Add support for bearer auth with user API tokens

cmsparks · cmsparks · commit ac391eb1d731 · 2025-05-19T15:19:23.000-05:00
diff --git a/apps/ai-gateway/src/ai-gateway.app.ts b/apps/ai-gateway/src/ai-gateway.app.ts
@@ -1,11 +1,11 @@
 import OAuthProvider from '@cloudflare/workers-oauth-provider'
 import { McpAgent } from 'agents/mcp'
 
+import { handleApiTokenMode, isApiTokenRequest } from '@repo/mcp-common/src/api-token-mode'
 import {
 	createAuthHandlers,
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
-import { handleDevMode } from '@repo/mcp-common/src/dev-mode'
 import { getUserDetails, UserDetails } from '@repo/mcp-common/src/durable-objects/user_details.do'
 import { getEnv } from '@repo/mcp-common/src/env'
 import { RequiredScopes } from '@repo/mcp-common/src/scopes'
@@ -95,8 +95,8 @@ const AIGatewayScopes = {
 
 export default {
 	fetch: async (req: Request, env: Env, ctx: ExecutionContext) => {
-		if (env.ENVIRONMENT === 'development' && env.DEV_DISABLE_OAUTH === 'true') {
-			return await handleDevMode(AIGatewayMCP, req, env, ctx)
+		if (await isApiTokenRequest(req, env)) {
+			return await handleApiTokenMode(AIGatewayMCP, req, env, ctx)
 		}
 
 		return new OAuthProvider({
diff --git a/apps/auditlogs/src/auditlogs.app.ts b/apps/auditlogs/src/auditlogs.app.ts
@@ -1,11 +1,11 @@
 import OAuthProvider from '@cloudflare/workers-oauth-provider'
 import { McpAgent } from 'agents/mcp'
 
+import { handleApiTokenMode, isApiTokenRequest } from '@repo/mcp-common/src/api-token-mode'
 import {
 	createAuthHandlers,
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
-import { handleDevMode } from '@repo/mcp-common/src/dev-mode'
 import { getUserDetails, UserDetails } from '@repo/mcp-common/src/durable-objects/user_details.do'
 import { getEnv } from '@repo/mcp-common/src/env'
 import { RequiredScopes } from '@repo/mcp-common/src/scopes'
@@ -95,8 +95,8 @@ const AuditlogScopes = {
 
 export default {
 	fetch: async (req: Request, env: Env, ctx: ExecutionContext) => {
-		if (env.ENVIRONMENT === 'development' && env.DEV_DISABLE_OAUTH === 'true') {
-			return await handleDevMode(AuditlogMCP, req, env, ctx)
+		if (await isApiTokenRequest(req, env)) {
+			return await handleApiTokenMode(AuditlogMCP, req, env, ctx)
 		}
 
 		return new OAuthProvider({
diff --git a/apps/autorag/src/autorag.app.ts b/apps/autorag/src/autorag.app.ts
@@ -1,11 +1,11 @@
 import OAuthProvider from '@cloudflare/workers-oauth-provider'
 import { McpAgent } from 'agents/mcp'
 
+import { handleApiTokenMode, isApiTokenRequest } from '@repo/mcp-common/src/api-token-mode'
 import {
 	createAuthHandlers,
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
-import { handleDevMode } from '@repo/mcp-common/src/dev-mode'
 import { getUserDetails, UserDetails } from '@repo/mcp-common/src/durable-objects/user_details.do'
 import { getEnv } from '@repo/mcp-common/src/env'
 import { RequiredScopes } from '@repo/mcp-common/src/scopes'
@@ -95,8 +95,8 @@ const LogPushScopes = {
 
 export default {
 	fetch: async (req: Request, env: Env, ctx: ExecutionContext) => {
-		if (env.ENVIRONMENT === 'development' && env.DEV_DISABLE_OAUTH === 'true') {
-			return await handleDevMode(AutoRAGMCP, req, env, ctx)
+		if (await isApiTokenRequest(req, env)) {
+			return await handleApiTokenMode(AutoRAGMCP, req, env, ctx)
 		}
 
 		return new OAuthProvider({
diff --git a/apps/browser-rendering/src/browser.app.ts b/apps/browser-rendering/src/browser.app.ts
@@ -1,11 +1,11 @@
 import OAuthProvider from '@cloudflare/workers-oauth-provider'
 import { McpAgent } from 'agents/mcp'
 
+import { handleApiTokenMode, isApiTokenRequest } from '@repo/mcp-common/src/api-token-mode'
 import {
 	createAuthHandlers,
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
-import { handleDevMode } from '@repo/mcp-common/src/dev-mode'
 import { getUserDetails, UserDetails } from '@repo/mcp-common/src/durable-objects/user_details.do'
 import { getEnv } from '@repo/mcp-common/src/env'
 import { RequiredScopes } from '@repo/mcp-common/src/scopes'
@@ -95,8 +95,8 @@ const BrowserScopes = {
 
 export default {
 	fetch: async (req: Request, env: Env, ctx: ExecutionContext) => {
-		if (env.ENVIRONMENT === 'development' && env.DEV_DISABLE_OAUTH === 'true') {
-			return await handleDevMode(BrowserMCP, req, env, ctx)
+		if (await isApiTokenRequest(req, env)) {
+			return await handleApiTokenMode(BrowserMCP, req, env, ctx)
 		}
 
 		return new OAuthProvider({
diff --git a/apps/cloudflare-one-casb/src/cf1-casb.app.ts b/apps/cloudflare-one-casb/src/cf1-casb.app.ts
@@ -1,11 +1,11 @@
 import OAuthProvider from '@cloudflare/workers-oauth-provider'
 import { McpAgent } from 'agents/mcp'
 
+import { handleApiTokenMode, isApiTokenRequest } from '@repo/mcp-common/src/api-token-mode'
 import {
 	createAuthHandlers,
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
-import { handleDevMode } from '@repo/mcp-common/src/dev-mode'
 import { getUserDetails, UserDetails } from '@repo/mcp-common/src/durable-objects/user_details.do'
 import { getEnv } from '@repo/mcp-common/src/env'
 import { RequiredScopes } from '@repo/mcp-common/src/scopes'
@@ -93,8 +93,8 @@ const CloudflareOneCasbScopes = {
 
 export default {
 	fetch: async (req: Request, env: Env, ctx: ExecutionContext) => {
-		if (env.ENVIRONMENT === 'development' && env.DEV_DISABLE_OAUTH === 'true') {
-			return await handleDevMode(CASBMCP, req, env, ctx)
+		if (await isApiTokenRequest(req, env)) {
+			return await handleApiTokenMode(CASBMCP, req, env, ctx)
 		}
 
 		return new OAuthProvider({
diff --git a/apps/dex-analysis/src/dex-analysis.app.ts b/apps/dex-analysis/src/dex-analysis.app.ts
@@ -1,11 +1,11 @@
 import OAuthProvider from '@cloudflare/workers-oauth-provider'
 import { McpAgent } from 'agents/mcp'
 
+import { handleApiTokenMode, isApiTokenRequest } from '@repo/mcp-common/src/api-token-mode'
 import {
 	createAuthHandlers,
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
-import { handleDevMode } from '@repo/mcp-common/src/dev-mode'
 import { getUserDetails, UserDetails } from '@repo/mcp-common/src/durable-objects/user_details.do'
 import { getEnv } from '@repo/mcp-common/src/env'
 import { RequiredScopes } from '@repo/mcp-common/src/scopes'
@@ -95,8 +95,8 @@ const DexScopes = {
 
 export default {
 	fetch: async (req: Request, env: Env, ctx: ExecutionContext) => {
-		if (env.ENVIRONMENT === 'development' && env.DEV_DISABLE_OAUTH === 'true') {
-			return await handleDevMode(CloudflareDEXMCP, req, env, ctx)
+		if (await isApiTokenRequest(req, env)) {
+			return await handleApiTokenMode(CloudflareDEXMCP, req, env, ctx)
 		}
 
 		return new OAuthProvider({
diff --git a/apps/dns-analytics/src/dns-analytics.app.ts b/apps/dns-analytics/src/dns-analytics.app.ts
@@ -1,11 +1,11 @@
 import OAuthProvider from '@cloudflare/workers-oauth-provider'
 import { McpAgent } from 'agents/mcp'
 
+import { handleApiTokenMode, isApiTokenRequest } from '@repo/mcp-common/src/api-token-mode'
 import {
 	createAuthHandlers,
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
-import { handleDevMode } from '@repo/mcp-common/src/dev-mode'
 import { getUserDetails, UserDetails } from '@repo/mcp-common/src/durable-objects/user_details.do'
 import { getEnv } from '@repo/mcp-common/src/env'
 import { RequiredScopes } from '@repo/mcp-common/src/scopes'
@@ -102,8 +102,8 @@ const AnalyticsScopes = {
 
 export default {
 	fetch: async (req: Request, env: Env, ctx: ExecutionContext) => {
-		if (env.ENVIRONMENT === 'development' && env.DEV_DISABLE_OAUTH === 'true') {
-			return await handleDevMode(DNSAnalyticsMCP, req, env, ctx)
+		if (await isApiTokenRequest(req, env)) {
+			return await handleApiTokenMode(DNSAnalyticsMCP, req, env, ctx)
 		}
 
 		return new OAuthProvider({
diff --git a/apps/graphql/src/graphql.app.ts b/apps/graphql/src/graphql.app.ts
@@ -1,11 +1,11 @@
 import OAuthProvider from '@cloudflare/workers-oauth-provider'
 import { McpAgent } from 'agents/mcp'
 
+import { handleApiTokenMode, isApiTokenRequest } from '@repo/mcp-common/src/api-token-mode'
 import {
 	createAuthHandlers,
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
-import { handleDevMode } from '@repo/mcp-common/src/dev-mode'
 import { getUserDetails, UserDetails } from '@repo/mcp-common/src/durable-objects/user_details.do'
 import { getEnv } from '@repo/mcp-common/src/env'
 import { RequiredScopes } from '@repo/mcp-common/src/scopes'
@@ -103,8 +103,8 @@ const GraphQLScopes = {
 
 export default {
 	fetch: async (req: Request, env: Env, ctx: ExecutionContext) => {
-		if (env.ENVIRONMENT === 'development' && env.DEV_DISABLE_OAUTH === 'true') {
-			return await handleDevMode(GraphQLMCP, req, env, ctx)
+		if (await isApiTokenRequest(req, env)) {
+			return await handleApiTokenMode(GraphQLMCP, req, env, ctx)
 		}
 
 		return new OAuthProvider({
diff --git a/apps/logpush/src/logpush.app.ts b/apps/logpush/src/logpush.app.ts
@@ -1,11 +1,11 @@
 import OAuthProvider from '@cloudflare/workers-oauth-provider'
 import { McpAgent } from 'agents/mcp'
 
+import { handleApiTokenMode, isApiTokenRequest } from '@repo/mcp-common/src/api-token-mode'
 import {
 	createAuthHandlers,
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
-import { handleDevMode } from '@repo/mcp-common/src/dev-mode'
 import { getUserDetails, UserDetails } from '@repo/mcp-common/src/durable-objects/user_details.do'
 import { getEnv } from '@repo/mcp-common/src/env'
 import { RequiredScopes } from '@repo/mcp-common/src/scopes'
@@ -96,8 +96,8 @@ const LogPushScopes = {
 
 export default {
 	fetch: async (req: Request, env: Env, ctx: ExecutionContext) => {
-		if (env.ENVIRONMENT === 'development' && env.DEV_DISABLE_OAUTH === 'true') {
-			return await handleDevMode(LogsMCP, req, env, ctx)
+		if (await isApiTokenRequest(req, env)) {
+			return await handleApiTokenMode(LogsMCP, req, env, ctx)
 		}
 
 		return new OAuthProvider({
diff --git a/apps/radar/src/radar.app.ts b/apps/radar/src/radar.app.ts
@@ -1,11 +1,11 @@
 import OAuthProvider from '@cloudflare/workers-oauth-provider'
 import { McpAgent } from 'agents/mcp'
 
+import { handleApiTokenMode, isApiTokenRequest } from '@repo/mcp-common/src/api-token-mode'
 import {
 	createAuthHandlers,
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
-import { handleDevMode } from '@repo/mcp-common/src/dev-mode'
 import { getUserDetails, UserDetails } from '@repo/mcp-common/src/durable-objects/user_details.do'
 import { getEnv } from '@repo/mcp-common/src/env'
 import { RequiredScopes } from '@repo/mcp-common/src/scopes'
@@ -98,8 +98,8 @@ const RadarScopes = {
 
 export default {
 	fetch: async (req: Request, env: Env, ctx: ExecutionContext) => {
-		if (env.ENVIRONMENT === 'development' && env.DEV_DISABLE_OAUTH === 'true') {
-			return await handleDevMode(RadarMCP, req, env, ctx)
+		if (await isApiTokenRequest(req, env)) {
+			return await handleApiTokenMode(RadarMCP, req, env, ctx)
 		}
 
 		return new OAuthProvider({
diff --git a/apps/sandbox-container/server/sandbox.server.app.ts b/apps/sandbox-container/server/sandbox.server.app.ts
@@ -1,11 +1,11 @@
 import OAuthProvider from '@cloudflare/workers-oauth-provider'
 
 import { createApiHandler } from '@repo/mcp-common/src/api-handler'
+import { handleApiTokenMode, isApiTokenRequest } from '@repo/mcp-common/src/api-token-mode'
 import {
 	createAuthHandlers,
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
-import { handleDevMode } from '@repo/mcp-common/src/dev-mode'
 import { getEnv } from '@repo/mcp-common/src/env'
 import { RequiredScopes } from '@repo/mcp-common/src/scopes'
 import { MetricsTracker } from '@repo/mcp-observability'
@@ -39,11 +39,8 @@ const ContainerScopes = {
 
 export default {
 	fetch: async (req: Request, env: Env, ctx: ExecutionContext) => {
-		if (
-			(env.ENVIRONMENT === 'dev' || env.ENVIRONMENT === 'test') &&
-			env.DEV_DISABLE_OAUTH === 'true'
-		) {
-			return await handleDevMode(ContainerMcpAgent, req, env, ctx)
+		if (await isApiTokenRequest(req, env)) {
+			return await handleApiTokenMode(ContainerMcpAgent, req, env, ctx)
 		}
 
 		return new OAuthProvider({
diff --git a/apps/workers-bindings/src/bindings.app.ts b/apps/workers-bindings/src/bindings.app.ts
@@ -1,11 +1,11 @@
 import OAuthProvider from '@cloudflare/workers-oauth-provider'
 import { McpAgent } from 'agents/mcp'
 
+import { handleApiTokenMode, isApiTokenRequest } from '@repo/mcp-common/src/api-token-mode'
 import {
 	createAuthHandlers,
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
-import { handleDevMode } from '@repo/mcp-common/src/dev-mode'
 import { getUserDetails, UserDetails } from '@repo/mcp-common/src/durable-objects/user_details.do'
 import { getEnv } from '@repo/mcp-common/src/env'
 import { RequiredScopes } from '@repo/mcp-common/src/scopes'
@@ -108,11 +108,9 @@ const BindingsScopes = {
 
 export default {
 	fetch: async (req: Request, env: Env, ctx: ExecutionContext) => {
-		if (
-			(env.ENVIRONMENT === 'development' || env.ENVIRONMENT === 'test') &&
-			env.DEV_DISABLE_OAUTH === 'true'
-		) {
-			return await handleDevMode(WorkersBindingsMCP, req, env, ctx)
+		if (await isApiTokenRequest(req, env)) {
+			console.log('is token mode')
+			return await handleApiTokenMode(WorkersBindingsMCP, req, env, ctx)
 		}
 
 		return new OAuthProvider({
diff --git a/apps/workers-builds/src/workers-builds.app.ts b/apps/workers-builds/src/workers-builds.app.ts
@@ -1,11 +1,11 @@
 import OAuthProvider from '@cloudflare/workers-oauth-provider'
 import { McpAgent } from 'agents/mcp'
 
+import { handleApiTokenMode, isApiTokenRequest } from '@repo/mcp-common/src/api-token-mode'
 import {
 	createAuthHandlers,
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
-import { handleDevMode } from '@repo/mcp-common/src/dev-mode'
 import { getUserDetails, UserDetails } from '@repo/mcp-common/src/durable-objects/user_details.do'
 import { getEnv } from '@repo/mcp-common/src/env'
 import { fmt } from '@repo/mcp-common/src/format'
@@ -159,8 +159,8 @@ const BuildsScopes = {
 
 export default {
 	fetch: async (req: Request, env: Env, ctx: ExecutionContext) => {
-		if (env.ENVIRONMENT === 'development' && env.DEV_DISABLE_OAUTH === 'true') {
-			return await handleDevMode(BuildsMCP, req, env, ctx)
+		if (await isApiTokenRequest(req, env)) {
+			return await handleApiTokenMode(BuildsMCP, req, env, ctx)
 		}
 
 		return new OAuthProvider({
diff --git a/apps/workers-observability/src/workers-observability.app.ts b/apps/workers-observability/src/workers-observability.app.ts
@@ -1,11 +1,11 @@
 import OAuthProvider from '@cloudflare/workers-oauth-provider'
 import { McpAgent } from 'agents/mcp'
 
+import { handleApiTokenMode, isApiTokenRequest } from '@repo/mcp-common/src/api-token-mode'
 import {
 	createAuthHandlers,
 	handleTokenExchangeCallback,
 } from '@repo/mcp-common/src/cloudflare-oauth-handler'
-import { handleDevMode } from '@repo/mcp-common/src/dev-mode'
 import { getUserDetails, UserDetails } from '@repo/mcp-common/src/durable-objects/user_details.do'
 import { getEnv } from '@repo/mcp-common/src/env'
 import { RequiredScopes } from '@repo/mcp-common/src/scopes'
@@ -110,8 +110,8 @@ const ObservabilityScopes = {
 
 export default {
 	fetch: async (req: Request, env: Env, ctx: ExecutionContext) => {
-		if (env.ENVIRONMENT === 'development' && env.DEV_DISABLE_OAUTH === 'true') {
-			return await handleDevMode(ObservabilityMCP, req, env, ctx)
+		if (await isApiTokenRequest(req, env)) {
+			return await handleApiTokenMode(ObservabilityMCP, req, env, ctx)
 		}
 
 		return new OAuthProvider({
diff --git a/packages/mcp-common/src/api-token-mode.ts b/packages/mcp-common/src/api-token-mode.ts
diff --git a/packages/mcp-common/src/dev-mode.ts b/packages/mcp-common/src/dev-mode.ts
