npm - @authhero/cloudflare-adapter - Versions diffs - 2.34.1 → 2.35.0 - Mend

@authhero/cloudflare-adapter 2.34.1 → 2.35.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/dist/cloudflare-adapter.cjs +35 -99
package/dist/cloudflare-adapter.d.ts +140 -80
package/dist/cloudflare-adapter.mjs +367 -11670
package/dist/tsconfig.types.tsbuildinfo +1 -1
package/dist/types/index.d.ts +2 -2
package/dist/types/wfp/dispatch-sync-defaults.d.ts +33 -0
package/dist/types/wfp/index.d.ts +8 -0
package/dist/types/wfp/tenant-app.d.ts +62 -0
package/dist/types/wfp-provisioner/cf-api.d.ts +17 -5
package/dist/types/wfp-provisioner/index.d.ts +2 -0
package/dist/types/wfp-provisioner/types.d.ts +12 -0
package/dist/types/wfp-provisioner/wfp-forward.d.ts +37 -0
package/dist/wfp.cjs +1 -0
package/dist/wfp.d.ts +120 -0
package/dist/wfp.mjs +64 -0
package/package.json +19 -2

package/dist/cloudflare-adapter.d.ts CHANGED Viewed

@@ -1,4 +1,5 @@
 import { StatsAdapter, LogsDataAdapter, AnalyticsAdapter, ActionExecutionsAdapter, RateLimitScope, RateLimitAdapter, CustomDomainsAdapter, CodeExecutor, CodeExecutionResult, TenantsDataAdapter, CacheAdapter, GeoAdapter } from '@authhero/adapter-interfaces';
+import { Context, MiddlewareHandler } from 'hono';
 interface R2SQLLogsAdapterConfig {
     /**
@@ -508,6 +509,102 @@ declare class WorkerLoaderCodeExecutor implements CodeExecutor {
     }): Promise<CodeExecutionResult>;
 }
+/**
+ * Thin Cloudflare REST API client for the WFP+D1 provisioner.
+ *
+ * Each method maps 1:1 to a documented CF endpoint and returns the parsed
+ * response body. Errors surface as `CloudflareApiError` carrying the HTTP
+ * status, endpoint, and (when JSON) the CF error array — making them easy
+ * to log without re-fetching the response.
+ *
+ * Idempotency is the caller's responsibility — the provisioner sequences
+ * calls and tolerates "already exists" / "not found" depending on the
+ * operation (see `provisioner.ts`).
+ */
+declare class CloudflareApiError extends Error {
+    readonly status: number;
+    readonly endpoint: string;
+    readonly errors: unknown[];
+    readonly body: string;
+    constructor(status: number, endpoint: string, body: string, errors?: unknown[]);
+}
+interface CfApiClientOptions {
+    accountId: string;
+    apiToken: string;
+    fetch?: typeof fetch;
+    timeoutMs?: number;
+    baseUrl?: string;
+}
+interface D1Database {
+    uuid: string;
+    name: string;
+}
+interface D1QueryResult {
+    success: boolean;
+    meta?: Record<string, unknown>;
+    results?: unknown[];
+}
+type ScriptBinding = {
+    type: "d1";
+    name: string;
+    id: string;
+} | {
+    type: "plain_text";
+    name: string;
+    text: string;
+} | {
+    type: "secret_text";
+    name: string;
+    text: string;
+} | {
+    type: "service";
+    name: string;
+    service: string;
+    environment?: string;
+};
+interface ScriptUploadOptions {
+    /** Script source (JavaScript ES module). */
+    script: string;
+    /** Main module filename (must match part name in form data). */
+    mainModule: string;
+    /** Compatibility date, ISO yyyy-mm-dd. */
+    compatibilityDate: string;
+    /** Compatibility flags (e.g. `["nodejs_compat"]`). */
+    compatibilityFlags?: string[];
+    /** Bindings to attach (D1, plain_text, etc.). Secrets go via setSecret(). */
+    bindings?: ScriptBinding[];
+    /** Optional tags, stored on the script for operator-side lookup. */
+    tags?: string[];
+}
+declare class CloudflareApiClient {
+    private readonly accountId;
+    private readonly apiToken;
+    private readonly fetchImpl;
+    private readonly timeoutMs;
+    private readonly baseUrl;
+    constructor(options: CfApiClientOptions);
+    createD1Database(name: string): Promise<D1Database>;
+    listD1Databases(name?: string): Promise<D1Database[]>;
+    deleteD1Database(databaseId: string): Promise<void>;
+    /**
+     * Execute a single SQL statement (or batch of `;`-separated statements
+     * permitted by D1) against the given database. Use for applying
+     * migrations one file at a time — the per-call response size cap means
+     * very large single calls can fail; splitting per file keeps each call
+     * bounded by the migration author.
+     */
+    execD1(databaseId: string, sql: string): Promise<D1QueryResult[]>;
+    uploadNamespacedScript(namespace: string, scriptName: string, options: ScriptUploadOptions): Promise<void>;
+    deleteNamespacedScript(namespace: string, scriptName: string): Promise<void>;
+    /**
+     * Set a single secret on a namespaced script. The CF API replaces the
+     * value if a secret with that name already exists, so this is safely
+     * re-runnable.
+     */
+    setNamespacedScriptSecret(namespace: string, scriptName: string, secretName: string, secretValue: string): Promise<void>;
+    private request;
+}
 /**
  * Public types for the Workers-for-Platforms + D1 tenant provisioner.
  *
@@ -600,6 +697,17 @@ interface CloudflareWfpD1ProvisionerOptions {
      * the per-script secrets API.
      */
     secrets: TenantSecretsResolver;
+    /**
+     * Extra bindings to attach to every provisioned tenant worker, appended
+     * after the always-present `AUTH_DB` (d1) and `CONTROL_PLANE_BASE_URL`
+     * (plain_text) bindings. Use this to wire e.g. a `service` binding to a
+     * shared upstream worker, or additional `plain_text` config the tenant
+     * bundle expects. Secrets still go through the `secrets` resolver, not here.
+     *
+     * `uploadNamespacedScript` forwards these verbatim into the CF script
+     * metadata, so any binding type the CF API accepts is valid.
+     */
+    extraBindings?: ScriptBinding[];
     /**
      * Naming convention for the namespaced script. Supports `{tenant_id}`
      * placeholder. Defaults to `"{tenant_id}"`.
@@ -763,89 +871,41 @@ interface WfpTenantProvisioningHook {
 }
 declare function createWfpTenantProvisioningHook(options: WfpTenantProvisioningHookOptions): WfpTenantProvisioningHook;
-/**
- * Thin Cloudflare REST API client for the WFP+D1 provisioner.
- *
- * Each method maps 1:1 to a documented CF endpoint and returns the parsed
- * response body. Errors surface as `CloudflareApiError` carrying the HTTP
- * status, endpoint, and (when JSON) the CF error array — making them easy
- * to log without re-fetching the response.
- *
- * Idempotency is the caller's responsibility — the provisioner sequences
- * calls and tolerates "already exists" / "not found" depending on the
- * operation (see `provisioner.ts`).
- */
-declare class CloudflareApiError extends Error {
-    readonly status: number;
-    readonly endpoint: string;
-    readonly errors: unknown[];
-    readonly body: string;
-    constructor(status: number, endpoint: string, body: string, errors?: unknown[]);
-}
-interface CfApiClientOptions {
-    accountId: string;
-    apiToken: string;
-    fetch?: typeof fetch;
-    timeoutMs?: number;
-    baseUrl?: string;
-}
-interface D1Database {
-    uuid: string;
-    name: string;
-}
-interface D1QueryResult {
-    success: boolean;
-    meta?: Record<string, unknown>;
-    results?: unknown[];
-}
-interface ScriptBinding {
-    type: "d1" | "plain_text" | "secret_text";
-    name: string;
-    id?: string;
-    text?: string;
-}
-interface ScriptUploadOptions {
-    /** Script source (JavaScript ES module). */
-    script: string;
-    /** Main module filename (must match part name in form data). */
-    mainModule: string;
-    /** Compatibility date, ISO yyyy-mm-dd. */
-    compatibilityDate: string;
-    /** Compatibility flags (e.g. `["nodejs_compat"]`). */
-    compatibilityFlags?: string[];
-    /** Bindings to attach (D1, plain_text, etc.). Secrets go via setSecret(). */
-    bindings?: ScriptBinding[];
-    /** Optional tags, stored on the script for operator-side lookup. */
-    tags?: string[];
-}
-declare class CloudflareApiClient {
-    private readonly accountId;
-    private readonly apiToken;
-    private readonly fetchImpl;
-    private readonly timeoutMs;
-    private readonly baseUrl;
-    constructor(options: CfApiClientOptions);
-    createD1Database(name: string): Promise<D1Database>;
-    listD1Databases(name?: string): Promise<D1Database[]>;
-    deleteD1Database(databaseId: string): Promise<void>;
+interface WfpForwardOptions {
+    /** Tenants adapter, used to look up the resolved tenant's `deployment_type`. */
+    tenants: TenantsDataAdapter;
     /**
-     * Execute a single SQL statement (or batch of `;`-separated statements
-     * permitted by D1) against the given database. Use for applying
-     * migrations one file at a time — the per-call response size cap means
-     * very large single calls can fail; splitting per file keeps each call
-     * bounded by the migration author.
+     * The control-plane tenant id. Requests for this tenant (and anything not a
+     * `wfp` tenant) fall through to the local app instead of being dispatched.
      */
-    execD1(databaseId: string, sql: string): Promise<D1QueryResult[]>;
-    uploadNamespacedScript(namespace: string, scriptName: string, options: ScriptUploadOptions): Promise<void>;
-    deleteNamespacedScript(namespace: string, scriptName: string): Promise<void>;
+    controlPlaneTenantId: string;
+    /** Env binding name of the dispatch namespace. Defaults to `"DISPATCHER"`. */
+    dispatcherBinding?: string;
     /**
-     * Set a single secret on a namespaced script. The CF API replaces the
-     * value if a secret with that name already exists, so this is safely
-     * re-runnable.
+     * Script-name convention for a tenant's worker. Supports `{tenant_id}`.
+     * Defaults to `"tenant-{tenant_id}-auth"` — must match the provisioner's
+     * `scriptNameTemplate`.
      */
-    setNamespacedScriptSecret(namespace: string, scriptName: string, secretName: string, secretValue: string): Promise<void>;
-    private request;
+    scriptNameTemplate?: string;
+    /**
+     * Resolves the tenant id for the incoming request. Defaults to reading the
+     * `tenant-id` header (legacy compatibility). Replace it to resolve from a
+     * subdomain or custom domain. Return `undefined` to fall through locally.
+     */
+    resolveTenantId?: (c: Context) => string | undefined | Promise<string | undefined>;
 }
+/**
+ * Hono middleware that forwards a request to its tenant's WFP worker over a
+ * dispatch namespace, instead of serving it from the current (control-plane)
+ * worker.
+ *
+ * For each request it resolves a tenant id, and **only** dispatches when that
+ * tenant exists and has `deployment_type === "wfp"`. The control-plane tenant,
+ * unknown tenants, and shared (colocated) tenants all fall through to the next
+ * handler so the local app serves them. The tenant worker receives the original
+ * request verbatim and owns the full response.
+ */
+declare function createWfpForwardMiddleware(options: WfpForwardOptions): MiddlewareHandler;
 interface CloudflareAdapters {
     customDomains: CustomDomainsAdapter;
@@ -858,5 +918,5 @@ interface CloudflareAdapters {
 }
 declare function createAdapters(config: CloudflareConfig): CloudflareAdapters;
-export { CloudflareApiClient, CloudflareApiError, CloudflareCodeExecutor, DispatchNamespaceCodeExecutor, WorkerLoaderCodeExecutor, createAnalyticsEngineActionExecutionsAdapter, createAnalyticsEngineAnalyticsAdapter, createAnalyticsEngineLogsAdapter, createAnalyticsEngineStatsAdapter, createCloudflareRateLimitAdapter, createCloudflareWfpD1Provisioner, createR2SQLLogsAdapter, createR2SQLStatsAdapter, createWfpTenantProvisioningHook, createAdapters as default, generateWorkerScript };
-export type { AnalyticsEngineActionExecutionsAdapterConfig, AnalyticsEngineDataset, AnalyticsEngineLogsAdapterConfig, CfApiClientOptions, CloudflareAdapters, CloudflareCodeExecutorConfig, CloudflareConfig, CloudflareRateLimitBinding, CloudflareRateLimitBindings, CloudflareWfpD1Provisioner, CloudflareWfpD1ProvisionerOptions, D1Database, D1QueryResult, DispatchNamespace, DispatchNamespaceCodeExecutorConfig, ProvisionResult, ProvisionerMigration, R2SQLLogsAdapterConfig, ScriptBinding, ScriptUploadOptions, TenantSecretsResolver, WfpTenantProvisioningHook, WfpTenantProvisioningHookOptions, WorkerCode, WorkerLoader, WorkerLoaderCodeExecutorOptions, WorkerStub };
+export { CloudflareApiClient, CloudflareApiError, CloudflareCodeExecutor, DispatchNamespaceCodeExecutor, WorkerLoaderCodeExecutor, createAnalyticsEngineActionExecutionsAdapter, createAnalyticsEngineAnalyticsAdapter, createAnalyticsEngineLogsAdapter, createAnalyticsEngineStatsAdapter, createCloudflareRateLimitAdapter, createCloudflareWfpD1Provisioner, createR2SQLLogsAdapter, createR2SQLStatsAdapter, createWfpForwardMiddleware, createWfpTenantProvisioningHook, createAdapters as default, generateWorkerScript };
+export type { AnalyticsEngineActionExecutionsAdapterConfig, AnalyticsEngineDataset, AnalyticsEngineLogsAdapterConfig, CfApiClientOptions, CloudflareAdapters, CloudflareCodeExecutorConfig, CloudflareConfig, CloudflareRateLimitBinding, CloudflareRateLimitBindings, CloudflareWfpD1Provisioner, CloudflareWfpD1ProvisionerOptions, D1Database, D1QueryResult, DispatchNamespace, DispatchNamespaceCodeExecutorConfig, ProvisionResult, ProvisionerMigration, R2SQLLogsAdapterConfig, ScriptBinding, ScriptUploadOptions, TenantSecretsResolver, WfpForwardOptions, WfpTenantProvisioningHook, WfpTenantProvisioningHookOptions, WorkerCode, WorkerLoader, WorkerLoaderCodeExecutorOptions, WorkerStub };