npm - @cloudflare/workers-auth - Versions diffs - 0.2.0 → 0.3.0 - Mend

@cloudflare/workers-auth 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/index.d.mts CHANGED Viewed

@@ -1,4 +1,21 @@
-import { ApiCredentials, UserError, ComplianceConfig } from '@cloudflare/workers-utils';
+import { ApiCredentials, ComplianceConfig } from '@cloudflare/workers-utils';
+/**
+ * Pluggable persistence for a typed config blob
+ */
+interface ConfigStorage<T> {
+    /**
+     * Read and parse the stored config.
+     * @throws if the backing store is missing or cannot be parsed.
+     */
+    read(): T;
+    /** Serialize and persist the config. */
+    write(config: T): void;
+    /** Remove the backing store; returns whether anything existed beforehand. */
+    clear(): boolean;
+    /** Human-readable location of the backing store, for display and warnings. */
+    path(): string;
+}
 /**
  * The data that may be read from the on-disk user auth config file.
@@ -11,30 +28,24 @@ interface UserAuthConfig {
     /** @deprecated - this field was only provided by the deprecated v1 `wrangler config` command. */
     api_token?: string;
 }
+type AuthConfigStorage = ConfigStorage<UserAuthConfig>;
 /**
- * Pluggable persistence for the user auth config.
- *
- * This package does not ship a default implementation — the consumer injects
- * one via {@link OAuthFlowContext.storage} (and into {@link getAPIToken} /
- * {@link readStoredAuthState}). Wrangler's default reads/writes a TOML file
- * under the global Wrangler config directory; other CLIs can use a different
- * location and/or serialization format (e.g. a JSONC file under a different
- * CLI's XDG config directory).
+ * A short-lived "temporary preview account"
  */
-interface AuthConfigStorage {
-    /**
-     * Read and parse the stored auth config.
-     * @throws if the backing store is missing or cannot be parsed. Callers treat
-     * a throw as "not logged in via local OAuth".
-     */
-    read(): UserAuthConfig;
-    /** Serialize and persist the auth config. */
-    write(config: UserAuthConfig): void;
-    /** Remove the backing store (used on logout). */
-    clear(): void;
-    /** Human-readable location of the backing store, for display and warnings. */
-    path(): string;
-}
+type TemporaryPreviewAccount = {
+    account: {
+        id: string;
+        name: string;
+        apiToken: string;
+        expiresAt: string;
+    };
+    claim: {
+        url: string;
+        expiresAt: string;
+    };
+};
+type TemporaryAccountStorage = ConfigStorage<TemporaryPreviewAccount>;
 interface GenerateAuthUrlProps {
     authUrl: string;
@@ -62,6 +73,22 @@ declare const generateAuthUrl: ({ authUrl, clientId, scopes, stateQueryParam, co
  */
 declare function generateRandomState(lengthOfState: number): string;
+/**
+ * The dependencies the OAuth flow needs to mint/reuse a short-lived "temporary
+ * preview account"
+ */
+interface OAuthFlowTemporaryContext {
+    /** Persistence backend for the cached temporary preview account. */
+    storage: TemporaryAccountStorage;
+    /**
+     * Hook to customise the terms-acceptance interactive prompt
+     *  - question: the question to ask a user in interactive mode.
+     *    return answer === "yes" (must be the literal string)
+     *  - notice: the notice to print on stderr if in non-interactive mode
+     *    always return true
+     */
+    prompt: (question: string, notice: string) => Promise<boolean>;
+}
 /**
  * The branded OAuth consent pages the provider redirects the browser to after
  * the user grants or denies consent.
@@ -144,6 +171,16 @@ interface OAuthFlowContext {
      * Persistence backend for the stored auth config.
      */
     storage: AuthConfigStorage;
+    /**
+     * Whether the flow's credential resolvers (`getAPIToken` / `requireApiToken`)
+     * should honour the global API key + email pair in addition to scoped API
+     * tokens.
+     */
+    allowGlobalAuthKey: boolean;
+    /**
+     * Dependencies for minting/reusing a temporary preview account.
+     */
+    temporary: OAuthFlowTemporaryContext | undefined;
     /**
      * Override the OAuth authorize URL generator. Used by tests to produce a
      * deterministic URL for snapshot testing. Defaults to the standard
@@ -186,31 +223,6 @@ interface GetAuthFromEnvOptions {
  * are present.
  */
 declare function getAuthFromEnv(options?: GetAuthFromEnvOptions): ApiCredentials | undefined;
-interface GetAPITokenOptions extends GetAuthFromEnvOptions {
-    /** Persistence backend for the stored OAuth token.  */
-    storage: AuthConfigStorage;
-    /** Logger used to surface the one-time deprecated-v1-`api_token` warning. */
-    warningLogger?: Pick<OAuthFlowLogger, "warn">;
-}
-/**
- * Resolve Cloudflare API credentials from the environment, falling back to the
- * locally-stored OAuth token.
- *
- * Resolution order (highest to lowest):
- *   1. {@link getAuthFromEnv} (env credentials).
- *   2. The deprecated v1 `api_token` on disk (with a one-time warning).
- *   3. The stored OAuth access token (from a previous interactive login).
- *
- * Note: this does NOT refresh an expired OAuth token. Callers that need a
- * guaranteed-valid OAuth token should use the flow's
- * `getOAuthTokenFromLocalState()` instead.
- */
-declare function getAPIToken(options: GetAPITokenOptions): ApiCredentials | undefined;
-/**
- * Like {@link getAPIToken}, but throws a {@link UserError} when no credentials
- * are available.
- */
-declare function requireApiToken(options: GetAPITokenOptions): ApiCredentials;
 /**
  * Clear internal caches. Exported for use in tests only.
@@ -243,28 +255,7 @@ declare function getAccessHeaders(domain: string, options: {
     logger: OAuthFlowLogger;
     isNonInteractiveOrCI: () => boolean;
 }): Promise<Record<string, string>>;
-/**
- * Get headers needed to authenticate with the Cloudflare OAuth auth domain
- * (the OAuth `WRANGLER_AUTH_DOMAIN`, which is `dash.cloudflare.com` by default
- * and `dash.staging.cloudflare.com` in staging).
- *
- * Checks `WRANGLER_CF_AUTHORIZATION_TOKEN` first, then falls back to
- * {@link getAccessHeaders} against the configured auth domain.
- */
-declare function getCloudflareAccessHeaders(options: {
-    logger: OAuthFlowLogger;
-    isNonInteractiveOrCI: () => boolean;
-}): Promise<Record<string, string>>;
-/**
- * `WRANGLER_AUTH_DOMAIN` is the URL base domain that is used
- * to access OAuth URLs for the Cloudflare APIs.
- *
- * Normally you should not need to set this explicitly.
- * If you want to switch to the staging environment set the
- * `WRANGLER_API_ENVIRONMENT=staging` environment variable instead.
- */
-declare const getAuthDomainFromEnv: () => string;
 /**
  * `WRANGLER_AUTH_URL` is the path that is used to access OAuth
  * for the Cloudflare APIs.
@@ -274,131 +265,6 @@ declare const getAuthDomainFromEnv: () => string;
  * `WRANGLER_API_ENVIRONMENT=staging` environment variable instead.
  */
 declare const getAuthUrlFromEnv: () => string;
-/**
- * `WRANGLER_TOKEN_URL` is the path that is used to exchange an OAuth
- * token for an API token.
- *
- * Normally you should not need to set this explicitly.
- * If you want to switch to the staging environment set the
- * `WRANGLER_API_ENVIRONMENT=staging` environment variable instead.
- */
-declare const getTokenUrlFromEnv: () => string;
-/**
- * `WRANGLER_REVOKE_URL` is the path that is used to exchange an OAuth
- * refresh token for a new OAuth token.
- *
- * Normally you should not need to set this explicitly.
- * If you want to switch to the staging environment set the
- * `WRANGLER_API_ENVIRONMENT=staging` environment variable instead.
- */
-declare const getRevokeUrlFromEnv: () => string;
-/**
- * `CLOUDFLARE_ACCESS_CLIENT_ID` is the Client ID of a Cloudflare Access Service Token.
- * Used together with `CLOUDFLARE_ACCESS_CLIENT_SECRET` to authenticate with
- * Access-protected domains in non-interactive environments (e.g. CI).
- *
- * @see https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/
- */
-declare const getAccessClientIdFromEnv: () => string | undefined;
-/**
- * `CLOUDFLARE_ACCESS_CLIENT_SECRET` is the Client Secret of a Cloudflare Access Service Token.
- * Used together with `CLOUDFLARE_ACCESS_CLIENT_ID` to authenticate with
- * Access-protected domains in non-interactive environments (e.g. CI).
- *
- * @see https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/
- */
-declare const getAccessClientSecretFromEnv: () => string | undefined;
-/**
- * `WRANGLER_CF_AUTHORIZATION_TOKEN` is an explicit `CF_Authorization` cookie value
- * used to authenticate against the OAuth auth domain when it is Access-protected
- * (typically staging). When set, the OAuth flow skips Access detection and uses
- * this token directly.
- */
-declare const getCfAuthorizationTokenFromEnv: () => string | undefined;
-/**
- * A list of OAuth2AuthCodePKCE errors.
- *
- * Instances may carry the structured details from the OAuth provider's
- * `error`, `error_description` and `error_uri` query parameters (RFC 6749
- * §4.1.2.1) so callers can render them — see {@link toErrorClass}.
- */
-declare class ErrorOAuth2 extends UserError {
-    /** The OAuth `error` code returned by the provider (e.g. `invalid_scope`). */
-    code?: string;
-    /** The OAuth `error_description` returned by the provider, if any. */
-    description?: string;
-    /** The OAuth `error_uri` returned by the provider, if any. */
-    uri?: string;
-    toString(): string;
-}
-declare class ErrorUnknown extends ErrorOAuth2 {
-    toString(): string;
-}
-declare class ErrorNoAuthCode extends ErrorOAuth2 {
-    toString(): string;
-}
-declare class ErrorInvalidReturnedStateParam extends ErrorOAuth2 {
-    toString(): string;
-}
-declare class ErrorInvalidJson extends ErrorOAuth2 {
-    toString(): string;
-}
-declare class ErrorInvalidScope extends ErrorOAuth2 {
-    toString(): string;
-}
-declare class ErrorInvalidRequest extends ErrorOAuth2 {
-    toString(): string;
-}
-declare class ErrorInvalidToken extends ErrorOAuth2 {
-    toString(): string;
-}
-/**
- * Possible authorization grant errors given by the redirection from the
- * authorization server.
- */
-declare class ErrorAuthenticationGrant extends ErrorOAuth2 {
-    toString(): string;
-}
-declare class ErrorUnauthorizedClient extends ErrorAuthenticationGrant {
-    toString(): string;
-}
-declare class ErrorAccessDenied extends ErrorAuthenticationGrant {
-    toString(): string;
-}
-declare class ErrorUnsupportedResponseType extends ErrorAuthenticationGrant {
-    toString(): string;
-}
-declare class ErrorServerError extends ErrorAuthenticationGrant {
-    toString(): string;
-}
-declare class ErrorTemporarilyUnavailable extends ErrorAuthenticationGrant {
-    toString(): string;
-}
-/**
- * A list of possible access token response errors.
- */
-declare class ErrorAccessTokenResponse extends ErrorOAuth2 {
-    toString(): string;
-}
-declare class ErrorInvalidClient extends ErrorAccessTokenResponse {
-    toString(): string;
-}
-declare class ErrorInvalidGrant extends ErrorAccessTokenResponse {
-    toString(): string;
-}
-declare class ErrorUnsupportedGrantType extends ErrorAccessTokenResponse {
-    toString(): string;
-}
-/**
- * Translate an OAuth error response from the provider into one of our error
- * classes. The `error_description` and `error_uri` parameters (RFC 6749
- * §4.1.2.1) are included in the message when present so the user sees the
- * specific reason for the failure rather than just the bare error code, and
- * are also attached as structured fields so the HTTP callback handler can
- * render them on the browser-facing error page.
- */
-declare function toErrorClass(rawError: string, description?: string, uri?: string): ErrorOAuth2 | ErrorUnknown;
 /**
  * Reason why {@link OAuthFlowAPI.loginOrRefreshIfRequired} could not
@@ -493,17 +359,45 @@ interface OAuthFlowAPI {
      */
     getOAuthTokenFromLocalState(): Promise<string | undefined>;
     /**
-     * Whether the stored OAuth access token has expired and a refresh is
-     * required before it can be used. Returns `false` when env credentials are
-     * present (per `ctx.hasEnvCredentials`), because the stored OAuth state is
-     * not consulted in that case.
+     * Resolve API credentials, preferring an active temporary preview account
+     * (when one has been latched via {@link activateTemporaryAccount}) over the
+     * env / stored-OAuth resolution performed by the shared credential resolver.
+     *
+     * Returns `undefined` when no credentials are available.
+     */
+    getAPIToken(): ApiCredentials | undefined;
+    /**
+     * Like {@link getAPIToken}, but throws a `UserError` when no credentials are
+     * available.
+     */
+    requireApiToken(): ApiCredentials;
+    /**
+     * Establish whether `--temporary` is permitted for this invocation. Called
+     * once at command dispatch by the consumer. Also drops any temporary account
+     * latched by a previous dispatch, so that — when multiple commands share a
+     * process (e.g. in tests) — each invocation starts a fresh temporary session.
+     * No-op when the flow was created without a `temporary` context.
+     */
+    setTemporaryAllowed(allowed: boolean): void;
+    /**
+     * Whether `--temporary` is permitted for this invocation (see
+     * {@link setTemporaryAllowed}). Always `false` without a `temporary` context.
+     */
+    isTemporaryAllowed(): boolean;
+    /**
+     * The temporary preview account latched for this invocation, or `undefined`.
+     * Only set after {@link activateTemporaryAccount} has run.
      */
-    isRefreshNeeded(): boolean;
+    getActiveTemporaryAccount(): TemporaryPreviewAccount | undefined;
     /**
-     * Trigger an OAuth refresh-token rotation. Persists the new access/refresh
-     * tokens to disk on success. Returns `false` on any failure.
+     * The sole creator of the temporary-account latch: mint a fresh temporary
+     * preview account (or reuse a cached one), latch it for this invocation, and
+     * return it. Requires a `temporary` context.
      */
-    refreshToken(): Promise<boolean>;
+    activateTemporaryAccount(): Promise<{
+        account: TemporaryPreviewAccount;
+        cached: boolean;
+    }>;
 }
 /**
  * Build an instance of the OAuth flow bound to the given context.
@@ -514,35 +408,13 @@ interface OAuthFlowAPI {
  */
 declare function createOAuthFlow(ctx: OAuthFlowContext): OAuthFlowAPI;
-/**
- * The maximum length for a code verifier for the best security we can offer.
- * Please note the NOTE section of RFC 7636 § 4.1 - the length must be >= 43,
- * but <= 128, **after** base64 url encoding. This means 32 code verifier bytes
- * encoded will be 43 bytes, or 96 bytes encoded will be 128 bytes. So 96 bytes
- * is the highest valid value that can be used.
- */
-declare const RECOMMENDED_CODE_VERIFIER_LENGTH = 96;
-/**
- * A sensible length for the state's length, for anti-csrf.
- */
-declare const RECOMMENDED_STATE_LENGTH = 32;
+declare const TEMPORARY_TERMS_PROMPT: string;
+declare const TEMPORARY_TERMS_NOTICE: string;
 /**
  * Character set to generate code verifier defined in rfc7636.
  */
 declare const PKCE_CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
-interface PKCECodes {
-    codeChallenge: string;
-    codeVerifier: string;
-}
-/**
- * Implements *base64url-encode* (RFC 4648 § 5) without padding, which is NOT
- * the same as regular base64 encoding.
- */
-declare function base64urlEncode(value: string): string;
-/**
- * Generates a code_verifier and code_challenge, as specified in rfc7636.
- */
-declare function generatePKCECodes(): Promise<PKCECodes>;
 interface RefreshToken {
     value: string;
@@ -551,18 +423,6 @@ interface AccessToken {
     value: string;
     expiry: string;
 }
-/**
- * Transient state that is shared across the steps of a single OAuth login flow
- * within one Wrangler command. This state is not file-backed; it lives only for
- * the duration of an interactive login.
- */
-interface OAuthFlowState {
-    authorizationCode?: string;
-    codeChallenge?: string;
-    codeVerifier?: string;
-    hasAuthCodeBeenExchangedForAccessToken?: boolean;
-    stateQueryParam?: string;
-}
 /**
  * The auth state that is stored on disk in the user auth config file (TOML).
  * Read on demand by {@link readStoredAuthState} — never cached at module scope
@@ -600,4 +460,4 @@ declare function readStoredAuthState(options: {
     storage: AuthConfigStorage;
 }): StoredAuthState;
-export { type AccessToken, type AuthConfigStorage, ErrorAccessDenied, ErrorAccessTokenResponse, ErrorAuthenticationGrant, ErrorInvalidClient, ErrorInvalidGrant, ErrorInvalidJson, ErrorInvalidRequest, ErrorInvalidReturnedStateParam, ErrorInvalidScope, ErrorInvalidToken, ErrorNoAuthCode, ErrorOAuth2, ErrorServerError, ErrorTemporarilyUnavailable, ErrorUnauthorizedClient, ErrorUnknown, ErrorUnsupportedGrantType, ErrorUnsupportedResponseType, type GetAPITokenOptions, type GetAuthFromEnvOptions, type LoginOrRefreshFailureReason, type LoginOrRefreshResult, type LoginProps, type OAuthConsentPages, type OAuthFlowAPI, type OAuthFlowContext, type OAuthFlowLogger, type OAuthFlowState, type PKCECodes, PKCE_CHARSET, RECOMMENDED_CODE_VERIFIER_LENGTH, RECOMMENDED_STATE_LENGTH, type RefreshToken, type StoredAuthState, type UserAuthConfig, base64urlEncode, clearAccessCaches, createOAuthFlow, domainUsesAccess, generateAuthUrl, generatePKCECodes, generateRandomState, getAPIToken, getAccessClientIdFromEnv, getAccessClientSecretFromEnv, getAccessHeaders, getAuthDomainFromEnv, getAuthFromEnv, getAuthUrlFromEnv, getCfAuthorizationTokenFromEnv, getCloudflareAPITokenFromEnv, getCloudflareAccessHeaders, getCloudflareGlobalAuthEmailFromEnv, getCloudflareGlobalAuthKeyFromEnv, getRevokeUrlFromEnv, getTokenUrlFromEnv, readStoredAuthState, requireApiToken, toErrorClass };
+export { type AuthConfigStorage, type ConfigStorage, type LoginOrRefreshFailureReason, type LoginOrRefreshResult, type LoginProps, PKCE_CHARSET, TEMPORARY_TERMS_NOTICE, TEMPORARY_TERMS_PROMPT, type TemporaryPreviewAccount, type UserAuthConfig, clearAccessCaches, createOAuthFlow, domainUsesAccess, generateAuthUrl, generateRandomState, getAccessHeaders, getAuthFromEnv, getAuthUrlFromEnv, getCloudflareAPITokenFromEnv, getCloudflareGlobalAuthEmailFromEnv, getCloudflareGlobalAuthKeyFromEnv, readStoredAuthState };

package/dist/index.mjs CHANGED Viewed

@@ -1,11 +1,11 @@
 import { __name } from './chunk-O6YSETKJ.mjs';
-import { getEnvironmentVariableFactory, getCloudflareApiEnvironmentFromEnv, UserError, getCloudflareComplianceRegion } from '@cloudflare/workers-utils';
+import { getEnvironmentVariableFactory, getCloudflareApiEnvironmentFromEnv, UserError, getCloudflareApiBaseUrl, COMPLIANCE_REGION_CONFIG_PUBLIC, FatalError, getCloudflareComplianceRegion } from '@cloudflare/workers-utils';
 import { spawnSync } from 'node:child_process';
 import { fetch } from 'undici';
 import assert2 from 'node:assert';
 import http from 'node:http';
 import url from 'node:url';
-import { webcrypto } from 'node:crypto';
+import { webcrypto, createHash } from 'node:crypto';
 import { TextEncoder } from 'node:util';
 // src/state.ts
@@ -238,6 +238,48 @@ async function getCloudflareAccessHeaders(options) {
   return getAccessHeaders(getAuthDomainFromEnv(), options);
 }
 __name(getCloudflareAccessHeaders, "getCloudflareAccessHeaders");
+// ../../node_modules/.pnpm/ts-dedent@2.2.0/node_modules/ts-dedent/esm/index.js
+function dedent(templ) {
+  var values = [];
+  for (var _i = 1; _i < arguments.length; _i++) {
+    values[_i - 1] = arguments[_i];
+  }
+  var strings = Array.from(typeof templ === "string" ? [templ] : templ);
+  strings[strings.length - 1] = strings[strings.length - 1].replace(/\r?\n([\t ]*)$/, "");
+  var indentLengths = strings.reduce(function(arr, str) {
+    var matches = str.match(/\n([\t ]+|(?!\s).)/g);
+    if (matches) {
+      return arr.concat(matches.map(function(match) {
+        var _a, _b;
+        return (_b = (_a = match.match(/[\t ]/g)) === null || _a === void 0 ? void 0 : _a.length) !== null && _b !== void 0 ? _b : 0;
+      }));
+    }
+    return arr;
+  }, []);
+  if (indentLengths.length) {
+    var pattern_1 = new RegExp("\n[	 ]{" + Math.min.apply(Math, indentLengths) + "}", "g");
+    strings = strings.map(function(str) {
+      return str.replace(pattern_1, "\n");
+    });
+  }
+  strings[0] = strings[0].replace(/^\r?\n/, "");
+  var string = strings[0];
+  values.forEach(function(value, i) {
+    var endentations = string.match(/(?:^|\n)( *)$/);
+    var endentation = endentations ? endentations[1] : "";
+    var indentedValue = value;
+    if (typeof value === "string" && value.includes("\n")) {
+      indentedValue = String(value).split("\n").map(function(str, i2) {
+        return i2 === 0 ? str : "" + endentation + str;
+      }).join("\n");
+    }
+    string += indentedValue + strings[i + 1];
+  });
+  return string;
+}
+__name(dedent, "dedent");
+var esm_default = dedent;
 var ErrorOAuth2 = class extends UserError {
   static {
     __name(this, "ErrorOAuth2");
@@ -477,48 +519,6 @@ function toErrorClass(rawError, description, uri) {
   return error;
 }
 __name(toErrorClass, "toErrorClass");
-// ../../node_modules/.pnpm/ts-dedent@2.2.0/node_modules/ts-dedent/esm/index.js
-function dedent(templ) {
-  var values = [];
-  for (var _i = 1; _i < arguments.length; _i++) {
-    values[_i - 1] = arguments[_i];
-  }
-  var strings = Array.from(typeof templ === "string" ? [templ] : templ);
-  strings[strings.length - 1] = strings[strings.length - 1].replace(/\r?\n([\t ]*)$/, "");
-  var indentLengths = strings.reduce(function(arr, str) {
-    var matches = str.match(/\n([\t ]+|(?!\s).)/g);
-    if (matches) {
-      return arr.concat(matches.map(function(match) {
-        var _a, _b;
-        return (_b = (_a = match.match(/[\t ]/g)) === null || _a === void 0 ? void 0 : _a.length) !== null && _b !== void 0 ? _b : 0;
-      }));
-    }
-    return arr;
-  }, []);
-  if (indentLengths.length) {
-    var pattern_1 = new RegExp("\n[	 ]{" + Math.min.apply(Math, indentLengths) + "}", "g");
-    strings = strings.map(function(str) {
-      return str.replace(pattern_1, "\n");
-    });
-  }
-  strings[0] = strings[0].replace(/^\r?\n/, "");
-  var string = strings[0];
-  values.forEach(function(value, i) {
-    var endentations = string.match(/(?:^|\n)( *)$/);
-    var endentation = endentations ? endentations[1] : "";
-    var indentedValue = value;
-    if (typeof value === "string" && value.includes("\n")) {
-      indentedValue = String(value).split("\n").map(function(str, i2) {
-        return i2 === 0 ? str : "" + endentation + str;
-      }).join("\n");
-    }
-    string += indentedValue + strings[i + 1];
-  });
-  return string;
-}
-__name(dedent, "dedent");
-var esm_default = dedent;
 var RECOMMENDED_CODE_VERIFIER_LENGTH = 96;
 var RECOMMENDED_STATE_LENGTH = 32;
 var PKCE_CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
@@ -969,6 +969,194 @@ function generateRandomState(lengthOfState) {
   return Array.from(output).map((num) => PKCE_CHARSET[num % PKCE_CHARSET.length]).join("");
 }
 __name(generateRandomState, "generateRandomState");
+var POW_MAX_ITERATIONS = 64e6;
+function solvePow(seed, k, g) {
+  const checkpoints = new Array(k + 1);
+  let h = createHash("sha256").update(seed).digest();
+  checkpoints[0] = h;
+  for (let j = 0; j < k; j++) {
+    for (let i = 0; i < g; i++) {
+      h = createHash("sha256").update(h).digest();
+    }
+    checkpoints[j + 1] = h;
+  }
+  return checkpoints;
+}
+__name(solvePow, "solvePow");
+function encodeCheckpoints(checkpoints) {
+  return Buffer.concat(checkpoints).toString("base64");
+}
+__name(encodeCheckpoints, "encodeCheckpoints");
+function solveChallenge(challenge) {
+  const checkpoints = solvePow(
+    Buffer.from(challenge.seed, "base64url"),
+    challenge.k,
+    challenge.g
+  );
+  return {
+    challengeToken: challenge.challengeToken,
+    solution: { checkpoints: encodeCheckpoints(checkpoints) }
+  };
+}
+__name(solveChallenge, "solveChallenge");
+// src/temporary.ts
+var TEMPORARY_TERMS_URLS = {
+  termsOfService: "https://www.cloudflare.com/terms/",
+  privacyPolicy: "https://www.cloudflare.com/privacypolicy/"
+};
+var TEMPORARY_TERMS_PROMPT = `You must accept Cloudflare's Terms of Service (${TEMPORARY_TERMS_URLS.termsOfService}) and Privacy Policy (${TEMPORARY_TERMS_URLS.privacyPolicy}) in order to continue. By typing "yes", you agree to these terms. Type "yes" to continue.`;
+var TEMPORARY_TERMS_NOTICE = `Continuing means you accept Cloudflare's Terms of Service (${TEMPORARY_TERMS_URLS.termsOfService}) and Privacy Policy (${TEMPORARY_TERMS_URLS.privacyPolicy}).`;
+var TEMPORARY_TERMS_ERROR = `You must accept Cloudflare's Terms of Service (${TEMPORARY_TERMS_URLS.termsOfService}) and Privacy Policy (${TEMPORARY_TERMS_URLS.privacyPolicy}) to use --temporary.`;
+function getTemporaryPreviewUrl() {
+  return `${getCloudflareApiBaseUrl(COMPLIANCE_REGION_CONFIG_PUBLIC)}/provisioning/previews`;
+}
+__name(getTemporaryPreviewUrl, "getTemporaryPreviewUrl");
+function getTemporaryPreviewChallengeUrl() {
+  return `${getTemporaryPreviewUrl()}/challenge`;
+}
+__name(getTemporaryPreviewChallengeUrl, "getTemporaryPreviewChallengeUrl");
+function isFutureTimestamp(timestamp) {
+  const parsed = Date.parse(timestamp);
+  return !Number.isNaN(parsed) && parsed > Date.now();
+}
+__name(isFutureTimestamp, "isFutureTimestamp");
+function getCachedTemporaryPreviewAccount(storage) {
+  let temporaryPreviewAccount;
+  try {
+    temporaryPreviewAccount = storage.read();
+  } catch {
+    return void 0;
+  }
+  if (!temporaryPreviewAccount) {
+    return void 0;
+  }
+  if (!temporaryPreviewAccount.account?.id || !temporaryPreviewAccount.account?.apiToken || !temporaryPreviewAccount.account?.name || !temporaryPreviewAccount.claim?.url || !isFutureTimestamp(temporaryPreviewAccount.account?.expiresAt ?? "") || !isFutureTimestamp(temporaryPreviewAccount.claim?.expiresAt ?? "")) {
+    return void 0;
+  }
+  return temporaryPreviewAccount;
+}
+__name(getCachedTemporaryPreviewAccount, "getCachedTemporaryPreviewAccount");
+async function requestPowSolution(logger) {
+  const response = await fetch(getTemporaryPreviewChallengeUrl(), {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: "{}"
+  });
+  if (!response.ok) {
+    throw new FatalError(
+      `Failed to request a proof-of-work challenge (${response.status} ${response.statusText}).`,
+      { telemetryMessage: "deploy temporary account challenge failed" }
+    );
+  }
+  let body;
+  try {
+    body = await response.json();
+  } catch {
+    throw new FatalError(
+      `Failed to request a proof-of-work challenge. Received an invalid response (${response.status} ${response.statusText}).`,
+      {
+        telemetryMessage: "deploy temporary account challenge invalid response"
+      }
+    );
+  }
+  const { challengeToken, seed, k, g } = body.result ?? {};
+  if (challengeToken === void 0 || seed === void 0 || k === void 0 || g === void 0) {
+    throw new FatalError(
+      "Failed to request a proof-of-work challenge because the response was missing required fields.",
+      { telemetryMessage: "deploy temporary account challenge incomplete" }
+    );
+  }
+  if (!Number.isInteger(k) || !Number.isInteger(g) || k <= 0 || g <= 0 || k * g > POW_MAX_ITERATIONS || Buffer.from(seed, "base64url").length !== 32) {
+    throw new FatalError(
+      "The proof-of-work challenge is not supported by this version of Wrangler.",
+      {
+        telemetryMessage: "deploy temporary account challenge difficulty unsupported"
+      }
+    );
+  }
+  logger.log("Solving proof-of-work challenge\u2026");
+  return solveChallenge({ challengeToken, seed, k, g });
+}
+__name(requestPowSolution, "requestPowSolution");
+async function createTemporaryPreviewAccount(logger) {
+  const pow = await requestPowSolution(logger);
+  const response = await fetch(getTemporaryPreviewUrl(), {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      termsOfService: TEMPORARY_TERMS_URLS.termsOfService,
+      privacyPolicy: TEMPORARY_TERMS_URLS.privacyPolicy,
+      acceptTermsOfService: "yes",
+      challengeToken: pow.challengeToken,
+      solution: pow.solution
+    })
+  });
+  if (!response.ok) {
+    throw new FatalError(
+      `Failed to create a temporary preview account (${response.status} ${response.statusText}).`,
+      { telemetryMessage: "deploy temporary account create failed" }
+    );
+  }
+  let responseBody;
+  try {
+    responseBody = await response.json();
+  } catch {
+    throw new FatalError(
+      `Failed to create a temporary preview account. Received an invalid response (${response.status} ${response.statusText}).`,
+      { telemetryMessage: "deploy temporary account invalid response" }
+    );
+  }
+  const previewAccount = responseBody.result;
+  const accountId = previewAccount?.account?.id;
+  const accountName = previewAccount?.account?.name;
+  const apiToken = previewAccount?.account?.apiToken;
+  const accountExpiresAt = previewAccount?.account?.expiresAt;
+  const claimUrl = previewAccount?.claim?.url;
+  const claimExpiresAt = previewAccount?.claim?.expiresAt;
+  if (accountId === void 0 || accountName === void 0 || apiToken === void 0 || accountExpiresAt === void 0 || claimUrl === void 0 || claimExpiresAt === void 0) {
+    throw new FatalError(
+      "Failed to create a temporary preview account because the response was missing required fields.",
+      { telemetryMessage: "deploy temporary account response incomplete" }
+    );
+  }
+  return {
+    account: {
+      id: accountId,
+      name: accountName,
+      apiToken,
+      expiresAt: accountExpiresAt
+    },
+    claim: {
+      url: claimUrl,
+      expiresAt: claimExpiresAt
+    }
+  };
+}
+__name(createTemporaryPreviewAccount, "createTemporaryPreviewAccount");
+async function getOrCreateTemporaryPreviewAccount(options) {
+  const cachedPreviewAccount = getCachedTemporaryPreviewAccount(
+    options.storage
+  );
+  if (cachedPreviewAccount) {
+    return { account: cachedPreviewAccount, cached: true };
+  }
+  const termsAccepted = await options.prompt(
+    TEMPORARY_TERMS_PROMPT,
+    TEMPORARY_TERMS_NOTICE
+  );
+  if (!termsAccepted) {
+    throw new UserError(TEMPORARY_TERMS_ERROR, {
+      telemetryMessage: "user temporary terms not accepted"
+    });
+  }
+  const temporaryPreviewAccount = await createTemporaryPreviewAccount(
+    options.logger
+  );
+  options.storage.write(temporaryPreviewAccount);
+  return { account: temporaryPreviewAccount, cached: false };
+}
+__name(getOrCreateTemporaryPreviewAccount, "getOrCreateTemporaryPreviewAccount");
 // src/flow.ts
 function createOAuthFlow(ctx) {
@@ -980,6 +1168,8 @@ function createOAuthFlow(ctx) {
   const storage = ctx.storage;
   const getClientId = /* @__PURE__ */ __name(() => typeof ctx.clientId === "function" ? ctx.clientId() : ctx.clientId, "getClientId");
   const consent = ctx.consent;
+  let temporaryAllowed = false;
+  let activeTemporaryAccount;
   const redirectUrl = new URL(ctx.redirectUri);
   const defaultCallbackHost = redirectUrl.hostname;
   const defaultCallbackPort = Number(redirectUrl.port);
@@ -1028,6 +1218,7 @@ function createOAuthFlow(ctx) {
       scopes: oauth.scopes
     });
     ctx.logger.log(`Successfully logged in.`);
+    clearTemporaryAccount();
     ctx.purgeOnLoginOrLogout?.();
     return true;
   }
@@ -1113,6 +1304,7 @@ function createOAuthFlow(ctx) {
   }
   __name(loginOrRefreshIfRequired, "loginOrRefreshIfRequired");
   async function logout() {
+    const clearedTemporary = clearTemporaryAccount();
     if (ctx.hasEnvCredentials()) {
       ctx.logger.log(
         "You are logged in with an API Token. Unset the CLOUDFLARE_API_TOKEN in the environment to log out."
@@ -1124,7 +1316,9 @@ function createOAuthFlow(ctx) {
       storage
     }).refreshToken;
     if (!storedRefreshToken) {
-      ctx.logger.log("Not logged in, exiting...");
+      ctx.logger.log(
+        clearedTemporary ? "Cleared temporary preview account." : "Not logged in, exiting..."
+      );
       return;
     }
     const body = `client_id=${encodeURIComponent(getClientId())}&token_type_hint=refresh_token&token=${encodeURIComponent(storedRefreshToken.value || "")}`;
@@ -1157,15 +1351,74 @@ function createOAuthFlow(ctx) {
     return stored.accessToken?.value;
   }
   __name(getOAuthTokenFromLocalState, "getOAuthTokenFromLocalState");
+  function getAPITokenInternal() {
+    if (activeTemporaryAccount) {
+      return { apiToken: activeTemporaryAccount.account.apiToken };
+    }
+    return getAPIToken({
+      storage,
+      warningLogger: ctx.logger,
+      allowGlobalAuthKey: ctx.allowGlobalAuthKey
+    });
+  }
+  __name(getAPITokenInternal, "getAPITokenInternal");
+  function requireApiTokenInternal() {
+    if (activeTemporaryAccount) {
+      return { apiToken: activeTemporaryAccount.account.apiToken };
+    }
+    return requireApiToken({
+      storage,
+      warningLogger: ctx.logger,
+      allowGlobalAuthKey: ctx.allowGlobalAuthKey
+    });
+  }
+  __name(requireApiTokenInternal, "requireApiTokenInternal");
+  function setTemporaryAllowed(allowed) {
+    temporaryAllowed = allowed && ctx.temporary !== void 0;
+    activeTemporaryAccount = void 0;
+  }
+  __name(setTemporaryAllowed, "setTemporaryAllowed");
+  function isTemporaryAllowed() {
+    return temporaryAllowed;
+  }
+  __name(isTemporaryAllowed, "isTemporaryAllowed");
+  function getActiveTemporaryAccount() {
+    return activeTemporaryAccount;
+  }
+  __name(getActiveTemporaryAccount, "getActiveTemporaryAccount");
+  async function activateTemporaryAccount() {
+    if (!ctx.temporary) {
+      throw new UserError(
+        "Temporary preview accounts are not supported by this CLI.",
+        { telemetryMessage: "user temporary account unsupported" }
+      );
+    }
+    const result = await getOrCreateTemporaryPreviewAccount({
+      ...ctx.temporary,
+      logger: ctx.logger
+    });
+    activeTemporaryAccount = result.account;
+    return result;
+  }
+  __name(activateTemporaryAccount, "activateTemporaryAccount");
+  function clearTemporaryAccount() {
+    activeTemporaryAccount = void 0;
+    return ctx.temporary?.storage.clear() ?? false;
+  }
+  __name(clearTemporaryAccount, "clearTemporaryAccount");
   return {
     login,
     logout,
     loginOrRefreshIfRequired,
     getOAuthTokenFromLocalState,
-    isRefreshNeeded,
-    refreshToken
+    getAPIToken: getAPITokenInternal,
+    requireApiToken: requireApiTokenInternal,
+    setTemporaryAllowed,
+    isTemporaryAllowed,
+    getActiveTemporaryAccount,
+    activateTemporaryAccount
   };
 }
 __name(createOAuthFlow, "createOAuthFlow");
-export { ErrorAccessDenied, ErrorAccessTokenResponse, ErrorAuthenticationGrant, ErrorInvalidClient, ErrorInvalidGrant, ErrorInvalidJson, ErrorInvalidRequest, ErrorInvalidReturnedStateParam, ErrorInvalidScope, ErrorInvalidToken, ErrorNoAuthCode, ErrorOAuth2, ErrorServerError, ErrorTemporarilyUnavailable, ErrorUnauthorizedClient, ErrorUnknown, ErrorUnsupportedGrantType, ErrorUnsupportedResponseType, PKCE_CHARSET, RECOMMENDED_CODE_VERIFIER_LENGTH, RECOMMENDED_STATE_LENGTH, base64urlEncode, clearAccessCaches, createOAuthFlow, domainUsesAccess, generateAuthUrl, generatePKCECodes, generateRandomState, getAPIToken, getAccessClientIdFromEnv, getAccessClientSecretFromEnv, getAccessHeaders, getAuthDomainFromEnv, getAuthFromEnv, getAuthUrlFromEnv, getCfAuthorizationTokenFromEnv, getCloudflareAPITokenFromEnv, getCloudflareAccessHeaders, getCloudflareGlobalAuthEmailFromEnv, getCloudflareGlobalAuthKeyFromEnv, getRevokeUrlFromEnv, getTokenUrlFromEnv, readStoredAuthState, requireApiToken, toErrorClass };
+export { PKCE_CHARSET, TEMPORARY_TERMS_NOTICE, TEMPORARY_TERMS_PROMPT, clearAccessCaches, createOAuthFlow, domainUsesAccess, generateAuthUrl, generateRandomState, getAccessHeaders, getAuthFromEnv, getAuthUrlFromEnv, getCloudflareAPITokenFromEnv, getCloudflareGlobalAuthEmailFromEnv, getCloudflareGlobalAuthKeyFromEnv, readStoredAuthState };

package/dist/metafile-esm.json CHANGED Viewed

	@@ -1 +1 @@
1	- {"inputs":{"src/state.ts":{"bytes":3882,"imports":[{"path":"<runtime>","kind":"import-statement","external":true}],"format":"esm"},"src/credentials.ts":{"bytes":4510,"imports":[{"path":"@cloudflare/workers-utils","kind":"import-statement","external":true},{"path":"~~./auth-config-file","kind":"import-statement","external":true},{"path":"~~src/state.ts","kind":"import-statement","original":"./state"},{"path":"<runtime>","kind":"import-statement","external":true}],"format":"esm"},"src/env-vars.ts":{"bytes":3473,"imports":[{"path":"@cloudflare/workers-utils","kind":"import-statement","external":true},{"path":"<runtime>","kind":"import-statement","external":true}],"format":"esm"},"src/access.ts":{"bytes":7367,"imports":[{"path":"node:child_process","kind":"import-statement","external":true},{"path":"@cloudflare/workers-utils","kind":"import-statement","external":true},{"path":"undici","kind":"import-statement","external":true},{"path":"src/env-vars.ts","kind":"import-statement","original":"./env-vars"},{"path":"<runtime>","kind":"import-statement","external":true}],"format":"esm"},"~~src~~/~~errors~~.ts":{"bytes":~~6757~~,"imports":[{"path":"~~@cloudflare/workers-utils","kind":"import-statement","external":true},{"path":"~~<runtime>","kind":"import-statement","external":true}],"format":"esm"},"~~../../node_modules/.pnpm~~/~~ts-dedent@2~~.~~2.0/node_modules/~~ts~~-dedent/esm/index.js~~":{"bytes":~~1634~~,"imports":[{"path":"<runtime>","kind":"import-statement","external":true}],"format":"esm"},"src/pkce.ts":{"bytes":2624,"imports":[{"path":"node:crypto","kind":"import-statement","external":true},{"path":"node:util","kind":"import-statement","external":true},{"path":"<runtime>","kind":"import-statement","external":true}],"format":"esm"},"src/token-exchange.ts":{"bytes":11753,"imports":[{"path":"node:assert","kind":"import-statement","external":true},{"path":"undici","kind":"import-statement","external":true},{"path":"src/access.ts","kind":"import-statement","original":"./access"},{"path":"src/env-vars.ts","kind":"import-statement","original":"./env-vars"},{"path":"src/errors.ts","kind":"import-statement","original":"./errors"},{"path":"src/pkce.ts","kind":"import-statement","original":"./pkce"},{"path":"src/state.ts","kind":"import-statement","original":"./state"},{"path":"<runtime>","kind":"import-statement","external":true}],"format":"esm"},"src/callback-server.ts":{"bytes":10234,"imports":[{"path":"node:assert","kind":"import-statement","external":true},{"path":"node:http","kind":"import-statement","external":true},{"path":"node:url","kind":"import-statement","external":true},{"path":"@cloudflare/workers-utils","kind":"import-statement","external":true},{"path":"src/errors.ts","kind":"import-statement","original":"./errors"},{"path":"src/token-exchange.ts","kind":"import-statement","original":"./token-exchange"},{"path":"<runtime>","kind":"import-statement","external":true}],"format":"esm"},"src/generate-auth-url.ts":{"bytes":978,"imports":[{"path":"<runtime>","kind":"import-statement","external":true}],"format":"esm"},"src/generate-random-state.ts":{"bytes":599,"imports":[{"path":"node:crypto","kind":"import-statement","external":true},{"path":"src/pkce.ts","kind":"import-statement","original":"./pkce"},{"path":"<runtime>","kind":"import-statement","external":true}],"format":"esm"},"src/flow.ts":{"bytes":~~13004~~,"imports":[{"path":"@cloudflare/workers-utils","kind":"import-statement","external":true},{"path":"../../node_modules/.pnpm/ts-dedent@2.2.0/node_modules/ts-dedent/esm/index.js","kind":"import-statement","original":"ts-dedent"},{"path":"undici","kind":"import-statement","external":true},{"path":"src/callback-server.ts","kind":"import-statement","original":"./callback-server"},{"path":"src/env-vars.ts","kind":"import-statement","original":"./env-vars"},{"path":"src/generate-auth-url.ts","kind":"import-statement","original":"./generate-auth-url"},{"path":"src/generate-random-state.ts","kind":"import-statement","original":"./generate-random-state"},{"path":"src/state.ts","kind":"import-statement","original":"./state"},{"path":"src/token-exchange.ts","kind":"import-statement","original":"./token-exchange"},{"path":"<runtime>","kind":"import-statement","external":true}],"format":"esm"},"src/index.ts":{"bytes":~~2180~~,"imports":[{"path":"src/credentials.ts","kind":"import-statement","original":"./credentials"},{"path":"src/access.ts","kind":"import-statement","original":"./access"},{"path":"src/env-vars.ts","kind":"import-statement","original":"./env-vars"},{"path":"src/~~errors~~.ts","kind":"import-statement","original":"./~~errors~~"},{"path":"src/~~flow~~.ts","kind":"import-statement","original":"./~~flow~~"},{"path":"src/generate-~~auth~~-~~url~~.ts","kind":"import-statement","original":"./generate-~~auth~~-~~url~~"},{"path":"src/~~generate-random-state~~.ts","kind":"import-statement","original":"./~~generate-random-state~~"},{"path":"src/pkce.ts","kind":"import-statement","original":"./pkce"},{"path":"src/state.ts","kind":"import-statement","original":"./state"}],"format":"esm"},"src/test-helpers/msw-handlers/access.ts":{"bytes":744,"imports":[{"path":"msw","kind":"import-statement","external":true}],"format":"esm"},"src/test-helpers/msw-handlers/oauth.ts":{"bytes":760,"imports":[{"path":"msw","kind":"import-statement","external":true}],"format":"esm"},"src/test-helpers/index.ts":{"bytes":123,"imports":[{"path":"src/test-helpers/msw-handlers/access.ts","kind":"import-statement","original":"./msw-handlers/access"},{"path":"src/test-helpers/msw-handlers/oauth.ts","kind":"import-statement","original":"./msw-handlers/oauth"}],"format":"esm"}},"outputs":{"dist/index.mjs":{"imports":[{"path":"dist/chunk-O6YSETKJ.mjs","kind":"import-statement"},{"path":"@cloudflare/workers-utils","kind":"import-statement","external":true},{"path":"node:child_process","kind":"import-statement","external":true},{"path":"@cloudflare/workers-utils","kind":"import-statement","external":true},{"path":"undici","kind":"import-statement","external":true},{"path":"@cloudflare/workers-utils","kind":"import-statement","external":true},{"path":"@cloudflare/workers-utils","kind":"import-statement","external":true},{"path":"~~@cloudflare/workers-utils~~","kind":"import-statement","external":true},{"path":"~~undici~~","kind":"import-statement","external":true},{"path":"node:~~assert~~","kind":"import-statement","external":true},{"path":"node:~~http~~","kind":"import-statement","external":true},{"path":"~~node:url~~","kind":"import-statement","external":true},{"path":"@cloudflare/workers-utils","kind":"import-statement","external":true},{"path":"node:assert","kind":"import-statement","external":true},{"path":"undici","kind":"import-statement","external":true},{"path":"node:crypto","kind":"import-statement","external":true},{"path":"node:util","kind":"import-statement","external":true},{"path":"node:crypto","kind":"import-statement","external":true}],"~~exports~~":["~~ErrorAccessDenied~~","~~ErrorAccessTokenResponse~~","~~ErrorAuthenticationGrant~~","~~ErrorInvalidClient~~","~~ErrorInvalidGrant~~","~~ErrorInvalidJson~~","~~ErrorInvalidRequest~~","~~ErrorInvalidReturnedStateParam~~","~~ErrorInvalidScope~~","~~ErrorInvalidToken~~","~~ErrorNoAuthCode~~","~~ErrorOAuth2~~","~~ErrorServerError~~","~~ErrorTemporarilyUnavailable~~","~~ErrorUnauthorizedClient~~","~~ErrorUnknown","ErrorUnsupportedGrantType","ErrorUnsupportedResponseType","~~PKCE_CHARSET","~~RECOMMENDED_CODE_VERIFIER_LENGTH~~","~~RECOMMENDED_STATE_LENGTH~~","~~base64urlEncode","~~clearAccessCaches","createOAuthFlow","domainUsesAccess","generateAuthUrl","~~generatePKCECodes","~~generateRandomState","~~getAPIToken","getAccessClientIdFromEnv","getAccessClientSecretFromEnv","~~getAccessHeaders","~~getAuthDomainFromEnv","~~getAuthFromEnv","getAuthUrlFromEnv","~~getCfAuthorizationTokenFromEnv","~~getCloudflareAPITokenFromEnv","~~getCloudflareAccessHeaders","~~getCloudflareGlobalAuthEmailFromEnv","getCloudflareGlobalAuthKeyFromEnv","~~getRevokeUrlFromEnv","getTokenUrlFromEnv","~~readStoredAuthState"~~,"requireApiToken","toErrorClass"~~],"entryPoint":"src/index.ts","inputs":{"src/credentials.ts":{"bytesInOutput":1810},"src/state.ts":{"bytesInOutput":1316},"src/index.ts":{"bytesInOutput":0},"src/access.ts":{"bytesInOutput":4517},"src/env-vars.ts":{"bytesInOutput":1415},"src/~~errors.ts":{"bytesInOutput":6069},"src/~~flow.ts":{"bytesInOutput":~~6456~~},"../../node_modules/.pnpm/ts-dedent@2.2.0/node_modules/ts-dedent/esm/index.js":{"bytesInOutput":1494},"src/callback-server.ts":{"bytesInOutput":6776},"src/token-exchange.ts":{"bytesInOutput":7156},"src/pkce.ts":{"bytesInOutput":1203},"src/generate-auth-url.ts":{"bytesInOutput":467},"src/generate-random-state.ts":{"bytesInOutput":328}},"bytes":~~40600~~},"dist/test-helpers/index.mjs":{"imports":[{"path":"dist/chunk-O6YSETKJ.mjs","kind":"import-statement"},{"path":"msw","kind":"import-statement","external":true},{"path":"msw","kind":"import-statement","external":true}],"exports":["mswAccessHandlers","mswSuccessOauthHandlers"],"entryPoint":"src/test-helpers/index.ts","inputs":{"src/test-helpers/msw-handlers/access.ts":{"bytesInOutput":756},"src/test-helpers/index.ts":{"bytesInOutput":0},"src/test-helpers/msw-handlers/oauth.ts":{"bytesInOutput":877}},"bytes":1811},"dist/chunk-O6YSETKJ.mjs":{"imports":[],"exports":["__name"],"inputs":{},"bytes":151}}}
1	+ {"inputs":{"src/state.ts":{"bytes":3882,"imports":[{"path":"<runtime>","kind":"import-statement","external":true}],"format":"esm"},"src/credentials.ts":{"bytes":4510,"imports":[{"path":"@cloudflare/workers-utils","kind":"import-statement","external":true},{"path":"src/state.ts","kind":"import-statement","original":"./state"},{"path":"<runtime>","kind":"import-statement","external":true}],"format":"esm"},"src/env-vars.ts":{"bytes":3473,"imports":[{"path":"@cloudflare/workers-utils","kind":"import-statement","external":true},{"path":"<runtime>","kind":"import-statement","external":true}],"format":"esm"},"src/access.ts":{"bytes":7367,"imports":[{"path":"node:child_process","kind":"import-statement","external":true},{"path":"@cloudflare/workers-utils","kind":"import-statement","external":true},{"path":"undici","kind":"import-statement","external":true},{"path":"src/env-vars.ts","kind":"import-statement","original":"./env-vars"},{"path":"<runtime>","kind":"import-statement","external":true}],"format":"esm"},"../../node_modules/.pnpm/ts-dedent@2.2.0/node_modules/ts-dedent/esm/index.js":{"bytes":1634,"imports":[{"path":"<runtime>","kind":"import-statement","external":true}],"format":"esm"},"src/errors.ts":{"bytes":6757,"imports":[{"path":"@cloudflare/workers-utils","kind":"import-statement","external":true},{"path":"<runtime>","kind":"import-statement","external":true}],"format":"esm"},"src/pkce.ts":{"bytes":2624,"imports":[{"path":"node:crypto","kind":"import-statement","external":true},{"path":"node:util","kind":"import-statement","external":true},{"path":"<runtime>","kind":"import-statement","external":true}],"format":"esm"},"src/token-exchange.ts":{"bytes":11753,"imports":[{"path":"node:assert","kind":"import-statement","external":true},{"path":"undici","kind":"import-statement","external":true},{"path":"src/access.ts","kind":"import-statement","original":"./access"},{"path":"src/env-vars.ts","kind":"import-statement","original":"./env-vars"},{"path":"src/errors.ts","kind":"import-statement","original":"./errors"},{"path":"src/pkce.ts","kind":"import-statement","original":"./pkce"},{"path":"src/state.ts","kind":"import-statement","original":"./state"},{"path":"<runtime>","kind":"import-statement","external":true}],"format":"esm"},"src/callback-server.ts":{"bytes":10234,"imports":[{"path":"node:assert","kind":"import-statement","external":true},{"path":"node:http","kind":"import-statement","external":true},{"path":"node:url","kind":"import-statement","external":true},{"path":"@cloudflare/workers-utils","kind":"import-statement","external":true},{"path":"src/errors.ts","kind":"import-statement","original":"./errors"},{"path":"src/token-exchange.ts","kind":"import-statement","original":"./token-exchange"},{"path":"<runtime>","kind":"import-statement","external":true}],"format":"esm"},"src/generate-auth-url.ts":{"bytes":978,"imports":[{"path":"<runtime>","kind":"import-statement","external":true}],"format":"esm"},"src/generate-random-state.ts":{"bytes":599,"imports":[{"path":"node:crypto","kind":"import-statement","external":true},{"path":"src/pkce.ts","kind":"import-statement","original":"./pkce"},{"path":"<runtime>","kind":"import-statement","external":true}],"format":"esm"},"src/pow.ts":{"bytes":1766,"imports":[{"path":"node:crypto","kind":"import-statement","external":true},{"path":"<runtime>","kind":"import-statement","external":true}],"format":"esm"},"src/temporary.ts":{"bytes":8099,"imports":[{"path":"@cloudflare/workers-utils","kind":"import-statement","external":true},{"path":"undici","kind":"import-statement","external":true},{"path":"src/pow.ts","kind":"import-statement","original":"./pow"},{"path":"<runtime>","kind":"import-statement","external":true}],"format":"esm"},"src/flow.ts":{"bytes":16319,"imports":[{"path":"@cloudflare/workers-utils","kind":"import-statement","external":true},{"path":"../../node_modules/.pnpm/ts-dedent@2.2.0/node_modules/ts-dedent/esm/index.js","kind":"import-statement","original":"ts-dedent"},{"path":"undici","kind":"import-statement","external":true},{"path":"src/callback-server.ts","kind":"import-statement","original":"./callback-server"},{"path":"src/credentials.ts","kind":"import-statement","original":"./credentials"},{"path":"src/env-vars.ts","kind":"import-statement","original":"./env-vars"},{"path":"src/generate-auth-url.ts","kind":"import-statement","original":"./generate-auth-url"},{"path":"src/generate-random-state.ts","kind":"import-statement","original":"./generate-random-state"},{"path":"src/state.ts","kind":"import-statement","original":"./state"},{"path":"src/temporary.ts","kind":"import-statement","original":"./temporary"},{"path":"src/token-exchange.ts","kind":"import-statement","original":"./token-exchange"},{"path":"<runtime>","kind":"import-statement","external":true}],"format":"esm"},"src/index.ts":{"bytes":1282,"imports":[{"path":"src/credentials.ts","kind":"import-statement","original":"./credentials"},{"path":"src/access.ts","kind":"import-statement","original":"./access"},{"path":"src/env-vars.ts","kind":"import-statement","original":"./env-vars"},{"path":"src/flow.ts","kind":"import-statement","original":"./flow"},{"path":"src/generate-auth-url.ts","kind":"import-statement","original":"./generate-auth-url"},{"path":"src/generate-random-state.ts","kind":"import-statement","original":"./generate-random-state"},{"path":"src/temporary.ts","kind":"import-statement","original":"./temporary"},{"path":"src/pkce.ts","kind":"import-statement","original":"./pkce"},{"path":"src/state.ts","kind":"import-statement","original":"./state"}],"format":"esm"},"src/test-helpers/msw-handlers/access.ts":{"bytes":744,"imports":[{"path":"msw","kind":"import-statement","external":true}],"format":"esm"},"src/test-helpers/msw-handlers/oauth.ts":{"bytes":760,"imports":[{"path":"msw","kind":"import-statement","external":true}],"format":"esm"},"src/test-helpers/index.ts":{"bytes":123,"imports":[{"path":"src/test-helpers/msw-handlers/access.ts","kind":"import-statement","original":"./msw-handlers/access"},{"path":"src/test-helpers/msw-handlers/oauth.ts","kind":"import-statement","original":"./msw-handlers/oauth"}],"format":"esm"}},"outputs":{"dist/index.mjs":{"imports":[{"path":"dist/chunk-O6YSETKJ.mjs","kind":"import-statement"},{"path":"@cloudflare/workers-utils","kind":"import-statement","external":true},{"path":"node:child_process","kind":"import-statement","external":true},{"path":"@cloudflare/workers-utils","kind":"import-statement","external":true},{"path":"undici","kind":"import-statement","external":true},{"path":"@cloudflare/workers-utils","kind":"import-statement","external":true},{"path":"@cloudflare/workers-utils","kind":"import-statement","external":true},{"path":"undici","kind":"import-statement","external":true},{"path":"node:assert","kind":"import-statement","external":true},{"path":"node:http","kind":"import-statement","external":true},{"path":"node:url","kind":"import-statement","external":true},{"path":"@cloudflare/workers-utils","kind":"import-statement","external":true},{"path":"@cloudflare/workers-utils","kind":"import-statement","external":true},{"path":"node:assert","kind":"import-statement","external":true},{"path":"undici","kind":"import-statement","external":true},{"path":"node:crypto","kind":"import-statement","external":true},{"path":"node:util","kind":"import-statement","external":true},{"path":"node:crypto","kind":"import-statement","external":true},{"path":"@cloudflare/workers-utils","kind":"import-statement","external":true},{"path":"undici","kind":"import-statement","external":true},{"path":"node:crypto","kind":"import-statement","external":true}],"exports":["PKCE_CHARSET","TEMPORARY_TERMS_NOTICE","TEMPORARY_TERMS_PROMPT","clearAccessCaches","createOAuthFlow","domainUsesAccess","generateAuthUrl","generateRandomState","getAccessHeaders","getAuthFromEnv","getAuthUrlFromEnv","getCloudflareAPITokenFromEnv","getCloudflareGlobalAuthEmailFromEnv","getCloudflareGlobalAuthKeyFromEnv","readStoredAuthState"],"entryPoint":"src/index.ts","inputs":{"src/credentials.ts":{"bytesInOutput":1810},"src/state.ts":{"bytesInOutput":1316},"src/index.ts":{"bytesInOutput":0},"src/access.ts":{"bytesInOutput":4517},"src/env-vars.ts":{"bytesInOutput":1415},"src/flow.ts":{"bytesInOutput":8660},"../../node_modules/.pnpm/ts-dedent@2.2.0/node_modules/ts-dedent/esm/index.js":{"bytesInOutput":1494},"src/callback-server.ts":{"bytesInOutput":6776},"src/errors.ts":{"bytesInOutput":6069},"src/token-exchange.ts":{"bytesInOutput":7156},"src/pkce.ts":{"bytesInOutput":1203},"src/generate-auth-url.ts":{"bytesInOutput":467},"src/generate-random-state.ts":{"bytesInOutput":328},"src/temporary.ts":{"bytesInOutput":6747},"src/pow.ts":{"bytesInOutput":899}},"bytes":49784},"dist/test-helpers/index.mjs":{"imports":[{"path":"dist/chunk-O6YSETKJ.mjs","kind":"import-statement"},{"path":"msw","kind":"import-statement","external":true},{"path":"msw","kind":"import-statement","external":true}],"exports":["mswAccessHandlers","mswSuccessOauthHandlers"],"entryPoint":"src/test-helpers/index.ts","inputs":{"src/test-helpers/msw-handlers/access.ts":{"bytesInOutput":756},"src/test-helpers/index.ts":{"bytesInOutput":0},"src/test-helpers/msw-handlers/oauth.ts":{"bytesInOutput":877}},"bytes":1811},"dist/chunk-O6YSETKJ.mjs":{"imports":[],"exports":["__name"],"inputs":{},"bytes":151}}}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@cloudflare/workers-auth",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "description": "Internal OAuth 2.0 + PKCE flow for Cloudflare CLIs. Not intended for external use — APIs may change without notice.",
   "homepage": "https://github.com/cloudflare/workers-sdk/tree/main/packages/workers-auth#readme",
   "bugs": {
@@ -29,7 +29,7 @@
   },
   "dependencies": {
     "undici": "7.24.8",
-    "@cloudflare/workers-utils": "0.23.0"
+    "@cloudflare/workers-utils": "0.23.1"
   },
   "devDependencies": {
     "@types/node": "22.15.17",