npm - @cloudflare/workers-oauth-provider - Versions diffs - 0.3.3 → 0.4.0 - Mend

@cloudflare/workers-oauth-provider 0.3.3 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/oauth-provider.d.ts CHANGED Viewed

@@ -253,6 +253,16 @@ interface OAuthProviderOptions<Env = Cloudflare.Env> {
    * Defaults to false.
    */
   clientIdMetadataDocumentEnabled?: boolean;
+  /**
+   * When true, resource validation during token exchange compares origins only
+   * (scheme + host + port) instead of exact URI matching. This allows grants issued
+   * with an origin-only resource (e.g. `https://server.com`) to be used with
+   * path-aware resource requests (e.g. `https://server.com/mcp`), enabling seamless
+   * migration from pre-0.4.0 versions that stored origin-only resource URIs.
+   *
+   * Defaults to false (strict exact matching per RFC 8707).
+   */
+  resourceMatchOriginOnly?: boolean;
   /**
    * Optional metadata for RFC 9728 OAuth 2.0 Protected Resource Metadata.
    * Controls the response served at /.well-known/oauth-protected-resource.

package/dist/oauth-provider.js CHANGED Viewed

@@ -1,6 +1,7 @@
 import { WorkerEntrypoint } from "cloudflare:workers";
 //#region src/oauth-provider.ts
+const PROTECTED_RESOURCE_WELL_KNOWN_PREFIX = "/.well-known/oauth-protected-resource";
 if (!(typeof Cloudflare !== "undefined" && Cloudflare.compatibilityFlags?.global_fetch_strictly_public === true)) console.warn("CIMD (Client ID Metadata Document) is disabled: add '\"compatibility_flags\": [\"global_fetch_strictly_public\"]' to your wrangler.jsonc to enable. See: https://developers.cloudflare.com/workers/configuration/compatibility-flags/#global-fetch-strictly-public");
 /**
 * Enum representing the type of handler (ExportedHandler or WorkerEntrypoint)
@@ -141,7 +142,7 @@ var OAuthProviderImpl = class OAuthProviderImpl {
 	async fetch(request, env, ctx) {
 		const url = new URL(request.url);
 		if (request.method === "OPTIONS") {
-			if (this.isApiRequest(url) || url.pathname === "/.well-known/oauth-authorization-server" || url.pathname === "/.well-known/oauth-protected-resource" || this.isTokenEndpoint(url) || this.options.clientRegistrationEndpoint && this.isClientRegistrationEndpoint(url)) return this.addCorsHeaders(new Response(null, {
+			if (this.isApiRequest(url) || url.pathname === "/.well-known/oauth-authorization-server" || this.isProtectedResourceMetadataRequest(url) || this.isTokenEndpoint(url) || this.options.clientRegistrationEndpoint && this.isClientRegistrationEndpoint(url)) return this.addCorsHeaders(new Response(null, {
 				status: 204,
 				headers: { "Content-Length": "0" }
 			}), request);
@@ -150,7 +151,7 @@ var OAuthProviderImpl = class OAuthProviderImpl {
 			const response = await this.handleMetadataDiscovery(url);
 			return this.addCorsHeaders(response, request);
 		}
-		if (url.pathname === "/.well-known/oauth-protected-resource") {
+		if (this.isProtectedResourceMetadataRequest(url)) {
 			const response = this.handleProtectedResourceMetadata(url);
 			return this.addCorsHeaders(response, request);
 		}
@@ -245,6 +246,27 @@ var OAuthProviderImpl = class OAuthProviderImpl {
 		return this.matchEndpoint(url, this.options.clientRegistrationEndpoint);
 	}
 	/**
+	* Checks if a URL is a request for OAuth Protected Resource Metadata (RFC 9728).
+	* Matches both the root well-known path and path-suffixed variants per RFC 9728 §3.1.
+	*/
+	isProtectedResourceMetadataRequest(url) {
+		return url.pathname === PROTECTED_RESOURCE_WELL_KNOWN_PREFIX || url.pathname.startsWith(PROTECTED_RESOURCE_WELL_KNOWN_PREFIX + "/");
+	}
+	/**
+	* Derives the resource identifier from a protected resource metadata well-known URL.
+	* Per RFC 9728 §3.1, the well-known URI is inserted after the authority and before the path,
+	* so the resource identifier is reconstructed by removing the well-known prefix.
+	*
+	* Examples:
+	*   /.well-known/oauth-protected-resource       → origin (e.g. https://example.com)
+	*   /.well-known/oauth-protected-resource/mcp   → origin + /mcp (e.g. https://example.com/mcp)
+	*/
+	deriveResourceIdentifier(requestUrl) {
+		const suffix = requestUrl.pathname.slice(37);
+		if (!suffix || suffix === "/") return requestUrl.origin;
+		return `${requestUrl.origin}${suffix}`;
+	}
+	/**
 	* Parses and validates a token endpoint request (used for both token exchange and revocation)
 	* @param request - The HTTP request to parse
 	* @returns Promise with parsed body and client info, or error response
@@ -389,7 +411,7 @@ var OAuthProviderImpl = class OAuthProviderImpl {
 		const tokenEndpointUrl = this.getFullEndpointUrl(this.options.tokenEndpoint, requestUrl);
 		const authServerOrigin = new URL(tokenEndpointUrl).origin;
 		const metadata = {
-			resource: rm?.resource ?? requestUrl.origin,
+			resource: rm?.resource ?? this.deriveResourceIdentifier(requestUrl),
 			authorization_servers: rm?.authorization_servers ?? [authServerOrigin],
 			scopes_supported: rm?.scopes_supported ?? this.options.scopesSupported,
 			bearer_methods_supported: rm?.bearer_methods_supported ?? ["header"]
@@ -515,10 +537,11 @@ var OAuthProviderImpl = class OAuthProviderImpl {
 			grantData.expiresAt = expiresAt;
 		}
 		await this.saveGrantWithTTL(env, grantKey, grantData, now);
+		const originOnly = !!this.options.resourceMatchOriginOnly;
 		if (body.resource && grantData.resource) {
 			const requestedResources = Array.isArray(body.resource) ? body.resource : [body.resource];
 			const grantedResources = Array.isArray(grantData.resource) ? grantData.resource : [grantData.resource];
-			for (const requested of requestedResources) if (!grantedResources.includes(requested)) return this.createErrorResponse("invalid_target", "Requested resource was not included in the authorization request");
+			for (const requested of requestedResources) if (!grantedResources.some((granted) => resourceMatches(requested, granted, originOnly))) return this.createErrorResponse("invalid_target", "Requested resource was not included in the authorization request");
 		}
 		const audience = parseResourceParameter(body.resource || grantData.resource);
 		if ((body.resource || grantData.resource) && !audience) return this.createErrorResponse("invalid_target", "The resource parameter must be a valid absolute URI without a fragment");
@@ -635,10 +658,11 @@ var OAuthProviderImpl = class OAuthProviderImpl {
 		grantData.refreshTokenId = newRefreshTokenId;
 		grantData.refreshTokenWrappedKey = newRefreshTokenWrappedKey;
 		await this.saveGrantWithTTL(env, grantKey, grantData, now);
+		const originOnly = !!this.options.resourceMatchOriginOnly;
 		if (body.resource && grantData.resource) {
 			const requestedResources = Array.isArray(body.resource) ? body.resource : [body.resource];
 			const grantedResources = Array.isArray(grantData.resource) ? grantData.resource : [grantData.resource];
-			for (const requested of requestedResources) if (!grantedResources.includes(requested)) return this.createErrorResponse("invalid_target", "Requested resource was not included in the authorization request");
+			for (const requested of requestedResources) if (!grantedResources.some((granted) => resourceMatches(requested, granted, originOnly))) return this.createErrorResponse("invalid_target", "Requested resource was not included in the authorization request");
 		}
 		const audience = parseResourceParameter(body.resource || grantData.resource);
 		if ((body.resource || grantData.resource) && !audience) return this.createErrorResponse("invalid_target", "The resource parameter must be a valid absolute URI without a fragment");
@@ -690,12 +714,13 @@ var OAuthProviderImpl = class OAuthProviderImpl {
 		const grantData = await env.OAUTH_KV.get(grantKey, { type: "json" });
 		if (!grantData) throw new OAuthError("invalid_grant", "Grant not found");
 		let tokenScopes = this.downscope(requestedScopes, grantData.scope);
+		const originOnly = !!this.options.resourceMatchOriginOnly;
 		let newAudience = tokenSummary.audience;
 		if (requestedResource) {
 			if (grantData.resource) {
 				const requestedResources = Array.isArray(requestedResource) ? requestedResource : [requestedResource];
 				const grantedResources = Array.isArray(grantData.resource) ? grantData.resource : [grantData.resource];
-				for (const requested of requestedResources) if (!grantedResources.includes(requested)) throw new OAuthError("invalid_target", "Requested resource was not included in the authorization request");
+				for (const requested of requestedResources) if (!grantedResources.some((granted) => resourceMatches(requested, granted, originOnly))) throw new OAuthError("invalid_target", "Requested resource was not included in the authorization request");
 			}
 			const parsedResource = parseResourceParameter(requestedResource);
 			if (!parsedResource) throw new OAuthError("invalid_target", "The resource parameter must be a valid absolute URI without a fragment");
@@ -956,7 +981,7 @@ var OAuthProviderImpl = class OAuthProviderImpl {
 	*/
 	async handleApiRequest(request, env, ctx) {
 		const url = new URL(request.url);
-		const resourceMetadataUrl = `${url.origin}/.well-known/oauth-protected-resource`;
+		const resourceMetadataUrl = `${url.origin}/.well-known/oauth-protected-resource${url.pathname}`;
 		const authHeader = request.headers.get("Authorization");
 		if (!authHeader || !authHeader.startsWith("Bearer ")) return this.createErrorResponse("invalid_token", "Missing or invalid access token", 401, { "WWW-Authenticate": this.buildWwwAuthenticateHeader(resourceMetadataUrl, "invalid_token", "Missing or invalid access token") });
 		const accessToken = authHeader.substring(7);
@@ -1331,6 +1356,19 @@ function parseResourceParameter(value) {
 	return value;
 }
 /**
+* Checks if a requested resource matches a granted resource.
+* When originOnly is true, compares only the origin (scheme + host + port),
+* allowing path-aware resources to match origin-only grants.
+*/
+function resourceMatches(requested, granted, originOnly) {
+	if (!originOnly) return requested === granted;
+	try {
+		return new URL(requested).origin === new URL(granted).origin;
+	} catch {
+		return requested === granted;
+	}
+}
+/**
 * Hashes a secret value using SHA-256
 * @param secret - The secret value to hash
 * @returns A hex string representation of the hash

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@cloudflare/workers-oauth-provider",
-  "version": "0.3.3",
+  "version": "0.4.0",
   "description": "OAuth provider for Cloudflare Workers",
   "main": "dist/oauth-provider.js",
   "types": "dist/oauth-provider.d.ts",