Add Cloudflare OAUTH to sandbox container

Author: courtney-sims

apps/sandbox-container/package.json

@@ -10,9 +10,10 @@
 		"build": "docker build .",
 		"start": "wrangler dev",
 		"start:container": "tsx container/index.ts",
-		"postinstall": "mkdir workdir"
+		"postinstall": "mkdir -p workdir"
 	},
 	"dependencies": {
+		"@cloudflare/workers-oauth-provider": "0.0.2",
 		"@cloudflare/workers-types": "^4.20250320.0",
 		"@hono/node-server": "^1.13.8",
 		"@hono/zod-validator": "^0.4.3",
@@ -27,7 +28,8 @@
 		"partyserver": "^0.0.65",
 		"tsx": "^4.19.3",
 		"workers-mcp": "0.1.0-3",
-		"zod": "^3.24.2"
+		"zod": "^3.24.2",
+		"@repo/mcp-common": "workspace:*"
 	},
 	"devDependencies": {
 		"concurrently": "^9.1.2",

apps/sandbox-container/server/index.ts

@@ -1,24 +1,40 @@
-import { Hono } from 'hono'
-import { Octokit } from 'octokit'
-import OAuthProvider, {
-	AuthRequest,
-	OAuthHelpers,
-} from 'workers-mcp/vendor/workers-oauth-provider/oauth-provider.js'
+import OAuthProvider from '@cloudflare/workers-oauth-provider';
+import {
+	AccountSchema,
+	CloudflareAuthHandler,
+	handleTokenExchangeCallback,
+	UserSchema,
+} from '@repo/mcp-common/src/cloudflare-oauth-handler';
 
-import { ContainerManager } from './containerManager'
-import { ContainerMcpAgent } from './containerMcp'
+import { ContainerManager } from './containerManager';
+import { ContainerMcpAgent } from './containerMcp';
 
-export { ContainerManager, ContainerMcpAgent }
+export { ContainerManager, ContainerMcpAgent };
 
 export type Env = {
 	CONTAINER_MCP_AGENT: DurableObjectNamespace<ContainerMcpAgent>
 	CONTAINER_MANAGER: DurableObjectNamespace<ContainerManager>
 	ENVIRONMENT: 'dev' | 'prod'
 }
 
-// TODO: add user specific props
-export type Props = {}
-
-const app = new Hono<{ Bindings: Env }>()
+// Context from the auth process, encrypted & stored in the auth token
+// and provided to the DurableMCP as this.props
+export type Props = {
+	accessToken: string
+	user: UserSchema['result']
+	accounts: AccountSchema['result']
+}
 
-export default ContainerMcpAgent.mount('/sse', { binding: 'CONTAINER_MCP_AGENT' })
+export default new OAuthProvider({
+	apiRoute: '/workers/sandbox/sse',
+	// @ts-ignore
+	apiHandler: ContainerMcpAgent.mount('/workers/sandbox/sse', { binding: 'CONTAINER_MCP_AGENT' }),
+	// @ts-ignore
+	defaultHandler: CloudflareAuthHandler,
+	authorizeEndpoint: '/oauth/authorize',
+	tokenEndpoint: '/token',
+	tokenExchangeCallback: handleTokenExchangeCallback,
+	// Cloudflare access token TTL
+	accessTokenTTL: 3600,
+	clientRegistrationEndpoint: '/register',
+})

apps/sandbox-container/wrangler.jsonc

@@ -32,5 +32,14 @@
 	],
 	"observability": {
 		"enabled": true
+	},
+	"kv_namespaces": [
+		{
+			"binding": "OAUTH_KV",
+			"id": "DEV_KV"
+		}
+	],
+	"dev": {
+		"port": 8976
 	}
 }