feat(cloud): add cf-storage-cors worker to handle CORS preflight for R2 storage

Adds a Cloudflare Worker that intercepts OPTIONS preflight requests and
returns 200 with CORS headers, forwarding GET/PUT/HEAD directly to the
fireproof-cloud R2 bucket binding. Adds deploy step to CI.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: mabels

.github/workflows/ci-core-cf-deploy.yaml

@@ -23,6 +23,14 @@ jobs:
 
       - uses: ./actions/base
 
+      - name: deploy cloud/backend/cf-storage-cors
+        working-directory: cloud/backend/cf-storage-cors
+        env:
+          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          CLOUDFLARE_ACCOUNT_ID: ${{ vars.CLOUDFLARE_ACCOUNT_ID }}
+        run: |
+          pnpm run wrangler:deploy
+
       - name: deploy cloud/backend/cf-d1 - 1
         working-directory: cloud/backend/cf-d1
         env:

cloud/backend/cf-storage-cors/index.ts

@@ -0,0 +1,42 @@
+interface Env {
+  BUCKET: R2Bucket;
+}
+
+const CORS_HEADERS = {
+  "Access-Control-Allow-Origin": "*",
+  "Access-Control-Allow-Methods": "GET, PUT, HEAD",
+  "Access-Control-Allow-Headers": "*",
+};
+
+export default {
+  async fetch(request: Request, env: Env): Promise<Response> {
+    if (request.method === "OPTIONS") {
+      return new Response(null, { status: 200, headers: CORS_HEADERS });
+    }
+
+    const url = new URL(request.url);
+    const key = url.pathname.replace(/^\//, "");
+
+    if (request.method === "HEAD") {
+      const obj = await env.BUCKET.head(key);
+      if (!obj) return new Response(null, { status: 404, headers: CORS_HEADERS });
+      return new Response(null, { status: 200, headers: { ...CORS_HEADERS, etag: obj.etag } });
+    }
+
+    if (request.method === "GET") {
+      const obj = await env.BUCKET.get(key);
+      if (!obj) return new Response("Not Found", { status: 404, headers: CORS_HEADERS });
+      return new Response(obj.body, {
+        status: 200,
+        headers: { ...CORS_HEADERS, etag: obj.etag, "content-type": obj.httpMetadata?.contentType ?? "application/octet-stream" },
+      });
+    }
+
+    if (request.method === "PUT") {
+      await env.BUCKET.put(key, request.body);
+      return new Response(null, { status: 200, headers: CORS_HEADERS });
+    }
+
+    return new Response("Method Not Allowed", { status: 405, headers: CORS_HEADERS });
+  },
+};

cloud/backend/cf-storage-cors/package.json

@@ -0,0 +1,44 @@
+{
+  "name": "@fireproof/cloud-backend-cf-storage-cors",
+  "version": "0.0.0",
+  "description": "CORS gateway worker for Fireproof R2 storage.",
+  "type": "module",
+  "scripts": {
+    "build": "core-cli tsc",
+    "pack": "echo cloud need not to pack",
+    "publish": "echo skip",
+    "wrangler:deploy": "wrangler deploy -c ./wrangler.toml --env dev"
+  },
+  "keywords": [
+    "ledger",
+    "JSON",
+    "document",
+    "IPLD",
+    "CID",
+    "IPFS"
+  ],
+  "contributors": [
+    "J Chris Anderson",
+    "Alan Shaw",
+    "Travis Vachon",
+    "Mikeal Rogers",
+    "Meno Abels"
+  ],
+  "author": "J Chris Anderson",
+  "license": "AFL-2.0",
+  "homepage": "https://use-fireproof.com",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/fireproof-storage/fireproof.git"
+  },
+  "bugs": {
+    "url": "https://github.com/fireproof-storage/fireproof/issues"
+  },
+  "dependencies": {
+    "@cloudflare/workers-types": "^4.20260316.1"
+  },
+  "devDependencies": {
+    "@fireproof/core-cli": "workspace:0.0.0",
+    "wrangler": "^4.73.0"
+  }
+}

cloud/backend/cf-storage-cors/tsconfig.json

@@ -0,0 +1,8 @@
+{
+  "extends": "../../../tsconfig.json",
+  "compilerOptions": {
+    "outDir": "./dist",
+    "allowSyntheticDefaultImports": true,
+    "types": ["@cloudflare/workers-types"]
+  }
+}

cloud/backend/cf-storage-cors/wrangler.toml

@@ -0,0 +1,23 @@
+name = "fireproof-storage-cors"
+main = "index.ts"
+compatibility_date = "2025-02-24"
+
+[observability]
+enabled = true
+head_sampling_rate = 1
+
+# R2 binding points to the existing fireproof-cloud bucket
+# The custom domain storage.fireproof.direct must be re-pointed
+# from direct R2 access to this worker in the Cloudflare dashboard.
+[[r2_buckets]]
+binding = "BUCKET"
+bucket_name = "fireproof-cloud"
+
+[env.dev]
+[[env.dev.r2_buckets]]
+binding = "BUCKET"
+bucket_name = "fireproof-cloud"
+
+[[env.dev.routes]]
+pattern = "storage.fireproof.direct/*"
+zone_name = "fireproof.direct"