Skip to content

fix: read OAuth env from cloudflare workers runtime#1482

Open
richardjoo wants to merge 10 commits into
emdash-cms:mainfrom
richardjoo:upstream/fix-oauth-env-cloudflare-v6
Open

fix: read OAuth env from cloudflare workers runtime#1482
richardjoo wants to merge 10 commits into
emdash-cms:mainfrom
richardjoo:upstream/fix-oauth-env-cloudflare-v6

Conversation

@richardjoo

@richardjoo richardjoo commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

What does this PR do?

Fixes OAuth login on Cloudflare Workers/Astro v6 by stopping the OAuth routes from reading provider secrets from the removed Astro.locals.runtime.env path. Instead, the routes read runtime bindings from cloudflare:workers when available and fall back to import.meta.env elsewhere.

Closes #

Type of change

  • Bug fix
  • Feature (requires maintainer-approved Discussion)
  • Refactor (no behavior change)
  • Translation
  • Documentation
  • Performance improvement
  • Tests
  • Chore (dependencies, CI, tooling)

Checklist

  • I have read CONTRIBUTING.md
  • pnpm --filter emdash typecheck passes
  • pnpm lint passes
  • pnpm test passes (or targeted tests for my change)
  • pnpm format has been run
  • I have added/updated tests for my changes (if applicable)
  • User-visible strings in the admin UI are wrapped for translation (if applicable). Do not include messages.po changes except in translation PRs — a workflow extracts catalogs on merge to main.
  • I have added a changeset (if this PR changes a published package)
  • New features link to an approved Discussion: https://github.com/emdash-cms/emdash/discussions/...

Notes:

  • This is intentionally narrow and only addresses the OAuth env lookup path.
  • The issue was reproduced on a Cloudflare Workers deployment where /_emdash/api/auth/oauth/github failed at runtime with: Astro.locals.runtime.env has been removed in Astro v6.
  • Targeted package validation run: pnpm --filter emdash typecheck.

AI-generated code disclosure

  • This PR includes AI-generated code — model/tool: GPT-5.4 / OpenCode

Screenshots / test output

  • Verified the fix by patching the published package in a real Cloudflare deployment and confirming /_emdash/api/auth/oauth/github now redirects correctly to GitHub OAuth instead of failing back to the local login page.

Copilot AI review requested due to automatic review settings June 15, 2026 05:06
@changeset-bot

changeset-bot Bot commented Jun 15, 2026

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: a52df8c

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 16 packages
Name Type
emdash Patch
@emdash-cms/cloudflare Patch
@emdash-cms/sandbox-workerd Patch
@emdash-cms/fixture-perf-site Patch
@emdash-cms/perf-demo-site Patch
@emdash-cms/cache-demo-site Patch
@emdash-cms/do-demo-site Patch
@emdash-cms/do-solo-demo-site Patch
@emdash-cms/admin Patch
@emdash-cms/auth Patch
@emdash-cms/blocks Patch
@emdash-cms/gutenberg-to-portable-text Patch
@emdash-cms/x402 Patch
create-emdash Patch
@emdash-cms/auth-atproto Patch
@emdash-cms/plugin-embeds Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@github-actions github-actions Bot added review/needs-review No maintainer or bot review yet area/core size/S labels Jun 15, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds a shared helper to resolve OAuth provider environment bindings across Astro adapters (Cloudflare Workers vs Node), replacing prior locals.runtime.env usage removed in Astro v6.

Changes:

  • Introduces getOAuthEnv() to read Cloudflare bindings via cloudflare:workers with fallback to import.meta.env
  • Updates OAuth authorize and callback API routes to use getOAuthEnv() instead of locals.runtime.env
  • Removes repeated locals/env-casting logic from route handlers

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File Description
packages/core/src/auth/oauth-env.ts New helper to resolve env/bindings across Cloudflare Workers and non-Cloudflare runtimes
packages/core/src/astro/routes/api/auth/oauth/[provider]/callback.ts Switches env lookup to getOAuthEnv() for provider config resolution
packages/core/src/astro/routes/api/auth/oauth/[provider].ts Switches env lookup to getOAuthEnv() for provider config resolution

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread packages/core/src/auth/oauth-env.ts Outdated
Comment on lines +9 to +12
try {
// @ts-ignore - runtime-only Cloudflare Workers virtual module
const { env } = await import("cloudflare:workers");
return env as Record<string, unknown>;
Comment thread packages/core/src/auth/oauth-env.ts Outdated
Comment on lines +10 to +11
// @ts-ignore - runtime-only Cloudflare Workers virtual module
const { env } = await import("cloudflare:workers");
Comment thread packages/core/src/auth/oauth-env.ts Outdated
Comment on lines +13 to +15
} catch {
return import.meta.env as Record<string, unknown>;
}
@pkg-pr-new

pkg-pr-new Bot commented Jun 15, 2026

Copy link
Copy Markdown

Open in StackBlitz

@emdash-cms/admin

npm i https://pkg.pr.new/@emdash-cms/admin@1482

@emdash-cms/auth

npm i https://pkg.pr.new/@emdash-cms/auth@1482

@emdash-cms/auth-atproto

npm i https://pkg.pr.new/@emdash-cms/auth-atproto@1482

@emdash-cms/blocks

npm i https://pkg.pr.new/@emdash-cms/blocks@1482

@emdash-cms/cloudflare

npm i https://pkg.pr.new/@emdash-cms/cloudflare@1482

@emdash-cms/contentful-to-portable-text

npm i https://pkg.pr.new/@emdash-cms/contentful-to-portable-text@1482

emdash

npm i https://pkg.pr.new/emdash@1482

create-emdash

npm i https://pkg.pr.new/create-emdash@1482

@emdash-cms/gutenberg-to-portable-text

npm i https://pkg.pr.new/@emdash-cms/gutenberg-to-portable-text@1482

@emdash-cms/plugin-cli

npm i https://pkg.pr.new/@emdash-cms/plugin-cli@1482

@emdash-cms/plugin-types

npm i https://pkg.pr.new/@emdash-cms/plugin-types@1482

@emdash-cms/registry-client

npm i https://pkg.pr.new/@emdash-cms/registry-client@1482

@emdash-cms/registry-lexicons

npm i https://pkg.pr.new/@emdash-cms/registry-lexicons@1482

@emdash-cms/sandbox-workerd

npm i https://pkg.pr.new/@emdash-cms/sandbox-workerd@1482

@emdash-cms/x402

npm i https://pkg.pr.new/@emdash-cms/x402@1482

@emdash-cms/plugin-ai-moderation

npm i https://pkg.pr.new/@emdash-cms/plugin-ai-moderation@1482

@emdash-cms/plugin-atproto

npm i https://pkg.pr.new/@emdash-cms/plugin-atproto@1482

@emdash-cms/plugin-audit-log

npm i https://pkg.pr.new/@emdash-cms/plugin-audit-log@1482

@emdash-cms/plugin-color

npm i https://pkg.pr.new/@emdash-cms/plugin-color@1482

@emdash-cms/plugin-embeds

npm i https://pkg.pr.new/@emdash-cms/plugin-embeds@1482

@emdash-cms/plugin-field-kit

npm i https://pkg.pr.new/@emdash-cms/plugin-field-kit@1482

@emdash-cms/plugin-forms

npm i https://pkg.pr.new/@emdash-cms/plugin-forms@1482

@emdash-cms/plugin-webhook-notifier

npm i https://pkg.pr.new/@emdash-cms/plugin-webhook-notifier@1482

commit: a52df8c

@emdashbot emdashbot Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The approach is correct: switching from locals.runtime.env to the cloudflare:workers virtual module with an import.meta.env fallback is exactly what AGENTS.md recommends and matches the pattern already used elsewhere in the repo (e.g., packages/plugins/ai-moderation/src/guard.ts). The change is appropriately narrow.

However, there are two AGENTS.md convention gaps that need addressing before merge:

  1. Missing changesetpackages/core is a published package, and bug fixes require a changeset per CONTRIBUTING.md/AGENTS.md.
  2. Missing test — AGENTS.md requires TDD for bugs (Failing test -> fix -> verify. A bug without a reproducing test is not fixed.). A unit test for getOAuthEnv verifying the fallback behavior should be added. Even a minimal Vitest test that mocks the cloudflare:workers module (or verifies the catch path when the dynamic import fails) would satisfy the convention.

@@ -0,0 +1,16 @@
/**

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[needs fixing] This file adds a new helper used by OAuth routes, but the PR includes no test for it. AGENTS.md requires TDD for bugs: "Failing test -> fix -> verify. A bug without a reproducing test is not fixed." Add at least a minimal unit test that verifies getOAuthEnv falls back to import.meta.env when the cloudflare:workers dynamic import throws. Vitest supports module-level mocking via vi.mock or temporal import interception for this.

@@ -0,0 +1,16 @@
/**

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[needs fixing] The PR changes a published package (packages/core) but does not include a changeset. Per AGENTS.md: "A changeset is release notes a user reads while upgrading... lead with a present-tense verb (Fixes, Adds, Updates, Removes), describe the observable effect, and leave out internal mechanics." Add a changeset describing the fix for Cloudflare Workers OAuth login.

@github-actions

Copy link
Copy Markdown
Contributor

Overlapping PRs

This PR modifies files that are also changed by other open PRs:

This may cause merge conflicts or duplicated work. A maintainer will coordinate.

@github-actions github-actions Bot added review/awaiting-author Reviewed; waiting on the author to respond size/M review/needs-rereview Author pushed changes since the last review and removed review/needs-review No maintainer or bot review yet size/S review/awaiting-author Reviewed; waiting on the author to respond labels Jun 15, 2026
richardjoo and others added 5 commits June 18, 2026 14:19
Astro v6 removed the Cloudflare-specific locals.runtime.env path. Read OAuth provider secrets from cloudflare:workers when available and fall back to import.meta.env elsewhere so GitHub/Google login can start correctly on Workers deployments.
Address the minimal review feedback for the OAuth runtime fix by making the dynamic Cloudflare import bundler-safe, narrowing the fallback path, adding a focused unit test, and adding the required patch changeset.
Keep the Cloudflare runtime import path dynamic while avoiding the last unsafe assertion called out by lint/review feedback.
@richardjoo richardjoo force-pushed the upstream/fix-oauth-env-cloudflare-v6 branch from 734656b to 9756538 Compare June 18, 2026 20:25
@Cocodrulo

Copy link
Copy Markdown

we need a fix for this

@richardjoo

richardjoo commented Jul 1, 2026

Copy link
Copy Markdown
Contributor Author

Checked the current branch state on this PR: the earlier review asks are now covered.

  • added a unit test for the OAuth env helper (packages/core/tests/unit/auth/oauth-env.test.ts)
  • added a changeset for the published package fix (.changeset/bright-socks-taste.md)
  • hardened the helper so the cloudflare:workers path stays out of non-Cloudflare bundles and only falls back to import.meta.env when the Cloudflare module is unavailable

The current PR checks on the branch are green from what I can see.

If there is still a specific issue you are seeing, could you point to the exact failure mode or log? That would make it much easier to verify whether there is another edge case left to fix.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants