Add dev mode auth for all servers and update to root CONTRIBUTING.md

Author: Maximo-Guk

CONTRIBUTING.md

@@ -1,18 +1,32 @@
-## Developing
+# Developing
 
-### Packages
+## Architecture
 
-- eslint-config: Eslint config used by all apps and packages.
-- typescript-config: tsconfig used by all apps and packages.
-- mcp-common: Shared common tools and scripts to help manage this repo.
+The monorepo has two top-level directories:
 
-For more details on development in this monorepo, take a look at apps/workers-observability
+- apps: Contains the Workers for each MCP server
+  - apps/workers-observability
+  - apps/workers-bindings
+  - [apps/radar/CONTRIBUTING.md](apps/radar/CONTRIBUTING.md)
+  - apps/cloudflare-one-casb
+- packages: Contains shared packages used across our various apps.
+  - packages/eslint-config: Eslint config used by all apps and packages.
+  - packages/typescript-config: tsconfig used by all apps and packages.
+  - packages/mcp-common: Shared common tools and scripts to help manage this repo.
 
-## Testing
+We use [TurboRepo](https://turbo.build/) and [pnpm](https://pnpm.io/) to manage this repository. TurboRepo manages the monorepo by ensuring commands are run across all apps.
 
-The project uses Vitest as the testing framework with MSW (Mock Service Worker) for API mocking.
+## Getting Started
 
-### Running Tests
+This section will guide you through setting up your developer environment and running tests.
+
+For more details on development in this monorepo, take a look at apps/workers-observability/CONTRIBUTING.md[/apps/workers-observability/CONTRIBUTING.md]
+
+### Testing
+
+The project uses Vitest as the testing framework with [fetchMock](https://developers.cloudflare.com/workers/testing/vitest-integration/test-apis/) for API mocking.
+
+#### Running Tests
 
 To run all tests:
 
@@ -30,4 +44,4 @@ To run tests in watch mode (useful during development):
 
 ```bash
 pnpm test:watch
-```
+```

README.md

@@ -1,15 +1,15 @@
 # Cloudflare MCP Server
 
-Model Context Protocol (MCP) is a [new, standardized protocol](https://modelcontextprotocol.io/introduction) for managing context between large language models (LLMs) and external systems. In this repository, you can find several MCP servers allowing you to connect to Cloudflare's service from an MCP client (e.g. Cursor, Claude Desktop) and use natural language to accomplish things on your Cloudflare account. The following servers are included in this repository: 
+Model Context Protocol (MCP) is a [new, standardized protocol](https://modelcontextprotocol.io/introduction) for managing context between large language models (LLMs) and external systems. In this repository, you can find several MCP servers allowing you to connect to Cloudflare's service from an MCP client (e.g. Cursor, Claude Desktop) and use natural language to accomplish things on your Cloudflare account. The following servers are included in this repository:
 
-| Server Name              | Description                                                                 | Server URL |
-|--------------------------|-----------------------------------------------------------------------------|-------|
-| [**Documentation server**](/apps/docs-autorag) | Get up to date reference information on Cloudflare                         | `https://docs.mcp.cloudflare.com/sse`      |
-| [**Workers Bindings server**](/apps/bindings) | Build Workers applications with storage, AI, and compute primitives     | `https://bindings.mcp.cloudflare.com/sse`       |
-| [**Observability server**](/apps/observability) | Debug and get insight into your application’s logs and analytics           |  `https://observability.mcp.cloudflare.com/sse`      |
-| [**Radar server**](/apps/radar)       | Get global Internet traffic insights, trends, URL scans, and other utilities |  `https://radar.mcp.cloudflare.com/sse`    |
+| Server Name                                     | Description                                                                  | Server URL                                     |
+| ----------------------------------------------- | ---------------------------------------------------------------------------- | ---------------------------------------------- |
+| [**Documentation server**](/apps/docs-autorag)  | Get up to date reference information on Cloudflare                           | `https://docs.mcp.cloudflare.com/sse`          |
+| [**Workers Bindings server**](/apps/bindings)   | Build Workers applications with storage, AI, and compute primitives          | `https://bindings.mcp.cloudflare.com/sse`      |
+| [**Observability server**](/apps/observability) | Debug and get insight into your application’s logs and analytics             | `https://observability.mcp.cloudflare.com/sse` |
+| [**Radar server**](/apps/radar)                 | Get global Internet traffic insights, trends, URL scans, and other utilities | `https://radar.mcp.cloudflare.com/sse`         |
 
-## Access the remote MCP server from any MCP client 
+## Access the remote MCP server from any MCP client
 
 If your MCP client has first class support for remote MCP servers, the client will provide a way to accept the server URL directly within its interface (e.g. [Cloudflare AI Playground](https://playground.ai.cloudflare.com/))
 
@@ -21,23 +21,23 @@ If your client does not yet support remote MCP servers, you will need to set up
 		"cloudflare-observability": {
 			"command": "npx",
 			"args": ["mcp-remote", "https://observability.mcp.cloudflare.com/sse"]
-		}, 
+		},
 		"cloudflare-bindings": {
 			"command": "npx",
 			"args": ["mcp-remote", "https://bindings.mcp.cloudflare.com/sse"]
-		}, 
+		}
 	}
 }
 ```
 
 ## Need access to more Cloudflare tools?
 
-We're continuing to add more functionality to this remote MCP server repo. If you'd like to leave feedback, file a bug or provide a feature request, [please open an issue](https://github.com/cloudflare/mcp-server-cloudflare/issues/new/choose) on this repository 
+We're continuing to add more functionality to this remote MCP server repo. If you'd like to leave feedback, file a bug or provide a feature request, [please open an issue](https://github.com/cloudflare/mcp-server-cloudflare/issues/new/choose) on this repository
 
 ## Paid Features
 
 Some features may require a paid Cloudflare Workers plan. Ensure your Cloudflare account has the necessary subscription level for the features you intend to use.
 
 ## Contributing
 
-Interested in contributing, and running this server locally? See [CONTRIBUTING.md](CONTRIBUTING.md) to get started. 
+Interested in contributing, and running this server locally? See [CONTRIBUTING.md](CONTRIBUTING.md) to get started.

apps/radar/CONTRIBUTING.md

@@ -7,13 +7,15 @@ If you'd like to iterate and test your MCP server, you can do so in local develo
 1. Create a `.dev.vars` file in your project root:
 
    If you're a Cloudflare employee:
+
    ```
    CLOUDFLARE_CLIENT_ID=your_development_cloudflare_client_id
    CLOUDFLARE_CLIENT_SECRET=your_development_cloudflare_client_secret
    URL_SCANNER_API_TOKEN=your_development_url_scanner_api_token
    ```
 
    If you're an external contributor, you can provide a development API token:
+
    ```
    DEV_DISABLE_OAUTH=true
    # This is your global api token

apps/radar/src/index.ts

@@ -75,6 +75,7 @@ const RadarScopes = {
 	offline_access: 'Grants refresh tokens for long-lived access.',
 } as const
 
+// TODO: Move this in to wci-common
 async function handleDevMode(req: Request, env: Env, ctx: ExecutionContext) {
 	const { user, accounts } = await getUserAndAccounts(env.DEV_CLOUDFLARE_API_TOKEN, {
 		'X-Auth-Email': env.DEV_CLOUDFLARE_EMAIL,
@@ -110,6 +111,6 @@ export default {
 			// Cloudflare access token TTL
 			accessTokenTTL: 3600,
 			clientRegistrationEndpoint: '/register',
-		}).fetch(req, env,ctx)
+		}).fetch(req, env, ctx)
 	},
 }

apps/sandbox-container/server/context.ts

@@ -12,4 +12,7 @@ export interface Env {
 	CONTAINER_MANAGER: DurableObjectNamespace<ContainerManager>
 	MCP_METRICS: AnalyticsEngineDataset
 	AI: Ai
+	DEV_DISABLE_OAUTH: string
+	DEV_CLOUDFLARE_API_TOKEN: string
+	DEV_CLOUDFLARE_EMAIL: string
 }

apps/sandbox-container/server/index.ts

@@ -2,6 +2,7 @@ import OAuthProvider from '@cloudflare/workers-oauth-provider'
 
 import {
 	createAuthHandlers,
+	getUserAndAccounts,
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
 import { getEnv } from '@repo/mcp-common/src/env'
@@ -39,8 +40,22 @@ const ContainerScopes = {
 		'See and change Cloudflare Workers data such as zones, KV storage, namespaces, scripts, and routes.',
 } as const
 
+// TODO: Move this in to wci-common
+async function handleDevMode(req: Request, env: Env, ctx: ExecutionContext) {
+	const { user, accounts } = await getUserAndAccounts(env.DEV_CLOUDFLARE_API_TOKEN, {
+		'X-Auth-Email': env.DEV_CLOUDFLARE_EMAIL,
+		'X-Auth-Key': env.DEV_CLOUDFLARE_API_TOKEN,
+	})
+	ctx.props = {
+		accessToken: env.DEV_CLOUDFLARE_API_TOKEN,
+		user,
+		accounts,
+	} as Props
+	return ContainerMcpAgent.mount('/sse').fetch(req, env, ctx)
+}
+
 export default {
-	fetch: (req: Request, env: Env, ctx: ExecutionContext) => {
+	fetch: async (req: Request, env: Env, ctx: ExecutionContext) => {
 		// @ts-ignore
 		if (env.ENVIRONMENT === 'test') {
 			ctx.props = {
@@ -58,6 +73,10 @@ export default {
 			)
 		}
 
+		if (env.ENVIRONMENT === 'dev' && env.DEV_DISABLE_OAUTH === 'true') {
+			return await handleDevMode(req, env, ctx)
+		}
+
 		return new OAuthProvider({
 			apiRoute: '/sse',
 			apiHandler: ContainerMcpAgent.mount('/sse', { binding: 'CONTAINER_MCP_AGENT' }),

apps/workers-bindings/src/context.ts

@@ -9,4 +9,7 @@ export interface Env {
 	CLOUDFLARE_CLIENT_SECRET: '<PLACEHOLDER>'
 	MCP_OBJECT: DurableObjectNamespace<WorkersBindingsMCP>
 	MCP_METRICS: AnalyticsEngineDataset
+	DEV_DISABLE_OAUTH: string
+	DEV_CLOUDFLARE_API_TOKEN: string
+	DEV_CLOUDFLARE_EMAIL: string
 }

apps/workers-bindings/src/index.ts

@@ -3,6 +3,7 @@ import { McpAgent } from 'agents/mcp'
 
 import {
 	createAuthHandlers,
+	getUserAndAccounts,
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
 import { getEnv } from '@repo/mcp-common/src/env'
@@ -103,17 +104,42 @@ const BindingsScopes = {
 	'd1:write': 'Create, read, and write to D1 databases',
 } as const
 
-// Export the OAuth handler as the default
-export default new OAuthProvider({
-	apiRoute: '/sse',
-	apiHandler: WorkersBindingsMCP.mount('/sse'),
-	// @ts-ignore
-	defaultHandler: createAuthHandlers({ scopes: BindingsScopes, metrics }),
-	authorizeEndpoint: '/oauth/authorize',
-	tokenEndpoint: '/token',
-	tokenExchangeCallback: (options) =>
-		handleTokenExchangeCallback(options, env.CLOUDFLARE_CLIENT_ID, env.CLOUDFLARE_CLIENT_SECRET),
-	// Cloudflare access token TTL
-	accessTokenTTL: 3600,
-	clientRegistrationEndpoint: '/register',
-})
+// TODO: Move this in to wci-common
+async function handleDevMode(req: Request, env: Env, ctx: ExecutionContext) {
+	const { user, accounts } = await getUserAndAccounts(env.DEV_CLOUDFLARE_API_TOKEN, {
+		'X-Auth-Email': env.DEV_CLOUDFLARE_EMAIL,
+		'X-Auth-Key': env.DEV_CLOUDFLARE_API_TOKEN,
+	})
+	ctx.props = {
+		accessToken: env.DEV_CLOUDFLARE_API_TOKEN,
+		user,
+		accounts,
+	} as Props
+	return WorkersBindingsMCP.mount('/sse').fetch(req, env, ctx)
+}
+
+export default {
+	fetch: async (req: Request, env: Env, ctx: ExecutionContext) => {
+		if (env.ENVIRONMENT === 'development' && env.DEV_DISABLE_OAUTH === 'true') {
+			return await handleDevMode(req, env, ctx)
+		}
+
+		return new OAuthProvider({
+			apiRoute: '/sse',
+			apiHandler: WorkersBindingsMCP.mount('/sse'),
+			// @ts-ignore
+			defaultHandler: createAuthHandlers({ scopes: BindingsScopes, metrics }),
+			authorizeEndpoint: '/oauth/authorize',
+			tokenEndpoint: '/token',
+			tokenExchangeCallback: (options) =>
+				handleTokenExchangeCallback(
+					options,
+					env.CLOUDFLARE_CLIENT_ID,
+					env.CLOUDFLARE_CLIENT_SECRET
+				),
+			// Cloudflare access token TTL
+			accessTokenTTL: 3600,
+			clientRegistrationEndpoint: '/register',
+		}).fetch(req, env, ctx)
+	},
+}

apps/workers-observability/src/context.ts

@@ -3,14 +3,17 @@ import type { ObservabilityMCP } from './index'
 export interface Env {
 	OAUTH_KV: KVNamespace
 	ENVIRONMENT: 'development' | 'staging' | 'production'
-	MCP_SERVER_NAME: 'PLACEHOLDER'
-	MCP_SERVER_VERSION: 'PLACEHOLDER'
-	CLOUDFLARE_CLIENT_ID: 'PLACEHOLDER'
-	CLOUDFLARE_CLIENT_SECRET: 'PLACEHOLDER'
+	MCP_SERVER_NAME: string
+	MCP_SERVER_VERSION: string
+	CLOUDFLARE_CLIENT_ID: string
+	CLOUDFLARE_CLIENT_SECRET: string
 	MCP_OBJECT: DurableObjectNamespace<ObservabilityMCP>
 	MCP_METRICS: AnalyticsEngineDataset
-	SENTRY_ACCESS_CLIENT_ID: 'PLACEHOLDER'
-	SENTRY_ACCESS_CLIENT_SECRET: 'PLACEHOLDER'
-	GIT_HASH: 'OVERRIDEN_DURING_DEPLOYMENT'
-	SENTRY_DSN: 'PLACEHOLDER'
+	SENTRY_ACCESS_CLIENT_ID: string
+	SENTRY_ACCESS_CLIENT_SECRET: string
+	GIT_HASH: string
+	SENTRY_DSN: string
+	DEV_DISABLE_OAUTH: string
+	DEV_CLOUDFLARE_API_TOKEN: string
+	DEV_CLOUDFLARE_EMAIL: string
 }

apps/workers-observability/src/index.ts

@@ -3,6 +3,7 @@ import { McpAgent } from 'agents/mcp'
 
 import {
 	createAuthHandlers,
+	getUserAndAccounts,
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
 import { getEnv } from '@repo/mcp-common/src/env'
@@ -104,16 +105,42 @@ const ObservabilityScopes = {
 	'workers_observability:read': 'See observability logs for your account',
 } as const
 
-export default new OAuthProvider({
-	apiRoute: '/sse',
-	apiHandler: ObservabilityMCP.mount('/sse'),
-	// @ts-ignore
-	defaultHandler: createAuthHandlers({ scopes: ObservabilityScopes, metrics }),
-	authorizeEndpoint: '/oauth/authorize',
-	tokenEndpoint: '/token',
-	tokenExchangeCallback: (options) =>
-		handleTokenExchangeCallback(options, env.CLOUDFLARE_CLIENT_ID, env.CLOUDFLARE_CLIENT_SECRET),
-	// Cloudflare access token TTL
-	accessTokenTTL: 3600,
-	clientRegistrationEndpoint: '/register',
-})
+// TODO: Move this in to wci-common
+async function handleDevMode(req: Request, env: Env, ctx: ExecutionContext) {
+	const { user, accounts } = await getUserAndAccounts(env.DEV_CLOUDFLARE_API_TOKEN, {
+		'X-Auth-Email': env.DEV_CLOUDFLARE_EMAIL,
+		'X-Auth-Key': env.DEV_CLOUDFLARE_API_TOKEN,
+	})
+	ctx.props = {
+		accessToken: env.DEV_CLOUDFLARE_API_TOKEN,
+		user,
+		accounts,
+	} as Props
+	return ObservabilityMCP.mount('/sse').fetch(req, env, ctx)
+}
+
+export default {
+	fetch: async (req: Request, env: Env, ctx: ExecutionContext) => {
+		if (env.ENVIRONMENT === 'development' && env.DEV_DISABLE_OAUTH === 'true') {
+			return await handleDevMode(req, env, ctx)
+		}
+
+		return new OAuthProvider({
+			apiRoute: '/sse',
+			apiHandler: ObservabilityMCP.mount('/sse'),
+			// @ts-ignore
+			defaultHandler: createAuthHandlers({ scopes: ObservabilityScopes, metrics }),
+			authorizeEndpoint: '/oauth/authorize',
+			tokenEndpoint: '/token',
+			tokenExchangeCallback: (options) =>
+				handleTokenExchangeCallback(
+					options,
+					env.CLOUDFLARE_CLIENT_ID,
+					env.CLOUDFLARE_CLIENT_SECRET
+				),
+			// Cloudflare access token TTL
+			accessTokenTTL: 3600,
+			clientRegistrationEndpoint: '/register',
+		}).fetch(req, env, ctx)
+	},
+}