@emdash-cms/cloudflare 0.0.1

package/dist/storage/r2.d.mts

@@ -0,0 +1,31 @@
+import { DownloadResult, ListOptions, ListResult, SignedUploadOptions, SignedUploadUrl, Storage, UploadResult } from "emdash";
+
+//#region src/storage/r2.d.ts
+/**
+ * R2 Storage implementation using native bindings
+ */
+declare class R2Storage implements Storage {
+  private bucket;
+  private publicUrl?;
+  constructor(bucket: R2Bucket, publicUrl?: string);
+  upload(options: {
+    key: string;
+    body: Buffer | Uint8Array | ReadableStream<Uint8Array>;
+    contentType: string;
+  }): Promise<UploadResult>;
+  download(key: string): Promise<DownloadResult>;
+  delete(key: string): Promise<void>;
+  exists(key: string): Promise<boolean>;
+  list(options?: ListOptions): Promise<ListResult>;
+  getSignedUploadUrl(_options: SignedUploadOptions): Promise<SignedUploadUrl>;
+  getPublicUrl(key: string): string;
+}
+/**
+ * Create R2 storage adapter
+ * This is the factory function called at runtime
+ *
+ * Uses cloudflare:workers to access bindings directly.
+ */
+declare function createStorage(config: Record<string, unknown>): Storage;
+//#endregion
+export { R2Storage, createStorage };

package/dist/storage/r2.mjs

@@ -0,0 +1,116 @@
+import { env } from "cloudflare:workers";
+import { EmDashStorageError } from "emdash";
+
+//#region src/storage/r2.ts
+/**
+* Cloudflare R2 Storage Implementation - RUNTIME ENTRY
+*
+* Uses R2 bindings directly when running on Cloudflare Workers.
+* This avoids the AWS SDK overhead and works with the native R2 API.
+*
+* This module imports directly from cloudflare:workers to access R2 bindings.
+* Do NOT import this at config time - use { r2 } from "@emdash-cms/cloudflare" instead.
+*
+* For Astro 6 / Cloudflare adapter v13+:
+* - Bindings are accessed via `import { env } from 'cloudflare:workers'`
+*/
+/** Regex to remove trailing slashes from URLs */
+const TRAILING_SLASH_REGEX = /\/$/;
+/**
+* R2 Storage implementation using native bindings
+*/
+var R2Storage = class {
+	bucket;
+	publicUrl;
+	constructor(bucket, publicUrl) {
+		this.bucket = bucket;
+		this.publicUrl = publicUrl;
+	}
+	async upload(options) {
+		try {
+			const result = await this.bucket.put(options.key, options.body, { httpMetadata: { contentType: options.contentType } });
+			if (!result) throw new EmDashStorageError(`Failed to upload file: ${options.key}`, "UPLOAD_FAILED");
+			return {
+				key: options.key,
+				url: this.getPublicUrl(options.key),
+				size: result.size
+			};
+		} catch (error) {
+			if (error instanceof EmDashStorageError) throw error;
+			throw new EmDashStorageError(`Failed to upload file: ${options.key}`, "UPLOAD_FAILED", error);
+		}
+	}
+	async download(key) {
+		try {
+			const object = await this.bucket.get(key);
+			if (!object) throw new EmDashStorageError(`File not found: ${key}`, "NOT_FOUND");
+			if (!("body" in object) || !object.body) throw new EmDashStorageError(`File not found: ${key}`, "NOT_FOUND");
+			return {
+				body: object.body,
+				contentType: object.httpMetadata?.contentType || "application/octet-stream",
+				size: object.size
+			};
+		} catch (error) {
+			if (error instanceof EmDashStorageError) throw error;
+			throw new EmDashStorageError(`Failed to download file: ${key}`, "DOWNLOAD_FAILED", error);
+		}
+	}
+	async delete(key) {
+		try {
+			await this.bucket.delete(key);
+		} catch (error) {
+			throw new EmDashStorageError(`Failed to delete file: ${key}`, "DELETE_FAILED", error);
+		}
+	}
+	async exists(key) {
+		try {
+			return await this.bucket.head(key) !== null;
+		} catch (error) {
+			throw new EmDashStorageError(`Failed to check file existence: ${key}`, "HEAD_FAILED", error);
+		}
+	}
+	async list(options = {}) {
+		try {
+			const response = await this.bucket.list({
+				prefix: options.prefix,
+				limit: options.limit,
+				cursor: options.cursor
+			});
+			return {
+				files: response.objects.map((item) => ({
+					key: item.key,
+					size: item.size,
+					lastModified: item.uploaded,
+					etag: item.etag
+				})),
+				nextCursor: response.truncated ? response.cursor : void 0
+			};
+		} catch (error) {
+			throw new EmDashStorageError("Failed to list files", "LIST_FAILED", error);
+		}
+	}
+	async getSignedUploadUrl(_options) {
+		throw new EmDashStorageError("R2 bindings do not support pre-signed upload URLs. Use the S3 API with R2 credentials for signed URL support, or upload through the Worker.", "NOT_SUPPORTED");
+	}
+	getPublicUrl(key) {
+		if (this.publicUrl) return `${this.publicUrl.replace(TRAILING_SLASH_REGEX, "")}/${key}`;
+		return `/_emdash/api/media/file/${key}`;
+	}
+};
+/**
+* Create R2 storage adapter
+* This is the factory function called at runtime
+*
+* Uses cloudflare:workers to access bindings directly.
+*/
+function createStorage(config) {
+	const binding = typeof config.binding === "string" ? config.binding : "";
+	const publicUrl = typeof config.publicUrl === "string" ? config.publicUrl : void 0;
+	if (!binding) throw new EmDashStorageError(`R2 binding name is required in storage config.`, "BINDING_NOT_FOUND");
+	const bucket = env[binding];
+	if (!bucket) throw new EmDashStorageError(`R2 binding "${binding}" not found. Make sure the binding is defined in wrangler.jsonc and you're running on Cloudflare Workers.\n\nExample wrangler.jsonc:\n{\n  "r2_buckets": [{\n    "binding": "${binding}",\n    "bucket_name": "my-bucket"\n  }]\n}`, "BINDING_NOT_FOUND");
+	return new R2Storage(bucket, publicUrl);
+}
+
+//#endregion
+export { R2Storage, createStorage };

package/dist/stream-DdbcvKi0.d.mts

@@ -0,0 +1,78 @@
+import { MediaProviderDescriptor } from "emdash/media";
+
+//#region src/media/stream.d.ts
+/**
+ * Cloudflare Stream configuration
+ */
+interface CloudflareStreamConfig {
+  /**
+   * Cloudflare Account ID
+   * If not provided, reads from accountIdEnvVar at runtime
+   */
+  accountId?: string;
+  /**
+   * Environment variable name containing the Account ID
+   * @default "CF_ACCOUNT_ID"
+   */
+  accountIdEnvVar?: string;
+  /**
+   * API Token with Stream permissions
+   * If not provided, reads from apiTokenEnvVar at runtime
+   * Should have "Stream: Read" and "Stream: Edit" permissions
+   */
+  apiToken?: string;
+  /**
+   * Environment variable name containing the API token
+   * @default "CF_STREAM_TOKEN"
+   */
+  apiTokenEnvVar?: string;
+  /**
+   * Customer subdomain for Stream delivery (optional)
+   * If not provided, uses customer-{hash}.cloudflarestream.com format
+   */
+  customerSubdomain?: string;
+  /**
+   * Default player controls setting
+   * @default true
+   */
+  controls?: boolean;
+  /**
+   * Autoplay videos (muted by default to comply with browser policies)
+   * @default false
+   */
+  autoplay?: boolean;
+  /**
+   * Loop videos
+   * @default false
+   */
+  loop?: boolean;
+  /**
+   * Mute videos
+   * @default false (true if autoplay is enabled)
+   */
+  muted?: boolean;
+}
+/**
+ * Cloudflare Stream media provider
+ *
+ * @example
+ * ```ts
+ * import { cloudflareStream } from "@emdash-cms/cloudflare";
+ *
+ * emdash({
+ *   mediaProviders: [
+ *     // Uses CF_ACCOUNT_ID and CF_STREAM_TOKEN env vars by default
+ *     cloudflareStream({}),
+ *
+ *     // Or with custom env var names
+ *     cloudflareStream({
+ *       accountIdEnvVar: "MY_CF_ACCOUNT",
+ *       apiTokenEnvVar: "MY_CF_STREAM_KEY",
+ *     }),
+ *   ],
+ * })
+ * ```
+ */
+declare function cloudflareStream(config: CloudflareStreamConfig): MediaProviderDescriptor<CloudflareStreamConfig>;
+//#endregion
+export { cloudflareStream as n, CloudflareStreamConfig as t };

package/package.json

@@ -0,0 +1,109 @@
+{
+  "name": "@emdash-cms/cloudflare",
+  "version": "0.0.1",
+  "description": "Cloudflare adapters for EmDash - D1, R2, Access, and Worker Loader sandbox",
+  "type": "module",
+  "main": "dist/index.mjs",
+  "files": [
+    "dist",
+    "src"
+  ],
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.mts",
+      "default": "./dist/index.mjs"
+    },
+    "./db/d1": {
+      "types": "./dist/db/d1.d.mts",
+      "default": "./dist/db/d1.mjs"
+    },
+    "./db/do": {
+      "types": "./dist/db/do.d.mts",
+      "default": "./dist/db/do.mjs"
+    },
+    "./db/playground": {
+      "types": "./dist/db/playground.d.mts",
+      "default": "./dist/db/playground.mjs"
+    },
+    "./db/playground-middleware": {
+      "types": "./dist/db/playground-middleware.d.mts",
+      "default": "./dist/db/playground-middleware.mjs"
+    },
+    "./storage/r2": {
+      "types": "./dist/storage/r2.d.mts",
+      "default": "./dist/storage/r2.mjs"
+    },
+    "./auth": {
+      "types": "./dist/auth/index.d.mts",
+      "default": "./dist/auth/index.mjs"
+    },
+    "./sandbox": {
+      "types": "./dist/sandbox/index.d.mts",
+      "default": "./dist/sandbox/index.mjs"
+    },
+    "./plugins": {
+      "types": "./dist/plugins/index.d.mts",
+      "default": "./dist/plugins/index.mjs"
+    },
+    "./media/images-runtime": {
+      "types": "./dist/media/images-runtime.d.mts",
+      "default": "./dist/media/images-runtime.mjs"
+    },
+    "./media/stream-runtime": {
+      "types": "./dist/media/stream-runtime.d.mts",
+      "default": "./dist/media/stream-runtime.mjs"
+    },
+    "./cache": {
+      "types": "./dist/cache/runtime.d.mts",
+      "default": "./dist/cache/runtime.mjs"
+    },
+    "./cache/config": {
+      "types": "./dist/cache/config.d.mts",
+      "default": "./dist/cache/config.mjs"
+    }
+  },
+  "dependencies": {
+    "jose": "^6.1.3",
+    "kysely-d1": "^0.4.0",
+    "ulidx": "^2.4.1",
+    "emdash": "0.0.1"
+  },
+  "peerDependencies": {
+    "@cloudflare/workers-types": ">=4.0.0",
+    "astro": ">=6.0.0-beta.0",
+    "kysely": ">=0.27.0"
+  },
+  "devDependencies": {
+    "@arethetypeswrong/cli": "^0.18.2",
+    "@cloudflare/workers-types": "^4.20260305.1",
+    "publint": "0.3.17",
+    "tsdown": "0.20.3",
+    "typescript": "^5.9.3",
+    "vitest": "^4.0.18"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/cloudflare/emdash.git",
+    "directory": "packages/cloudflare"
+  },
+  "homepage": "https://github.com/cloudflare/emdash",
+  "keywords": [
+    "emdash",
+    "cloudflare",
+    "d1",
+    "r2",
+    "access",
+    "worker-loader",
+    "sandbox",
+    "plugins"
+  ],
+  "author": "Matt Kane",
+  "license": "MIT",
+  "scripts": {
+    "build": "tsdown",
+    "dev": "tsdown --watch",
+    "test": "vitest run",
+    "check": "publint && attw --pack --ignore-rules=cjs-resolves-to-esm --ignore-rules=no-resolution",
+    "typecheck": "tsgo --noEmit"
+  }
+}

package/src/auth/cloudflare-access.ts

@@ -0,0 +1,303 @@
+/**
+ * Cloudflare Access Authentication - RUNTIME MODULE
+ *
+ * When EmDash is deployed behind Cloudflare Access, this module handles
+ * JWT validation and user provisioning from Access identity.
+ *
+ * Uses jose for JWT verification - works in all runtimes.
+ *
+ * This is loaded at runtime via the auth provider system.
+ * Do not import at config time.
+ */
+
+import { createRemoteJWKSet, jwtVerify, type JWTPayload } from "jose";
+import type { AuthResult } from "emdash";
+
+/**
+ * Configuration for Cloudflare Access authentication
+ *
+ * Note: This interface is duplicated in ../index.ts for config-time usage.
+ * Keep them in sync.
+ */
+export interface AccessConfig {
+	/**
+	 * Your Cloudflare Access team domain
+	 * @example "myteam.cloudflareaccess.com"
+	 */
+	teamDomain: string;
+
+	/**
+	 * Application Audience (AUD) tag from Access application settings.
+	 * For Cloudflare Workers, use `audienceEnvVar` instead to read at runtime.
+	 */
+	audience?: string;
+
+	/**
+	 * Environment variable name containing the audience tag.
+	 * Read at runtime from environment.
+	 * @default "CF_ACCESS_AUDIENCE"
+	 */
+	audienceEnvVar?: string;
+
+	/**
+	 * Role level for users not matching any group in roleMapping
+	 * @default 30 (Editor)
+	 */
+	defaultRole?: number;
+
+	/**
+	 * Map IdP group names to EmDash role levels
+	 */
+	roleMapping?: Record<string, number>;
+}
+
+/**
+ * Cloudflare Access JWT payload extends standard JWT with email claim
+ */
+export interface AccessJwtPayload extends JWTPayload {
+	/** User's email address (Access-specific claim) */
+	email: string;
+}
+
+/**
+ * Group from IdP (returned by get-identity endpoint)
+ */
+export interface AccessGroup {
+	id: string;
+	name: string;
+	email?: string;
+}
+
+/**
+ * Full identity from Access get-identity endpoint
+ */
+export interface AccessIdentity {
+	/** Unique identity ID */
+	id: string;
+	/** User's display name (may be undefined if IdP doesn't provide it) */
+	name?: string;
+	/** User's email address */
+	email: string;
+	/** Groups from IdP */
+	groups: AccessGroup[];
+	/** Identity provider info */
+	idp: {
+		id: string;
+		type: string;
+	};
+	/** Custom OIDC claims from IdP */
+	oidc_fields?: Record<string, unknown>;
+	/** SAML attributes from IdP */
+	saml_attributes?: Record<string, unknown>;
+	/** User's country (from geo) */
+	geo?: {
+		country: string;
+	};
+}
+
+// Cache for JWKS (jose handles key rotation automatically)
+const jwksCache = new Map<string, ReturnType<typeof createRemoteJWKSet>>();
+
+/** Regex to extract CF_Authorization cookie value */
+const CF_AUTHORIZATION_COOKIE_REGEX = /CF_Authorization=([^;]+)/;
+
+/**
+ * Get or create a JWKS client for the given team domain
+ */
+function getJwks(teamDomain: string): ReturnType<typeof createRemoteJWKSet> {
+	let jwks = jwksCache.get(teamDomain);
+	if (!jwks) {
+		const jwksUrl = new URL(`https://${teamDomain}/cdn-cgi/access/certs`);
+		jwks = createRemoteJWKSet(jwksUrl);
+		jwksCache.set(teamDomain, jwks);
+	}
+	return jwks;
+}
+
+/** Default environment variable name for Access audience */
+const DEFAULT_AUDIENCE_ENV_VAR = "CF_ACCESS_AUDIENCE";
+
+/**
+ * Resolve the audience value from config.
+ * Supports direct value or reading from environment variable.
+ */
+function resolveAudience(config: AccessConfig): string {
+	// Direct value takes precedence
+	if (config.audience) {
+		return config.audience;
+	}
+
+	// Read from environment
+	const envVarName = config.audienceEnvVar ?? DEFAULT_AUDIENCE_ENV_VAR;
+	const value = process.env[envVarName];
+
+	if (typeof value === "string" && value) {
+		return value;
+	}
+
+	throw new Error(
+		`Environment variable "${envVarName}" not found or empty. ` +
+			`Set it via wrangler secret, .dev.vars, or environment.`,
+	);
+}
+
+/**
+ * Validate a Cloudflare Access JWT using jose
+ *
+ * @param jwt The JWT string from header or cookie
+ * @param config Access configuration
+ * @returns Decoded and validated JWT payload
+ * @throws Error if validation fails
+ */
+export async function validateAccessJwt(
+	jwt: string,
+	config: AccessConfig,
+): Promise<AccessJwtPayload> {
+	const audience = resolveAudience(config);
+	const issuer = `https://${config.teamDomain}`;
+	const jwks = getJwks(config.teamDomain);
+
+	const { payload } = await jwtVerify<AccessJwtPayload>(jwt, jwks, {
+		issuer,
+		audience,
+		clockTolerance: 60, // 60 seconds clock skew tolerance
+	});
+
+	return payload;
+}
+
+/**
+ * Extract Access JWT from request
+ *
+ * Checks header first (more reliable), then falls back to cookie.
+ *
+ * @param request The incoming request
+ * @returns JWT string or null if not present
+ */
+export function extractAccessJwt(request: Request): string | null {
+	// Try header first (preferred - set by Access on all requests)
+	const headerJwt = request.headers.get("Cf-Access-Jwt-Assertion");
+	if (headerJwt) {
+		return headerJwt;
+	}
+
+	// Fall back to cookie (set in browser)
+	const cookies = request.headers.get("Cookie") || "";
+	const match = cookies.match(CF_AUTHORIZATION_COOKIE_REGEX);
+	return match?.[1] || null;
+}
+
+/**
+ * Fetch full identity from Access (includes groups)
+ *
+ * The JWT itself only contains basic claims. To get groups and other
+ * IdP attributes, we need to call the get-identity endpoint.
+ *
+ * @param jwt The JWT string
+ * @param teamDomain The Access team domain
+ * @returns Full identity including groups
+ */
+export async function getAccessIdentity(jwt: string, teamDomain: string): Promise<AccessIdentity> {
+	const response = await fetch(`https://${teamDomain}/cdn-cgi/access/get-identity`, {
+		headers: {
+			Cookie: `CF_Authorization=${jwt}`,
+		},
+	});
+
+	if (!response.ok) {
+		throw new Error(`Failed to fetch identity: ${response.status}`);
+	}
+
+	return response.json();
+}
+
+/**
+ * Resolve role from IdP groups using roleMapping config
+ *
+ * @param groups User's groups from IdP
+ * @param config Access configuration
+ * @returns Role level (e.g., 50 for Admin, 30 for Editor)
+ */
+export function resolveRoleFromGroups(groups: AccessGroup[], config: AccessConfig): number {
+	const defaultRole = config.defaultRole ?? 30; // Editor
+
+	if (!config.roleMapping) {
+		return defaultRole;
+	}
+
+	// Check each group against mapping (first match wins)
+	for (const group of groups) {
+		const role = config.roleMapping[group.name];
+		if (role !== undefined) {
+			return role;
+		}
+	}
+
+	return defaultRole;
+}
+
+/**
+ * Authenticate a request using Cloudflare Access
+ *
+ * This is the main entry point for Access authentication.
+ * It validates the JWT, fetches the full identity, and resolves the role.
+ *
+ * This function implements the AuthProviderModule.authenticate interface.
+ *
+ * @param request The incoming request
+ * @param config Access configuration (passed from AuthDescriptor)
+ * @returns Authentication result with user info and role
+ * @throws Error if authentication fails
+ */
+function isAccessConfig(value: unknown): value is AccessConfig {
+	return (
+		value != null &&
+		typeof value === "object" &&
+		"teamDomain" in value &&
+		typeof value.teamDomain === "string"
+	);
+}
+
+export async function authenticate(request: Request, config: unknown): Promise<AuthResult> {
+	if (!isAccessConfig(config)) {
+		throw new Error("Invalid Cloudflare Access config: teamDomain is required");
+	}
+	const accessConfig = config;
+
+	// Extract JWT
+	const jwt = extractAccessJwt(request);
+	if (!jwt) {
+		throw new Error("No Access JWT present");
+	}
+
+	// Validate JWT
+	const payload = await validateAccessJwt(jwt, accessConfig);
+
+	// Fetch full identity (includes groups)
+	const identity = await getAccessIdentity(jwt, accessConfig.teamDomain);
+
+	// Resolve role from groups
+	const role = resolveRoleFromGroups(identity.groups, accessConfig);
+
+	// Log identity for debugging
+	console.log(
+		"[cf-access] Identity from Access:",
+		JSON.stringify({
+			email: identity.email,
+			name: identity.name,
+			groups: identity.groups?.map((g) => g.name),
+			idp: identity.idp,
+		}),
+	);
+
+	return {
+		email: identity.email,
+		name: identity.name ?? identity.email.split("@")[0] ?? "Unknown",
+		role,
+		subject: payload.sub,
+		metadata: {
+			groups: identity.groups,
+			idp: identity.idp,
+		},
+	};
+}

package/src/auth/index.ts

@@ -0,0 +1,16 @@
+/**
+ * Cloudflare Access Auth - RUNTIME ENTRY
+ *
+ * This module is loaded at runtime when authenticating requests.
+ * It exports the `authenticate` function required by the auth provider interface.
+ *
+ * For config-time usage, import { access } from "@emdash-cms/cloudflare" instead.
+ */
+
+export { authenticate } from "./cloudflare-access.js";
+export type {
+	AccessConfig,
+	AccessJwtPayload,
+	AccessGroup,
+	AccessIdentity,
+} from "./cloudflare-access.js";