@authhero/cloudflare-adapter 2.34.1 → 2.35.0

package/dist/types/wfp/dispatch-sync-defaults.d.ts

@@ -0,0 +1,33 @@
+import type { DataAdapters } from "@authhero/adapter-interfaces";
+import { type DefaultsPayloadEntities } from "@authhero/multi-tenancy";
+import type { DispatchNamespace } from "../code-executor";
+export interface DispatchSyncDefaultsOptions {
+    /** The dispatch namespace binding the tenant workers live in. */
+    dispatcher: DispatchNamespace;
+    /** Script-name convention. Supports `{tenant_id}`. */
+    scriptNameTemplate?: string;
+    /**
+     * Shared secret the tenant worker checks on `/internal/sync-defaults`
+     * (`WFP_INTERNAL_SYNC_SECRET`). Sent as a bearer token.
+     */
+    internalSecret: string;
+    /** The control-plane tenant id whose defaults are projected. */
+    controlPlaneTenantId: string;
+    /** Adapters for reading the control plane's rows (secrets decrypted). */
+    controlPlaneAdapters: DataAdapters;
+    /** Which entities to include in the payload. Defaults to all. */
+    entities?: DefaultsPayloadEntities;
+    /** Per-push timeout. Defaults to 30s. */
+    timeoutMs?: number;
+}
+/**
+ * Builds a **push** function that projects the control plane's defaults into a
+ * single tenant's database over a dispatch namespace.
+ *
+ * Pure push: the control plane builds the payload with
+ * `buildControlPlaneDefaultsPayload` and POSTs it to the tenant worker's
+ * `/internal/sync-defaults` route (which applies it). The tenant worker never
+ * calls back to the control plane. Use the returned function as the
+ * provision-time seed and for on-change / rotation re-syncs.
+ */
+export declare function createDispatchSyncDefaults(options: DispatchSyncDefaultsOptions): (tenantId: string) => Promise<void>;

package/dist/types/wfp/index.d.ts

@@ -0,0 +1,8 @@
+/**
+ * `@authhero/cloudflare-adapter/wfp` — the Workers-for-Platforms control-plane
+ * sync surface. Kept out of the package's main entry because it imports the
+ * app-level packages (`authhero`, `@authhero/multi-tenancy`), which are
+ * **optional peer dependencies**: install them only if you import this subpath.
+ */
+export { createDispatchSyncDefaults, type DispatchSyncDefaultsOptions, } from "./dispatch-sync-defaults";
+export { createWfpTenantApp, type WfpTenantEnv, type WfpTenantAppOptions, } from "./tenant-app";

package/dist/types/wfp/tenant-app.d.ts

@@ -0,0 +1,62 @@
+import { type ExecutionContext } from "hono";
+import { type AuthHeroConfig, type DataAdapters } from "authhero";
+/**
+ * Env contract for a WFP tenant worker — the bindings + secrets
+ * `createCloudflareWfpD1Provisioner` (and the host's `secrets` resolver) set on
+ * each tenant script. `AUTH_DB` is the D1 binding; the rest are plain
+ * text / secret text.
+ */
+export interface WfpTenantEnv {
+    /** Per-tenant D1 binding. Consumed by the host's `createDataAdapter`. */
+    AUTH_DB: unknown;
+    /** This tenant's own at-rest encryption key (base64, 32 bytes). */
+    ENCRYPTION_KEY: string;
+    /** This tenant's JWT `iss`. */
+    ISSUER: string;
+    /** Control-plane tenant id whose projected defaults this worker inherits. */
+    CONTROL_PLANE_TENANT_ID: string;
+    /**
+     * The control plane's own issuer. Accepted in addition to `ISSUER` so a
+     * control-plane-minted admin token forwarded here verifies — its signature is
+     * checked against the control plane's PUBLIC keys, which are projected into
+     * this tenant's DB (no runtime JWKS fetch).
+     */
+    CONTROL_PLANE_ISSUER: string;
+    /**
+     * Key for the `cp` key-ring id — encrypts inherited control-plane rows so the
+     * tenant operator can hold but not read them. When omitted, a single key is
+     * used for everything.
+     */
+    CONTROL_PLANE_ENCRYPTION_KEY?: string;
+    /** Shared secret authenticating control-plane pushes to `/internal/sync-defaults`. */
+    WFP_INTERNAL_SYNC_SECRET?: string;
+    [key: string]: unknown;
+}
+export interface WfpTenantAppOptions<Env extends WfpTenantEnv = WfpTenantEnv> {
+    /**
+     * Builds the tenant's **base** data adapters from its env (typically
+     * `createAdapters(drizzle(env.AUTH_DB))`). Injected so this package carries no
+     * ORM dependency — the host owns the `@authhero/drizzle` (or other) import.
+     */
+    createDataAdapter: (env: Env) => DataAdapters;
+    /**
+     * Hook to extend or override the authhero config before `init` — add custom
+     * hooks, code executors, `signingKeyMode`, extra issuers, etc. Receives the
+     * scaffold's base config and the env.
+     */
+    configure?: (base: AuthHeroConfig, env: Env) => AuthHeroConfig;
+}
+/**
+ * Builds a WFP tenant worker `{ fetch }` handler: key-ring encryption over the
+ * tenant's own D1, runtime fallback for inherited control-plane defaults, the
+ * `/internal/sync-defaults` push receiver, and the control-plane issuer gate —
+ * all from one factory.
+ *
+ * Pure push: this worker never calls the control plane at request time. Defaults
+ * and the control plane's public verify keys arrive only via
+ * `/internal/sync-defaults`. The built app is cached per `env` (one build per
+ * isolate).
+ */
+export declare function createWfpTenantApp<Env extends WfpTenantEnv = WfpTenantEnv>(options: WfpTenantAppOptions<Env>): {
+    fetch: (request: Request, env: Env, ctx: ExecutionContext) => Promise<Response>;
+};

package/dist/types/wfp-provisioner/cf-api.d.ts

@@ -33,12 +33,24 @@ export interface D1QueryResult {
     meta?: Record<string, unknown>;
     results?: unknown[];
 }
-export interface ScriptBinding {
-    type: "d1" | "plain_text" | "secret_text";
+export type ScriptBinding = {
+    type: "d1";
     name: string;
-    id?: string;
-    text?: string;
-}
+    id: string;
+} | {
+    type: "plain_text";
+    name: string;
+    text: string;
+} | {
+    type: "secret_text";
+    name: string;
+    text: string;
+} | {
+    type: "service";
+    name: string;
+    service: string;
+    environment?: string;
+};
 export interface ScriptUploadOptions {
     /** Script source (JavaScript ES module). */
     script: string;

package/dist/types/wfp-provisioner/index.d.ts

@@ -2,5 +2,7 @@ export { createCloudflareWfpD1Provisioner } from "./provisioner";
 export type { CloudflareWfpD1Provisioner, CloudflareWfpD1ProvisionerOptions, ProvisionResult, ProvisionerMigration, TenantSecretsResolver, } from "./types";
 export { createWfpTenantProvisioningHook } from "./tenant-hook";
 export type { WfpTenantProvisioningHook, WfpTenantProvisioningHookOptions, } from "./tenant-hook";
+export { createWfpForwardMiddleware } from "./wfp-forward";
+export type { WfpForwardOptions } from "./wfp-forward";
 export { CloudflareApiClient, CloudflareApiError } from "./cf-api";
 export type { CfApiClientOptions, D1Database, D1QueryResult, ScriptBinding, ScriptUploadOptions, } from "./cf-api";

package/dist/types/wfp-provisioner/types.d.ts

@@ -1,3 +1,4 @@
+import type { ScriptBinding } from "./cf-api";
 /**
  * Public types for the Workers-for-Platforms + D1 tenant provisioner.
  *
@@ -90,6 +91,17 @@ export interface CloudflareWfpD1ProvisionerOptions {
      * the per-script secrets API.
      */
     secrets: TenantSecretsResolver;
+    /**
+     * Extra bindings to attach to every provisioned tenant worker, appended
+     * after the always-present `AUTH_DB` (d1) and `CONTROL_PLANE_BASE_URL`
+     * (plain_text) bindings. Use this to wire e.g. a `service` binding to a
+     * shared upstream worker, or additional `plain_text` config the tenant
+     * bundle expects. Secrets still go through the `secrets` resolver, not here.
+     *
+     * `uploadNamespacedScript` forwards these verbatim into the CF script
+     * metadata, so any binding type the CF API accepts is valid.
+     */
+    extraBindings?: ScriptBinding[];
     /**
      * Naming convention for the namespaced script. Supports `{tenant_id}`
      * placeholder. Defaults to `"{tenant_id}"`.

package/dist/types/wfp-provisioner/wfp-forward.d.ts

@@ -0,0 +1,37 @@
+import type { Context, MiddlewareHandler } from "hono";
+import type { TenantsDataAdapter } from "@authhero/adapter-interfaces";
+export interface WfpForwardOptions {
+    /** Tenants adapter, used to look up the resolved tenant's `deployment_type`. */
+    tenants: TenantsDataAdapter;
+    /**
+     * The control-plane tenant id. Requests for this tenant (and anything not a
+     * `wfp` tenant) fall through to the local app instead of being dispatched.
+     */
+    controlPlaneTenantId: string;
+    /** Env binding name of the dispatch namespace. Defaults to `"DISPATCHER"`. */
+    dispatcherBinding?: string;
+    /**
+     * Script-name convention for a tenant's worker. Supports `{tenant_id}`.
+     * Defaults to `"tenant-{tenant_id}-auth"` — must match the provisioner's
+     * `scriptNameTemplate`.
+     */
+    scriptNameTemplate?: string;
+    /**
+     * Resolves the tenant id for the incoming request. Defaults to reading the
+     * `tenant-id` header (legacy compatibility). Replace it to resolve from a
+     * subdomain or custom domain. Return `undefined` to fall through locally.
+     */
+    resolveTenantId?: (c: Context) => string | undefined | Promise<string | undefined>;
+}
+/**
+ * Hono middleware that forwards a request to its tenant's WFP worker over a
+ * dispatch namespace, instead of serving it from the current (control-plane)
+ * worker.
+ *
+ * For each request it resolves a tenant id, and **only** dispatches when that
+ * tenant exists and has `deployment_type === "wfp"`. The control-plane tenant,
+ * unknown tenants, and shared (colocated) tenants all fall through to the next
+ * handler so the local app serves them. The tenant worker receives the original
+ * request verbatim and owns the full response.
+ */
+export declare function createWfpForwardMiddleware(options: WfpForwardOptions): MiddlewareHandler;

package/dist/wfp.cjs

@@ -0,0 +1 @@
+Object.defineProperty(exports,Symbol.toStringTag,{value:`Module`});let e=require("@authhero/multi-tenancy"),t=require("hono"),n=require("authhero");var r=`tenant-{tenant_id}-auth`,i=3e4,a=`/internal/sync-defaults`;function o(e,t){return e.replace(/\{tenant_id\}/g,t)}function s(t){let{dispatcher:n,scriptNameTemplate:s=r,internalSecret:c,controlPlaneTenantId:l,controlPlaneAdapters:u,entities:d,timeoutMs:f=i}=t;return async t=>{let r=await(0,e.buildControlPlaneDefaultsPayload)(u,l,d),i=o(s,t),p=new AbortController,m=setTimeout(()=>p.abort(),f),h;try{h=await n.get(i).fetch(`https://tenant.internal${a}`,{method:`POST`,headers:{"content-type":`application/json`,authorization:`Bearer ${c}`},body:JSON.stringify(r),signal:p.signal})}finally{clearTimeout(m)}if(!h.ok){let e=await h.text().catch(()=>``);throw Error(`sync-defaults push to "${i}" failed: ${h.status} ${e.slice(0,256)}`)}}}var c=`cp`,l=`/internal/sync-defaults`;async function u(r,i){let a=r.CONTROL_PLANE_TENANT_ID,o=await(0,n.loadEncryptionKey)(r.ENCRYPTION_KEY),s=r.CONTROL_PLANE_ENCRYPTION_KEY?{default:o,keys:{[c]:await(0,n.loadEncryptionKey)(r.CONTROL_PLANE_ENCRYPTION_KEY)}}:{default:o},u=(0,n.createEncryptedDataAdapterWithKeyRing)(i.createDataAdapter(r),s,{resolveEncryptKeyId:e=>e===a?c:void 0}),d={dataAdapter:(0,e.withRuntimeFallback)(u,{controlPlaneTenantId:a}),additionalIssuers:()=>[r.CONTROL_PLANE_ISSUER]},{app:f}=(0,n.init)(i.configure?i.configure(d,r):d),p=new t.Hono;return p.post(l,async t=>{let n=r.WFP_INTERNAL_SYNC_SECRET,i=t.req.header(`authorization`);if(!n||i!==`Bearer ${n}`)return t.json({error:`unauthorized`},401);let o;try{o=await t.req.json()}catch{return t.json({error:`invalid JSON`},400)}let s=await(0,e.applyControlPlaneDefaultsPayload)(o,u,a);return t.json(s)}),p.route(`/`,f),p}function d(e){let t=new WeakMap;return{fetch(n,r,i){let a=t.get(r);return a||(a=u(r,e),t.set(r,a)),a.then(e=>e.fetch(n,r,i))}}}exports.createDispatchSyncDefaults=s,exports.createWfpTenantApp=d;

package/dist/wfp.d.ts

@@ -0,0 +1,120 @@
+import { DataAdapters } from '@authhero/adapter-interfaces';
+import { DefaultsPayloadEntities } from '@authhero/multi-tenancy';
+import { ExecutionContext } from 'hono';
+import { DataAdapters as DataAdapters$1, AuthHeroConfig } from 'authhero';
+
+/**
+ * Cloudflare Workers for Platforms dispatch namespace binding type.
+ * This is the type of `env.DISPATCHER` when configured in wrangler.toml:
+ *
+ * ```toml
+ * [[dispatch_namespaces]]
+ * binding = "DISPATCHER"
+ * namespace = "authhero-hooks"
+ * ```
+ */
+interface DispatchNamespace {
+    get(name: string, options?: Record<string, unknown>, init?: {
+        limits?: {
+            cpuMs?: number;
+            subrequests?: number;
+        };
+    }): {
+        fetch(request: Request | string, init?: RequestInit): Promise<Response>;
+    };
+}
+
+interface DispatchSyncDefaultsOptions {
+    /** The dispatch namespace binding the tenant workers live in. */
+    dispatcher: DispatchNamespace;
+    /** Script-name convention. Supports `{tenant_id}`. */
+    scriptNameTemplate?: string;
+    /**
+     * Shared secret the tenant worker checks on `/internal/sync-defaults`
+     * (`WFP_INTERNAL_SYNC_SECRET`). Sent as a bearer token.
+     */
+    internalSecret: string;
+    /** The control-plane tenant id whose defaults are projected. */
+    controlPlaneTenantId: string;
+    /** Adapters for reading the control plane's rows (secrets decrypted). */
+    controlPlaneAdapters: DataAdapters;
+    /** Which entities to include in the payload. Defaults to all. */
+    entities?: DefaultsPayloadEntities;
+    /** Per-push timeout. Defaults to 30s. */
+    timeoutMs?: number;
+}
+/**
+ * Builds a **push** function that projects the control plane's defaults into a
+ * single tenant's database over a dispatch namespace.
+ *
+ * Pure push: the control plane builds the payload with
+ * `buildControlPlaneDefaultsPayload` and POSTs it to the tenant worker's
+ * `/internal/sync-defaults` route (which applies it). The tenant worker never
+ * calls back to the control plane. Use the returned function as the
+ * provision-time seed and for on-change / rotation re-syncs.
+ */
+declare function createDispatchSyncDefaults(options: DispatchSyncDefaultsOptions): (tenantId: string) => Promise<void>;
+
+/**
+ * Env contract for a WFP tenant worker — the bindings + secrets
+ * `createCloudflareWfpD1Provisioner` (and the host's `secrets` resolver) set on
+ * each tenant script. `AUTH_DB` is the D1 binding; the rest are plain
+ * text / secret text.
+ */
+interface WfpTenantEnv {
+    /** Per-tenant D1 binding. Consumed by the host's `createDataAdapter`. */
+    AUTH_DB: unknown;
+    /** This tenant's own at-rest encryption key (base64, 32 bytes). */
+    ENCRYPTION_KEY: string;
+    /** This tenant's JWT `iss`. */
+    ISSUER: string;
+    /** Control-plane tenant id whose projected defaults this worker inherits. */
+    CONTROL_PLANE_TENANT_ID: string;
+    /**
+     * The control plane's own issuer. Accepted in addition to `ISSUER` so a
+     * control-plane-minted admin token forwarded here verifies — its signature is
+     * checked against the control plane's PUBLIC keys, which are projected into
+     * this tenant's DB (no runtime JWKS fetch).
+     */
+    CONTROL_PLANE_ISSUER: string;
+    /**
+     * Key for the `cp` key-ring id — encrypts inherited control-plane rows so the
+     * tenant operator can hold but not read them. When omitted, a single key is
+     * used for everything.
+     */
+    CONTROL_PLANE_ENCRYPTION_KEY?: string;
+    /** Shared secret authenticating control-plane pushes to `/internal/sync-defaults`. */
+    WFP_INTERNAL_SYNC_SECRET?: string;
+    [key: string]: unknown;
+}
+interface WfpTenantAppOptions<Env extends WfpTenantEnv = WfpTenantEnv> {
+    /**
+     * Builds the tenant's **base** data adapters from its env (typically
+     * `createAdapters(drizzle(env.AUTH_DB))`). Injected so this package carries no
+     * ORM dependency — the host owns the `@authhero/drizzle` (or other) import.
+     */
+    createDataAdapter: (env: Env) => DataAdapters$1;
+    /**
+     * Hook to extend or override the authhero config before `init` — add custom
+     * hooks, code executors, `signingKeyMode`, extra issuers, etc. Receives the
+     * scaffold's base config and the env.
+     */
+    configure?: (base: AuthHeroConfig, env: Env) => AuthHeroConfig;
+}
+/**
+ * Builds a WFP tenant worker `{ fetch }` handler: key-ring encryption over the
+ * tenant's own D1, runtime fallback for inherited control-plane defaults, the
+ * `/internal/sync-defaults` push receiver, and the control-plane issuer gate —
+ * all from one factory.
+ *
+ * Pure push: this worker never calls the control plane at request time. Defaults
+ * and the control plane's public verify keys arrive only via
+ * `/internal/sync-defaults`. The built app is cached per `env` (one build per
+ * isolate).
+ */
+declare function createWfpTenantApp<Env extends WfpTenantEnv = WfpTenantEnv>(options: WfpTenantAppOptions<Env>): {
+    fetch: (request: Request, env: Env, ctx: ExecutionContext) => Promise<Response>;
+};
+
+export { createDispatchSyncDefaults, createWfpTenantApp };
+export type { DispatchSyncDefaultsOptions, WfpTenantAppOptions, WfpTenantEnv };

package/dist/wfp.mjs

@@ -0,0 +1,64 @@
+import { applyControlPlaneDefaultsPayload as e, buildControlPlaneDefaultsPayload as t, withRuntimeFallback as n } from "@authhero/multi-tenancy";
+import { Hono as r } from "hono";
+import { createEncryptedDataAdapterWithKeyRing as i, init as a, loadEncryptionKey as o } from "authhero";
+//#region src/wfp/dispatch-sync-defaults.ts
+var s = "tenant-{tenant_id}-auth", c = 3e4, l = "/internal/sync-defaults";
+function u(e, t) {
+	return e.replace(/\{tenant_id\}/g, t);
+}
+function d(e) {
+	let { dispatcher: n, scriptNameTemplate: r = s, internalSecret: i, controlPlaneTenantId: a, controlPlaneAdapters: o, entities: d, timeoutMs: f = c } = e;
+	return async (e) => {
+		let s = await t(o, a, d), c = u(r, e), p = new AbortController(), m = setTimeout(() => p.abort(), f), h;
+		try {
+			h = await n.get(c).fetch(`https://tenant.internal${l}`, {
+				method: "POST",
+				headers: {
+					"content-type": "application/json",
+					authorization: `Bearer ${i}`
+				},
+				body: JSON.stringify(s),
+				signal: p.signal
+			});
+		} finally {
+			clearTimeout(m);
+		}
+		if (!h.ok) {
+			let e = await h.text().catch(() => "");
+			throw Error(`sync-defaults push to "${c}" failed: ${h.status} ${e.slice(0, 256)}`);
+		}
+	};
+}
+//#endregion
+//#region src/wfp/tenant-app.ts
+var f = "cp", p = "/internal/sync-defaults";
+async function m(t, s) {
+	let c = t.CONTROL_PLANE_TENANT_ID, l = await o(t.ENCRYPTION_KEY), u = t.CONTROL_PLANE_ENCRYPTION_KEY ? {
+		default: l,
+		keys: { [f]: await o(t.CONTROL_PLANE_ENCRYPTION_KEY) }
+	} : { default: l }, d = i(s.createDataAdapter(t), u, { resolveEncryptKeyId: (e) => e === c ? f : void 0 }), m = {
+		dataAdapter: n(d, { controlPlaneTenantId: c }),
+		additionalIssuers: () => [t.CONTROL_PLANE_ISSUER]
+	}, { app: h } = a(s.configure ? s.configure(m, t) : m), g = new r();
+	return g.post(p, async (n) => {
+		let r = t.WFP_INTERNAL_SYNC_SECRET, i = n.req.header("authorization");
+		if (!r || i !== `Bearer ${r}`) return n.json({ error: "unauthorized" }, 401);
+		let a;
+		try {
+			a = await n.req.json();
+		} catch {
+			return n.json({ error: "invalid JSON" }, 400);
+		}
+		let o = await e(a, d, c);
+		return n.json(o);
+	}), g.route("/", h), g;
+}
+function h(e) {
+	let t = /* @__PURE__ */ new WeakMap();
+	return { fetch(n, r, i) {
+		let a = t.get(r);
+		return a || (a = m(r, e), t.set(r, a)), a.then((e) => e.fetch(n, r, i));
+	} };
+}
+//#endregion
+export { d as createDispatchSyncDefaults, h as createWfpTenantApp };

package/package.json

@@ -11,7 +11,7 @@
     "type": "git",
     "url": "https://github.com/markusahlstrand/authhero"
   },
-  "version": "2.34.1",
+  "version": "2.35.0",
   "files": [
     "dist"
   ],
@@ -23,6 +23,11 @@
       "types": "./dist/cloudflare-adapter.d.ts",
       "require": "./dist/cloudflare-adapter.cjs",
       "import": "./dist/cloudflare-adapter.mjs"
+    },
+    "./wfp": {
+      "types": "./dist/wfp.d.ts",
+      "require": "./dist/wfp.cjs",
+      "import": "./dist/wfp.mjs"
     }
   },
   "devDependencies": {
@@ -36,12 +41,24 @@
     "rollup-plugin-dts": "^6.4.1",
     "typescript": "^5.9.3",
     "vite": "^8.0.14",
-    "vitest": "^4.1.7"
+    "vitest": "^4.1.7",
+    "@authhero/multi-tenancy": "14.25.0",
+    "authhero": "8.5.0"
   },
   "peerDependencies": {
+    "@authhero/multi-tenancy": "^14.0.0",
     "@hono/zod-openapi": "^1.4.0",
+    "authhero": "^3.0.0",
     "hono": "^4.6.8"
   },
+  "peerDependenciesMeta": {
+    "@authhero/multi-tenancy": {
+      "optional": true
+    },
+    "authhero": {
+      "optional": true
+    }
+  },
   "dependencies": {
     "nanoid": "^5.1.11",
     "wretch": "^3.0.8",