Add dev mode auth for all servers and update to root CONTRIBUTING.md

Author: Maximo-Guk

CONTRIBUTING.md

@@ -1,18 +1,32 @@
-## Developing
+# Developing
 
-### Packages
+## Architecture
 
-- eslint-config: Eslint config used by all apps and packages.
-- typescript-config: tsconfig used by all apps and packages.
-- mcp-common: Shared common tools and scripts to help manage this repo.
+The monorepo has two top-level directories:
 
-For more details on development in this monorepo, take a look at apps/workers-observability
+- apps: Contains the Workers for each MCP server
+  - apps/workers-observability
+  - apps/workers-bindings
+  - [apps/radar/CONTRIBUTING.md](apps/radar/CONTRIBUTING.md)
+  - apps/cloudflare-one-casb
+- packages: Contains shared packages used across our various apps.
+  - packages/eslint-config: Eslint config used by all apps and packages.
+  - packages/typescript-config: tsconfig used by all apps and packages.
+  - packages/mcp-common: Shared common tools and scripts to help manage this repo.
 
-## Testing
+We use [TurboRepo](https://turbo.build/) and [pnpm](https://pnpm.io/) to manage this repository. TurboRepo manages the monorepo by ensuring commands are run across all apps.
 
-The project uses Vitest as the testing framework with MSW (Mock Service Worker) for API mocking.
+## Getting Started
 
-### Running Tests
+This section will guide you through setting up your developer environment and running tests.
+
+For more details on development in this monorepo, take a look at apps/workers-observability/CONTRIBUTING.md[/apps/workers-observability/CONTRIBUTING.md]
+
+### Testing
+
+The project uses Vitest as the testing framework with [fetchMock](https://developers.cloudflare.com/workers/testing/vitest-integration/test-apis/) for API mocking.
+
+#### Running Tests
 
 To run all tests:
 
@@ -30,4 +44,4 @@ To run tests in watch mode (useful during development):
 
 ```bash
 pnpm test:watch
-```
+```

apps/radar/src/index.ts

@@ -75,6 +75,7 @@ const RadarScopes = {
 	offline_access: 'Grants refresh tokens for long-lived access.',
 } as const
 
+// TODO: Move this in to wci-common
 async function handleDevMode(req: Request, env: Env, ctx: ExecutionContext) {
 	const { user, accounts } = await getUserAndAccounts(env.DEV_CLOUDFLARE_API_TOKEN, {
 		'X-Auth-Email': env.DEV_CLOUDFLARE_EMAIL,

apps/sandbox-container/server/context.ts

@@ -12,4 +12,7 @@ export interface Env {
 	CONTAINER_MANAGER: DurableObjectNamespace<ContainerManager>
 	MCP_METRICS: AnalyticsEngineDataset
 	AI: Ai
+	DEV_DISABLE_OAUTH: string
+	DEV_CLOUDFLARE_API_TOKEN: string
+	DEV_CLOUDFLARE_EMAIL: string
 }

apps/sandbox-container/server/index.ts

@@ -2,6 +2,7 @@ import OAuthProvider from '@cloudflare/workers-oauth-provider'
 
 import {
 	createAuthHandlers,
+	getUserAndAccounts,
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
 import { getEnv } from '@repo/mcp-common/src/env'
@@ -39,8 +40,22 @@ const ContainerScopes = {
 		'See and change Cloudflare Workers data such as zones, KV storage, namespaces, scripts, and routes.',
 } as const
 
+// TODO: Move this in to wci-common
+async function handleDevMode(req: Request, env: Env, ctx: ExecutionContext) {
+	const { user, accounts } = await getUserAndAccounts(env.DEV_CLOUDFLARE_API_TOKEN, {
+		'X-Auth-Email': env.DEV_CLOUDFLARE_EMAIL,
+		'X-Auth-Key': env.DEV_CLOUDFLARE_API_TOKEN,
+	})
+	ctx.props = {
+		accessToken: env.DEV_CLOUDFLARE_API_TOKEN,
+		user,
+		accounts,
+	} as Props
+	return ContainerMcpAgent.mount('/sse').fetch(req, env, ctx)
+}
+
 export default {
-	fetch: (req: Request, env: Env, ctx: ExecutionContext) => {
+	fetch: async (req: Request, env: Env, ctx: ExecutionContext) => {
 		// @ts-ignore
 		if (env.ENVIRONMENT === 'test') {
 			ctx.props = {
@@ -58,6 +73,10 @@ export default {
 			)
 		}
 
+		if (env.ENVIRONMENT === 'dev' && env.DEV_DISABLE_OAUTH === 'true') {
+			return await handleDevMode(req, env, ctx)
+		}
+
 		return new OAuthProvider({
 			apiRoute: '/sse',
 			apiHandler: ContainerMcpAgent.mount('/sse', { binding: 'CONTAINER_MCP_AGENT' }),

apps/workers-bindings/src/context.ts

@@ -9,4 +9,7 @@ export interface Env {
 	CLOUDFLARE_CLIENT_SECRET: '<PLACEHOLDER>'
 	MCP_OBJECT: DurableObjectNamespace<WorkersBindingsMCP>
 	MCP_METRICS: AnalyticsEngineDataset
+	DEV_DISABLE_OAUTH: string
+	DEV_CLOUDFLARE_API_TOKEN: string
+	DEV_CLOUDFLARE_EMAIL: string
 }

apps/workers-bindings/src/index.ts

@@ -3,6 +3,7 @@ import { McpAgent } from 'agents/mcp'
 
 import {
 	createAuthHandlers,
+	getUserAndAccounts,
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
 import { getEnv } from '@repo/mcp-common/src/env'
@@ -103,17 +104,42 @@ const BindingsScopes = {
 	'd1:write': 'Create, read, and write to D1 databases',
 } as const
 
-// Export the OAuth handler as the default
-export default new OAuthProvider({
-	apiRoute: '/sse',
-	apiHandler: WorkersBindingsMCP.mount('/sse'),
-	// @ts-ignore
-	defaultHandler: createAuthHandlers({ scopes: BindingsScopes, metrics }),
-	authorizeEndpoint: '/oauth/authorize',
-	tokenEndpoint: '/token',
-	tokenExchangeCallback: (options) =>
-		handleTokenExchangeCallback(options, env.CLOUDFLARE_CLIENT_ID, env.CLOUDFLARE_CLIENT_SECRET),
-	// Cloudflare access token TTL
-	accessTokenTTL: 3600,
-	clientRegistrationEndpoint: '/register',
-})
+// TODO: Move this in to wci-common
+async function handleDevMode(req: Request, env: Env, ctx: ExecutionContext) {
+	const { user, accounts } = await getUserAndAccounts(env.DEV_CLOUDFLARE_API_TOKEN, {
+		'X-Auth-Email': env.DEV_CLOUDFLARE_EMAIL,
+		'X-Auth-Key': env.DEV_CLOUDFLARE_API_TOKEN,
+	})
+	ctx.props = {
+		accessToken: env.DEV_CLOUDFLARE_API_TOKEN,
+		user,
+		accounts,
+	} as Props
+	return WorkersBindingsMCP.mount('/sse').fetch(req, env, ctx)
+}
+
+export default {
+	fetch: async (req: Request, env: Env, ctx: ExecutionContext) => {
+		if (env.ENVIRONMENT === 'development' && env.DEV_DISABLE_OAUTH === 'true') {
+			return await handleDevMode(req, env, ctx)
+		}
+
+		return new OAuthProvider({
+			apiRoute: '/sse',
+			apiHandler: WorkersBindingsMCP.mount('/sse'),
+			// @ts-ignore
+			defaultHandler: createAuthHandlers({ scopes: BindingsScopes, metrics }),
+			authorizeEndpoint: '/oauth/authorize',
+			tokenEndpoint: '/token',
+			tokenExchangeCallback: (options) =>
+				handleTokenExchangeCallback(
+					options,
+					env.CLOUDFLARE_CLIENT_ID,
+					env.CLOUDFLARE_CLIENT_SECRET
+				),
+			// Cloudflare access token TTL
+			accessTokenTTL: 3600,
+			clientRegistrationEndpoint: '/register',
+		}).fetch(req, env, ctx)
+	},
+}

apps/workers-observability/src/context.ts

@@ -3,14 +3,17 @@ import type { ObservabilityMCP } from './index'
 export interface Env {
 	OAUTH_KV: KVNamespace
 	ENVIRONMENT: 'development' | 'staging' | 'production'
-	MCP_SERVER_NAME: 'PLACEHOLDER'
-	MCP_SERVER_VERSION: 'PLACEHOLDER'
-	CLOUDFLARE_CLIENT_ID: 'PLACEHOLDER'
-	CLOUDFLARE_CLIENT_SECRET: 'PLACEHOLDER'
+	MCP_SERVER_NAME: string
+	MCP_SERVER_VERSION: string
+	CLOUDFLARE_CLIENT_ID: string
+	CLOUDFLARE_CLIENT_SECRET: string
 	MCP_OBJECT: DurableObjectNamespace<ObservabilityMCP>
 	MCP_METRICS: AnalyticsEngineDataset
-	SENTRY_ACCESS_CLIENT_ID: 'PLACEHOLDER'
-	SENTRY_ACCESS_CLIENT_SECRET: 'PLACEHOLDER'
-	GIT_HASH: 'OVERRIDEN_DURING_DEPLOYMENT'
-	SENTRY_DSN: 'PLACEHOLDER'
+	SENTRY_ACCESS_CLIENT_ID: string
+	SENTRY_ACCESS_CLIENT_SECRET: string
+	GIT_HASH: string
+	SENTRY_DSN: string
+	DEV_DISABLE_OAUTH: string
+	DEV_CLOUDFLARE_API_TOKEN: string
+	DEV_CLOUDFLARE_EMAIL: string
 }

apps/workers-observability/src/index.ts

@@ -3,6 +3,7 @@ import { McpAgent } from 'agents/mcp'
 
 import {
 	createAuthHandlers,
+	getUserAndAccounts,
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
 import { getEnv } from '@repo/mcp-common/src/env'
@@ -104,16 +105,42 @@ const ObservabilityScopes = {
 	'workers_observability:read': 'See observability logs for your account',
 } as const
 
-export default new OAuthProvider({
-	apiRoute: '/sse',
-	apiHandler: ObservabilityMCP.mount('/sse'),
-	// @ts-ignore
-	defaultHandler: createAuthHandlers({ scopes: ObservabilityScopes, metrics }),
-	authorizeEndpoint: '/oauth/authorize',
-	tokenEndpoint: '/token',
-	tokenExchangeCallback: (options) =>
-		handleTokenExchangeCallback(options, env.CLOUDFLARE_CLIENT_ID, env.CLOUDFLARE_CLIENT_SECRET),
-	// Cloudflare access token TTL
-	accessTokenTTL: 3600,
-	clientRegistrationEndpoint: '/register',
-})
+// TODO: Move this in to wci-common
+async function handleDevMode(req: Request, env: Env, ctx: ExecutionContext) {
+	const { user, accounts } = await getUserAndAccounts(env.DEV_CLOUDFLARE_API_TOKEN, {
+		'X-Auth-Email': env.DEV_CLOUDFLARE_EMAIL,
+		'X-Auth-Key': env.DEV_CLOUDFLARE_API_TOKEN,
+	})
+	ctx.props = {
+		accessToken: env.DEV_CLOUDFLARE_API_TOKEN,
+		user,
+		accounts,
+	} as Props
+	return ObservabilityMCP.mount('/sse').fetch(req, env, ctx)
+}
+
+export default {
+	fetch: async (req: Request, env: Env, ctx: ExecutionContext) => {
+		if (env.ENVIRONMENT === 'development' && env.DEV_DISABLE_OAUTH === 'true') {
+			return await handleDevMode(req, env, ctx)
+		}
+
+		return new OAuthProvider({
+			apiRoute: '/sse',
+			apiHandler: ObservabilityMCP.mount('/sse'),
+			// @ts-ignore
+			defaultHandler: createAuthHandlers({ scopes: ObservabilityScopes, metrics }),
+			authorizeEndpoint: '/oauth/authorize',
+			tokenEndpoint: '/token',
+			tokenExchangeCallback: (options) =>
+				handleTokenExchangeCallback(
+					options,
+					env.CLOUDFLARE_CLIENT_ID,
+					env.CLOUDFLARE_CLIENT_SECRET
+				),
+			// Cloudflare access token TTL
+			accessTokenTTL: 3600,
+			clientRegistrationEndpoint: '/register',
+		}).fetch(req, env, ctx)
+	},
+}