Add dev mode auth to our mcp servers

Author: Maximo-Guk

apps/docs-autorag/.dev.vars.example

@@ -1,3 +1,6 @@
 CLOUDFLARE_CLIENT_ID=
 CLOUDFLARE_CLIENT_SECRET=
 URL_SCANNER_API_TOKEN=
+DEV_DISABLE_OAUTH=
+DEV_CLOUDFLARE_API_TOKEN=
+DEV_CLOUDFLARE_EMAIL=

apps/radar/.dev.vars.example

@@ -11,4 +11,7 @@ export interface Env {
 	URL_SCANNER_API_TOKEN: string
 	MCP_OBJECT: DurableObjectNamespace<RadarMCP>
 	MCP_METRICS: AnalyticsEngineDataset
+	DEV_DISABLE_OAUTH: string
+	DEV_CLOUDFLARE_API_TOKEN: string
+	DEV_CLOUDFLARE_EMAIL: string
 }

apps/radar/src/context.ts

@@ -3,6 +3,7 @@ import { McpAgent } from 'agents/mcp'
 
 import {
 	createAuthHandlers,
+	getUserAndAccounts,
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
 import { getEnv } from '@repo/mcp-common/src/env'
@@ -74,16 +75,42 @@ const RadarScopes = {
 	offline_access: 'Grants refresh tokens for long-lived access.',
 } as const
 
-export default new OAuthProvider({
-	apiRoute: '/sse',
-	apiHandler: RadarMCP.mount('/sse'),
-	// @ts-ignore
-	defaultHandler: createAuthHandlers({ scopes: RadarScopes, metrics }),
-	authorizeEndpoint: '/oauth/authorize',
-	tokenEndpoint: '/token',
-	tokenExchangeCallback: (options) =>
-		handleTokenExchangeCallback(options, env.CLOUDFLARE_CLIENT_ID, env.CLOUDFLARE_CLIENT_SECRET),
-	// Cloudflare access token TTL
-	accessTokenTTL: 3600,
-	clientRegistrationEndpoint: '/register',
-})
+// TODO: Move this in to wci-common
+async function handleDevMode(req: Request, env: Env, ctx: ExecutionContext) {
+	const { user, accounts } = await getUserAndAccounts(env.DEV_CLOUDFLARE_API_TOKEN, {
+		'X-Auth-Email': env.DEV_CLOUDFLARE_EMAIL,
+		'X-Auth-Key': env.DEV_CLOUDFLARE_API_TOKEN,
+	})
+	ctx.props = {
+		accessToken: env.DEV_CLOUDFLARE_API_TOKEN,
+		user,
+		accounts,
+	} as Props
+	return RadarMCP.mount('/sse').fetch(req, env, ctx)
+}
+
+export default {
+	fetch: async (req: Request, env: Env, ctx: ExecutionContext) => {
+		if (env.ENVIRONMENT === 'development' && env.DEV_DISABLE_OAUTH === 'true') {
+			return await handleDevMode(req, env, ctx)
+		}
+
+		return new OAuthProvider({
+			apiRoute: '/sse',
+			apiHandler: RadarMCP.mount('/sse'),
+			// @ts-ignore
+			defaultHandler: createAuthHandlers({ scopes: RadarScopes, metrics }),
+			authorizeEndpoint: '/oauth/authorize',
+			tokenEndpoint: '/token',
+			tokenExchangeCallback: (options) =>
+				handleTokenExchangeCallback(
+					options,
+					env.CLOUDFLARE_CLIENT_ID,
+					env.CLOUDFLARE_CLIENT_SECRET
+				),
+			// Cloudflare access token TTL
+			accessTokenTTL: 3600,
+			clientRegistrationEndpoint: '/register',
+		}).fetch(req, env, ctx)
+	},
+}

apps/radar/src/index.ts

@@ -1,2 +1,5 @@
 CLOUDFLARE_CLIENT_ID=
-CLOUDFLARE_CLIENT_SECRET=
+CLOUDFLARE_CLIENT_SECRET=
+DEV_DISABLE_OAUTH=
+DEV_CLOUDFLARE_API_TOKEN=
+DEV_CLOUDFLARE_EMAIL=

apps/sandbox-container/.dev.vars.example

@@ -12,4 +12,7 @@ export interface Env {
 	CONTAINER_MANAGER: DurableObjectNamespace<ContainerManager>
 	MCP_METRICS: AnalyticsEngineDataset
 	AI: Ai
+	DEV_DISABLE_OAUTH: string
+	DEV_CLOUDFLARE_API_TOKEN: string
+	DEV_CLOUDFLARE_EMAIL: string
 }

apps/sandbox-container/server/context.ts

@@ -2,6 +2,7 @@ import OAuthProvider from '@cloudflare/workers-oauth-provider'
 
 import {
 	createAuthHandlers,
+	getUserAndAccounts,
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
 import { getEnv } from '@repo/mcp-common/src/env'
@@ -39,8 +40,22 @@ const ContainerScopes = {
 		'See and change Cloudflare Workers data such as zones, KV storage, namespaces, scripts, and routes.',
 } as const
 
+// TODO: Move this in to wci-common
+async function handleDevMode(req: Request, env: Env, ctx: ExecutionContext) {
+	const { user, accounts } = await getUserAndAccounts(env.DEV_CLOUDFLARE_API_TOKEN, {
+		'X-Auth-Email': env.DEV_CLOUDFLARE_EMAIL,
+		'X-Auth-Key': env.DEV_CLOUDFLARE_API_TOKEN,
+	})
+	ctx.props = {
+		accessToken: env.DEV_CLOUDFLARE_API_TOKEN,
+		user,
+		accounts,
+	} as Props
+	return ContainerMcpAgent.mount('/sse').fetch(req, env, ctx)
+}
+
 export default {
-	fetch: (req: Request, env: Env, ctx: ExecutionContext) => {
+	fetch: async (req: Request, env: Env, ctx: ExecutionContext) => {
 		// @ts-ignore
 		if (env.ENVIRONMENT === 'test') {
 			ctx.props = {
@@ -58,6 +73,10 @@ export default {
 			)
 		}
 
+		if (env.ENVIRONMENT === 'dev' && env.DEV_DISABLE_OAUTH === 'true') {
+			return await handleDevMode(req, env, ctx)
+		}
+
 		return new OAuthProvider({
 			apiRoute: '/sse',
 			apiHandler: ContainerMcpAgent.mount('/sse', { binding: 'CONTAINER_MCP_AGENT' }),

apps/sandbox-container/server/index.ts

@@ -1,2 +1,5 @@
 CLOUDFLARE_CLIENT_ID=
 CLOUDFLARE_CLIENT_SECRET=
+DEV_DISABLE_OAUTH=
+DEV_CLOUDFLARE_API_TOKEN=
+DEV_CLOUDFLARE_EMAIL=

apps/workers-bindings/.dev.vars.example

@@ -9,4 +9,7 @@ export interface Env {
 	CLOUDFLARE_CLIENT_SECRET: '<PLACEHOLDER>'
 	MCP_OBJECT: DurableObjectNamespace<WorkersBindingsMCP>
 	MCP_METRICS: AnalyticsEngineDataset
+	DEV_DISABLE_OAUTH: string
+	DEV_CLOUDFLARE_API_TOKEN: string
+	DEV_CLOUDFLARE_EMAIL: string
 }

apps/workers-bindings/src/context.ts

@@ -3,6 +3,7 @@ import { McpAgent } from 'agents/mcp'
 
 import {
 	createAuthHandlers,
+	getUserAndAccounts,
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
 import { getEnv } from '@repo/mcp-common/src/env'
@@ -103,17 +104,42 @@ const BindingsScopes = {
 	'd1:write': 'Create, read, and write to D1 databases',
 } as const
 
-// Export the OAuth handler as the default
-export default new OAuthProvider({
-	apiRoute: '/sse',
-	apiHandler: WorkersBindingsMCP.mount('/sse'),
-	// @ts-ignore
-	defaultHandler: createAuthHandlers({ scopes: BindingsScopes, metrics }),
-	authorizeEndpoint: '/oauth/authorize',
-	tokenEndpoint: '/token',
-	tokenExchangeCallback: (options) =>
-		handleTokenExchangeCallback(options, env.CLOUDFLARE_CLIENT_ID, env.CLOUDFLARE_CLIENT_SECRET),
-	// Cloudflare access token TTL
-	accessTokenTTL: 3600,
-	clientRegistrationEndpoint: '/register',
-})
+// TODO: Move this in to wci-common
+async function handleDevMode(req: Request, env: Env, ctx: ExecutionContext) {
+	const { user, accounts } = await getUserAndAccounts(env.DEV_CLOUDFLARE_API_TOKEN, {
+		'X-Auth-Email': env.DEV_CLOUDFLARE_EMAIL,
+		'X-Auth-Key': env.DEV_CLOUDFLARE_API_TOKEN,
+	})
+	ctx.props = {
+		accessToken: env.DEV_CLOUDFLARE_API_TOKEN,
+		user,
+		accounts,
+	} as Props
+	return WorkersBindingsMCP.mount('/sse').fetch(req, env, ctx)
+}
+
+export default {
+	fetch: async (req: Request, env: Env, ctx: ExecutionContext) => {
+		if (env.ENVIRONMENT === 'development' && env.DEV_DISABLE_OAUTH === 'true') {
+			return await handleDevMode(req, env, ctx)
+		}
+
+		return new OAuthProvider({
+			apiRoute: '/sse',
+			apiHandler: WorkersBindingsMCP.mount('/sse'),
+			// @ts-ignore
+			defaultHandler: createAuthHandlers({ scopes: BindingsScopes, metrics }),
+			authorizeEndpoint: '/oauth/authorize',
+			tokenEndpoint: '/token',
+			tokenExchangeCallback: (options) =>
+				handleTokenExchangeCallback(
+					options,
+					env.CLOUDFLARE_CLIENT_ID,
+					env.CLOUDFLARE_CLIENT_SECRET
+				),
+			// Cloudflare access token TTL
+			accessTokenTTL: 3600,
+			clientRegistrationEndpoint: '/register',
+		}).fetch(req, env, ctx)
+	},
+}