MCP Server Template for Cloudflare Workers

# Session State **Current Phase**: Complete - All Phase 3 work done **Current Stage**: Complete **Last Checkpoint**: 72229d6 (2026-01-04) **Planning Docs**: `docs/BETTER_AUTH_ARCHITECTURE.md`, `docs/MODULAR_PLATFORM_CONCEPT.md` --- ## Phase 1: Multi-Layer Auth Directory Structure ✅ **Completed**: 2026-01-02 | **Checkpoint**: c87441c **Summary**: Created modular auth architecture with identity/backend separation ## Phase 2: Multi-Provider Identity Authentication ✅ **Completed**: 2026-01-02 | **Checkpoint**: c87441c **Summary**: Added Microsoft Entra and GitHub OAuth providers (now superseded by better-auth) ## Phase 3a: better-auth Core Setup ✅ **Completed**: 2026-01-02 | **Checkpoint**: 221fd5b **Summary**: Replaced DIY OAuth with better-auth - D1 database, Drizzle ORM, social login (Google/Microsoft/GitHub) Files created: - `src/lib/auth.ts` - better-auth configuration with OAuth Provider plugin - `src/lib/db/` - Drizzle ORM setup with D1 - `src/lib/db/schema.ts` - Complete better-auth schema + custom tables - `src/pages/login.ts` - Social login page with provider buttons - `migrations/0001_*.sql` through `0003_*.sql` - D1 migrations ## Phase 3b: MCP OAuth Integration ✅ **Completed**: 2026-01-03 | **Checkpoint**: 8cfe5ea **Summary**: Integrated better-auth with workers-oauth-provider for MCP clients ### Key Changes - `src/oauth/better-auth-handler.ts` - OAuth routes using better-auth sessions - `src/oauth/workers-oauth-utils.ts` - Dark theme approval dialog, formatClientId() - Added `jwks` table for better-auth v1.4.0 JWT key rotation ### Bugs Fixed 1. **Social sign-in 404** - better-auth requires JSON POST, not form-urlencoded 2. **Unknown Client display** - Added formatClientId() for UUID client IDs 3. **redirect_uri_mismatch** - Updated Google callback to `/api/auth/callback/google` 4. **JWKS table missing** - Added schema + migration for better-auth v1.4.0 ### Testing Status | Flow | Status | Notes | |------|--------|-------| | Google OAuth → MCP Client | ✅ | Full flow verified with Claude Code | | Admin Dashboard Login | ✅ | Via better-auth session | | Approval Dialog | ✅ | Dark theme, shows "MCP Client" | --- ## Architecture Overview ``` better-auth (L1: Identity) ├── Social Providers (Google, Microsoft, GitHub) │ └── /api/auth/sign-in/social → /api/auth/callback/{provider} │ ├── workers-oauth-provider (MCP OAuth) │ ├── /authorize → Approval dialog │ ├── POST /authorize → Store state, redirect to /login │ ├── /login → better-auth social login │ └── /mcp-auth-complete → Complete MCP auth with session │ └── Admin Dashboard └── /admin → Requires better-auth session + ADMIN_EMAILS check Layer 2: Shared Services (Admin-configured) ├── shared_service table - Admin OAuth connections ├── MCP Tool: list_calendar_events (uses admin token) └── Admin UI: /admin/services/:id Layer 3: User Services (Per-user connections) ├── user_service_token table - User OAuth connections ├── MCP Tool: list_my_calendar_events (uses user token) └── User UI: /dashboard/services/connect ``` ## Environment Configuration ```jsonc // Required secrets: // GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET // BETTER_AUTH_SECRET (for session encryption) // COOKIE_ENCRYPTION_KEY (for approved clients cookie) // Optional (for alternative providers): // MICROSOFT_CLIENT_ID, MICROSOFT_CLIENT_SECRET, MICROSOFT_TENANT_ID // GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET // Admin access: // ADMIN_EMAILS (comma-separated) ``` --- ## Phase 3c: Admin Features ✅ **Completed**: 2026-01-03 | **Checkpoint**: 615ea30 **Summary**: User management UI with list, search, role changes, ban/unban, impersonation ## Phase 3d: API Keys ✅ **Completed**: 2026-01-03 | **Checkpoint**: e3a79b8 **Summary**: better-auth apiKey plugin for programmatic MCP access ## Phase 3e: Organizations ✅ **Completed**: 2026-01-03 | **Checkpoint**: e3a79b8 **Summary**: Multi-tenant organization support with better-auth organization plugin ### Key Changes - `src/lib/auth.ts` - Added organization plugin with owner/admin/member roles - `src/lib/db/schema.ts` - Added organization, member, invitation, team, teamMember tables - `src/admin/routes.ts` - Organization CRUD, members, invite endpoints - `src/admin/ui.ts` - Organizations section with create/manage modal - `migrations/0006_organization_support.sql` - Organization tables - `migrations/0007_fix_organization_updated_at.sql` - Nullable updated_at fix ### API Endpoints | Endpoint | Method | Description | |----------|--------|-------------| | `/api/admin/organizations` | GET | List user's organizations | | `/api/admin/organizations` | POST | Create organization | | `/api/admin/organizations/:id/members` | GET | List org members | | `/api/admin/organizations/:id/invite` | POST | Invite member | | `/api/admin/organizations/:id` | DELETE | Delete organization | ### Bugs Fixed 1. **NOT NULL constraint on updated_at** - better-auth inserts `null` on create, fixed with migration 0007 2. **Double-nested members response** - `listMembers` returns `{members: [...]}`, was wrapping again ### Testing Verified - ✅ Organization creation works - ✅ Organizations list displays correctly - ✅ Members modal shows count and user list - ✅ Owner role displays in modal --- ## Phase 3f: Layer 2 - Shared Services ✅ **Completed**: 2026-01-03 | **Checkpoint**: 221fd5b **Summary**: Admin-configurable shared services with encrypted storage and interactive OAuth ### Key Changes - `shared_services` D1 table for storing service configs - AES-GCM encryption for secrets (`src/lib/crypto.ts`) - Admin UI: Services section with create/edit/delete modals - Interactive OAuth flow: Authorize button → popup → callback → token storage - Support for API key, OAuth, and Service Account types ### API Endpoints | Endpoint | Method | Description | |----------|--------|-------------| | `/api/admin/services` | GET | List all shared services | | `/api/admin/services` | POST | Create new service | | `/api/admin/services/:id` | GET | Get service details (masked) | | `/api/admin/services/:id` | PUT | Update service config | | `/api/admin/services/:id` | DELETE | Delete service | | `/api/admin/services/:id/authorize` | POST | Start OAuth flow | | `/api/admin/services/:id/disconnect` | POST | Revoke OAuth connection | | `/api/admin/services/callback` | GET | OAuth callback handler | --- ## Phase 3g: Layer 3 - User Services ✅ **Completed**: 2026-01-03 | **Checkpoint**: 1e53a7b **Summary**: User service connections with OAuth flow and token refresh **Progress**: - [x] `user_service_token` table exists in schema - [x] User dashboard route (/dashboard) - [x] User dashboard UI with profile and service cards - [x] Service connection modal (lists OAuth shared services) - [x] OAuth flow for user service connections - [x] Token refresh automation (`src/lib/user-services.ts`) - [x] Test with real Google Calendar connection ### Bugs Fixed 1. **Route collision** - OAuth callback at `/api/admin/services/callback` returned "Service not found" because it was defined AFTER `/:id` route. Moved static routes before dynamic routes. 2. **Closure capture bug** - OAuth popup completion handler used stale `currentServiceId` (captured by reference). Fixed by capturing value at call time. ### Next Session Notes - **UI Enhancement**: Consider replacing service modals with dedicated pages (`/admin/services/:id`) for cleaner UX **Key Files**: - `src/index.ts` - Dashboard route handler - `src/pages/dashboard.ts` - Dashboard HTML/JS - `src/dashboard/routes.ts` - Dashboard API routes - `src/lib/user-services.ts` - Token management utilities ### API Endpoints | Endpoint | Method | Description | |----------|--------|-------------| | `/api/dashboard/services` | GET | List user's connected services | | `/api/dashboard/services/available` | GET | List OAuth services available to connect | | `/api/dashboard/services/connect` | POST | Start OAuth flow for user service | | `/api/dashboard/services/:id` | DELETE | Disconnect a user service | | `/api/dashboard/services/callback` | GET | OAuth callback handler | --- ## Phase 3h: Cleanup + Testing ✅ **Completed**: 2026-01-04 | **Checkpoint**: 72229d6 **Summary**: Converted modals to pages, created Layer 2/3 calendar tools, verified all OAuth flows **Tasks Completed**: - [x] Replace admin service modals with dedicated page (`/admin/services/:id`) - [x] Replace user dashboard modals with dedicated page (`/dashboard/services/connect`) - [x] Add "Connected as: email" display for authorized services - [x] Create Layer 2 MCP tool (`list_calendar_events` using shared service token) - [x] Create Layer 3 MCP tool (`list_my_calendar_events` using user service token) - [x] Comprehensive test of admin + user OAuth flows **New Files**: - `src/pages/admin-service-detail.ts` - Full admin service detail page - `src/pages/dashboard-connect-service.ts` - User service connection page - `src/tools/calendar.ts` - Calendar tools for Layer 2 & Layer 3 - `src/lib/shared-services.ts` - Shared service token utilities --- ## Known Issues None ## Next Action Template is feature-complete. Ready for use as starting point for new MCP server projects. ## Future Enhancements - Consider adding more OAuth providers (Slack, Notion, etc.) - Add service usage analytics dashboard - Implement webhook support for real-time updates ## Key Files - `src/lib/auth.ts` - better-auth configuration - `src/lib/db/schema.ts` - Drizzle schema (better-auth + custom tables) - `src/lib/shared-services.ts` - Layer 2 shared service utilities - `src/lib/user-services.ts` - Layer 3 user service utilities - `src/oauth/better-auth-handler.ts` - MCP OAuth routes - `src/pages/login.ts` - Social login page - `src/pages/admin-service-detail.ts` - Admin service configuration page - `src/pages/dashboard-connect-service.ts` - User service connection page - `src/tools/calendar.ts` - Calendar MCP tools (Layer 2 + 3) - `docs/BETTER_AUTH_ARCHITECTURE.md` - Full architecture plan