Extract OAuth+bearer auth into @mouryabalabhadra/ts-cloudflare-auth #161
mouryabalabhadra wants to merge 1 commit into
Auth layer (handlers, bearer, oauth-manager utils, routes) moves to a
shared package so spotter-code (and future MCP servers) can reuse the
same OAuth/bearer flow without copy-paste.
Decoupling done in pkg (not here):
- metrics → injected via `onAuthMetric` + `onBearerMetric` hooks
- branding → passed as `serverInfo` config
- api-version logic → consumer hook `extendProps` (bearer/token) and
`enrichMcpRequestProps` (OAuth /mcp + /sse), reproducing the prior
per-route apiVersion + apiVersionMode + apiRequestedVersion behaviour
Local changes:
- src/index.ts rewritten to call `createOAuthHandler` from the pkg, wire
metric/api-version hooks, mount /hello + openai-apps-challenge as
consumer-specific extra routes, keep OTel + HEADERS_TO_STRIP wrapping
- src/routes.ts layers mcp-server-specific routes (/hello,
openai-apps-challenge) on top of pkg's PUBLIC_ROUTES
- src/utils.ts: McpServerError now extends the pkg base error to retain
OTel span side-effects, validateAndSanitizeUrl re-imported from pkg
(via stdio.ts)
- Tests:
  - test/utils.spec.ts: prototype-chain assertion walks one extra level
  now that McpServerError extends PkgMcpServerError extends Error
  - test/index.header-stripping.spec.ts: mocks the pkg's
  createOAuthHandler instead of @cloudflare/workers-oauth-provider
  (the nested copy under the pkg's node_modules bypassed the prior
  mock target)
Deleted (now in pkg):
- src/handlers.ts, src/bearer.ts, src/oauth-manager/*, paired tests
531/531 tests pass. Smoke-testing the /mcp, /bearer/mcp, /token/mcp
api-version paths in staging is the suggested next verification step
before merge.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Code Review
This pull request refactors the authentication and routing logic by replacing local OAuth handlers, token callback utilities, and bearer authentication with the shared `@mouryabalabhadra/ts-cloudflare-auth` package. Custom error handling in `McpServerError` has been updated to extend the package's base error class while preserving OpenTelemetry tracing. Feedback on these changes includes wrapping `JSON.stringify` in a try-catch block within `McpServerError` to prevent serialization failures from circular references, and defensively checking for the existence of `c.env.ASSETS` in `src/index.ts` to avoid runtime errors when the binding is missing.
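The review's first suggestion, guarding `JSON.stringify` inside the error class so that a circular reference cannot replace the original auth error with a `TypeError`, sketched as an added example. This is not code from the PR or from the shared package: `BaseAuthError`, `ServerError`, `safeStringify` and the `attributes` field (standing in for span attributes) are hypothetical names.

```typescript
// Added example; every name here is hypothetical, not the package's API.
// Serialize error context for telemetry without ever throwing.
function safeStringify(value: unknown, maxLen: number = 2048): string {
  const seen = new WeakSet<object>();
  let out: string | undefined;
  try {
    out = JSON.stringify(value, (_key: string, v: unknown) => {
      if (typeof v === "object" && v !== null) {
        // An object already visited is a cycle or a shared reference;
        // both are replaced so the walk always terminates.
        if (seen.has(v)) return "[Circular]";
        seen.add(v);
      }
      return v;
    });
  } catch {
    out = undefined; // e.g. a throwing toJSON() or getter
  }
  if (out === undefined) return "[Unserializable]";
  // Cap the size so one large context cannot bloat a span attribute.
  return out.length > maxLen ? out.slice(0, maxLen) + "...[truncated]" : out;
}

// Stand-in for the shared package's base error.
class BaseAuthError extends Error {
  statusCode: number;
  constructor(message: string, statusCode: number) {
    super(message);
    Object.setPrototypeOf(this, new.target.prototype); // keep instanceof working
    this.name = new.target.name;
    this.statusCode = statusCode;
  }
}

// Consumer error: extends the base and records attributes as a side effect.
class ServerError extends BaseAuthError {
  attributes: Record<string, string>; // stand-in for span attributes
  constructor(message: string, statusCode: number, context?: unknown) {
    super(message, statusCode);
    this.attributes = { "error.message": message };
    if (context !== undefined) this.attributes["error.context"] = safeStringify(context);
  }
}

// Constructed input: a context object that references itself.
const ctx: { route: string; self?: unknown } = { route: "/bearer/mcp" };
ctx.self = ctx;
const err = new ServerError("token validation failed", 401, ctx);
console.log(err.name, err.attributes["error.context"]);
```

The constructor completes for any context value, so the caller always receives the error it meant to throw, with its status code and prototype chain intact.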