
+
+Then, update the Wrangler file with the generated KV namespace ID.
+
+## Deploy & Test
+
+Deploy the MCP server to make it available on your workers.dev domain:
+
+```bash
+npx wrangler deploy -e <ENVIRONMENT>
+```
+
+Test the remote server using [Inspector](https://modelcontextprotocol.io/docs/tools/inspector):
+
+```bash
+npx @modelcontextprotocol/inspector@latest
+```

apps/radar/README.md

@@ -56,62 +56,4 @@ Once you restart Claude Desktop, a browser window will open showing your OAuth l
 Complete the authentication flow to grant Claude access to your MCP server.
 After you grant access, the tools will become available for you to use.
 
-## Setup
-
-#### Secrets
-
-Set secrets via Wrangler:
-
-```bash
-npx wrangler secret put CLOUDFLARE_CLIENT_ID -e <ENVIRONMENT>
-npx wrangler secret put CLOUDFLARE_CLIENT_SECRET -e <ENVIRONMENT>
-npx wrangler secret put URL_SCANNER_API_TOKEN -e <ENVIRONMENT>
-```
-
-#### Set up a KV namespace
-
-Create the KV namespace:
-
-```bash
-npx wrangler kv namespace create "OAUTH_KV"
-```
-
-Then, update the Wrangler file with the generated KV namespace ID.
-
-#### Deploy & Test
-
-Deploy the MCP server to make it available on your workers.dev domain:
-
-```bash
-npx wrangler deploy -e <ENVIRONMENT>
-```
-
-Test the remote server using [Inspector](https://modelcontextprotocol.io/docs/tools/inspector):
-
-```bash
-npx @modelcontextprotocol/inspector@latest
-```
-
-## Local Development
-
-If you'd like to iterate and test your MCP server, you can do so in local development.
-This will require you to create another OAuth App on Cloudflare:
-
-1. Create a `.dev.vars` file in your project root with:
-
-   ```
-   CLOUDFLARE_CLIENT_ID=your_development_cloudflare_client_id
-   CLOUDFLARE_CLIENT_SECRET=your_development_cloudflare_client_secret
-   URL_SCANNER_API_TOKEN=your_development_url_scanner_api_token
-   ```
-
-2. Start the local development server:
-
-   ```bash
-   npx wrangler dev
-   ```
-
-3. To test locally, open Inspector, and connect to `http://localhost:8976/sse`.
-   Once you follow the prompts, you'll be able to "List Tools".
-
-   You can also connect to Claude Desktop.
+Interested in contributing, and running this server locally? See [CONTRIBUTING.md](CONTRIBUTING.md) to get started.

apps/radar/src/context.ts

@@ -11,4 +11,7 @@ export interface Env {
 	URL_SCANNER_API_TOKEN: string
 	MCP_OBJECT: DurableObjectNamespace<RadarMCP>
 	MCP_METRICS: AnalyticsEngineDataset
+	DEV_DISABLE_OAUTH: string
+	DEV_CLOUDFLARE_API_TOKEN: string
+	DEV_CLOUDFLARE_EMAIL: string
 }

apps/radar/src/index.ts

@@ -3,6 +3,7 @@ import { McpAgent } from 'agents/mcp'
 
 import {
 	createAuthHandlers,
+	getUserAndAccounts,
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
 import { getEnv } from '@repo/mcp-common/src/env'
@@ -74,16 +75,41 @@ const RadarScopes = {
 	offline_access: 'Grants refresh tokens for long-lived access.',
 } as const
 
-export default new OAuthProvider({
-	apiRoute: '/sse',
-	apiHandler: RadarMCP.mount('/sse'),
-	// @ts-ignore
-	defaultHandler: createAuthHandlers({ scopes: RadarScopes, metrics }),
-	authorizeEndpoint: '/oauth/authorize',
-	tokenEndpoint: '/token',
-	tokenExchangeCallback: (options) =>
-		handleTokenExchangeCallback(options, env.CLOUDFLARE_CLIENT_ID, env.CLOUDFLARE_CLIENT_SECRET),
-	// Cloudflare access token TTL
-	accessTokenTTL: 3600,
-	clientRegistrationEndpoint: '/register',
-})
+async function handleDevMode(req: Request, env: Env, ctx: ExecutionContext) {
+	const { user, accounts } = await getUserAndAccounts(env.DEV_CLOUDFLARE_API_TOKEN, {
+		'X-Auth-Email': env.DEV_CLOUDFLARE_EMAIL,
+		'X-Auth-Key': env.DEV_CLOUDFLARE_API_TOKEN,
+	})
+	ctx.props = {
+		accessToken: env.DEV_CLOUDFLARE_API_TOKEN,
+		user,
+		accounts,
+	} as Props
+	return RadarMCP.mount('/sse').fetch(req, env, ctx)
+}
+
+export default {
+	fetch: async (req: Request, env: Env, ctx: ExecutionContext) => {
+		if (env.ENVIRONMENT === 'development' && env.DEV_DISABLE_OAUTH === 'true') {
+			return await handleDevMode(req, env, ctx)
+		}
+
+		return new OAuthProvider({
+			apiRoute: '/sse',
+			apiHandler: RadarMCP.mount('/sse'),
+			// @ts-ignore
+			defaultHandler: createAuthHandlers({ scopes: RadarScopes, metrics }),
+			authorizeEndpoint: '/oauth/authorize',
+			tokenEndpoint: '/token',
+			tokenExchangeCallback: (options) =>
+				handleTokenExchangeCallback(
+					options,
+					env.CLOUDFLARE_CLIENT_ID,
+					env.CLOUDFLARE_CLIENT_SECRET
+				),
+			// Cloudflare access token TTL
+			accessTokenTTL: 3600,
+			clientRegistrationEndpoint: '/register',
+		}).fetch(req, env,ctx)
+	},
+}

packages/mcp-common/src/cloudflare-oauth-handler.ts

@@ -63,34 +63,22 @@ const AccountResponseSchema = z.object({
 	),
 })
 
-async function getTokenAndUser(
-	c: Context<AuthContext>,
-	code: string,
-	code_verifier: string
-): Promise<{
-	accessToken: string
-	refreshToken: string
-	user: UserSchema['result']
-	accounts: AccountSchema['result']
-}> {
-	// Exchange the code for an access token
-	const { access_token: accessToken, refresh_token: refreshToken } = await getAuthToken({
-		client_id: c.env.CLOUDFLARE_CLIENT_ID,
-		client_secret: c.env.CLOUDFLARE_CLIENT_SECRET,
-		redirect_uri: new URL('/oauth/callback', c.req.url).href,
-		code,
-		code_verifier,
-	})
+export async function getUserAndAccounts(
+	accessToken: string,
+	devModeHeaders?: HeadersInit
+): Promise<{ user: UserSchema['result']; accounts: AccountSchema['result'] }> {
+	const headers = devModeHeaders
+		? devModeHeaders
+		: {
+				Authorization: `Bearer ${accessToken}`,
+			}
+
 	const [userResponse, accountsResponse] = await Promise.all([
 		fetch('https://api.cloudflare.com/client/v4/user', {
-			headers: {
-				Authorization: `Bearer ${accessToken}`,
-			},
+			headers,
 		}),
 		fetch('https://api.cloudflare.com/client/v4/accounts', {
-			headers: {
-				Authorization: `Bearer ${accessToken}`,
-			},
+			headers,
 		}),
 	])
 
@@ -107,6 +95,30 @@ async function getTokenAndUser(
 	const { result: user } = UserResponseSchema.parse(await userResponse.json())
 	const { result: accounts } = AccountResponseSchema.parse(await accountsResponse.json())
 
+	return { user, accounts }
+}
+
+async function getTokenAndUserDetails(
+	c: Context<AuthContext>,
+	code: string,
+	code_verifier: string
+): Promise<{
+	accessToken: string
+	refreshToken: string
+	user: UserSchema['result']
+	accounts: AccountSchema['result']
+}> {
+	// Exchange the code for an access token
+	const { access_token: accessToken, refresh_token: refreshToken } = await getAuthToken({
+		client_id: c.env.CLOUDFLARE_CLIENT_ID,
+		client_secret: c.env.CLOUDFLARE_CLIENT_SECRET,
+		redirect_uri: new URL('/oauth/callback', c.req.url).href,
+		code,
+		code_verifier,
+	})
+
+	const { user, accounts } = await getUserAndAccounts(accessToken)
+
 	return { accessToken, refreshToken, user, accounts }
 }
 
@@ -217,7 +229,7 @@ export function createAuthHandlers({
 				}
 
 				const [{ accessToken, refreshToken, user, accounts }] = await Promise.all([
-					getTokenAndUser(c, code, oauthReqInfo.codeVerifier),
+					getTokenAndUserDetails(c, code, oauthReqInfo.codeVerifier),
 					c.env.OAUTH_PROVIDER.createClient({
 						clientId: oauthReqInfo.clientId,
 						tokenEndpointAuthMethod: 'none',