Setup auth-server to handle callbacks for sandbox-container and workers-bindings

Author: Maximo-Guk

apps/auth-server/wrangler.jsonc

@@ -20,12 +20,12 @@
 		"staging": {
 			"name": "mcp-cloudflare-auth-server-staging",
 			"account_id": "8995c0f49cdcf57eb54d2c1e52b7d2f3",
-			"routes": ["staging.mcp.cloudflare.com/oauth/callback"],
+			"routes": ["staging.mcp.cloudflare.com/oauth/callback"]
 		},
 		"production": {
 			"name": "mcp-cloudflare-auth-server-production",
 			"account_id": "8995c0f49cdcf57eb54d2c1e52b7d2f3",
-			"routes": ["mcp.cloudflare.com/oauth/callback"],
+			"routes": ["mcp.cloudflare.com/oauth/callback"]
 		}
 	}
 }

apps/sandbox-container/container/index.ts

@@ -7,8 +7,8 @@ import { Hono } from 'hono'
 import { streamText } from 'hono/streaming'
 import mime from 'mime'
 
-import { ExecParams, FilesWrite } from '../shared/schema.ts'
-import { get_file_name_from_path } from './fileUtils.ts'
+import { ExecParams, FilesWrite } from '../shared/schema'
+import { get_file_name_from_path } from './fileUtils'
 
 import type { FileList } from '../shared/schema.ts'
 

apps/sandbox-container/package.json

@@ -20,6 +20,7 @@
 		"@hono/node-server": "^1.13.8",
 		"@hono/zod-validator": "^0.4.3",
 		"@modelcontextprotocol/sdk": "^1.7.0",
+		"@repo/mcp-common": "workspace:*",
 		"@types/node": "^22.13.10",
 		"agents": "^0.0.42",
 		"cron-schedule": "^5.0.4",
@@ -30,10 +31,10 @@
 		"partyserver": "^0.0.65",
 		"tsx": "^4.19.3",
 		"workers-mcp": "0.1.0-3",
-		"zod": "^3.24.2",
-		"@repo/mcp-common": "workspace:*"
+		"zod": "^3.24.2"
 	},
 	"devDependencies": {
+		"@cloudflare/vitest-pool-workers": "0.8.14",
 		"concurrently": "^9.1.2",
 		"wrangler": "^4.9.1"
 	}

apps/sandbox-container/server/index.ts

@@ -2,9 +2,10 @@ import OAuthProvider from '@cloudflare/workers-oauth-provider'
 import { env } from 'cloudflare:workers'
 
 import {
-	CloudflareAuthHandler,
+	createAuthHandlers,
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
+import { getEnvironment } from '@repo/mcp-common/src/config'
 
 import { ContainerManager } from './containerManager'
 import { ContainerMcpAgent } from './containerMcp'
@@ -32,7 +33,10 @@ export default new OAuthProvider({
 	// @ts-ignore
 	apiHandler: ContainerMcpAgent.mount('/workers/sandbox/sse', { binding: 'CONTAINER_MCP_AGENT' }),
 	// @ts-ignore
-	defaultHandler: CloudflareAuthHandler,
+	defaultHandler: createAuthHandlers({
+		serverPath: 'workers/containers',
+		environment: getEnvironment(env.ENVIRONMENT),
+	}),
 	authorizeEndpoint: '/oauth/authorize',
 	tokenEndpoint: '/token',
 	tokenExchangeCallback: (options) =>

apps/sandbox-container/tsconfig.json

@@ -1,16 +1,3 @@
 {
-	"compilerOptions": {
-		"target": "ESNext",
-		"lib": ["ESNext", "DOM"],
-		"jsx": "react-jsx",
-		"module": "ESNext",
-		"moduleResolution": "bundler",
-		"types": ["./worker-configuration.d.ts", "@cloudflare/workers-types/2023-07-01"],
-		"noEmit": true,
-		"esModuleInterop": true,
-		"forceConsistentCasingInFileNames": true,
-		"strict": true,
-		"skipLibCheck": true
-	},
-	"include": ["server/**.ts", "shared/**.ts"]
+	"extends": "@repo/typescript-config/workers.json"
 }

apps/sandbox-container/worker-configuration.d.ts

@@ -2,11 +2,14 @@
 // Runtime types generated with [email protected] 2025-04-03
 declare namespace Cloudflare {
 	interface Env {
-		OAUTH_KV: KVNamespace
-		CONTAINER_MCP_AGENT: DurableObjectNamespace<import('./server/index').ContainerMcpAgent>
-		CONTAINER_MANAGER: DurableObjectNamespace<import('./server/index').ContainerManager>
-		CLOUDFLARE_CLIENT_ID: string
-		CLOUDFLARE_CLIENT_SECRET: string
+		OAUTH_KV: KVNamespace;
+		// eslint-disable-next-line @typescript-eslint/consistent-type-imports
+		CONTAINER_MCP_AGENT: DurableObjectNamespace<import("./server/index").ContainerMcpAgent>;
+		// eslint-disable-next-line @typescript-eslint/consistent-type-imports
+		CONTAINER_MANAGER: DurableObjectNamespace<import("./server/index").ContainerManager>;
+		CLOUDFLARE_CLIENT_ID: string;
+		CLOUDFLARE_CLIENT_SECRET: string;
+        ENVIRONMENT: string
 	}
 }
 interface Env extends Cloudflare.Env {}

apps/sandbox-container/wrangler.jsonc

@@ -1,6 +1,6 @@
 {
 	"$schema": "node_modules/wrangler/config-schema.json",
-	"name": "sandbox-container",
+	"name": "sandbox-container-dev",
 	"main": "server/index.ts",
 	"compatibility_date": "2025-04-03",
 	"containers": [
@@ -41,5 +41,8 @@
 	],
 	"dev": {
 		"port": 8976
+	},
+	"vars": {
+		"ENVIRONMENT": "development"
 	}
 }

apps/workers-bindings/src/index.ts

@@ -4,9 +4,10 @@ import { McpAgent } from 'agents/mcp'
 import { env } from 'cloudflare:workers'
 
 import {
-	CloudflareAuthHandler,
+	createAuthHandlers,
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
+import { getEnvironment } from '@repo/mcp-common/src/config'
 import { registerAccountTools } from '@repo/mcp-common/src/tools/account'
 import { registerKVTools } from '@repo/mcp-common/src/tools/kv_namespace'
 import { registerWorkersTools } from '@repo/mcp-common/src/tools/worker'
@@ -66,11 +67,18 @@ export default new OAuthProvider({
 	// @ts-ignore
 	apiHandler: WorkersBindingsMCP.mount('/workers/bindings/sse'),
 	// @ts-ignore
-	defaultHandler: CloudflareAuthHandler,
+	defaultHandler: createAuthHandlers({
+		serverPath: 'workers/containers',
+		environment: getEnvironment(env.ENVIRONMENT),
+	}),
 	authorizeEndpoint: '/oauth/authorize',
 	tokenEndpoint: '/token',
 	tokenExchangeCallback: (options) =>
-		handleTokenExchangeCallback(options, env.CLOUDFLARE_CLIENT_ID, env.CLOUDFLARE_CLIENT_SECRET),
+		handleTokenExchangeCallback(
+			options,
+			env.CLOUDFLARE_CLIENT_ID,
+			env.CLOUDFLARE_CLIENT_SECRET
+		),
 	// Cloudflare access token TTL
 	accessTokenTTL: 3600,
 	clientRegistrationEndpoint: '/register',

apps/workers-bindings/vitest.config.ts

@@ -1,5 +1,7 @@
 import { defineWorkersConfig } from '@cloudflare/vitest-pool-workers/config'
 
+import type { Env } from './worker-configuration'
+
 export interface TestEnv extends Env {
 	CLOUDFLARE_MOCK_ACCOUNT_ID: string
 	CLOUDFLARE_MOCK_API_TOKEN: string

apps/workers-bindings/worker-configuration.d.ts

@@ -1,11 +1,14 @@
 // Generated by Wrangler by running `wrangler types` (hash: 83b65e4226fcf5092146edc626681982)
+
 // Runtime types generated with [email protected] 2025-03-10 nodejs_compat
 declare namespace Cloudflare {
 	interface Env {
 		OAUTH_KV: KVNamespace;
 		CLOUDFLARE_CLIENT_ID: string;
 		CLOUDFLARE_CLIENT_SECRET: string;
+		// eslint-disable-next-line @typescript-eslint/consistent-type-imports
 		MCP_OBJECT: DurableObjectNamespace<import("./src/index").WorkersBindingsMCP>;
+        ENVIRONMENT: string
 	}
 }
 interface Env extends Cloudflare.Env {}