Add Radar and URL Scanner OAuth scopes

Author: andre-j3sus

apps/radar/.dev.vars.example

@@ -1,6 +1,5 @@
 CLOUDFLARE_CLIENT_ID=
 CLOUDFLARE_CLIENT_SECRET=
-URL_SCANNER_API_TOKEN=
 DEV_DISABLE_OAUTH=
 DEV_CLOUDFLARE_API_TOKEN=
-DEV_CLOUDFLARE_EMAIL=
+DEV_CLOUDFLARE_EMAIL=

apps/radar/CONTRIBUTING.md

@@ -11,7 +11,6 @@ If you'd like to iterate and test your MCP server, you can do so in local develo
    ```
    CLOUDFLARE_CLIENT_ID=your_development_cloudflare_client_id
    CLOUDFLARE_CLIENT_SECRET=your_development_cloudflare_client_secret
-   URL_SCANNER_API_TOKEN=your_development_url_scanner_api_token
    ```
 
    If you're an external contributor, you can provide a development API token:
@@ -21,7 +20,6 @@ If you'd like to iterate and test your MCP server, you can do so in local develo
    DEV_CLOUDFLARE_EMAIL=your_cloudflare_email
    # This is your global api token
    DEV_CLOUDFLARE_API_TOKEN=your_development_api_token
-   URL_SCANNER_API_TOKEN=your_development_url_scanner_api_token
    ```
 
 2. Start the local development server:
@@ -40,7 +38,6 @@ Set secrets via Wrangler:
 ```bash
 npx wrangler secret put CLOUDFLARE_CLIENT_ID -e <ENVIRONMENT>
 npx wrangler secret put CLOUDFLARE_CLIENT_SECRET -e <ENVIRONMENT>
-npx wrangler secret put URL_SCANNER_API_TOKEN -e <ENVIRONMENT>
 ```
 
 ## Set up a KV namespace

apps/radar/src/context.ts

@@ -1,15 +1,14 @@
-import type { RadarMCP } from './index'
+import type { RadarMCP, UserDetails } from './index'
 
 export interface Env {
 	OAUTH_KV: KVNamespace
 	ENVIRONMENT: 'development' | 'staging' | 'production'
-	ACCOUNT_ID: '6702657b6aa048cf3081ff3ff3c9c52f'
 	MCP_SERVER_NAME: string
 	MCP_SERVER_VERSION: string
 	CLOUDFLARE_CLIENT_ID: string
 	CLOUDFLARE_CLIENT_SECRET: string
-	URL_SCANNER_API_TOKEN: string
 	MCP_OBJECT: DurableObjectNamespace<RadarMCP>
+	USER_DETAILS: DurableObjectNamespace<UserDetails>
 	MCP_METRICS: AnalyticsEngineDataset
 	DEV_DISABLE_OAUTH: string
 	DEV_CLOUDFLARE_API_TOKEN: string

apps/radar/src/index.ts

@@ -6,9 +6,11 @@ import {
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
 import { handleDevMode } from '@repo/mcp-common/src/dev-mode'
+import { getUserDetails, UserDetails } from '@repo/mcp-common/src/durable-objects/user_details'
 import { getEnv } from '@repo/mcp-common/src/env'
 import { RequiredScopes } from '@repo/mcp-common/src/scopes'
 import { CloudflareMCPServer } from '@repo/mcp-common/src/server'
+import { registerAccountTools } from '@repo/mcp-common/src/tools/account'
 import { MetricsTracker } from '@repo/mcp-observability'
 
 import { registerRadarTools } from './tools/radar'
@@ -19,6 +21,8 @@ import type { Env } from './context'
 
 const env = getEnv<Env>()
 
+export { UserDetails }
+
 const metrics = new MetricsTracker(env.MCP_METRICS, {
 	name: env.MCP_SERVER_NAME,
 	version: env.MCP_SERVER_VERSION,
@@ -27,15 +31,13 @@ const metrics = new MetricsTracker(env.MCP_METRICS, {
 // Context from the auth process, encrypted & stored in the auth token
 // and provided to the DurableMCP as this.props
 type Props = AuthProps
-
-type State = never
+type State = { activeAccountId: string | null }
 
 export class RadarMCP extends McpAgent<Env, State, Props> {
 	_server: CloudflareMCPServer | undefined
 	set server(server: CloudflareMCPServer) {
 		this._server = server
 	}
-
 	get server(): CloudflareMCPServer {
 		if (!this._server) {
 			throw new Error('Tried to access server before it was initialized')
@@ -44,10 +46,7 @@ export class RadarMCP extends McpAgent<Env, State, Props> {
 		return this._server
 	}
 
-	constructor(
-		public ctx: DurableObjectState,
-		public env: Env
-	) {
+	constructor(ctx: DurableObjectState, env: Env) {
 		super(ctx, env)
 	}
 
@@ -61,15 +60,38 @@ export class RadarMCP extends McpAgent<Env, State, Props> {
 			},
 		})
 
+		registerAccountTools(this)
 		registerRadarTools(this)
 		registerUrlScannerTools(this)
 	}
+
+	async getActiveAccountId() {
+		try {
+			// Get UserDetails Durable Object based off the userId and retrieve the activeAccountId from it
+			// we do this so we can persist activeAccountId across sessions
+			const userDetails = getUserDetails(env, this.props.user.id)
+			return await userDetails.getActiveAccountId()
+		} catch (e) {
+			this.server.recordError(e)
+			return null
+		}
+	}
+
+	async setActiveAccountId(accountId: string) {
+		try {
+			const userDetails = getUserDetails(env, this.props.user.id)
+			await userDetails.setActiveAccountId(accountId)
+		} catch (e) {
+			this.server.recordError(e)
+		}
+	}
 }
 
 const RadarScopes = {
 	...RequiredScopes,
-	// TODO 'radar:read': 'Grants access to read Cloudflare Radar data.',
-	// TODO 'url_scanner:write': 'Grants write level access to URL Scanner', // Remove URL_SCANNER_API_TOKEN env var
+	'account:read': 'See your account info such as account details, analytics, and memberships.',
+	'radar:read': 'Grants access to read Cloudflare Radar data.',
+	'url_scanner:write': 'Grants write level access to URL Scanner',
 } as const
 
 export default {

apps/radar/src/tools/url-scanner.ts

@@ -16,36 +16,42 @@ export function registerUrlScannerTools(agent: RadarMCP) {
 			url: UrlParam,
 		},
 		async ({ url }) => {
+			const accountId = await agent.getActiveAccountId()
+			if (!accountId) {
+				return {
+					content: [
+						{
+							type: 'text',
+							text: 'No currently active accountId. Try listing your accounts (accounts_list) and then setting an active account (set_active_account)',
+						},
+					],
+				}
+			}
+
 			try {
 				const client = getCloudflareClient(agent.props.accessToken)
-				const account_id = agent.env.ACCOUNT_ID
-				const headers = {
-					Authorization: `Bearer ${agent.env.URL_SCANNER_API_TOKEN}`,
-				}
 
-				// TODO search if there are recent scans for the URL
-				const scans = await client.urlScanner.scans.list(
-					{
-						account_id,
-						size: 1,
-						q: `page.url:${url}`,
-					},
-					{ headers }
-				)
-				console.log(scans)
+				// Search if there are recent scans for the URL
+				const scans = await client.urlScanner.scans.list({
+					account_id: accountId,
+					size: 1,
+					q: `page.url:${url}`,
+				})
 
 				let scanId = scans.results.length > 0 ? scans.results[0]._id : null
 
 				if (!scanId) {
 					// Submit scan
-					// TODO investigate why this does not work
+					// TODO theres an issue (reported) with this method in the cloudflare TS lib
 					// const scan = await (client.urlScanner.scans.create({ account_id, url: "https://www.example.com" }, { headers })).withResponse()
 
 					const res = await fetch(
-						`https://api.cloudflare.com/client/v4/accounts/${account_id}/urlscanner/v2/scan`,
+						`https://api.cloudflare.com/client/v4/accounts/${accountId}/urlscanner/v2/scan`,
 						{
 							method: 'POST',
-							headers,
+							headers: {
+								Authorization: `Bearer ${agent.props.accessToken}`,
+							},
 							body: JSON.stringify({ url }),
 						}
 					)
@@ -59,7 +65,7 @@ export function registerUrlScannerTools(agent: RadarMCP) {
 				}
 
 				const r = await pollUntilReady({
-					taskFn: () => client.urlScanner.scans.get(scanId, { account_id }, { headers }),
+					taskFn: () => client.urlScanner.scans.get(scanId, { account_id: accountId }),
 					intervalSeconds: INTERVAL_SECONDS,
 					maxWaitSeconds: MAX_WAIT_SECONDS,
 				})

apps/radar/wrangler.jsonc

@@ -33,7 +33,6 @@
 	],
 	"vars": {
 		"ENVIRONMENT": "development",
-		"ACCOUNT_ID": "6702657b6aa048cf3081ff3ff3c9c52f",
 		"MCP_SERVER_NAME": "Cloudflare Radar Remote MCP Server - Dev",
 		"MCP_SERVER_VERSION": "1.0.0"
 	},
@@ -58,6 +57,11 @@
 					{
 						"class_name": "RadarMCP",
 						"name": "MCP_OBJECT"
+					},
+					{
+						"class_name": "UserDetails",
+						"name": "USER_DETAILS",
+						"script_name": "mcp-cloudflare-workers-observability-staging"
 					}
 				]
 			},
@@ -69,7 +73,6 @@
 			],
 			"vars": {
 				"ENVIRONMENT": "staging",
-				"ACCOUNT_ID": "6702657b6aa048cf3081ff3ff3c9c52f",
 				"MCP_SERVER_NAME": "Cloudflare Radar Remote MCP Server - Staging",
 				"MCP_SERVER_VERSION": "1.0.0"
 			},
@@ -89,6 +92,11 @@
 					{
 						"class_name": "RadarMCP",
 						"name": "MCP_OBJECT"
+					},
+					{
+						"class_name": "UserDetails",
+						"name": "USER_DETAILS",
+						"script_name": "mcp-cloudflare-workers-observability-production"
 					}
 				]
 			},
@@ -100,7 +108,6 @@
 			],
 			"vars": {
 				"ENVIRONMENT": "production",
-				"ACCOUNT_ID": "6702657b6aa048cf3081ff3ff3c9c52f",
 				"MCP_SERVER_NAME": "Cloudflare Radar Remote MCP Server",
 				"MCP_SERVER_VERSION": "1.0.0"
 			},