Merge pull request #45 from cloudflare/wp-1587-courtney

Add Cloudflare OAUTH to Sandbox Container

Author: courtney-sims

apps/sandbox-container/package.json

@@ -9,9 +9,11 @@
 		"dev": "concurrently \"tsx container/index.ts\" \"wrangler dev --var \"ENVIRONMENT:dev\"\"",
 		"build": "docker build .",
 		"start": "wrangler dev",
-		"start:container": "tsx container/index.ts"
+		"start:container": "tsx container/index.ts",
+		"postinstall": "mkdir -p workdir"
 	},
 	"dependencies": {
+		"@cloudflare/workers-oauth-provider": "0.0.2",
 		"@cloudflare/workers-types": "^4.20250320.0",
 		"@hono/node-server": "^1.13.8",
 		"@hono/zod-validator": "^0.4.3",
@@ -26,7 +28,8 @@
 		"partyserver": "^0.0.65",
 		"tsx": "^4.19.3",
 		"workers-mcp": "0.1.0-3",
-		"zod": "^3.24.2"
+		"zod": "^3.24.2",
+		"@repo/mcp-common": "workspace:*"
 	},
 	"devDependencies": {
 		"concurrently": "^9.1.2",

apps/sandbox-container/server/index.ts

@@ -1,9 +1,11 @@
-import { Hono } from 'hono'
-import { Octokit } from 'octokit'
-import OAuthProvider, {
-	AuthRequest,
-	OAuthHelpers,
-} from 'workers-mcp/vendor/workers-oauth-provider/oauth-provider.js'
+import OAuthProvider from '@cloudflare/workers-oauth-provider'
+
+import {
+	AccountSchema,
+	CloudflareAuthHandler,
+	handleTokenExchangeCallback,
+	UserSchema,
+} from '@repo/mcp-common/src/cloudflare-oauth-handler'
 
 import { ContainerManager } from './containerManager'
 import { ContainerMcpAgent } from './containerMcp'
@@ -16,9 +18,24 @@ export type Env = {
 	ENVIRONMENT: 'dev' | 'prod'
 }
 
-// TODO: add user specific props
-export type Props = {}
-
-const app = new Hono<{ Bindings: Env }>()
+// Context from the auth process, encrypted & stored in the auth token
+// and provided to the DurableMCP as this.props
+export type Props = {
+	accessToken: string
+	user: UserSchema['result']
+	accounts: AccountSchema['result']
+}
 
-export default ContainerMcpAgent.mount('/sse', { binding: 'CONTAINER_MCP_AGENT' })
+export default new OAuthProvider({
+	apiRoute: '/workers/sandbox/sse',
+	// @ts-ignore
+	apiHandler: ContainerMcpAgent.mount('/workers/sandbox/sse', { binding: 'CONTAINER_MCP_AGENT' }),
+	// @ts-ignore
+	defaultHandler: CloudflareAuthHandler,
+	authorizeEndpoint: '/oauth/authorize',
+	tokenEndpoint: '/token',
+	tokenExchangeCallback: handleTokenExchangeCallback,
+	// Cloudflare access token TTL
+	accessTokenTTL: 3600,
+	clientRegistrationEndpoint: '/register',
+})

apps/sandbox-container/wrangler.jsonc

@@ -32,5 +32,14 @@
 	],
 	"observability": {
 		"enabled": true
+	},
+	"kv_namespaces": [
+		{
+			"binding": "OAUTH_KV",
+			"id": "DEV_KV"
+		}
+	],
+	"dev": {
+		"port": 8976
 	}
 }