Add support for bearer auth with user API tokens

cmsparks · cmsparks · commit 753c8545f7a5 · 2025-05-19T14:03:40.000-05:00
diff --git a/apps/auditlogs/src/auditlogs.app.ts b/apps/auditlogs/src/auditlogs.app.ts
@@ -5,7 +5,7 @@ import {
 	createAuthHandlers,
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
-import { handleDevMode } from '@repo/mcp-common/src/dev-mode'
+import { handleApiTokenMode, isApiTokenRequest } from '@repo/mcp-common/src/dev-mode'
 import { getUserDetails, UserDetails } from '@repo/mcp-common/src/durable-objects/user_details.do'
 import { getEnv } from '@repo/mcp-common/src/env'
 import { RequiredScopes } from '@repo/mcp-common/src/scopes'
@@ -95,8 +95,8 @@ const AuditlogScopes = {
 
 export default {
 	fetch: async (req: Request, env: Env, ctx: ExecutionContext) => {
-		if (env.ENVIRONMENT === 'development' && env.DEV_DISABLE_OAUTH === 'true') {
-			return await handleDevMode(AuditlogMCP, req, env, ctx)
+		if (await isApiTokenRequest(req, env)) {
+			return await handleApiTokenMode(AuditlogMCP, req, env, ctx)
 		}
 
 		return new OAuthProvider({
diff --git a/apps/autorag/src/autorag.app.ts b/apps/autorag/src/autorag.app.ts
@@ -5,7 +5,7 @@ import {
 	createAuthHandlers,
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
-import { handleDevMode } from '@repo/mcp-common/src/dev-mode'
+import { handleApiTokenMode, isApiTokenRequest } from '@repo/mcp-common/src/dev-mode'
 import { getUserDetails, UserDetails } from '@repo/mcp-common/src/durable-objects/user_details.do'
 import { getEnv } from '@repo/mcp-common/src/env'
 import { RequiredScopes } from '@repo/mcp-common/src/scopes'
@@ -95,8 +95,8 @@ const LogPushScopes = {
 
 export default {
 	fetch: async (req: Request, env: Env, ctx: ExecutionContext) => {
-		if (env.ENVIRONMENT === 'development' && env.DEV_DISABLE_OAUTH === 'true') {
-			return await handleDevMode(AutoRAGMCP, req, env, ctx)
+		if (await isApiTokenRequest(req, env)) {
+			return await handleApiTokenMode(AutoRAGMCP, req, env, ctx)
 		}
 
 		return new OAuthProvider({
diff --git a/apps/cloudflare-one-casb/src/cf1-casb.app.ts b/apps/cloudflare-one-casb/src/cf1-casb.app.ts
@@ -5,8 +5,8 @@ import {
 	createAuthHandlers,
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
-import { handleDevMode } from '@repo/mcp-common/src/dev-mode'
 import { getUserDetails, UserDetails } from '@repo/mcp-common/src/durable-objects/user_details.do'
+import { handleApiTokenMode, isApiTokenRequest } from '@repo/mcp-common/src/dev-mode'
 import { getEnv } from '@repo/mcp-common/src/env'
 import { RequiredScopes } from '@repo/mcp-common/src/scopes'
 import { CloudflareMCPServer } from '@repo/mcp-common/src/server'
@@ -93,8 +93,8 @@ const CloudflareOneCasbScopes = {
 
 export default {
 	fetch: async (req: Request, env: Env, ctx: ExecutionContext) => {
-		if (env.ENVIRONMENT === 'development' && env.DEV_DISABLE_OAUTH === 'true') {
-			return await handleDevMode(CASBMCP, req, env, ctx)
+		if (await isApiTokenRequest(req, env)) {
+			return await handleApiTokenMode(CASBMCP, req, env, ctx)
 		}
 
 		return new OAuthProvider({
diff --git a/apps/dns-analytics/src/dns-analytics.app.ts b/apps/dns-analytics/src/dns-analytics.app.ts
@@ -5,7 +5,7 @@ import {
 	createAuthHandlers,
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
-import { handleDevMode } from '@repo/mcp-common/src/dev-mode'
+import { handleApiTokenMode, isApiTokenRequest } from '@repo/mcp-common/src/dev-mode'
 import { getUserDetails, UserDetails } from '@repo/mcp-common/src/durable-objects/user_details.do'
 import { getEnv } from '@repo/mcp-common/src/env'
 import { RequiredScopes } from '@repo/mcp-common/src/scopes'
@@ -102,8 +102,8 @@ const AnalyticsScopes = {
 
 export default {
 	fetch: async (req: Request, env: Env, ctx: ExecutionContext) => {
-		if (env.ENVIRONMENT === 'development' && env.DEV_DISABLE_OAUTH === 'true') {
-			return await handleDevMode(DNSAnalyticsMCP, req, env, ctx)
+		if (await isApiTokenRequest(req, env)) {
+			return await handleApiTokenMode(DNSAnalyticsMCP, req, env, ctx)
 		}
 
 		return new OAuthProvider({
diff --git a/apps/radar/src/radar.app.ts b/apps/radar/src/radar.app.ts
@@ -5,7 +5,7 @@ import {
 	createAuthHandlers,
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
-import { handleDevMode } from '@repo/mcp-common/src/dev-mode'
+import { handleApiTokenMode, isApiTokenRequest } from '@repo/mcp-common/src/dev-mode'
 import { getUserDetails, UserDetails } from '@repo/mcp-common/src/durable-objects/user_details.do'
 import { getEnv } from '@repo/mcp-common/src/env'
 import { RequiredScopes } from '@repo/mcp-common/src/scopes'
@@ -98,8 +98,8 @@ const RadarScopes = {
 
 export default {
 	fetch: async (req: Request, env: Env, ctx: ExecutionContext) => {
-		if (env.ENVIRONMENT === 'development' && env.DEV_DISABLE_OAUTH === 'true') {
-			return await handleDevMode(RadarMCP, req, env, ctx)
+		if (await isApiTokenRequest(req, env)) {
+			return await handleApiTokenMode(RadarMCP, req, env, ctx)
 		}
 
 		return new OAuthProvider({
diff --git a/apps/sandbox-container/container/sandbox.container.app.ts b/apps/sandbox-container/container/sandbox.container.app.ts
@@ -137,7 +137,7 @@ app.delete('/files/contents/*', async (c) => {
  */
 app.post('/exec', zValidator('json', ExecParams), (c) => {
 	const execParams = c.req.valid('json')
-	const proc = exec(execParams.args)
+	const proc = exec(execParams.shell_command)
 	return streamText(c, async (stream) => {
 		return new Promise((resolve, reject) => {
 			if (proc.stdout) {
diff --git a/apps/sandbox-container/server/sandbox.server.app.ts b/apps/sandbox-container/server/sandbox.server.app.ts
@@ -5,7 +5,7 @@ import {
 	createAuthHandlers,
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
-import { handleDevMode } from '@repo/mcp-common/src/dev-mode'
+import { handleApiTokenMode, isApiTokenRequest } from '@repo/mcp-common/src/dev-mode'
 import { getEnv } from '@repo/mcp-common/src/env'
 import { RequiredScopes } from '@repo/mcp-common/src/scopes'
 import { MetricsTracker } from '@repo/mcp-observability'
@@ -39,11 +39,8 @@ const ContainerScopes = {
 
 export default {
 	fetch: async (req: Request, env: Env, ctx: ExecutionContext) => {
-		if (
-			(env.ENVIRONMENT === 'dev' || env.ENVIRONMENT === 'test') &&
-			env.DEV_DISABLE_OAUTH === 'true'
-		) {
-			return await handleDevMode(ContainerMcpAgent, req, env, ctx)
+		if (await isApiTokenRequest(req, env)) {
+			return await handleApiTokenMode(ContainerMcpAgent, req, env, ctx)
 		}
 
 		return new OAuthProvider({
diff --git a/apps/sandbox-container/shared/schema.ts b/apps/sandbox-container/shared/schema.ts
@@ -2,7 +2,7 @@ import z from 'zod'
 
 export type ExecParams = z.infer<typeof ExecParams>
 export const ExecParams = z.object({
-	args: z.string(),
+	shell_command: z.string(),
 	timeout: z.number().optional().describe('Timeout in milliseconds'),
 	streamStderr: z.boolean().default(true),
 })
diff --git a/apps/workers-bindings/src/bindings.app.ts b/apps/workers-bindings/src/bindings.app.ts
@@ -5,7 +5,7 @@ import {
 	createAuthHandlers,
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
-import { handleDevMode } from '@repo/mcp-common/src/dev-mode'
+import { handleApiTokenMode, isApiTokenRequest } from '@repo/mcp-common/src/dev-mode'
 import { getUserDetails, UserDetails } from '@repo/mcp-common/src/durable-objects/user_details.do'
 import { getEnv } from '@repo/mcp-common/src/env'
 import { RequiredScopes } from '@repo/mcp-common/src/scopes'
@@ -108,11 +108,8 @@ const BindingsScopes = {
 
 export default {
 	fetch: async (req: Request, env: Env, ctx: ExecutionContext) => {
-		if (
-			(env.ENVIRONMENT === 'development' || env.ENVIRONMENT === 'test') &&
-			env.DEV_DISABLE_OAUTH === 'true'
-		) {
-			return await handleDevMode(WorkersBindingsMCP, req, env, ctx)
+		if (await isApiTokenRequest(req, env)) {
+			return await handleApiTokenMode(WorkersBindingsMCP, req, env, ctx)
 		}
 
 		return new OAuthProvider({
diff --git a/apps/workers-observability/src/workers-observability.app.ts b/apps/workers-observability/src/workers-observability.app.ts
@@ -5,7 +5,7 @@ import {
 	createAuthHandlers,
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
-import { handleDevMode } from '@repo/mcp-common/src/dev-mode'
+import { handleApiTokenMode, isApiTokenRequest } from '@repo/mcp-common/src/dev-mode'
 import { getUserDetails, UserDetails } from '@repo/mcp-common/src/durable-objects/user_details.do'
 import { getEnv } from '@repo/mcp-common/src/env'
 import { RequiredScopes } from '@repo/mcp-common/src/scopes'
@@ -110,8 +110,8 @@ const ObservabilityScopes = {
 
 export default {
 	fetch: async (req: Request, env: Env, ctx: ExecutionContext) => {
-		if (env.ENVIRONMENT === 'development' && env.DEV_DISABLE_OAUTH === 'true') {
-			return await handleDevMode(ObservabilityMCP, req, env, ctx)
+		if (await isApiTokenRequest(req, env)) {
+			return await handleApiTokenMode(ObservabilityMCP, req, env, ctx)
 		}
 
 		return new OAuthProvider({
diff --git a/packages/mcp-common/src/dev-mode.ts b/packages/mcp-common/src/dev-mode.ts
@@ -6,6 +6,7 @@ import type { AuthProps } from './cloudflare-oauth-handler'
 interface RequiredEnv {
 	DEV_CLOUDFLARE_EMAIL: string
 	DEV_CLOUDFLARE_API_TOKEN: string
+	DEV_DISABLE_OAUTH: string
 }
 
 export async function handleDevMode<
@@ -22,3 +23,41 @@ export async function handleDevMode<
 	} as AuthProps
 	return agent.mount('/sse').fetch(req, env, ctx)
 }
+
+export async function isApiTokenRequest(req: Request, env: RequiredEnv) {
+	// shortcircuit for dev
+	if (env.DEV_CLOUDFLARE_API_TOKEN && env.DEV_DISABLE_OAUTH === 'true') {
+		return true
+	}
+
+	const authHeader = req.headers.get('Authorization')
+	if (!authHeader) return false
+	
+	const [type, token] = authHeader.split(' ')
+	if (type !== 'Bearer') return false
+	
+	// Return true only if the token doesn't start with 'token:'
+	return !token.startsWith('token:')
+}
+
+export async function handleApiTokenMode<
+	T extends typeof McpAgent<unknown, unknown, Record<string, unknown>>,
+>(agent: T, req: Request, env: RequiredEnv, ctx: ExecutionContext) {
+	const authHeader = req.headers.get('Authorization')
+	if (!authHeader) {
+		throw new Error('Authorization header is required')
+	}
+	
+	const [type, token] = authHeader.split(' ')
+	if (type !== 'Bearer') {
+		throw new Error('Invalid authorization type, must be Bearer')
+	}
+
+	const { user, accounts } = await getUserAndAccounts(token)
+	ctx.props = {
+		accessToken: token,
+		user,
+		accounts,
+	} as AuthProps
+	return agent.mount('/sse').fetch(req, env, ctx)
+}
