Skip to content

Add OAuth 2.1 /internal endpoint (Sentry SSO via Cloudflare Access)#2

Open
sergical wants to merge 6 commits into
chore/pnpmfrom
feat/oauth-cowork
Open

Add OAuth 2.1 /internal endpoint (Sentry SSO via Cloudflare Access)#2
sergical wants to merge 6 commits into
chore/pnpmfrom
feat/oauth-cowork

Conversation

@sergical

@sergical sergical commented Apr 10, 2026

Copy link
Copy Markdown
Member

Stacked on #6 (the Bun→pnpm migration). Review/merge #6 first; GitHub will retarget this to main automatically. This PR's diff is OAuth + hardening only.

What this introduces

Today the Worker exposes a single endpoint, /mcp — bring-your-own-key, each caller passes their own Plausible API key as a Bearer token.

This adds a second endpoint, /internal, an OAuth 2.1 server for managed connectors (Cowork, Claude.ai) that can't send a custom header. /mcp is unchanged.

How /internal differs from the existing /mcp model

  • The Worker runs its own OAuth 2.1 server (@cloudflare/workers-oauth-provider) and federates login to Cloudflare Access as the upstream OIDC provider (Sentry Google SSO).
  • Only @sentry.io identities are admitted; queries run against one shared, server-side Plausible key, so connector users never handle a key (vs. /mcp where the user's own key is the credential).
  • Identity is verified by reusing the Access id_token JWKS validator (cf-access.ts).

Security posture of the new auth surface

  • RS256-only token validation (alg-confusion guard); case-insensitive @sentry.io gate
  • S256-only PKCE (plain disabled)
  • Token lifetimes bounded — access 1h, refresh 24h — so access can't be reused long after offboarding
  • No plaintext PII in the unencrypted grant store: the OAuth userId is a hash and no email is stored in metadata; the email lives only in the encrypted props, used for Sentry attribution
  • CIMD (URL client_ids) enabled with DCR /register kept as fallback; global_fetch_strictly_public set (CIMD requirement + SSRF guard)
  • Sentry: sendDefaultPii: false, and Authorization / cookie / Cf-Access-Jwt-Assertion scrubbed from spans
  • Per-IP rate limiting and security headers (HSTS, X-Frame-Options, etc.) on all responses
  • Discovery + token endpoints (/.well-known/*, /authorize, /token, /register) are served publicly by the Worker — Access is the upstream IdP, not a proxy in front, so connector OAuth discovery isn't blocked

Other effects on the codebase

  • Worker files (worker.ts, env.ts, access-handler.ts, workers-oauth-utils.ts) are now type-checked via pnpm typecheck (tsconfig.worker.json); previously transpiled without type-checking.
  • @modelcontextprotocol/sdk pinned to 1.28.0 so it resolves to a single copy (matching agents@0.8.7), required for the worker type-check.

Requires before deploy (Cloudflare dashboard, not code)

Register the Access OIDC app (app-specific CF_ACCESS_AUD, @sentry.io SSO policy), create OAUTH_KV, set the secrets listed in the README, then run the end-to-end Cowork connect test.

Verification

Worker type-check + pnpm build clean · 68 tests pass · CI green.

@sergical sergical marked this pull request as ready for review April 10, 2026 23:32
Comment thread wrangler.toml Outdated
Comment thread src/auth-handler.ts Outdated
Comment thread src/worker.ts Outdated
Comment thread src/worker.ts Outdated
@sergical sergical changed the title Add OAuth 2.1 for Cowork connector support Replace custom OAuth with Cloudflare Access for /internal auth May 25, 2026
@sergical sergical force-pushed the feat/oauth-cowork branch from 532c54f to 59f8e3f Compare May 25, 2026 20:30
@sergical sergical changed the title Replace custom OAuth with Cloudflare Access for /internal auth Add Cloudflare Access auth for /internal and harden Sentry config May 25, 2026
Comment thread src/worker.ts Outdated
Comment thread src/worker.ts Outdated
@sergical sergical force-pushed the feat/oauth-cowork branch from 59f8e3f to c32fa9e Compare May 25, 2026 20:33
Comment thread src/worker.ts Outdated
@sergical sergical force-pushed the feat/oauth-cowork branch from c32fa9e to da1ebe0 Compare May 25, 2026 20:37
Comment thread src/cf-access.ts Outdated
Comment thread src/worker.ts Outdated
@sergical sergical force-pushed the feat/oauth-cowork branch from da1ebe0 to d05ca83 Compare May 25, 2026 20:47
Comment thread src/cf-access.ts Outdated
@sergical sergical force-pushed the feat/oauth-cowork branch from d05ca83 to bf7b33e Compare May 25, 2026 20:55
Comment thread src/cf-access.ts Outdated
Comment thread src/cf-access.ts Outdated
Comment thread .gitignore Outdated
@sergical sergical force-pushed the feat/oauth-cowork branch from bf7b33e to 391f7af Compare May 25, 2026 22:45
Comment thread src/cf-access.ts Outdated
@sergical sergical force-pushed the feat/oauth-cowork branch from 391f7af to 86b69f3 Compare May 26, 2026 02:15
Comment thread src/cf-access.ts
@sergical sergical force-pushed the feat/oauth-cowork branch 2 times, most recently from 8b9b7f9 to b22eb5b Compare May 26, 2026 14:22
Comment thread src/cf-access.ts
@sergical sergical force-pushed the feat/oauth-cowork branch from b22eb5b to d53c4d2 Compare May 26, 2026 14:59
Comment thread src/worker.ts Outdated
@sergical sergical force-pushed the feat/oauth-cowork branch from d53c4d2 to 2c5b563 Compare May 26, 2026 16:34
@sergical sergical changed the title Add Cloudflare Access auth for /internal and harden Sentry config Add OAuth 2.1 /internal endpoint (Sentry SSO via Cloudflare Access) + pnpm Jun 13, 2026
Comment thread src/cf-access.ts
Comment thread src/access-handler.ts
Comment thread src/worker.ts
@sergical sergical force-pushed the feat/oauth-cowork branch from 3178cb9 to 5a58292 Compare June 13, 2026 00:50
@sergical sergical force-pushed the feat/oauth-cowork branch from 5a58292 to 4a2cf5c Compare June 13, 2026 00:53
Comment thread src/access-handler.ts
@sergical sergical changed the title Add OAuth 2.1 /internal endpoint (Sentry SSO via Cloudflare Access) + pnpm Add OAuth 2.1 /internal endpoint (Sentry SSO via Cloudflare Access) Jun 13, 2026
Adds a second Worker endpoint, /internal, an OAuth 2.1 server for managed
connectors (Cowork, Claude.ai) that can't send a custom Authorization header.
/mcp (bring-your-own-key) is unchanged.

- /internal runs @cloudflare/workers-oauth-provider and federates login to
  Cloudflare Access (Sentry Google SSO). Only @sentry.io identities are
  admitted; queries use one shared server-side Plausible key.
- Access id_token verified via JWKS (cf-access.ts): RS256-only, case-insensitive
  @sentry.io check.
- OAuth 2.1 hardening: S256-only PKCE; access 1h / refresh 24h TTLs (offboarding);
  no plaintext PII in the unencrypted grant store (hashed userId, no email
  metadata — email lives only in encrypted props for Sentry attribution);
  CIMD enabled with DCR /register fallback; global_fetch_strictly_public flag.
- Sentry: sendDefaultPii false; Authorization/cookie/Cf-Access-Jwt-Assertion
  scrubbed from spans. Per-IP rate limiting + security headers on all responses.
- Worker files now type-checked via tsconfig.worker.json (`pnpm typecheck`).
- @modelcontextprotocol/sdk pinned to 1.28.0 so it resolves to a single copy
  (matches agents@0.8.7), required for the worker type-check.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@sergical sergical force-pushed the feat/oauth-cowork branch from 4a2cf5c to 21ca53c Compare June 15, 2026 13:10
@sergical sergical changed the base branch from main to chore/pnpm June 15, 2026 13:10
- Validate redirect_uri against the registered client in POST /authorize so a
  tampered round-tripped oauthReqInfo can't exfiltrate the auth code
- Pin accepted Host(s) before deriving redirect_uri from request.url
- Fail closed in verifyCloudflareAccessJwt: malformed tokens/JWKS errors now
  return null (403) instead of throwing (500)
- Require a well-formed `Bearer <key>` Authorization header on /mcp
- Add tests for the JWT verifier fail-closed path and the access-handler
  redirect_uri validation + host guard

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Comment thread src/worker.ts
Reconstructing the Response in corsResponse can collapse repeated Set-Cookie
headers on some runtimes, which would drop one of the two cookies the POST
/authorize redirect sets (approved-client + CSRF-clear). Re-apply them
individually from the original response. Flagged by Sentry review.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Want reviews to match your repository better? Bugbot Learning can learn team-specific rules from PR activity. A team admin can enable Learning in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 057ee0c. Configure here.

Comment thread src/access-handler.ts
The hardcoded host allowlist blocked self-hosted deploys (README registers
Access against <your-worker-host>/callback). Gate the authorize/callback host
check on an optional SERVICE_HOSTNAME env var instead: enforced when set
(prod pins plausible-mcp.sentry.dev via wrangler.toml [vars]), skipped when
unset so custom hosts work. localhost always allowed for wrangler dev.
Flagged by Cursor Bugbot.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Comment thread src/cf-access.ts
…y.io (SEC-1266)

The @sentry.io check in cf-access.ts was hardcoded, so a self-hosted deploy
couldn't admit its own users even with a matching Cloudflare Access policy —
and that wasn't documented. Gate on ALLOWED_EMAIL_DOMAIN instead (comma-
separated, defaults to sentry.io so the hosted deploy stays Sentry-only and
self-hosters fail closed until configured). Also supports multiple domains
(e.g. contractors). Document that the hosted /internal is Sentry-only and how
to self-host for another org.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Comment thread src/workers-oauth-utils.ts
Comment thread src/cf-access.ts
…hash (SEC-1266)

- GET /authorize: wrap renderApprovalDialog so a non-ASCII client-supplied
  state (btoa DOMException) returns 400 instead of an uncaught 500
- /callback: hash the lowercased email for the OAuth userId so mixed-case
  emails from the IdP map to one stable grant record
- Test for the non-ASCII /authorize path

Both flagged by Sentry review.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant