npm - @cloudflare/workers-auth - Versions diffs - 0.1.0 → 0.2.0 - Mend

@cloudflare/workers-auth 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/{chunk-PAWJFY3S.mjs → chunk-O6YSETKJ.mjs} +0 -2
package/dist/index.d.mts +170 -42
package/dist/index.mjs +305 -1288
package/dist/metafile-esm.json +1 -1
package/dist/test-helpers/index.mjs +1 -3
package/package.json +2 -2
package/dist/chunk-PAWJFY3S.mjs.map +0 -1
package/dist/index.mjs.map +0 -1
package/dist/test-helpers/index.mjs.map +0 -1

package/dist/index.mjs CHANGED Viewed

@@ -1,7 +1,5 @@
-import { __name } from './chunk-PAWJFY3S.mjs';
-import { mkdirSync, writeFileSync, rmSync } from 'node:fs';
-import path from 'node:path';
-import { getEnvironmentVariableFactory, getCloudflareApiEnvironmentFromEnv, UserError, getGlobalWranglerConfigPath, parseTOML, readFileSync, getCloudflareComplianceRegion } from '@cloudflare/workers-utils';
+import { __name } from './chunk-O6YSETKJ.mjs';
+import { getEnvironmentVariableFactory, getCloudflareApiEnvironmentFromEnv, UserError, getCloudflareComplianceRegion } from '@cloudflare/workers-utils';
 import { spawnSync } from 'node:child_process';
 import { fetch } from 'undici';
 import assert2 from 'node:assert';
@@ -10,909 +8,101 @@ import url from 'node:url';
 import { webcrypto } from 'node:crypto';
 import { TextEncoder } from 'node:util';
-// ../../node_modules/.pnpm/smol-toml@1.5.2/node_modules/smol-toml/dist/error.js
-function getLineColFromPtr(string, ptr) {
-  let lines = string.slice(0, ptr).split(/\r\n|\n|\r/g);
-  return [lines.length, lines.pop().length + 1];
-}
-__name(getLineColFromPtr, "getLineColFromPtr");
-function makeCodeBlock(string, line, column) {
-  let lines = string.split(/\r\n|\n|\r/g);
-  let codeblock = "";
-  let numberLen = (Math.log10(line + 1) | 0) + 1;
-  for (let i = line - 1; i <= line + 1; i++) {
-    let l = lines[i - 1];
-    if (!l)
-      continue;
-    codeblock += i.toString().padEnd(numberLen, " ");
-    codeblock += ":  ";
-    codeblock += l;
-    codeblock += "\n";
-    if (i === line) {
-      codeblock += " ".repeat(numberLen + column + 2);
-      codeblock += "^\n";
-    }
-  }
-  return codeblock;
-}
-__name(makeCodeBlock, "makeCodeBlock");
-var TomlError = class extends Error {
-  static {
-    __name(this, "TomlError");
-  }
-  line;
-  column;
-  codeblock;
-  constructor(message, options) {
-    const [line, column] = getLineColFromPtr(options.toml, options.ptr);
-    const codeblock = makeCodeBlock(options.toml, line, column);
-    super(`Invalid TOML document: ${message}
-${codeblock}`, options);
-    this.line = line;
-    this.column = column;
-    this.codeblock = codeblock;
-  }
-};
-// ../../node_modules/.pnpm/smol-toml@1.5.2/node_modules/smol-toml/dist/util.js
-function isEscaped(str, ptr) {
-  let i = 0;
-  while (str[ptr - ++i] === "\\")
-    ;
-  return --i && i % 2;
-}
-__name(isEscaped, "isEscaped");
-function indexOfNewline(str, start = 0, end = str.length) {
-  let idx = str.indexOf("\n", start);
-  if (str[idx - 1] === "\r")
-    idx--;
-  return idx <= end ? idx : -1;
-}
-__name(indexOfNewline, "indexOfNewline");
-function skipComment(str, ptr) {
-  for (let i = ptr; i < str.length; i++) {
-    let c = str[i];
-    if (c === "\n")
-      return i;
-    if (c === "\r" && str[i + 1] === "\n")
-      return i + 1;
-    if (c < " " && c !== "	" || c === "\x7F") {
-      throw new TomlError("control characters are not allowed in comments", {
-        toml: str,
-        ptr
-      });
-    }
-  }
-  return str.length;
-}
-__name(skipComment, "skipComment");
-function skipVoid(str, ptr, banNewLines, banComments) {
-  let c;
-  while ((c = str[ptr]) === " " || c === "	" || !banNewLines && (c === "\n" || c === "\r" && str[ptr + 1] === "\n"))
-    ptr++;
-  return banComments || c !== "#" ? ptr : skipVoid(str, skipComment(str, ptr), banNewLines);
-}
-__name(skipVoid, "skipVoid");
-function skipUntil(str, ptr, sep, end, banNewLines = false) {
-  if (!end) {
-    ptr = indexOfNewline(str, ptr);
-    return ptr < 0 ? str.length : ptr;
-  }
-  for (let i = ptr; i < str.length; i++) {
-    let c = str[i];
-    if (c === "#") {
-      i = indexOfNewline(str, i);
-    } else if (c === sep) {
-      return i + 1;
-    } else if (c === end || banNewLines && (c === "\n" || c === "\r" && str[i + 1] === "\n")) {
-      return i;
-    }
-  }
-  throw new TomlError("cannot find end of structure", {
-    toml: str,
-    ptr
-  });
-}
-__name(skipUntil, "skipUntil");
-function getStringEnd(str, seek) {
-  let first = str[seek];
-  let target = first === str[seek + 1] && str[seek + 1] === str[seek + 2] ? str.slice(seek, seek + 3) : first;
-  seek += target.length - 1;
-  do
-    seek = str.indexOf(target, ++seek);
-  while (seek > -1 && first !== "'" && isEscaped(str, seek));
-  if (seek > -1) {
-    seek += target.length;
-    if (target.length > 1) {
-      if (str[seek] === first)
-        seek++;
-      if (str[seek] === first)
-        seek++;
-    }
-  }
-  return seek;
-}
-__name(getStringEnd, "getStringEnd");
-// ../../node_modules/.pnpm/smol-toml@1.5.2/node_modules/smol-toml/dist/date.js
-var DATE_TIME_RE = /^(\d{4}-\d{2}-\d{2})?[T ]?(?:(\d{2}):\d{2}:\d{2}(?:\.\d+)?)?(Z|[-+]\d{2}:\d{2})?$/i;
-var TomlDate = class _TomlDate extends Date {
-  static {
-    __name(this, "TomlDate");
-  }
-  #hasDate = false;
-  #hasTime = false;
-  #offset = null;
-  constructor(date) {
-    let hasDate = true;
-    let hasTime = true;
-    let offset = "Z";
-    if (typeof date === "string") {
-      let match = date.match(DATE_TIME_RE);
-      if (match) {
-        if (!match[1]) {
-          hasDate = false;
-          date = `0000-01-01T${date}`;
-        }
-        hasTime = !!match[2];
-        hasTime && date[10] === " " && (date = date.replace(" ", "T"));
-        if (match[2] && +match[2] > 23) {
-          date = "";
-        } else {
-          offset = match[3] || null;
-          date = date.toUpperCase();
-          if (!offset && hasTime)
-            date += "Z";
-        }
-      } else {
-        date = "";
-      }
-    }
-    super(date);
-    if (!isNaN(this.getTime())) {
-      this.#hasDate = hasDate;
-      this.#hasTime = hasTime;
-      this.#offset = offset;
-    }
-  }
-  isDateTime() {
-    return this.#hasDate && this.#hasTime;
-  }
-  isLocal() {
-    return !this.#hasDate || !this.#hasTime || !this.#offset;
-  }
-  isDate() {
-    return this.#hasDate && !this.#hasTime;
-  }
-  isTime() {
-    return this.#hasTime && !this.#hasDate;
-  }
-  isValid() {
-    return this.#hasDate || this.#hasTime;
-  }
-  toISOString() {
-    let iso = super.toISOString();
-    if (this.isDate())
-      return iso.slice(0, 10);
-    if (this.isTime())
-      return iso.slice(11, 23);
-    if (this.#offset === null)
-      return iso.slice(0, -1);
-    if (this.#offset === "Z")
-      return iso;
-    let offset = +this.#offset.slice(1, 3) * 60 + +this.#offset.slice(4, 6);
-    offset = this.#offset[0] === "-" ? offset : -offset;
-    let offsetDate = new Date(this.getTime() - offset * 6e4);
-    return offsetDate.toISOString().slice(0, -1) + this.#offset;
-  }
-  static wrapAsOffsetDateTime(jsDate, offset = "Z") {
-    let date = new _TomlDate(jsDate);
-    date.#offset = offset;
-    return date;
-  }
-  static wrapAsLocalDateTime(jsDate) {
-    let date = new _TomlDate(jsDate);
-    date.#offset = null;
-    return date;
-  }
-  static wrapAsLocalDate(jsDate) {
-    let date = new _TomlDate(jsDate);
-    date.#hasTime = false;
-    date.#offset = null;
-    return date;
-  }
-  static wrapAsLocalTime(jsDate) {
-    let date = new _TomlDate(jsDate);
-    date.#hasDate = false;
-    date.#offset = null;
-    return date;
+// src/state.ts
+var hasWarnedAboutDeprecatedV1ApiToken = false;
+function readStoredAuthState(options) {
+  const { configOverride, warningLogger, storage } = options;
+  let parsed;
+  try {
+    parsed = configOverride ?? storage.read();
+  } catch {
+    return {};
   }
-};
-// ../../node_modules/.pnpm/smol-toml@1.5.2/node_modules/smol-toml/dist/primitive.js
-var INT_REGEX = /^((0x[0-9a-fA-F](_?[0-9a-fA-F])*)|(([+-]|0[ob])?\d(_?\d)*))$/;
-var FLOAT_REGEX = /^[+-]?\d(_?\d)*(\.\d(_?\d)*)?([eE][+-]?\d(_?\d)*)?$/;
-var LEADING_ZERO = /^[+-]?0[0-9_]/;
-var ESCAPE_REGEX = /^[0-9a-f]{4,8}$/i;
-var ESC_MAP = {
-  b: "\b",
-  t: "	",
-  n: "\n",
-  f: "\f",
-  r: "\r",
-  '"': '"',
-  "\\": "\\"
-};
-function parseString(str, ptr = 0, endPtr = str.length) {
-  let isLiteral = str[ptr] === "'";
-  let isMultiline = str[ptr++] === str[ptr] && str[ptr] === str[ptr + 1];
-  if (isMultiline) {
-    endPtr -= 2;
-    if (str[ptr += 2] === "\r")
-      ptr++;
-    if (str[ptr] === "\n")
-      ptr++;
-  }
-  let tmp = 0;
-  let isEscape;
-  let parsed = "";
-  let sliceStart = ptr;
-  while (ptr < endPtr - 1) {
-    let c = str[ptr++];
-    if (c === "\n" || c === "\r" && str[ptr] === "\n") {
-      if (!isMultiline) {
-        throw new TomlError("newlines are not allowed in strings", {
-          toml: str,
-          ptr: ptr - 1
-        });
-      }
-    } else if (c < " " && c !== "	" || c === "\x7F") {
-      throw new TomlError("control characters are not allowed in strings", {
-        toml: str,
-        ptr: ptr - 1
-      });
-    }
-    if (isEscape) {
-      isEscape = false;
-      if (c === "u" || c === "U") {
-        let code = str.slice(ptr, ptr += c === "u" ? 4 : 8);
-        if (!ESCAPE_REGEX.test(code)) {
-          throw new TomlError("invalid unicode escape", {
-            toml: str,
-            ptr: tmp
-          });
-        }
-        try {
-          parsed += String.fromCodePoint(parseInt(code, 16));
-        } catch {
-          throw new TomlError("invalid unicode escape", {
-            toml: str,
-            ptr: tmp
-          });
-        }
-      } else if (isMultiline && (c === "\n" || c === " " || c === "	" || c === "\r")) {
-        ptr = skipVoid(str, ptr - 1, true);
-        if (str[ptr] !== "\n" && str[ptr] !== "\r") {
-          throw new TomlError("invalid escape: only line-ending whitespace may be escaped", {
-            toml: str,
-            ptr: tmp
-          });
-        }
-        ptr = skipVoid(str, ptr);
-      } else if (c in ESC_MAP) {
-        parsed += ESC_MAP[c];
-      } else {
-        throw new TomlError("unrecognized escape sequence", {
-          toml: str,
-          ptr: tmp
-        });
-      }
-      sliceStart = ptr;
-    } else if (!isLiteral && c === "\\") {
-      tmp = ptr - 1;
-      isEscape = true;
-      parsed += str.slice(sliceStart, tmp);
-    }
+  const { oauth_token, refresh_token, expiration_time, scopes, api_token } = parsed;
+  if (oauth_token) {
+    return {
+      accessToken: {
+        value: oauth_token,
+        // If there is no `expiration_time` field then set it to an old date, to cause it to expire immediately.
+        expiry: expiration_time ?? "2000-01-01:00:00:00+00:00"
+      },
+      refreshToken: { value: refresh_token ?? "" },
+      scopes
+    };
   }
-  return parsed + str.slice(sliceStart, endPtr - 1);
-}
-__name(parseString, "parseString");
-function parseValue(value, toml, ptr, integersAsBigInt) {
-  if (value === "true")
-    return true;
-  if (value === "false")
-    return false;
-  if (value === "-inf")
-    return -Infinity;
-  if (value === "inf" || value === "+inf")
-    return Infinity;
-  if (value === "nan" || value === "+nan" || value === "-nan")
-    return NaN;
-  if (value === "-0")
-    return integersAsBigInt ? 0n : 0;
-  let isInt = INT_REGEX.test(value);
-  if (isInt || FLOAT_REGEX.test(value)) {
-    if (LEADING_ZERO.test(value)) {
-      throw new TomlError("leading zeroes are not allowed", {
-        toml,
-        ptr
-      });
-    }
-    value = value.replace(/_/g, "");
-    let numeric = +value;
-    if (isNaN(numeric)) {
-      throw new TomlError("invalid number", {
-        toml,
-        ptr
-      });
-    }
-    if (isInt) {
-      if ((isInt = !Number.isSafeInteger(numeric)) && !integersAsBigInt) {
-        throw new TomlError("integer value cannot be represented losslessly", {
-          toml,
-          ptr
-        });
-      }
-      if (isInt || integersAsBigInt === true)
-        numeric = BigInt(value);
+  if (api_token) {
+    if (!hasWarnedAboutDeprecatedV1ApiToken && warningLogger) {
+      hasWarnedAboutDeprecatedV1ApiToken = true;
+      warningLogger.warn(
+        `It looks like you have used Wrangler v1's \`config\` command to login with an API token
+from ${configOverride === void 0 ? storage.path() : "in-memory config"}.
+This is no longer supported in the current version of Wrangler.
+If you wish to authenticate via an API token then please set the \`CLOUDFLARE_API_TOKEN\` environment variable.`
+      );
     }
-    return numeric;
-  }
-  const date = new TomlDate(value);
-  if (!date.isValid()) {
-    throw new TomlError("invalid value", {
-      toml,
-      ptr
-    });
+    return { deprecatedApiToken: api_token };
   }
-  return date;
+  return {};
 }
-__name(parseValue, "parseValue");
+__name(readStoredAuthState, "readStoredAuthState");
-// ../../node_modules/.pnpm/smol-toml@1.5.2/node_modules/smol-toml/dist/extract.js
-function sliceAndTrimEndOf(str, startPtr, endPtr, allowNewLines) {
-  let value = str.slice(startPtr, endPtr);
-  let commentIdx = value.indexOf("#");
-  if (commentIdx > -1) {
-    skipComment(str, commentIdx);
-    value = value.slice(0, commentIdx);
-  }
-  let trimmed = value.trimEnd();
-  if (!allowNewLines) {
-    let newlineIdx = value.indexOf("\n", trimmed.length);
-    if (newlineIdx > -1) {
-      throw new TomlError("newlines are not allowed in inline tables", {
-        toml: str,
-        ptr: startPtr + newlineIdx
-      });
-    }
-  }
-  return [trimmed, commentIdx];
-}
-__name(sliceAndTrimEndOf, "sliceAndTrimEndOf");
-function extractValue(str, ptr, end, depth, integersAsBigInt) {
-  if (depth === 0) {
-    throw new TomlError("document contains excessively nested structures. aborting.", {
-      toml: str,
-      ptr
-    });
-  }
-  let c = str[ptr];
-  if (c === "[" || c === "{") {
-    let [value, endPtr2] = c === "[" ? parseArray(str, ptr, depth, integersAsBigInt) : parseInlineTable(str, ptr, depth, integersAsBigInt);
-    let newPtr = end ? skipUntil(str, endPtr2, ",", end) : endPtr2;
-    if (endPtr2 - newPtr && end === "}") {
-      let nextNewLine = indexOfNewline(str, endPtr2, newPtr);
-      if (nextNewLine > -1) {
-        throw new TomlError("newlines are not allowed in inline tables", {
-          toml: str,
-          ptr: nextNewLine
-        });
-      }
-    }
-    return [value, newPtr];
-  }
-  let endPtr;
-  if (c === '"' || c === "'") {
-    endPtr = getStringEnd(str, ptr);
-    let parsed = parseString(str, ptr, endPtr);
-    if (end) {
-      endPtr = skipVoid(str, endPtr, end !== "]");
-      if (str[endPtr] && str[endPtr] !== "," && str[endPtr] !== end && str[endPtr] !== "\n" && str[endPtr] !== "\r") {
-        throw new TomlError("unexpected character encountered", {
-          toml: str,
-          ptr: endPtr
-        });
-      }
-      endPtr += +(str[endPtr] === ",");
+// src/credentials.ts
+var getCloudflareAPITokenFromEnv = getEnvironmentVariableFactory({
+  variableName: "CLOUDFLARE_API_TOKEN",
+  deprecatedName: "CF_API_TOKEN"
+});
+var getCloudflareGlobalAuthKeyFromEnv = getEnvironmentVariableFactory({
+  variableName: "CLOUDFLARE_API_KEY",
+  deprecatedName: "CF_API_KEY"
+});
+var getCloudflareGlobalAuthEmailFromEnv = getEnvironmentVariableFactory({
+  variableName: "CLOUDFLARE_EMAIL",
+  deprecatedName: "CF_EMAIL"
+});
+function getAuthFromEnv(options) {
+  const allowGlobalAuthKey = options?.allowGlobalAuthKey ?? true;
+  if (allowGlobalAuthKey) {
+    const globalApiKey = getCloudflareGlobalAuthKeyFromEnv();
+    const globalApiEmail = getCloudflareGlobalAuthEmailFromEnv();
+    if (globalApiKey && globalApiEmail) {
+      return { authKey: globalApiKey, authEmail: globalApiEmail };
     }
-    return [parsed, endPtr];
-  }
-  endPtr = skipUntil(str, ptr, ",", end);
-  let slice = sliceAndTrimEndOf(str, ptr, endPtr - +(str[endPtr - 1] === ","), end === "]");
-  if (!slice[0]) {
-    throw new TomlError("incomplete key-value declaration: no value specified", {
-      toml: str,
-      ptr
-    });
   }
-  if (end && slice[1] > -1) {
-    endPtr = skipVoid(str, ptr + slice[1]);
-    endPtr += +(str[endPtr] === ",");
+  const apiToken = getCloudflareAPITokenFromEnv();
+  if (apiToken) {
+    return { apiToken };
   }
-  return [
-    parseValue(slice[0], str, ptr, integersAsBigInt),
-    endPtr
-  ];
-}
-__name(extractValue, "extractValue");
-// ../../node_modules/.pnpm/smol-toml@1.5.2/node_modules/smol-toml/dist/struct.js
-var KEY_PART_RE = /^[a-zA-Z0-9-_]+[ \t]*$/;
-function parseKey(str, ptr, end = "=") {
-  let dot = ptr - 1;
-  let parsed = [];
-  let endPtr = str.indexOf(end, ptr);
-  if (endPtr < 0) {
-    throw new TomlError("incomplete key-value: cannot find end of key", {
-      toml: str,
-      ptr
-    });
-  }
-  do {
-    let c = str[ptr = ++dot];
-    if (c !== " " && c !== "	") {
-      if (c === '"' || c === "'") {
-        if (c === str[ptr + 1] && c === str[ptr + 2]) {
-          throw new TomlError("multiline strings are not allowed in keys", {
-            toml: str,
-            ptr
-          });
-        }
-        let eos = getStringEnd(str, ptr);
-        if (eos < 0) {
-          throw new TomlError("unfinished string encountered", {
-            toml: str,
-            ptr
-          });
-        }
-        dot = str.indexOf(".", eos);
-        let strEnd = str.slice(eos, dot < 0 || dot > endPtr ? endPtr : dot);
-        let newLine = indexOfNewline(strEnd);
-        if (newLine > -1) {
-          throw new TomlError("newlines are not allowed in keys", {
-            toml: str,
-            ptr: ptr + dot + newLine
-          });
-        }
-        if (strEnd.trimStart()) {
-          throw new TomlError("found extra tokens after the string part", {
-            toml: str,
-            ptr: eos
-          });
-        }
-        if (endPtr < eos) {
-          endPtr = str.indexOf(end, eos);
-          if (endPtr < 0) {
-            throw new TomlError("incomplete key-value: cannot find end of key", {
-              toml: str,
-              ptr
-            });
-          }
-        }
-        parsed.push(parseString(str, ptr, eos));
-      } else {
-        dot = str.indexOf(".", ptr);
-        let part = str.slice(ptr, dot < 0 || dot > endPtr ? endPtr : dot);
-        if (!KEY_PART_RE.test(part)) {
-          throw new TomlError("only letter, numbers, dashes and underscores are allowed in keys", {
-            toml: str,
-            ptr
-          });
-        }
-        parsed.push(part.trimEnd());
-      }
-    }
-  } while (dot + 1 && dot < endPtr);
-  return [parsed, skipVoid(str, endPtr + 1, true, true)];
+  return void 0;
 }
-__name(parseKey, "parseKey");
-function parseInlineTable(str, ptr, depth, integersAsBigInt) {
-  let res = {};
-  let seen = /* @__PURE__ */ new Set();
-  let c;
-  let comma = 0;
-  ptr++;
-  while ((c = str[ptr++]) !== "}" && c) {
-    let err = { toml: str, ptr: ptr - 1 };
-    if (c === "\n") {
-      throw new TomlError("newlines are not allowed in inline tables", err);
-    } else if (c === "#") {
-      throw new TomlError("inline tables cannot contain comments", err);
-    } else if (c === ",") {
-      throw new TomlError("expected key-value, found comma", err);
-    } else if (c !== " " && c !== "	") {
-      let k;
-      let t = res;
-      let hasOwn = false;
-      let [key, keyEndPtr] = parseKey(str, ptr - 1);
-      for (let i = 0; i < key.length; i++) {
-        if (i)
-          t = hasOwn ? t[k] : t[k] = {};
-        k = key[i];
-        if ((hasOwn = Object.hasOwn(t, k)) && (typeof t[k] !== "object" || seen.has(t[k]))) {
-          throw new TomlError("trying to redefine an already defined value", {
-            toml: str,
-            ptr
-          });
-        }
-        if (!hasOwn && k === "__proto__") {
-          Object.defineProperty(t, k, { enumerable: true, configurable: true, writable: true });
-        }
-      }
-      if (hasOwn) {
-        throw new TomlError("trying to redefine an already defined value", {
-          toml: str,
-          ptr
-        });
-      }
-      let [value, valueEndPtr] = extractValue(str, keyEndPtr, "}", depth - 1, integersAsBigInt);
-      seen.add(value);
-      t[k] = value;
-      ptr = valueEndPtr;
-      comma = str[ptr - 1] === "," ? ptr - 1 : 0;
-    }
-  }
-  if (comma) {
-    throw new TomlError("trailing commas are not allowed in inline tables", {
-      toml: str,
-      ptr: comma
-    });
+__name(getAuthFromEnv, "getAuthFromEnv");
+function getAPIToken(options) {
+  const envAuth = getAuthFromEnv(options);
+  if (envAuth) {
+    return envAuth;
+  }
+  const stored = readStoredAuthState({
+    storage: options.storage,
+    warningLogger: options.warningLogger
+  });
+  if (stored.deprecatedApiToken) {
+    return { apiToken: stored.deprecatedApiToken };
   }
-  if (!c) {
-    throw new TomlError("unfinished table encountered", {
-      toml: str,
-      ptr
-    });
+  if (stored.accessToken?.value) {
+    return { apiToken: stored.accessToken.value };
   }
-  return [res, ptr];
+  return void 0;
 }
-__name(parseInlineTable, "parseInlineTable");
-function parseArray(str, ptr, depth, integersAsBigInt) {
-  let res = [];
-  let c;
-  ptr++;
-  while ((c = str[ptr++]) !== "]" && c) {
-    if (c === ",") {
-      throw new TomlError("expected value, found comma", {
-        toml: str,
-        ptr: ptr - 1
-      });
-    } else if (c === "#")
-      ptr = skipComment(str, ptr);
-    else if (c !== " " && c !== "	" && c !== "\n" && c !== "\r") {
-      let e = extractValue(str, ptr - 1, "]", depth - 1, integersAsBigInt);
-      res.push(e[0]);
-      ptr = e[1];
-    }
-  }
-  if (!c) {
-    throw new TomlError("unfinished array encountered", {
-      toml: str,
-      ptr
+__name(getAPIToken, "getAPIToken");
+function requireApiToken(options) {
+  const credentials = getAPIToken(options);
+  if (!credentials) {
+    throw new UserError("No API token found.", {
+      telemetryMessage: "user auth missing api token"
     });
   }
-  return [res, ptr];
-}
-__name(parseArray, "parseArray");
-// ../../node_modules/.pnpm/smol-toml@1.5.2/node_modules/smol-toml/dist/parse.js
-function peekTable(key, table, meta, type) {
-  let t = table;
-  let m = meta;
-  let k;
-  let hasOwn = false;
-  let state;
-  for (let i = 0; i < key.length; i++) {
-    if (i) {
-      t = hasOwn ? t[k] : t[k] = {};
-      m = (state = m[k]).c;
-      if (type === 0 && (state.t === 1 || state.t === 2)) {
-        return null;
-      }
-      if (state.t === 2) {
-        let l = t.length - 1;
-        t = t[l];
-        m = m[l].c;
-      }
-    }
-    k = key[i];
-    if ((hasOwn = Object.hasOwn(t, k)) && m[k]?.t === 0 && m[k]?.d) {
-      return null;
-    }
-    if (!hasOwn) {
-      if (k === "__proto__") {
-        Object.defineProperty(t, k, { enumerable: true, configurable: true, writable: true });
-        Object.defineProperty(m, k, { enumerable: true, configurable: true, writable: true });
-      }
-      m[k] = {
-        t: i < key.length - 1 && type === 2 ? 3 : type,
-        d: false,
-        i: 0,
-        c: {}
-      };
-    }
-  }
-  state = m[k];
-  if (state.t !== type && !(type === 1 && state.t === 3)) {
-    return null;
-  }
-  if (type === 2) {
-    if (!state.d) {
-      state.d = true;
-      t[k] = [];
-    }
-    t[k].push(t = {});
-    state.c[state.i++] = state = { t: 1, d: false, i: 0, c: {} };
-  }
-  if (state.d) {
-    return null;
-  }
-  state.d = true;
-  if (type === 1) {
-    t = hasOwn ? t[k] : t[k] = {};
-  } else if (type === 0 && hasOwn) {
-    return null;
-  }
-  return [k, t, state.c];
+  return credentials;
 }
-__name(peekTable, "peekTable");
-function parse(toml, { maxDepth = 1e3, integersAsBigInt } = {}) {
-  let res = {};
-  let meta = {};
-  let tbl = res;
-  let m = meta;
-  for (let ptr = skipVoid(toml, 0); ptr < toml.length; ) {
-    if (toml[ptr] === "[") {
-      let isTableArray = toml[++ptr] === "[";
-      let k = parseKey(toml, ptr += +isTableArray, "]");
-      if (isTableArray) {
-        if (toml[k[1] - 1] !== "]") {
-          throw new TomlError("expected end of table declaration", {
-            toml,
-            ptr: k[1] - 1
-          });
-        }
-        k[1]++;
-      }
-      let p = peekTable(
-        k[0],
-        res,
-        meta,
-        isTableArray ? 2 : 1
-        /* Type.EXPLICIT */
-      );
-      if (!p) {
-        throw new TomlError("trying to redefine an already defined table or value", {
-          toml,
-          ptr
-        });
-      }
-      m = p[2];
-      tbl = p[1];
-      ptr = k[1];
-    } else {
-      let k = parseKey(toml, ptr);
-      let p = peekTable(
-        k[0],
-        tbl,
-        m,
-        0
-        /* Type.DOTTED */
-      );
-      if (!p) {
-        throw new TomlError("trying to redefine an already defined table or value", {
-          toml,
-          ptr
-        });
-      }
-      let v = extractValue(toml, k[1], void 0, maxDepth, integersAsBigInt);
-      p[1][p[0]] = v[0];
-      ptr = v[1];
-    }
-    ptr = skipVoid(toml, ptr, true);
-    if (toml[ptr] && toml[ptr] !== "\n" && toml[ptr] !== "\r") {
-      throw new TomlError("each key-value declaration must be followed by an end-of-line", {
-        toml,
-        ptr
-      });
-    }
-    ptr = skipVoid(toml, ptr);
-  }
-  return res;
-}
-__name(parse, "parse");
-// ../../node_modules/.pnpm/smol-toml@1.5.2/node_modules/smol-toml/dist/stringify.js
-var BARE_KEY = /^[a-z0-9-_]+$/i;
-function extendedTypeOf(obj) {
-  let type = typeof obj;
-  if (type === "object") {
-    if (Array.isArray(obj))
-      return "array";
-    if (obj instanceof Date)
-      return "date";
-  }
-  return type;
-}
-__name(extendedTypeOf, "extendedTypeOf");
-function isArrayOfTables(obj) {
-  for (let i = 0; i < obj.length; i++) {
-    if (extendedTypeOf(obj[i]) !== "object")
-      return false;
-  }
-  return obj.length != 0;
-}
-__name(isArrayOfTables, "isArrayOfTables");
-function formatString(s) {
-  return JSON.stringify(s).replace(/\x7f/g, "\\u007f");
-}
-__name(formatString, "formatString");
-function stringifyValue(val, type, depth, numberAsFloat) {
-  if (depth === 0) {
-    throw new Error("Could not stringify the object: maximum object depth exceeded");
-  }
-  if (type === "number") {
-    if (isNaN(val))
-      return "nan";
-    if (val === Infinity)
-      return "inf";
-    if (val === -Infinity)
-      return "-inf";
-    if (numberAsFloat && Number.isInteger(val))
-      return val.toFixed(1);
-    return val.toString();
-  }
-  if (type === "bigint" || type === "boolean") {
-    return val.toString();
-  }
-  if (type === "string") {
-    return formatString(val);
-  }
-  if (type === "date") {
-    if (isNaN(val.getTime())) {
-      throw new TypeError("cannot serialize invalid date");
-    }
-    return val.toISOString();
-  }
-  if (type === "object") {
-    return stringifyInlineTable(val, depth, numberAsFloat);
-  }
-  if (type === "array") {
-    return stringifyArray(val, depth, numberAsFloat);
-  }
-}
-__name(stringifyValue, "stringifyValue");
-function stringifyInlineTable(obj, depth, numberAsFloat) {
-  let keys = Object.keys(obj);
-  if (keys.length === 0)
-    return "{}";
-  let res = "{ ";
-  for (let i = 0; i < keys.length; i++) {
-    let k = keys[i];
-    if (i)
-      res += ", ";
-    res += BARE_KEY.test(k) ? k : formatString(k);
-    res += " = ";
-    res += stringifyValue(obj[k], extendedTypeOf(obj[k]), depth - 1, numberAsFloat);
-  }
-  return res + " }";
-}
-__name(stringifyInlineTable, "stringifyInlineTable");
-function stringifyArray(array, depth, numberAsFloat) {
-  if (array.length === 0)
-    return "[]";
-  let res = "[ ";
-  for (let i = 0; i < array.length; i++) {
-    if (i)
-      res += ", ";
-    if (array[i] === null || array[i] === void 0) {
-      throw new TypeError("arrays cannot contain null or undefined values");
-    }
-    res += stringifyValue(array[i], extendedTypeOf(array[i]), depth - 1, numberAsFloat);
-  }
-  return res + " ]";
-}
-__name(stringifyArray, "stringifyArray");
-function stringifyArrayTable(array, key, depth, numberAsFloat) {
-  if (depth === 0) {
-    throw new Error("Could not stringify the object: maximum object depth exceeded");
-  }
-  let res = "";
-  for (let i = 0; i < array.length; i++) {
-    res += `${res && "\n"}[[${key}]]
-`;
-    res += stringifyTable(0, array[i], key, depth, numberAsFloat);
-  }
-  return res;
-}
-__name(stringifyArrayTable, "stringifyArrayTable");
-function stringifyTable(tableKey, obj, prefix, depth, numberAsFloat) {
-  if (depth === 0) {
-    throw new Error("Could not stringify the object: maximum object depth exceeded");
-  }
-  let preamble = "";
-  let tables = "";
-  let keys = Object.keys(obj);
-  for (let i = 0; i < keys.length; i++) {
-    let k = keys[i];
-    if (obj[k] !== null && obj[k] !== void 0) {
-      let type = extendedTypeOf(obj[k]);
-      if (type === "symbol" || type === "function") {
-        throw new TypeError(`cannot serialize values of type '${type}'`);
-      }
-      let key = BARE_KEY.test(k) ? k : formatString(k);
-      if (type === "array" && isArrayOfTables(obj[k])) {
-        tables += (tables && "\n") + stringifyArrayTable(obj[k], prefix ? `${prefix}.${key}` : key, depth - 1, numberAsFloat);
-      } else if (type === "object") {
-        let tblKey = prefix ? `${prefix}.${key}` : key;
-        tables += (tables && "\n") + stringifyTable(tblKey, obj[k], tblKey, depth - 1, numberAsFloat);
-      } else {
-        preamble += key;
-        preamble += " = ";
-        preamble += stringifyValue(obj[k], type, depth, numberAsFloat);
-        preamble += "\n";
-      }
-    }
-  }
-  if (tableKey && (preamble || !tables))
-    preamble = preamble ? `[${tableKey}]
-${preamble}` : `[${tableKey}]`;
-  return preamble && tables ? `${preamble}
-${tables}` : preamble || tables;
-}
-__name(stringifyTable, "stringifyTable");
-function stringify(obj, { maxDepth = 1e3, numbersAsFloat = false } = {}) {
-  if (extendedTypeOf(obj) !== "object") {
-    throw new TypeError("stringify can only be called with an object");
-  }
-  let str = stringifyTable(0, obj, "", maxDepth, numbersAsFloat);
-  if (str[str.length - 1] !== "\n")
-    return str + "\n";
-  return str;
-}
-__name(stringify, "stringify");
-// ../../node_modules/.pnpm/smol-toml@1.5.2/node_modules/smol-toml/dist/index.js
-var dist_default = { parse, stringify, TomlDate, TomlError };
-// src/auth-config-file.ts
-var USER_AUTH_CONFIG_PATH = "config";
-function getAuthConfigFilePath() {
-  const environment = getCloudflareApiEnvironmentFromEnv();
-  const filePath = `${USER_AUTH_CONFIG_PATH}/${environment === "production" ? "default.toml" : `${environment}.toml`}`;
-  return path.join(getGlobalWranglerConfigPath(), filePath);
-}
-__name(getAuthConfigFilePath, "getAuthConfigFilePath");
-function writeAuthConfigFile(config) {
-  const configPath = getAuthConfigFilePath();
-  mkdirSync(path.dirname(configPath), {
-    recursive: true
-  });
-  writeFileSync(configPath, dist_default.stringify(config), {
-    encoding: "utf-8"
-  });
-}
-__name(writeAuthConfigFile, "writeAuthConfigFile");
-function readAuthConfigFile() {
-  return parseTOML(readFileSync(getAuthConfigFilePath()));
-}
-__name(readAuthConfigFile, "readAuthConfigFile");
-var getClientIdFromEnv = getEnvironmentVariableFactory({
-  variableName: "WRANGLER_CLIENT_ID",
-  defaultValue: /* @__PURE__ */ __name(() => getCloudflareApiEnvironmentFromEnv() === "staging" ? "4b2ea6cc-9421-4761-874b-ce550e0e3def" : "54d11594-84e4-41aa-b438-e81b8fa78ee7", "defaultValue")
-});
+__name(requireApiToken, "requireApiToken");
 var getAuthDomainFromEnv = getEnvironmentVariableFactory({
   variableName: "WRANGLER_AUTH_DOMAIN",
   defaultValue: /* @__PURE__ */ __name(() => getCloudflareApiEnvironmentFromEnv() === "staging" ? "dash.staging.cloudflare.com" : "dash.cloudflare.com", "defaultValue")
@@ -1052,11 +242,17 @@ var ErrorOAuth2 = class extends UserError {
   static {
     __name(this, "ErrorOAuth2");
   }
+  /** The OAuth `error` code returned by the provider (e.g. `invalid_scope`). */
+  code;
+  /** The OAuth `error_description` returned by the provider, if any. */
+  description;
+  /** The OAuth `error_uri` returned by the provider, if any. */
+  uri;
   toString() {
     return "ErrorOAuth2";
   }
 };
-var ErrorUnknown = class extends UserError {
+var ErrorUnknown = class extends ErrorOAuth2 {
   static {
     __name(this, "ErrorUnknown");
   }
@@ -1192,61 +388,93 @@ var ErrorUnsupportedGrantType = class extends ErrorAccessTokenResponse {
     return "ErrorUnsupportedGrantType";
   }
 };
-function toErrorClass(rawError) {
+function formatOAuthErrorMessage(code, description, uri) {
+  let message = `OAuth error: ${code}`;
+  if (description) {
+    message += `
+  ${description}`;
+  }
+  if (uri) {
+    message += `
+  See: ${uri}`;
+  }
+  return message;
+}
+__name(formatOAuthErrorMessage, "formatOAuthErrorMessage");
+function toErrorClass(rawError, description, uri) {
+  const message = formatOAuthErrorMessage(rawError, description, uri);
+  let error;
   switch (rawError) {
     case "invalid_request":
-      return new ErrorInvalidRequest(rawError, {
+      error = new ErrorInvalidRequest(message, {
         telemetryMessage: "user oauth invalid request"
       });
+      break;
     case "invalid_grant":
-      return new ErrorInvalidGrant(rawError, {
+      error = new ErrorInvalidGrant(message, {
         telemetryMessage: "user oauth invalid grant"
       });
+      break;
     case "unauthorized_client":
-      return new ErrorUnauthorizedClient(rawError, {
+      error = new ErrorUnauthorizedClient(message, {
         telemetryMessage: "user oauth unauthorized client"
       });
+      break;
     case "access_denied":
-      return new ErrorAccessDenied(rawError, {
+      error = new ErrorAccessDenied(message, {
         telemetryMessage: "user oauth access denied"
       });
+      break;
     case "unsupported_response_type":
-      return new ErrorUnsupportedResponseType(rawError, {
+      error = new ErrorUnsupportedResponseType(message, {
         telemetryMessage: "user oauth unsupported response type"
       });
+      break;
     case "invalid_scope":
-      return new ErrorInvalidScope(rawError, {
+      error = new ErrorInvalidScope(message, {
         telemetryMessage: "user oauth invalid scope"
       });
+      break;
     case "server_error":
-      return new ErrorServerError(rawError, {
+      error = new ErrorServerError(message, {
         telemetryMessage: "user oauth server error"
       });
+      break;
     case "temporarily_unavailable":
-      return new ErrorTemporarilyUnavailable(rawError, {
+      error = new ErrorTemporarilyUnavailable(message, {
         telemetryMessage: "user oauth temporarily unavailable"
       });
+      break;
     case "invalid_client":
-      return new ErrorInvalidClient(rawError, {
+      error = new ErrorInvalidClient(message, {
         telemetryMessage: "user oauth invalid client"
       });
+      break;
     case "unsupported_grant_type":
-      return new ErrorUnsupportedGrantType(rawError, {
+      error = new ErrorUnsupportedGrantType(message, {
         telemetryMessage: "user oauth unsupported grant type"
       });
+      break;
     case "invalid_json":
-      return new ErrorInvalidJson(rawError, {
+      error = new ErrorInvalidJson(message, {
         telemetryMessage: "user oauth invalid json"
       });
+      break;
     case "invalid_token":
-      return new ErrorInvalidToken(rawError, {
+      error = new ErrorInvalidToken(message, {
         telemetryMessage: "user oauth invalid token"
       });
+      break;
     default:
-      return new ErrorUnknown(rawError, {
+      error = new ErrorUnknown(message, {
         telemetryMessage: "user oauth unknown error"
       });
+      break;
   }
+  error.code = rawError;
+  error.description = description;
+  error.uri = uri;
+  return error;
 }
 __name(toErrorClass, "toErrorClass");
@@ -1291,18 +519,6 @@ function dedent(templ) {
 }
 __name(dedent, "dedent");
 var esm_default = dedent;
-// src/generate-auth-url.ts
-var OAUTH_CALLBACK_URL = "http://localhost:8976/oauth/callback";
-var generateAuthUrl = /* @__PURE__ */ __name(({
-  authUrl,
-  clientId,
-  scopes,
-  stateQueryParam,
-  codeChallenge
-}) => {
-  return authUrl + `?response_type=code&client_id=${encodeURIComponent(clientId)}&redirect_uri=${encodeURIComponent(OAUTH_CALLBACK_URL)}&scope=${encodeURIComponent([...scopes, "offline_access"].join(" "))}&state=${stateQueryParam}&code_challenge=${encodeURIComponent(codeChallenge)}&code_challenge_method=S256`;
-}, "generateAuthUrl");
 var RECOMMENDED_CODE_VERIFIER_LENGTH = 96;
 var RECOMMENDED_STATE_LENGTH = 32;
 var PKCE_CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
@@ -1335,51 +551,13 @@ async function generatePKCECodes() {
 }
 __name(generatePKCECodes, "generatePKCECodes");
-// src/state.ts
-var hasWarnedAboutDeprecatedV1ApiToken = false;
-function readStoredAuthState(options) {
-  const { configOverride, warningLogger } = options ?? {};
-  let parsed;
-  try {
-    parsed = configOverride ?? readAuthConfigFile();
-  } catch {
-    return {};
-  }
-  const { oauth_token, refresh_token, expiration_time, scopes, api_token } = parsed;
-  if (oauth_token) {
-    return {
-      accessToken: {
-        value: oauth_token,
-        // If there is no `expiration_time` field then set it to an old date, to cause it to expire immediately.
-        expiry: expiration_time ?? "2000-01-01:00:00:00+00:00"
-      },
-      refreshToken: { value: refresh_token ?? "" },
-      scopes
-    };
-  }
-  if (api_token) {
-    if (!hasWarnedAboutDeprecatedV1ApiToken && warningLogger) {
-      hasWarnedAboutDeprecatedV1ApiToken = true;
-      warningLogger.warn(
-        `It looks like you have used Wrangler v1's \`config\` command to login with an API token
-from ${configOverride === void 0 ? getAuthConfigFilePath() : "in-memory config"}.
-This is no longer supported in the current version of Wrangler.
-If you wish to authenticate via an API token then please set the \`CLOUDFLARE_API_TOKEN\` environment variable.`
-      );
-    }
-    return { deprecatedApiToken: api_token };
-  }
-  return {};
-}
-__name(readStoredAuthState, "readStoredAuthState");
 // src/token-exchange.ts
 function isReturningFromAuthServer(query, state, logger) {
   if (query.error) {
-    if (Array.isArray(query.error)) {
-      throw toErrorClass(query.error[0]);
-    }
-    throw toErrorClass(query.error);
+    const error = Array.isArray(query.error) ? query.error[0] : query.error;
+    const description = Array.isArray(query.error_description) ? query.error_description[0] : query.error_description;
+    const uri = Array.isArray(query.error_uri) ? query.error_uri[0] : query.error_uri;
+    throw toErrorClass(error, description, uri);
   }
   const code = query.code;
   if (!code) {
@@ -1400,7 +578,7 @@ function isReturningFromAuthServer(query, state, logger) {
   return true;
 }
 __name(isReturningFromAuthServer, "isReturningFromAuthServer");
-async function getAuthURL(scopes, clientId, state, generators) {
+async function getAuthURL(scopes, clientId, redirectUri, state, generators) {
   const { codeChallenge, codeVerifier } = await generatePKCECodes();
   const stateQueryParam = generators.generateRandomState(
     RECOMMENDED_STATE_LENGTH
@@ -1415,13 +593,15 @@ async function getAuthURL(scopes, clientId, state, generators) {
     clientId,
     scopes,
     stateQueryParam,
-    codeChallenge
+    codeChallenge,
+    redirectUri
   });
 }
 __name(getAuthURL, "getAuthURL");
-async function exchangeRefreshTokenForAccessToken(logger, isNonInteractiveOrCI) {
+async function exchangeRefreshTokenForAccessToken(logger, isNonInteractiveOrCI, clientId, storage) {
   const storedRefreshToken = readStoredAuthState({
-    warningLogger: logger
+    warningLogger: logger,
+    storage
   }).refreshToken;
   if (!storedRefreshToken) {
     logger.warn("No refresh token is present.");
@@ -1429,7 +609,7 @@ async function exchangeRefreshTokenForAccessToken(logger, isNonInteractiveOrCI)
   const params = new URLSearchParams({
     grant_type: "refresh_token",
     refresh_token: storedRefreshToken?.value ?? "",
-    client_id: getClientIdFromEnv()
+    client_id: clientId
   });
   const response = await fetchAuthToken(params, logger, isNonInteractiveOrCI);
   if (response.status >= 400) {
@@ -1478,7 +658,7 @@ async function exchangeRefreshTokenForAccessToken(logger, isNonInteractiveOrCI)
   }
 }
 __name(exchangeRefreshTokenForAccessToken, "exchangeRefreshTokenForAccessToken");
-async function exchangeAuthCodeForAccessToken(state, logger, isNonInteractiveOrCI) {
+async function exchangeAuthCodeForAccessToken(state, logger, isNonInteractiveOrCI, clientId, redirectUri) {
   const { authorizationCode, codeVerifier = "" } = state;
   if (!codeVerifier) {
     logger.warn("No code verifier is being sent.");
@@ -1488,8 +668,8 @@ async function exchangeAuthCodeForAccessToken(state, logger, isNonInteractiveOrC
   const params = new URLSearchParams({
     grant_type: `authorization_code`,
     code: authorizationCode ?? "",
-    redirect_uri: OAUTH_CALLBACK_URL,
-    client_id: getClientIdFromEnv(),
+    redirect_uri: redirectUri,
+    client_id: clientId,
     code_verifier: codeVerifier
   });
   const response = await fetchAuthToken(params, logger, isNonInteractiveOrCI);
@@ -1502,7 +682,7 @@ async function exchangeAuthCodeForAccessToken(state, logger, isNonInteractiveOrC
   }
   const json = await getJSONFromResponse(response, logger);
   if ("error" in json) {
-    throw new Error(json.error);
+    throw toErrorClass(json.error);
   }
   const { access_token, expires_in, refresh_token, scope } = json;
   state.hasAuthCodeBeenExchangedForAccessToken = true;
@@ -1546,7 +726,7 @@ async function fetchAuthToken(body, logger, isNonInteractiveOrCI) {
       headers
     });
     if (!response.ok) {
-      logger.error(
+      logger.debug(
         "Failed to fetch auth token:",
         response.status,
         response.statusText
@@ -1554,7 +734,7 @@ async function fetchAuthToken(body, logger, isNonInteractiveOrCI) {
     }
     return response;
   } catch (e) {
-    logger.error("Failed to fetch auth token:", e);
+    logger.debug("Failed to fetch auth token:", e);
     throw e;
   }
 }
@@ -1570,7 +750,9 @@ async function getJSONFromResponse(response, logger) {
       );
       if (text.match(/challenge-platform/)) {
         logger.error(
-          `It looks like you might have hit a bot challenge page. This may be transient but if not, please contact Cloudflare to find out what can be done. When you contact Cloudflare, please provide your Ray ID: ${response.headers.get("cf-ray")}`
+          `It looks like you might have hit a bot challenge page. This may be transient but if not, please contact Cloudflare to find out what can be done. When you contact Cloudflare, please provide your Ray ID: ${response.headers.get(
+            "cf-ray"
+          )}`
         );
       }
     }
@@ -1588,9 +770,11 @@ async function getOauthToken(options, state, ctx, generators) {
   const urlToOpen = await getAuthURL(
     options.scopes,
     options.clientId,
+    options.redirectUri,
     state,
     generators
   );
+  const callbackPath = new URL(options.redirectUri).pathname;
   let server;
   let loginTimeoutHandle;
   const timerPromise = new Promise((_, reject) => {
@@ -1609,6 +793,9 @@ async function getOauthToken(options, state, ctx, generators) {
     server = http.createServer(async (req, res) => {
       function finish(token, error) {
         clearTimeout(loginTimeoutHandle);
+        if (!res.writableEnded) {
+          res.end();
+        }
         server.close((closeErr) => {
           if (error || closeErr) {
             reject(error || closeErr);
@@ -1619,13 +806,50 @@ async function getOauthToken(options, state, ctx, generators) {
         });
       }
       __name(finish, "finish");
+      function renderErrorPage(detail) {
+        const escape = /* @__PURE__ */ __name((s) => s.replace(
+          /[&<>"']/g,
+          (c) => ({
+            "&": "&amp;",
+            "<": "&lt;",
+            ">": "&gt;",
+            '"': "&quot;",
+            "'": "&#39;"
+          })[c]
+        ), "escape");
+        const codeRow = detail.code ? `<p>Code: <code>${escape(detail.code)}</code></p>` : "";
+        const descriptionRow = detail.description ? `<p class="detail">${escape(detail.description)}</p>` : "";
+        const body = `<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8" />
+  <title>Wrangler login failed</title>
+  <style>
+    body { font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif; max-width: 720px; margin: 4rem auto; padding: 0 1rem; color: #1f2933; line-height: 1.5; }
+    h1 { color: #c12d3f; }
+    code { background: #f5f7fa; padding: 0.15em 0.3em; border-radius: 3px; }
+    p.detail { background: #f5f7fa; padding: 1rem; border-radius: 4px; white-space: pre-wrap; }
+  </style>
+</head>
+<body>
+  <h1>Wrangler login failed</h1>
+  <p>The Cloudflare OAuth provider returned an error.</p>
+  ${codeRow}
+  ${descriptionRow}
+  <p>You can close this tab and return to your terminal for more details.</p>
+</body>
+</html>`;
+        res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
+        res.end(body);
+      }
+      __name(renderErrorPage, "renderErrorPage");
       assert2(req.url, "This request doesn't have a URL");
       const { pathname, query } = url.parse(req.url, true);
       if (req.method !== "GET") {
         return res.end("OK");
       }
       switch (pathname) {
-        case "/oauth/callback": {
+        case callbackPath: {
           let hasAuthCode = false;
           try {
             hasAuthCode = isReturningFromAuthServer(query, state, ctx.logger);
@@ -1643,46 +867,64 @@ async function getOauthToken(options, state, ctx, generators) {
                 );
               });
               return;
-            } else {
-              finish(null, err);
-              return;
             }
+            const oauthErr = err;
+            renderErrorPage({
+              code: oauthErr.code,
+              description: oauthErr.description ?? oauthErr.message
+            });
+            finish(null, oauthErr);
+            return;
           }
           if (!hasAuthCode) {
+            const noCodeMessage = "The Cloudflare OAuth provider did not return an authorisation code.";
+            renderErrorPage({ description: noCodeMessage });
             finish(
               null,
-              new ErrorNoAuthCode("", {
+              new ErrorNoAuthCode(noCodeMessage, {
                 telemetryMessage: "user oauth missing auth code"
               })
             );
             return;
-          } else {
-            try {
-              const exchange = await exchangeAuthCodeForAccessToken(
-                state,
-                ctx.logger,
-                ctx.isNonInteractiveOrCI
-              );
-              res.writeHead(307, {
-                Location: options.granted.url
-              });
-              res.end(() => {
-                finish(exchange);
-              });
-            } catch (err) {
-              finish(null, err);
-            }
-            return;
           }
+          try {
+            const exchange = await exchangeAuthCodeForAccessToken(
+              state,
+              ctx.logger,
+              ctx.isNonInteractiveOrCI,
+              options.clientId,
+              options.redirectUri
+            );
+            res.writeHead(307, {
+              Location: options.granted.url
+            });
+            res.end(() => {
+              finish(exchange);
+            });
+          } catch (err) {
+            const exchangeErr = err;
+            const isOAuthError = exchangeErr instanceof ErrorOAuth2;
+            renderErrorPage({
+              code: isOAuthError ? exchangeErr.code : void 0,
+              description: (isOAuthError ? exchangeErr.description : void 0) ?? exchangeErr.message ?? "Failed to exchange the authorisation code for an access token."
+            });
+            finish(null, exchangeErr);
+          }
+          return;
         }
       }
     });
-    if (options.callbackHost !== "localhost" || options.callbackPort !== 8976) {
+    const redirect = new URL(options.redirectUri);
+    const redirectPort = Number(
+      redirect.port || (redirect.protocol === "https:" ? 443 : 80)
+    );
+    if (redirect.hostname !== options.callbackHost || redirectPort !== options.callbackPort) {
       ctx.logger.log(
         `Temporary login server listening on ${options.callbackHost}:${options.callbackPort}`
       );
       ctx.logger.log(
-        "Note that the OAuth login page will always redirect to `localhost:8976`.\nIf you have changed the callback host or port because you are running in a container, then ensure that you have port forwarding set up correctly."
+        `Note that the OAuth login page will always redirect to \`${options.redirectUri}\`.
+If you have changed the callback host or port because you are running in a container, then ensure that you have port forwarding set up correctly.`
       );
     }
     server.once("error", (err) => {
@@ -1709,6 +951,18 @@ async function getOauthToken(options, state, ctx, generators) {
   return Promise.race([timerPromise, loginPromise]);
 }
 __name(getOauthToken, "getOauthToken");
+// src/generate-auth-url.ts
+var generateAuthUrl = /* @__PURE__ */ __name(({
+  authUrl,
+  clientId,
+  scopes,
+  stateQueryParam,
+  codeChallenge,
+  redirectUri
+}) => {
+  return authUrl + `?response_type=code&client_id=${encodeURIComponent(clientId)}&redirect_uri=${encodeURIComponent(redirectUri)}&scope=${encodeURIComponent([...scopes, "offline_access"].join(" "))}&state=${stateQueryParam}&code_challenge=${encodeURIComponent(codeChallenge)}&code_challenge_method=S256`;
+}, "generateAuthUrl");
 function generateRandomState(lengthOfState) {
   const output = new Uint32Array(lengthOfState);
   webcrypto.getRandomValues(output);
@@ -1723,6 +977,12 @@ function createOAuthFlow(ctx) {
     generateAuthUrl: ctx.generateAuthUrl ?? generateAuthUrl,
     generateRandomState: ctx.generateRandomState ?? generateRandomState
   };
+  const storage = ctx.storage;
+  const getClientId = /* @__PURE__ */ __name(() => typeof ctx.clientId === "function" ? ctx.clientId() : ctx.clientId, "getClientId");
+  const consent = ctx.consent;
+  const redirectUrl = new URL(ctx.redirectUri);
+  const defaultCallbackHost = redirectUrl.hostname;
+  const defaultCallbackPort = Number(redirectUrl.port);
   async function login(props) {
     if (ctx.hasEnvCredentials()) {
       ctx.logger.error(
@@ -1750,22 +1010,18 @@ function createOAuthFlow(ctx) {
       {
         browser: props.browser ?? true,
         scopes: props.scopes,
-        clientId: getClientIdFromEnv(),
-        denied: {
-          url: "https://welcome.developers.workers.dev/wrangler-oauth-consent-denied",
-          error: "Error: Consent denied. You must grant consent to Wrangler in order to login.\nIf you don't want to do this consider passing an API token via the `CLOUDFLARE_API_TOKEN` environment variable"
-        },
-        granted: {
-          url: "https://welcome.developers.workers.dev/wrangler-oauth-consent-granted"
-        },
-        callbackHost: props.callbackHost ?? "localhost",
-        callbackPort: props.callbackPort ?? 8976
+        clientId: getClientId(),
+        redirectUri: ctx.redirectUri,
+        denied: consent.denied,
+        granted: consent.granted,
+        callbackHost: props.callbackHost ?? defaultCallbackHost,
+        callbackPort: props.callbackPort ?? defaultCallbackPort
       },
       oauthFlowState,
       ctx,
       generators
     );
-    writeAuthConfigFile({
+    storage.write({
       oauth_token: oauth.token?.value ?? "",
       expiration_time: oauth.token?.expiry,
       refresh_token: oauth.refreshToken?.value,
@@ -1780,7 +1036,10 @@ function createOAuthFlow(ctx) {
     if (ctx.hasEnvCredentials()) {
       return false;
     }
-    const { accessToken } = readStoredAuthState({ warningLogger: ctx.logger });
+    const { accessToken } = readStoredAuthState({
+      warningLogger: ctx.logger,
+      storage
+    });
     return Boolean(accessToken && /* @__PURE__ */ new Date() >= new Date(accessToken.expiry));
   }
   __name(isRefreshNeeded, "isRefreshNeeded");
@@ -1795,9 +1054,11 @@ function createOAuthFlow(ctx) {
         scopes
       } = await exchangeRefreshTokenForAccessToken(
         ctx.logger,
-        ctx.isNonInteractiveOrCI
+        ctx.isNonInteractiveOrCI,
+        getClientId(),
+        storage
       );
-      writeAuthConfigFile({
+      storage.write({
         oauth_token,
         expiration_time,
         refresh_token,
@@ -1814,20 +1075,40 @@ function createOAuthFlow(ctx) {
   __name(refreshToken, "refreshToken");
   async function loginOrRefreshIfRequired(props) {
     if (ctx.hasEnvCredentials()) {
-      return true;
+      return { loggedIn: true };
     }
-    const stored = readStoredAuthState({ warningLogger: ctx.logger });
+    const stored = readStoredAuthState({
+      warningLogger: ctx.logger,
+      storage
+    });
     if (!stored.accessToken && !stored.deprecatedApiToken) {
-      return !ctx.isNonInteractiveOrCI() && await login(props);
+      if (ctx.isNonInteractiveOrCI()) {
+        return {
+          loggedIn: false,
+          reason: "no-credentials-non-interactive"
+        };
+      }
+      if (await login(props)) {
+        return { loggedIn: true };
+      }
+      return { loggedIn: false, reason: "no-credentials-login-failed" };
     } else if (isRefreshNeeded()) {
       const didRefresh = await refreshToken();
       if (didRefresh) {
-        return true;
-      } else {
-        return !ctx.isNonInteractiveOrCI() && await login(props);
+        return { loggedIn: true };
+      }
+      if (ctx.isNonInteractiveOrCI()) {
+        return {
+          loggedIn: false,
+          reason: "token-expired-non-interactive"
+        };
       }
+      if (await login(props)) {
+        return { loggedIn: true };
+      }
+      return { loggedIn: false, reason: "token-expired-login-failed" };
     } else {
-      return true;
+      return { loggedIn: true };
     }
   }
   __name(loginOrRefreshIfRequired, "loginOrRefreshIfRequired");
@@ -1839,13 +1120,14 @@ function createOAuthFlow(ctx) {
       return;
     }
     const storedRefreshToken = readStoredAuthState({
-      warningLogger: ctx.logger
+      warningLogger: ctx.logger,
+      storage
     }).refreshToken;
     if (!storedRefreshToken) {
       ctx.logger.log("Not logged in, exiting...");
       return;
     }
-    const body = `client_id=${encodeURIComponent(getClientIdFromEnv())}&token_type_hint=refresh_token&token=${encodeURIComponent(storedRefreshToken.value || "")}`;
+    const body = `client_id=${encodeURIComponent(getClientId())}&token_type_hint=refresh_token&token=${encodeURIComponent(storedRefreshToken.value || "")}`;
     const response = await fetch(getRevokeUrlFromEnv(), {
       method: "POST",
       body,
@@ -1854,13 +1136,13 @@ function createOAuthFlow(ctx) {
       }
     });
     await response.text();
-    rmSync(getAuthConfigFilePath());
+    storage.clear();
     ctx.logger.log(`Successfully logged out.`);
     ctx.purgeOnLoginOrLogout?.();
   }
   __name(logout, "logout");
   async function getOAuthTokenFromLocalState() {
-    let stored = readStoredAuthState({ warningLogger: ctx.logger });
+    let stored = readStoredAuthState({ warningLogger: ctx.logger, storage });
     if (!stored.accessToken) {
       return void 0;
     }
@@ -1870,7 +1152,7 @@ function createOAuthFlow(ctx) {
       if (!didRefresh) {
         return void 0;
       }
-      stored = readStoredAuthState({ warningLogger: ctx.logger });
+      stored = readStoredAuthState({ warningLogger: ctx.logger, storage });
     }
     return stored.accessToken?.value;
   }
@@ -1885,270 +1167,5 @@ function createOAuthFlow(ctx) {
   };
 }
 __name(createOAuthFlow, "createOAuthFlow");
-/*! Bundled license information:
-smol-toml/dist/error.js:
-  (*!
-   * Copyright (c) Squirrel Chat et al., All rights reserved.
-   * SPDX-License-Identifier: BSD-3-Clause
-   *
-   * Redistribution and use in source and binary forms, with or without
-   * modification, are permitted provided that the following conditions are met:
-   *
-   * 1. Redistributions of source code must retain the above copyright notice, this
-   *    list of conditions and the following disclaimer.
-   * 2. Redistributions in binary form must reproduce the above copyright notice,
-   *    this list of conditions and the following disclaimer in the
-   *    documentation and/or other materials provided with the distribution.
-   * 3. Neither the name of the copyright holder nor the names of its contributors
-   *    may be used to endorse or promote products derived from this software without
-   *    specific prior written permission.
-   *
-   * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-   * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-   * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-   * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-   * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-   * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-   * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-   * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-   * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-   * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-   *)
-smol-toml/dist/util.js:
-  (*!
-   * Copyright (c) Squirrel Chat et al., All rights reserved.
-   * SPDX-License-Identifier: BSD-3-Clause
-   *
-   * Redistribution and use in source and binary forms, with or without
-   * modification, are permitted provided that the following conditions are met:
-   *
-   * 1. Redistributions of source code must retain the above copyright notice, this
-   *    list of conditions and the following disclaimer.
-   * 2. Redistributions in binary form must reproduce the above copyright notice,
-   *    this list of conditions and the following disclaimer in the
-   *    documentation and/or other materials provided with the distribution.
-   * 3. Neither the name of the copyright holder nor the names of its contributors
-   *    may be used to endorse or promote products derived from this software without
-   *    specific prior written permission.
-   *
-   * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-   * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-   * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-   * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-   * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-   * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-   * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-   * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-   * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-   * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-   *)
-smol-toml/dist/date.js:
-  (*!
-   * Copyright (c) Squirrel Chat et al., All rights reserved.
-   * SPDX-License-Identifier: BSD-3-Clause
-   *
-   * Redistribution and use in source and binary forms, with or without
-   * modification, are permitted provided that the following conditions are met:
-   *
-   * 1. Redistributions of source code must retain the above copyright notice, this
-   *    list of conditions and the following disclaimer.
-   * 2. Redistributions in binary form must reproduce the above copyright notice,
-   *    this list of conditions and the following disclaimer in the
-   *    documentation and/or other materials provided with the distribution.
-   * 3. Neither the name of the copyright holder nor the names of its contributors
-   *    may be used to endorse or promote products derived from this software without
-   *    specific prior written permission.
-   *
-   * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-   * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-   * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-   * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-   * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-   * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-   * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-   * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-   * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-   * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-   *)
-smol-toml/dist/primitive.js:
-  (*!
-   * Copyright (c) Squirrel Chat et al., All rights reserved.
-   * SPDX-License-Identifier: BSD-3-Clause
-   *
-   * Redistribution and use in source and binary forms, with or without
-   * modification, are permitted provided that the following conditions are met:
-   *
-   * 1. Redistributions of source code must retain the above copyright notice, this
-   *    list of conditions and the following disclaimer.
-   * 2. Redistributions in binary form must reproduce the above copyright notice,
-   *    this list of conditions and the following disclaimer in the
-   *    documentation and/or other materials provided with the distribution.
-   * 3. Neither the name of the copyright holder nor the names of its contributors
-   *    may be used to endorse or promote products derived from this software without
-   *    specific prior written permission.
-   *
-   * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-   * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-   * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-   * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-   * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-   * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-   * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-   * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-   * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-   * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-   *)
-smol-toml/dist/extract.js:
-  (*!
-   * Copyright (c) Squirrel Chat et al., All rights reserved.
-   * SPDX-License-Identifier: BSD-3-Clause
-   *
-   * Redistribution and use in source and binary forms, with or without
-   * modification, are permitted provided that the following conditions are met:
-   *
-   * 1. Redistributions of source code must retain the above copyright notice, this
-   *    list of conditions and the following disclaimer.
-   * 2. Redistributions in binary form must reproduce the above copyright notice,
-   *    this list of conditions and the following disclaimer in the
-   *    documentation and/or other materials provided with the distribution.
-   * 3. Neither the name of the copyright holder nor the names of its contributors
-   *    may be used to endorse or promote products derived from this software without
-   *    specific prior written permission.
-   *
-   * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-   * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-   * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-   * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-   * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-   * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-   * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-   * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-   * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-   * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-   *)
-smol-toml/dist/struct.js:
-  (*!
-   * Copyright (c) Squirrel Chat et al., All rights reserved.
-   * SPDX-License-Identifier: BSD-3-Clause
-   *
-   * Redistribution and use in source and binary forms, with or without
-   * modification, are permitted provided that the following conditions are met:
-   *
-   * 1. Redistributions of source code must retain the above copyright notice, this
-   *    list of conditions and the following disclaimer.
-   * 2. Redistributions in binary form must reproduce the above copyright notice,
-   *    this list of conditions and the following disclaimer in the
-   *    documentation and/or other materials provided with the distribution.
-   * 3. Neither the name of the copyright holder nor the names of its contributors
-   *    may be used to endorse or promote products derived from this software without
-   *    specific prior written permission.
-   *
-   * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-   * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-   * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-   * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-   * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-   * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-   * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-   * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-   * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-   * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-   *)
-smol-toml/dist/parse.js:
-  (*!
-   * Copyright (c) Squirrel Chat et al., All rights reserved.
-   * SPDX-License-Identifier: BSD-3-Clause
-   *
-   * Redistribution and use in source and binary forms, with or without
-   * modification, are permitted provided that the following conditions are met:
-   *
-   * 1. Redistributions of source code must retain the above copyright notice, this
-   *    list of conditions and the following disclaimer.
-   * 2. Redistributions in binary form must reproduce the above copyright notice,
-   *    this list of conditions and the following disclaimer in the
-   *    documentation and/or other materials provided with the distribution.
-   * 3. Neither the name of the copyright holder nor the names of its contributors
-   *    may be used to endorse or promote products derived from this software without
-   *    specific prior written permission.
-   *
-   * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-   * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-   * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-   * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-   * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-   * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-   * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-   * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-   * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-   * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-   *)
-smol-toml/dist/stringify.js:
-  (*!
-   * Copyright (c) Squirrel Chat et al., All rights reserved.
-   * SPDX-License-Identifier: BSD-3-Clause
-   *
-   * Redistribution and use in source and binary forms, with or without
-   * modification, are permitted provided that the following conditions are met:
-   *
-   * 1. Redistributions of source code must retain the above copyright notice, this
-   *    list of conditions and the following disclaimer.
-   * 2. Redistributions in binary form must reproduce the above copyright notice,
-   *    this list of conditions and the following disclaimer in the
-   *    documentation and/or other materials provided with the distribution.
-   * 3. Neither the name of the copyright holder nor the names of its contributors
-   *    may be used to endorse or promote products derived from this software without
-   *    specific prior written permission.
-   *
-   * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-   * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-   * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-   * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-   * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-   * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-   * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-   * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-   * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-   * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-   *)
-smol-toml/dist/index.js:
-  (*!
-   * Copyright (c) Squirrel Chat et al., All rights reserved.
-   * SPDX-License-Identifier: BSD-3-Clause
-   *
-   * Redistribution and use in source and binary forms, with or without
-   * modification, are permitted provided that the following conditions are met:
-   *
-   * 1. Redistributions of source code must retain the above copyright notice, this
-   *    list of conditions and the following disclaimer.
-   * 2. Redistributions in binary form must reproduce the above copyright notice,
-   *    this list of conditions and the following disclaimer in the
-   *    documentation and/or other materials provided with the distribution.
-   * 3. Neither the name of the copyright holder nor the names of its contributors
-   *    may be used to endorse or promote products derived from this software without
-   *    specific prior written permission.
-   *
-   * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-   * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-   * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-   * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-   * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-   * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-   * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-   * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-   * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-   * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-   *)
-*/
-export { ErrorAccessDenied, ErrorAccessTokenResponse, ErrorAuthenticationGrant, ErrorInvalidClient, ErrorInvalidGrant, ErrorInvalidJson, ErrorInvalidRequest, ErrorInvalidReturnedStateParam, ErrorInvalidScope, ErrorInvalidToken, ErrorNoAuthCode, ErrorOAuth2, ErrorServerError, ErrorTemporarilyUnavailable, ErrorUnauthorizedClient, ErrorUnknown, ErrorUnsupportedGrantType, ErrorUnsupportedResponseType, OAUTH_CALLBACK_URL, PKCE_CHARSET, RECOMMENDED_CODE_VERIFIER_LENGTH, RECOMMENDED_STATE_LENGTH, base64urlEncode, clearAccessCaches, createOAuthFlow, domainUsesAccess, generateAuthUrl, generatePKCECodes, generateRandomState, getAccessClientIdFromEnv, getAccessClientSecretFromEnv, getAccessHeaders, getAuthConfigFilePath, getAuthDomainFromEnv, getAuthUrlFromEnv, getCfAuthorizationTokenFromEnv, getClientIdFromEnv, getCloudflareAccessHeaders, getRevokeUrlFromEnv, getTokenUrlFromEnv, readAuthConfigFile, readStoredAuthState, toErrorClass, writeAuthConfigFile };
-//# sourceMappingURL=index.mjs.map
-//# sourceMappingURL=index.mjs.map
+export { ErrorAccessDenied, ErrorAccessTokenResponse, ErrorAuthenticationGrant, ErrorInvalidClient, ErrorInvalidGrant, ErrorInvalidJson, ErrorInvalidRequest, ErrorInvalidReturnedStateParam, ErrorInvalidScope, ErrorInvalidToken, ErrorNoAuthCode, ErrorOAuth2, ErrorServerError, ErrorTemporarilyUnavailable, ErrorUnauthorizedClient, ErrorUnknown, ErrorUnsupportedGrantType, ErrorUnsupportedResponseType, PKCE_CHARSET, RECOMMENDED_CODE_VERIFIER_LENGTH, RECOMMENDED_STATE_LENGTH, base64urlEncode, clearAccessCaches, createOAuthFlow, domainUsesAccess, generateAuthUrl, generatePKCECodes, generateRandomState, getAPIToken, getAccessClientIdFromEnv, getAccessClientSecretFromEnv, getAccessHeaders, getAuthDomainFromEnv, getAuthFromEnv, getAuthUrlFromEnv, getCfAuthorizationTokenFromEnv, getCloudflareAPITokenFromEnv, getCloudflareAccessHeaders, getCloudflareGlobalAuthEmailFromEnv, getCloudflareGlobalAuthKeyFromEnv, getRevokeUrlFromEnv, getTokenUrlFromEnv, readStoredAuthState, requireApiToken, toErrorClass };