@cloudflare/workers-oauth-provider 0.3.2 → 0.4.0

package/dist/oauth-provider.d.ts

@@ -253,6 +253,16 @@ interface OAuthProviderOptions<Env = Cloudflare.Env> {
    * Defaults to false.
    */
   clientIdMetadataDocumentEnabled?: boolean;
+  /**
+   * When true, resource validation during token exchange compares origins only
+   * (scheme + host + port) instead of exact URI matching. This allows grants issued
+   * with an origin-only resource (e.g. `https://server.com`) to be used with
+   * path-aware resource requests (e.g. `https://server.com/mcp`), enabling seamless
+   * migration from pre-0.4.0 versions that stored origin-only resource URIs.
+   *
+   * Defaults to false (strict exact matching per RFC 8707).
+   */
+  resourceMatchOriginOnly?: boolean;
   /**
    * Optional metadata for RFC 9728 OAuth 2.0 Protected Resource Metadata.
    * Controls the response served at /.well-known/oauth-protected-resource.

package/dist/oauth-provider.js

@@ -537,10 +537,11 @@ var OAuthProviderImpl = class OAuthProviderImpl {
 			grantData.expiresAt = expiresAt;
 		}
 		await this.saveGrantWithTTL(env, grantKey, grantData, now);
+		const originOnly = !!this.options.resourceMatchOriginOnly;
 		if (body.resource && grantData.resource) {
 			const requestedResources = Array.isArray(body.resource) ? body.resource : [body.resource];
 			const grantedResources = Array.isArray(grantData.resource) ? grantData.resource : [grantData.resource];
-			for (const requested of requestedResources) if (!grantedResources.includes(requested)) return this.createErrorResponse("invalid_target", "Requested resource was not included in the authorization request");
+			for (const requested of requestedResources) if (!grantedResources.some((granted) => resourceMatches(requested, granted, originOnly))) return this.createErrorResponse("invalid_target", "Requested resource was not included in the authorization request");
 		}
 		const audience = parseResourceParameter(body.resource || grantData.resource);
 		if ((body.resource || grantData.resource) && !audience) return this.createErrorResponse("invalid_target", "The resource parameter must be a valid absolute URI without a fragment");
@@ -657,10 +658,11 @@ var OAuthProviderImpl = class OAuthProviderImpl {
 		grantData.refreshTokenId = newRefreshTokenId;
 		grantData.refreshTokenWrappedKey = newRefreshTokenWrappedKey;
 		await this.saveGrantWithTTL(env, grantKey, grantData, now);
+		const originOnly = !!this.options.resourceMatchOriginOnly;
 		if (body.resource && grantData.resource) {
 			const requestedResources = Array.isArray(body.resource) ? body.resource : [body.resource];
 			const grantedResources = Array.isArray(grantData.resource) ? grantData.resource : [grantData.resource];
-			for (const requested of requestedResources) if (!grantedResources.includes(requested)) return this.createErrorResponse("invalid_target", "Requested resource was not included in the authorization request");
+			for (const requested of requestedResources) if (!grantedResources.some((granted) => resourceMatches(requested, granted, originOnly))) return this.createErrorResponse("invalid_target", "Requested resource was not included in the authorization request");
 		}
 		const audience = parseResourceParameter(body.resource || grantData.resource);
 		if ((body.resource || grantData.resource) && !audience) return this.createErrorResponse("invalid_target", "The resource parameter must be a valid absolute URI without a fragment");
@@ -712,12 +714,13 @@ var OAuthProviderImpl = class OAuthProviderImpl {
 		const grantData = await env.OAUTH_KV.get(grantKey, { type: "json" });
 		if (!grantData) throw new OAuthError("invalid_grant", "Grant not found");
 		let tokenScopes = this.downscope(requestedScopes, grantData.scope);
+		const originOnly = !!this.options.resourceMatchOriginOnly;
 		let newAudience = tokenSummary.audience;
 		if (requestedResource) {
 			if (grantData.resource) {
 				const requestedResources = Array.isArray(requestedResource) ? requestedResource : [requestedResource];
 				const grantedResources = Array.isArray(grantData.resource) ? grantData.resource : [grantData.resource];
-				for (const requested of requestedResources) if (!grantedResources.includes(requested)) throw new OAuthError("invalid_target", "Requested resource was not included in the authorization request");
+				for (const requested of requestedResources) if (!grantedResources.some((granted) => resourceMatches(requested, granted, originOnly))) throw new OAuthError("invalid_target", "Requested resource was not included in the authorization request");
 			}
 			const parsedResource = parseResourceParameter(requestedResource);
 			if (!parsedResource) throw new OAuthError("invalid_target", "The resource parameter must be a valid absolute URI without a fragment");
@@ -1353,6 +1356,19 @@ function parseResourceParameter(value) {
 	return value;
 }
 /**
+* Checks if a requested resource matches a granted resource.
+* When originOnly is true, compares only the origin (scheme + host + port),
+* allowing path-aware resources to match origin-only grants.
+*/
+function resourceMatches(requested, granted, originOnly) {
+	if (!originOnly) return requested === granted;
+	try {
+		return new URL(requested).origin === new URL(granted).origin;
+	} catch {
+		return requested === granted;
+	}
+}
+/**
 * Hashes a secret value using SHA-256
 * @param secret - The secret value to hash
 * @returns A hex string representation of the hash

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cloudflare/workers-oauth-provider",
-  "version": "0.3.2",
+  "version": "0.4.0",
   "description": "OAuth provider for Cloudflare Workers",
   "main": "dist/oauth-provider.js",
   "types": "dist/oauth-provider.d.ts",