feat: add Cloudflare OAuth provider#529
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughAdds Cloudflare as an OAuth provider to the library. The implementation covers exported config/type interfaces, an Authorization Code + PKCE event handler, runtime config defaults, an updated ChangesCloudflare OAuth Provider
Sequence DiagramsequenceDiagram
participant Browser
participant H3Handler as defineOAuthCloudflareEventHandler
participant CloudflareAuth as Cloudflare /authorize
participant CloudflareToken as Cloudflare /token
participant CloudflareAPI as Cloudflare /user
Browser->>H3Handler: GET /auth/cloudflare (no code)
H3Handler->>H3Handler: generate state + PKCE verifier/challenge
H3Handler-->>Browser: redirect → Cloudflare /authorize
Browser->>CloudflareAuth: authorize (client_id, code_challenge, scope)
CloudflareAuth-->>Browser: redirect → /auth/cloudflare?code=…&state=…
Browser->>H3Handler: GET /auth/cloudflare?code=…&state=…
H3Handler->>H3Handler: validate state
H3Handler->>CloudflareToken: POST code + code_verifier
CloudflareToken-->>H3Handler: access_token
H3Handler->>CloudflareAPI: GET /user (Bearer token)
CloudflareAPI-->>H3Handler: CloudflareUser
H3Handler-->>Browser: onSuccess → set session, redirect /
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/runtime/server/lib/oauth/cloudflare.ts`:
- Around line 115-117: The Cloudflare OAuth configuration validation incorrectly
requires both clientId and clientSecret to be present, blocking public PKCE-only
clients which don't need a client secret. Modify the validation check at line
115 to only require clientId and remove clientSecret from the required fields
list passed to handleMissingConfiguration. Additionally, update the token
request logic around lines 149-151 where clientSecret is sent to conditionally
include it only when config.clientSecret is present, allowing the request to
proceed without it for public clients using PKCE flow.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: fe3d7928-03f1-4637-add7-805a982e49dc
📒 Files selected for processing (7)
README.mdplayground/app/pages/index.vueplayground/server/routes/auth/cloudflare.get.tsplayground/shared/types/auth.d.tssrc/module.tssrc/runtime/server/lib/oauth/cloudflare.tssrc/runtime/types/oauth-config.ts
Add Cloudflare OAuth provider
Adds a
defineOAuthCloudflareEventHandlerprovider for signing in with a Cloudflare OAuth client, following the existing provider conventions.Files in this PR (following existing patterns as other providers)
src/runtime/server/lib/oauth/cloudflare.tssrc/runtime/types/oauth-config.tssrc/module.ts—runtimeConfig.oauth.cloudflaredefaults (clientId/clientSecret/redirectURL)Usertype entryUsage
Environmnet variables:
Testing
Login succeeds and sub is returned.
Note
A couple of things I noticed while testing
Setting openid is rejected by self-managed clients despite being advertised in /.well-known/openid-configuration. (Don't know if I misread here)
/oauth2/userinforeturns sub plus standard OIDC claims (aud, iss, iat, auth_time, rat). no email/name. Profile data the OAuth access token works against GET/client/v4/userSummary by CodeRabbit
New Features
Documentation
Other Changes