@cloudflare/workers-oauth-provider 0.3.2 → 0.3.3

@@ -1,7 +1,6 @@
1
1
  import { WorkerEntrypoint } from "cloudflare:workers";
2
2
 
3
3
  //#region src/oauth-provider.ts
4
- const PROTECTED_RESOURCE_WELL_KNOWN_PREFIX = "/.well-known/oauth-protected-resource";
5
4
  if (!(typeof Cloudflare !== "undefined" && Cloudflare.compatibilityFlags?.global_fetch_strictly_public === true)) console.warn("CIMD (Client ID Metadata Document) is disabled: add '\"compatibility_flags\": [\"global_fetch_strictly_public\"]' to your wrangler.jsonc to enable. See: https://developers.cloudflare.com/workers/configuration/compatibility-flags/#global-fetch-strictly-public");
6
5
  /**
7
6
  * Enum representing the type of handler (ExportedHandler or WorkerEntrypoint)
@@ -142,7 +141,7 @@ var OAuthProviderImpl = class OAuthProviderImpl {
142
141
  async fetch(request, env, ctx) {
143
142
  const url = new URL(request.url);
144
143
  if (request.method === "OPTIONS") {
145
- if (this.isApiRequest(url) || url.pathname === "/.well-known/oauth-authorization-server" || this.isProtectedResourceMetadataRequest(url) || this.isTokenEndpoint(url) || this.options.clientRegistrationEndpoint && this.isClientRegistrationEndpoint(url)) return this.addCorsHeaders(new Response(null, {
144
+ if (this.isApiRequest(url) || url.pathname === "/.well-known/oauth-authorization-server" || url.pathname === "/.well-known/oauth-protected-resource" || this.isTokenEndpoint(url) || this.options.clientRegistrationEndpoint && this.isClientRegistrationEndpoint(url)) return this.addCorsHeaders(new Response(null, {
146
145
  status: 204,
147
146
  headers: { "Content-Length": "0" }
148
147
  }), request);
@@ -151,7 +150,7 @@ var OAuthProviderImpl = class OAuthProviderImpl {
151
150
  const response = await this.handleMetadataDiscovery(url);
152
151
  return this.addCorsHeaders(response, request);
153
152
  }
154
- if (this.isProtectedResourceMetadataRequest(url)) {
153
+ if (url.pathname === "/.well-known/oauth-protected-resource") {
155
154
  const response = this.handleProtectedResourceMetadata(url);
156
155
  return this.addCorsHeaders(response, request);
157
156
  }
@@ -246,27 +245,6 @@ var OAuthProviderImpl = class OAuthProviderImpl {
246
245
  return this.matchEndpoint(url, this.options.clientRegistrationEndpoint);
247
246
  }
248
247
  /**
249
- * Checks if a URL is a request for OAuth Protected Resource Metadata (RFC 9728).
250
- * Matches both the root well-known path and path-suffixed variants per RFC 9728 §3.1.
251
- */
252
- isProtectedResourceMetadataRequest(url) {
253
- return url.pathname === PROTECTED_RESOURCE_WELL_KNOWN_PREFIX || url.pathname.startsWith(PROTECTED_RESOURCE_WELL_KNOWN_PREFIX + "/");
254
- }
255
- /**
256
- * Derives the resource identifier from a protected resource metadata well-known URL.
257
- * Per RFC 9728 §3.1, the well-known URI is inserted after the authority and before the path,
258
- * so the resource identifier is reconstructed by removing the well-known prefix.
259
- *
260
- * Examples:
261
- * /.well-known/oauth-protected-resource → origin (e.g. https://example.com)
262
- * /.well-known/oauth-protected-resource/mcp → origin + /mcp (e.g. https://example.com/mcp)
263
- */
264
- deriveResourceIdentifier(requestUrl) {
265
- const suffix = requestUrl.pathname.slice(37);
266
- if (!suffix || suffix === "/") return requestUrl.origin;
267
- return `${requestUrl.origin}${suffix}`;
268
- }
269
- /**
270
248
  * Parses and validates a token endpoint request (used for both token exchange and revocation)
271
249
  * @param request - The HTTP request to parse
272
250
  * @returns Promise with parsed body and client info, or error response
@@ -411,7 +389,7 @@ var OAuthProviderImpl = class OAuthProviderImpl {
411
389
  const tokenEndpointUrl = this.getFullEndpointUrl(this.options.tokenEndpoint, requestUrl);
412
390
  const authServerOrigin = new URL(tokenEndpointUrl).origin;
413
391
  const metadata = {
414
- resource: rm?.resource ?? this.deriveResourceIdentifier(requestUrl),
392
+ resource: rm?.resource ?? requestUrl.origin,
415
393
  authorization_servers: rm?.authorization_servers ?? [authServerOrigin],
416
394
  scopes_supported: rm?.scopes_supported ?? this.options.scopesSupported,
417
395
  bearer_methods_supported: rm?.bearer_methods_supported ?? ["header"]
@@ -978,7 +956,7 @@ var OAuthProviderImpl = class OAuthProviderImpl {
978
956
  */
979
957
  async handleApiRequest(request, env, ctx) {
980
958
  const url = new URL(request.url);
981
- const resourceMetadataUrl = `${url.origin}/.well-known/oauth-protected-resource${url.pathname}`;
959
+ const resourceMetadataUrl = `${url.origin}/.well-known/oauth-protected-resource`;
982
960
  const authHeader = request.headers.get("Authorization");
983
961
  if (!authHeader || !authHeader.startsWith("Bearer ")) return this.createErrorResponse("invalid_token", "Missing or invalid access token", 401, { "WWW-Authenticate": this.buildWwwAuthenticateHeader(resourceMetadataUrl, "invalid_token", "Missing or invalid access token") });
984
962
  const accessToken = authHeader.substring(7);
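Review bot: The new fallback `resource: rm?.resource ?? requestUrl.origin` (new line 392), together with the exact-match checks `url.pathname === "/.well-known/oauth-protected-resource"` at new lines 144 and 153, narrows discovery to the root well-known URI and an origin-wide resource identifier, and nothing on the new side documents that. A client that builds the path-suffixed URL described in the removed RFC 9728 §3.1 comment (for example `/.well-known/oauth-protected-resource/mcp`) no longer reaches `handleProtectedResourceMetadata`, and one that compares the returned `resource` with a path-scoped identifier would presumably reject the origin-only value; where the unmatched request ends up is outside these hunks. I would add a comment above the metadata object such as `// Only the root well-known URI is served; resource falls back to the request origin, so path-scoped resources must set rm.resource explicitly.` and keep the path literal in one named constant instead of repeating it at new lines 144, 153 and 959. Since this file is bundled output of `src/oauth-provider.ts`, the change belongs in that source, and `fetch`, the function building `metadata` and `handleApiRequest` all continue beyond the lines shown.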
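--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@cloudflare/workers-oauth-provider",
- "version": "0.3.2",
+ "version": "0.3.3",
  "description": "OAuth provider for Cloudflare Workers",
  "main": "dist/oauth-provider.js",
  "types": "dist/oauth-provider.d.ts",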