github cloudflare/workers-sdk @cloudflare/workers-auth@0.1.1
on GitHub

4 hours ago

Patch Changes

  • #14121 7539a9b Thanks @petebacondarwin! - Extract the OAuth 2.0 + PKCE flow into a new @cloudflare/workers-auth package.

    The OAuth login / logout / refresh logic, the auth-config TOML file IO, the OAuth token exchange + local callback server, and the Cloudflare Access detection helpers that previously lived in packages/wrangler/src/user/ have moved to the new internal-only @cloudflare/workers-auth package. Wrangler now wires the OAuth flow up via a small glue module that injects its logger, browser opener, interactivity detector, and config cache via a dependency- injection context.

    What stays in wrangler:

    • The yargs login / logout / whoami / auth token commands
    • Environment-based credential resolution (CLOUDFLARE_API_TOKEN, CLOUDFLARE_API_KEY / CLOUDFLARE_EMAIL, etc.)
    • Cloudflare account selection (requireAuth, getOrSelectAccountId)
    • The OAuth scope catalog (passed into the OAuth flow as a generic string[])
    • whoami / account fetching

    No behavior change for end users. The on-disk TOML format and location remain identical, and all telemetry message labels are preserved verbatim.

    @cloudflare/workers-auth is published with prerelease: true and is not intended for external use — its APIs may change without notice.

  • #14170 ea12b58 Thanks @petebacondarwin! - Tighten on-disk permissions of the OAuth credentials file to 0600

    The user auth config file written by wrangler login (typically ~/.config/.wrangler/config/default.toml on Linux/macOS, or <environment>.toml for non-production Cloudflare API environments) is now written with mode 0600 and re-chmod-ed on every save. This prevents other local users on shared hosts from reading the stored OAuth tokens. Existing files with looser permissions written by older Wrangler versions are tightened the next time Wrangler refreshes the token or the user logs in again. The change is a no-op on Windows, which does not honour POSIX mode bits.

  • #14022 acf7817 Thanks @petebacondarwin! - Show the actual OAuth error instead of hanging when wrangler login is rejected by the OAuth provider (for example with invalid_scope).

    Previously, if the OAuth callback returned with an error other than access_denied, Wrangler would never respond to the browser. Because server.close()'s callback only fires once all open connections have ended, the login command would hang until the 120 second OAuth timeout — at which point it would print a generic timeout message rather than the actual OAuth failure. The same gap existed for the case where the OAuth provider redirected back without an authorisation code, and for failures during the auth-code-to-access-token exchange.

    The OAuth provider's error_description (RFC 6749 §4.1.2.1) is now also surfaced, so the message includes the specific reason for the failure rather than just the bare error code. For example, a misconfigured staging scope now surfaces as: 

    OAuth error: invalid_scope
  The OAuth 2.0 Client is not allowed to request scope 'browser:write'.

    instead of hanging silently.

  • Updated dependencies [c6c61b5, b502d54, c4f45e8]:

    • @cloudflare/workers-utils@0.23.0
Check out latest releases or
releases around cloudflare/workers-sdk @cloudflare/workers-auth@0.1.1

Don't miss a new workers-sdk release

NewReleases is sending notifications on new releases.

Get notifications