npm - @cloudflare/workers-oauth-provider - Versions diffs - 0.0.2 → 0.0.4-0 - Mend

@cloudflare/workers-oauth-provider 0.0.2 → 0.0.4-0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -2,9 +2,9 @@
 This is a TypeScript library that implements the provider side of the OAuth 2.1 protocol with PKCE support. The library is intended to be used on Cloudflare Workers.
-## EXPERIMENTAL
+## Beta
-As of March, 2025, this library is very new. Please use with caution as additional security reviews are still in progress.
+As of March, 2025, this library is very new, prerelease software. The API is still subject to change.
 ## Benefits of this library
@@ -43,6 +43,16 @@ export default new OAuthProvider({
   // You can provide either an object with a fetch method (ExportedHandler)
   // or a class extending WorkerEntrypoint.
   apiHandler: ApiHandler, // Using a WorkerEntrypoint class
+  // For multi-handler setups, you can use apiHandlers instead of apiRoute+apiHandler.
+  // This allows you to use different handlers for different API routes.
+  // Note: You must use either apiRoute+apiHandler (single-handler) OR apiHandlers (multi-handler), not both.
+  // Example:
+  // apiHandlers: {
+  //   "/api/users/": UsersApiHandler,
+  //   "/api/documents/": DocumentsApiHandler,
+  //   "https://api.example.com/": ExternalApiHandler,
+  // },
   // Any requests which aren't API request will be passed to the default handler instead.
   // Again, this can be either an object or a WorkerEntrypoint.
@@ -262,11 +272,34 @@ The `accessTokenTTL` override is particularly useful when the application is als
 The `props` values are end-to-end encrypted, so they can safely contain sensitive information.
-## Written by Claude
+## Custom Error Responses
-This library (including the schema documentation) was largely written by [Claude](https://claude.ai), the AI model by Anthropic. Claude's output was thoroughly reviewed by Cloudflare engineers with careful attention paid to security and compliance with standards. Many improvements were made on the initial output, mostly again by prompting Claude (and reviewing the results). Check out the commit history to see how Claude was prompted and what code it produced.
+By using the `onError` option, you can emit notifications or take other actions when an error response was to be emitted:
-(@kentonv, the lead engineer, was actually an AI skeptic, and started this project with the intent to prove that LLMs cannot code. He ended up deciding he had proven himself wrong.)
+```ts
+new OAuthProvider({
+  // ... other options ...
+  onError({ code, description, status, headers }) {
+    Sentry.captureMessage(/* ... */)
+  }
+})
+```
+By returning a `Response` you can also override what the OAuthProvider returns to your users:
+```ts
+new OAuthProvider({
+  // ... other options ...
+  onError({ code, description, status, headers }) {
+    if (code === 'unsupported_grant_type') {
+      return new Response('...', { status, headers })
+    }
+    // returning undefined (i.e. void) uses the default Response generation
+  }
+})
+```
+By default, the `onError` callback is set to ``({ status, code, description }) => console.warn(`OAuth error response: ${status} ${code} - ${description}`)``.
 ## Implementation Notes
@@ -286,3 +319,17 @@ OAuth 2.1 requires that refresh tokens are either "cryptographically bound" to t
 This requirement is seemingly fundamentally flawed as it assumes that every refresh request will complete with no errors. In the real world, a transient network error, machine failure, or software fault could mean that the client fails to store the new refresh token after a refresh request. In this case, the client would be permanently unable to make any further requests, as the only token it has is no longer valid.
 This library implements a compromise: At any particular time, a grant may have two valid refresh tokens. When the client uses one of them, the other one is invalidated, and a new one is generated and returned. Thus, if the client correctly uses the new refresh token each time, then older refresh tokens are continuously invalidated. But if a transient failure prevents the client from updating its token, it can always retry the request with the token it used previously.
+## Written using Claude
+This library (including the schema documentation) was largely written with the help of [Claude](https://claude.ai), the AI model by Anthropic. Claude's output was thoroughly reviewed by Cloudflare engineers with careful attention paid to security and compliance with standards. Many improvements were made on the initial output, mostly again by prompting Claude (and reviewing the results). Check out the commit history to see how Claude was prompted and what code it produced.
+**"NOOOOOOOO!!!! You can't just use an LLM to write an auth library!"**
+"haha gpus go brrr"
+In all seriousness, two months ago (January 2025), I ([@kentonv](https://github.com/kentonv)) would have agreed. I was an AI skeptic. I thoughts LLMs were glorified Markov chain generators that didn't actually understand code and couldn't produce anything novel. I started this project on a lark, fully expecting the AI to produce terrible code for me to laugh at. And then, uh... the code actually looked pretty good. Not perfect, but I just told the AI to fix things, and it did. I was shocked.
+To emphasize, **this is not "vibe coded"**. Every line was thoroughly reviewed and cross-referenced with relevant RFCs, by security experts with previous experience with those RFCs. I was *trying* to validate my skepticism. I ended up proving myself wrong.
+Again, please check out the commit history -- especially early commits -- to understand how this went.

package/dist/oauth-provider.d.ts CHANGED Viewed

@@ -67,14 +67,31 @@ interface OAuthProviderOptions {
      * URL(s) for API routes. Requests with URLs starting with any of these prefixes
      * will be treated as API requests and require a valid access token.
      * Can be a single route or an array of routes. Each route can be a full URL or just a path.
+     *
+     * Used with `apiHandler` for the single-handler configuration. This is incompatible with
+     * the `apiHandlers` property. You must use either `apiRoute` + `apiHandler` OR `apiHandlers`, not both.
      */
-    apiRoute: string | string[];
+    apiRoute?: string | string[];
     /**
      * Handler for API requests that have a valid access token.
      * This handler will receive the authenticated user properties in ctx.props.
      * Can be either an ExportedHandler object with a fetch method or a class extending WorkerEntrypoint.
+     *
+     * Used with `apiRoute` for the single-handler configuration. This is incompatible with
+     * the `apiHandlers` property. You must use either `apiRoute` + `apiHandler` OR `apiHandlers`, not both.
      */
-    apiHandler: ExportedHandlerWithFetch | (new (ctx: ExecutionContext, env: any) => WorkerEntrypointWithFetch);
+    apiHandler?: ExportedHandlerWithFetch | (new (ctx: ExecutionContext, env: any) => WorkerEntrypointWithFetch);
+    /**
+     * Map of API routes to their corresponding handlers for the multi-handler configuration.
+     * The keys are the API routes (strings only, not arrays), and the values are the handlers.
+     * Each route can be a full URL or just a path, and each handler can be either an ExportedHandler
+     * object with a fetch method or a class extending WorkerEntrypoint.
+     *
+     * This is incompatible with the `apiRoute` and `apiHandler` properties. You must use either
+     * `apiRoute` + `apiHandler` (single-handler configuration) OR `apiHandlers` (multi-handler
+     * configuration), not both.
+     */
+    apiHandlers?: Record<string, ExportedHandlerWithFetch | (new (ctx: ExecutionContext, env: any) => WorkerEntrypointWithFetch)>;
     /**
      * Handler for all non-API requests or API requests without a valid token.
      * Can be either an ExportedHandler object with a fetch method or a class extending WorkerEntrypoint.
@@ -128,6 +145,18 @@ interface OAuthProviderOptions {
      * If the callback returns nothing or undefined for a props field, the original props will be used.
      */
     tokenExchangeCallback?: (options: TokenExchangeCallbackOptions) => Promise<TokenExchangeCallbackResult | void> | TokenExchangeCallbackResult | void;
+    /**
+     * Optional callback function that is called whenever the OAuthProvider returns an error response
+     * This allows the client to emit notifications or perform other actions when an error occurs.
+     *
+     * If the function returns a Response, that will be used in place of the OAuthProvider's default one.
+     */
+    onError?: (error: {
+        code: string;
+        description: string;
+        status: number;
+        headers: Record<string, string>;
+    }) => Response | void;
 }
 /**
  * Helper methods for OAuth operations provided to handler functions

package/dist/oauth-provider.js CHANGED Viewed

@@ -37,14 +37,36 @@ var OAuthProviderImpl = class {
    * @param options - Configuration options for the provider
    */
   constructor(options) {
-    this.typedApiHandler = this.validateHandler(options.apiHandler, "apiHandler");
+    this.typedApiHandlers = /* @__PURE__ */ new Map();
+    const hasSingleHandlerConfig = !!(options.apiRoute && options.apiHandler);
+    const hasMultiHandlerConfig = !!options.apiHandlers;
+    if (hasSingleHandlerConfig && hasMultiHandlerConfig) {
+      throw new TypeError(
+        "Cannot use both apiRoute/apiHandler and apiHandlers. Use either apiRoute + apiHandler OR apiHandlers, not both."
+      );
+    }
+    if (!hasSingleHandlerConfig && !hasMultiHandlerConfig) {
+      throw new TypeError(
+        "Must provide either apiRoute + apiHandler OR apiHandlers. No API route configuration provided."
+      );
+    }
     this.typedDefaultHandler = this.validateHandler(options.defaultHandler, "defaultHandler");
-    if (Array.isArray(options.apiRoute)) {
-      options.apiRoute.forEach((route, index) => {
-        this.validateEndpoint(route, `apiRoute[${index}]`);
-      });
+    if (hasSingleHandlerConfig) {
+      const apiHandler = this.validateHandler(options.apiHandler, "apiHandler");
+      if (Array.isArray(options.apiRoute)) {
+        options.apiRoute.forEach((route, index) => {
+          this.validateEndpoint(route, `apiRoute[${index}]`);
+          this.typedApiHandlers.set(route, apiHandler);
+        });
+      } else {
+        this.validateEndpoint(options.apiRoute, "apiRoute");
+        this.typedApiHandlers.set(options.apiRoute, apiHandler);
+      }
     } else {
-      this.validateEndpoint(options.apiRoute, "apiRoute");
+      for (const [route, handler] of Object.entries(options.apiHandlers)) {
+        this.validateEndpoint(route, `apiHandlers key: ${route}`);
+        this.typedApiHandlers.set(route, this.validateHandler(handler, `apiHandlers[${route}]`));
+      }
     }
     this.validateEndpoint(options.authorizeEndpoint, "authorizeEndpoint");
     this.validateEndpoint(options.tokenEndpoint, "tokenEndpoint");
@@ -52,8 +74,9 @@ var OAuthProviderImpl = class {
       this.validateEndpoint(options.clientRegistrationEndpoint, "clientRegistrationEndpoint");
     }
     this.options = {
-      ...options,
-      accessTokenTTL: options.accessTokenTTL || DEFAULT_ACCESS_TOKEN_TTL
+      accessTokenTTL: DEFAULT_ACCESS_TOKEN_TTL,
+      onError: ({ status, code, description }) => console.warn(`OAuth error response: ${status} ${code} - ${description}`),
+      ...options
     };
   }
   /**
@@ -203,11 +226,25 @@ var OAuthProviderImpl = class {
    * @returns True if the URL matches any of the API routes
    */
   isApiRequest(url) {
-    if (Array.isArray(this.options.apiRoute)) {
-      return this.options.apiRoute.some((route) => this.matchApiRoute(url, route));
-    } else {
-      return this.matchApiRoute(url, this.options.apiRoute);
+    for (const route of this.typedApiHandlers.keys()) {
+      if (this.matchApiRoute(url, route)) {
+        return true;
+      }
+    }
+    return false;
+  }
+  /**
+   * Finds the appropriate API handler for a URL
+   * @param url - The URL to find a handler for
+   * @returns The TypedHandler for the URL, or undefined if no handler matches
+   */
+  findApiHandlerForUrl(url) {
+    for (const [route, handler] of this.typedApiHandlers.entries()) {
+      if (this.matchApiRoute(url, route)) {
+        return handler;
+      }
     }
+    return void 0;
   }
   /**
    * Gets the full URL for an endpoint, using the provided request URL's
@@ -298,12 +335,12 @@ var OAuthProviderImpl = class {
    */
   async handleTokenRequest(request, env) {
     if (request.method !== "POST") {
-      return createErrorResponse("invalid_request", "Method not allowed", 405);
+      return this.createErrorResponse("invalid_request", "Method not allowed", 405);
     }
     let contentType = request.headers.get("Content-Type") || "";
     let body = {};
     if (!contentType.includes("application/x-www-form-urlencoded")) {
-      return createErrorResponse("invalid_request", "Content-Type must be application/x-www-form-urlencoded", 400);
+      return this.createErrorResponse("invalid_request", "Content-Type must be application/x-www-form-urlencoded", 400);
     }
     const formData = await request.formData();
     for (const [key, value] of formData.entries()) {
@@ -322,19 +359,19 @@ var OAuthProviderImpl = class {
       clientSecret = body.client_secret || "";
     }
     if (!clientId) {
-      return createErrorResponse("invalid_client", "Client ID is required", 401);
+      return this.createErrorResponse("invalid_client", "Client ID is required", 401);
     }
     const clientInfo = await this.getClient(env, clientId);
     if (!clientInfo) {
-      return createErrorResponse("invalid_client", "Client not found", 401);
+      return this.createErrorResponse("invalid_client", "Client not found", 401);
     }
     const isPublicClient = clientInfo.tokenEndpointAuthMethod === "none";
     if (!isPublicClient) {
       if (!clientSecret) {
-        return createErrorResponse("invalid_client", "Client authentication failed: missing client_secret", 401);
+        return this.createErrorResponse("invalid_client", "Client authentication failed: missing client_secret", 401);
       }
       if (!clientInfo.clientSecret) {
-        return createErrorResponse(
+        return this.createErrorResponse(
           "invalid_client",
           "Client authentication failed: client has no registered secret",
           401
@@ -342,7 +379,7 @@ var OAuthProviderImpl = class {
       }
       const providedSecretHash = await hashSecret(clientSecret);
       if (providedSecretHash !== clientInfo.clientSecret) {
-        return createErrorResponse("invalid_client", "Client authentication failed: invalid client_secret", 401);
+        return this.createErrorResponse("invalid_client", "Client authentication failed: invalid client_secret", 401);
       }
     }
     const grantType = body.grant_type;
@@ -351,7 +388,7 @@ var OAuthProviderImpl = class {
     } else if (grantType === "refresh_token") {
       return this.handleRefreshTokenGrant(body, clientInfo, env);
     } else {
-      return createErrorResponse("unsupported_grant_type", "Grant type not supported");
+      return this.createErrorResponse("unsupported_grant_type", "Grant type not supported");
     }
   }
   /**
@@ -367,38 +404,38 @@ var OAuthProviderImpl = class {
     const redirectUri = body.redirect_uri;
     const codeVerifier = body.code_verifier;
     if (!code) {
-      return createErrorResponse("invalid_request", "Authorization code is required");
+      return this.createErrorResponse("invalid_request", "Authorization code is required");
     }
     const codeParts = code.split(":");
     if (codeParts.length !== 3) {
-      return createErrorResponse("invalid_grant", "Invalid authorization code format");
+      return this.createErrorResponse("invalid_grant", "Invalid authorization code format");
     }
     const [userId, grantId, _] = codeParts;
     const grantKey = `grant:${userId}:${grantId}`;
     const grantData = await env.OAUTH_KV.get(grantKey, { type: "json" });
     if (!grantData) {
-      return createErrorResponse("invalid_grant", "Grant not found or authorization code expired");
+      return this.createErrorResponse("invalid_grant", "Grant not found or authorization code expired");
     }
     if (!grantData.authCodeId) {
-      return createErrorResponse("invalid_grant", "Authorization code already used");
+      return this.createErrorResponse("invalid_grant", "Authorization code already used");
     }
     const codeHash = await hashSecret(code);
     if (codeHash !== grantData.authCodeId) {
-      return createErrorResponse("invalid_grant", "Invalid authorization code");
+      return this.createErrorResponse("invalid_grant", "Invalid authorization code");
     }
     if (grantData.clientId !== clientInfo.clientId) {
-      return createErrorResponse("invalid_grant", "Client ID mismatch");
+      return this.createErrorResponse("invalid_grant", "Client ID mismatch");
     }
     const isPkceEnabled = !!grantData.codeChallenge;
     if (!redirectUri && !isPkceEnabled) {
-      return createErrorResponse("invalid_request", "redirect_uri is required when not using PKCE");
+      return this.createErrorResponse("invalid_request", "redirect_uri is required when not using PKCE");
     }
     if (redirectUri && !clientInfo.redirectUris.includes(redirectUri)) {
-      return createErrorResponse("invalid_grant", "Invalid redirect URI");
+      return this.createErrorResponse("invalid_grant", "Invalid redirect URI");
     }
     if (isPkceEnabled) {
       if (!codeVerifier) {
-        return createErrorResponse("invalid_request", "code_verifier is required for PKCE");
+        return this.createErrorResponse("invalid_request", "code_verifier is required for PKCE");
       }
       let calculatedChallenge;
       if (grantData.codeChallengeMethod === "S256") {
@@ -411,7 +448,7 @@ var OAuthProviderImpl = class {
         calculatedChallenge = codeVerifier;
       }
       if (calculatedChallenge !== grantData.codeChallenge) {
-        return createErrorResponse("invalid_grant", "Invalid PKCE code_verifier");
+        return this.createErrorResponse("invalid_grant", "Invalid PKCE code_verifier");
       }
     }
     const accessTokenSecret = generateRandomString(TOKEN_LENGTH);
@@ -516,26 +553,26 @@ var OAuthProviderImpl = class {
   async handleRefreshTokenGrant(body, clientInfo, env) {
     const refreshToken = body.refresh_token;
     if (!refreshToken) {
-      return createErrorResponse("invalid_request", "Refresh token is required");
+      return this.createErrorResponse("invalid_request", "Refresh token is required");
     }
     const tokenParts = refreshToken.split(":");
     if (tokenParts.length !== 3) {
-      return createErrorResponse("invalid_grant", "Invalid token format");
+      return this.createErrorResponse("invalid_grant", "Invalid token format");
     }
     const [userId, grantId, _] = tokenParts;
     const providedTokenHash = await generateTokenId(refreshToken);
     const grantKey = `grant:${userId}:${grantId}`;
     const grantData = await env.OAUTH_KV.get(grantKey, { type: "json" });
     if (!grantData) {
-      return createErrorResponse("invalid_grant", "Grant not found");
+      return this.createErrorResponse("invalid_grant", "Grant not found");
     }
     const isCurrentToken = grantData.refreshTokenId === providedTokenHash;
     const isPreviousToken = grantData.previousRefreshTokenId === providedTokenHash;
     if (!isCurrentToken && !isPreviousToken) {
-      return createErrorResponse("invalid_grant", "Invalid refresh token");
+      return this.createErrorResponse("invalid_grant", "Invalid refresh token");
     }
     if (grantData.clientId !== clientInfo.clientId) {
-      return createErrorResponse("invalid_grant", "Client ID mismatch");
+      return this.createErrorResponse("invalid_grant", "Client ID mismatch");
     }
     const accessTokenSecret = generateRandomString(TOKEN_LENGTH);
     const newAccessToken = `${userId}:${grantId}:${accessTokenSecret}`;
@@ -647,24 +684,24 @@ var OAuthProviderImpl = class {
    */
   async handleClientRegistration(request, env) {
     if (!this.options.clientRegistrationEndpoint) {
-      return createErrorResponse("not_implemented", "Client registration is not enabled", 501);
+      return this.createErrorResponse("not_implemented", "Client registration is not enabled", 501);
     }
     if (request.method !== "POST") {
-      return createErrorResponse("invalid_request", "Method not allowed", 405);
+      return this.createErrorResponse("invalid_request", "Method not allowed", 405);
     }
     const contentLength = parseInt(request.headers.get("Content-Length") || "0", 10);
     if (contentLength > 1048576) {
-      return createErrorResponse("invalid_request", "Request payload too large, must be under 1 MiB", 413);
+      return this.createErrorResponse("invalid_request", "Request payload too large, must be under 1 MiB", 413);
     }
     let clientMetadata;
     try {
       const text = await request.text();
       if (text.length > 1048576) {
-        return createErrorResponse("invalid_request", "Request payload too large, must be under 1 MiB", 413);
+        return this.createErrorResponse("invalid_request", "Request payload too large, must be under 1 MiB", 413);
       }
       clientMetadata = JSON.parse(text);
     } catch (error) {
-      return createErrorResponse("invalid_request", "Invalid JSON payload", 400);
+      return this.createErrorResponse("invalid_request", "Invalid JSON payload", 400);
     }
     const validateStringField = (field) => {
       if (field === void 0) {
@@ -692,7 +729,7 @@ var OAuthProviderImpl = class {
     const authMethod = validateStringField(clientMetadata.token_endpoint_auth_method) || "client_secret_basic";
     const isPublicClient = authMethod === "none";
     if (isPublicClient && this.options.disallowPublicClientRegistration) {
-      return createErrorResponse("invalid_client_metadata", "Public client registration is not allowed");
+      return this.createErrorResponse("invalid_client_metadata", "Public client registration is not allowed");
     }
     const clientId = generateRandomString(16);
     let clientSecret;
@@ -726,7 +763,7 @@ var OAuthProviderImpl = class {
         clientInfo.clientSecret = hashedSecret;
       }
     } catch (error) {
-      return createErrorResponse(
+      return this.createErrorResponse(
         "invalid_client_metadata",
         error instanceof Error ? error.message : "Invalid client metadata"
       );
@@ -766,14 +803,14 @@ var OAuthProviderImpl = class {
   async handleApiRequest(request, env, ctx) {
     const authHeader = request.headers.get("Authorization");
     if (!authHeader || !authHeader.startsWith("Bearer ")) {
-      return createErrorResponse("invalid_token", "Missing or invalid access token", 401, {
+      return this.createErrorResponse("invalid_token", "Missing or invalid access token", 401, {
         "WWW-Authenticate": 'Bearer realm="OAuth", error="invalid_token", error_description="Missing or invalid access token"'
       });
     }
     const accessToken = authHeader.substring(7);
     const tokenParts = accessToken.split(":");
     if (tokenParts.length !== 3) {
-      return createErrorResponse("invalid_token", "Invalid token format", 401, {
+      return this.createErrorResponse("invalid_token", "Invalid token format", 401, {
         "WWW-Authenticate": 'Bearer realm="OAuth", error="invalid_token"'
       });
     }
@@ -782,13 +819,13 @@ var OAuthProviderImpl = class {
     const tokenKey = `token:${userId}:${grantId}:${accessTokenId}`;
     const tokenData = await env.OAUTH_KV.get(tokenKey, { type: "json" });
     if (!tokenData) {
-      return createErrorResponse("invalid_token", "Invalid access token", 401, {
+      return this.createErrorResponse("invalid_token", "Invalid access token", 401, {
         "WWW-Authenticate": 'Bearer realm="OAuth", error="invalid_token"'
       });
     }
     const now = Math.floor(Date.now() / 1e3);
     if (tokenData.expiresAt < now) {
-      return createErrorResponse("invalid_token", "Access token expired", 401, {
+      return this.createErrorResponse("invalid_token", "Access token expired", 401, {
         "WWW-Authenticate": 'Bearer realm="OAuth", error="invalid_token"'
       });
     }
@@ -798,10 +835,15 @@ var OAuthProviderImpl = class {
     if (!env.OAUTH_PROVIDER) {
       env.OAUTH_PROVIDER = this.createOAuthHelpers(env);
     }
-    if (this.typedApiHandler.type === 0 /* EXPORTED_HANDLER */) {
-      return this.typedApiHandler.handler.fetch(request, env, ctx);
+    const url = new URL(request.url);
+    const apiHandler = this.findApiHandlerForUrl(url);
+    if (!apiHandler) {
+      return this.createErrorResponse("invalid_request", "No handler found for API route", 404);
+    }
+    if (apiHandler.type === 0 /* EXPORTED_HANDLER */) {
+      return apiHandler.handler.fetch(request, env, ctx);
     } else {
-      const handler = new this.typedApiHandler.handler(ctx, env);
+      const handler = new apiHandler.handler(ctx, env);
       return handler.fetch(request);
     }
   }
@@ -827,22 +869,32 @@ var OAuthProviderImpl = class {
     const clientKey = `client:${clientId}`;
     return env.OAUTH_KV.get(clientKey, { type: "json" });
   }
+  /**
+   * Helper function to create OAuth error responses
+   * @param code - OAuth error code (e.g., 'invalid_request', 'invalid_token')
+   * @param description - Human-readable error description
+   * @param status - HTTP status code (default: 400)
+   * @param headers - Additional headers to include
+   * @returns A Response object with the error
+   */
+  createErrorResponse(code, description, status = 400, headers = {}) {
+    const customErrorResponse = this.options.onError?.({ code, description, status, headers });
+    if (customErrorResponse) return customErrorResponse;
+    const body = JSON.stringify({
+      error: code,
+      error_description: description
+    });
+    return new Response(body, {
+      status,
+      headers: {
+        "Content-Type": "application/json",
+        ...headers
+      }
+    });
+  }
 };
 var DEFAULT_ACCESS_TOKEN_TTL = 60 * 60;
 var TOKEN_LENGTH = 32;
-function createErrorResponse(code, description, status = 400, headers = {}) {
-  const body = JSON.stringify({
-    error: code,
-    error_description: description
-  });
-  return new Response(body, {
-    status,
-    headers: {
-      "Content-Type": "application/json",
-      ...headers
-    }
-  });
-}
 async function hashSecret(secret) {
   return generateTokenId(secret);
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@cloudflare/workers-oauth-provider",
-  "version": "0.0.2",
+  "version": "0.0.4-0",
   "description": "OAuth provider for Cloudflare Workers",
   "main": "dist/oauth-provider.js",
   "types": "dist/oauth-provider.d.ts",
@@ -15,7 +15,9 @@
   },
   "scripts": {
     "build": "tsup",
+    "build:watch": "tsup --watch",
     "test": "vitest run",
+    "test:watch": "vitest",
     "prepublishOnly": "npm run build",
     "prettier": "prettier -w ."
   },