From 3c1b13f49d17c8457a370704a99ecf8ce8993b02 Mon Sep 17 00:00:00 2001 From: Matt Provost Date: Wed, 25 Mar 2026 16:19:06 +0000 Subject: [PATCH 1/2] feat: add AccessContext types Signed-off-by: Matt Provost --- src/workerd/api/global-scope.h | 4 ++++ types/defines/access.d.ts | 23 +++++++++++++++++++ .../experimental/index.d.ts | 22 ++++++++++++++++++ .../generated-snapshot/experimental/index.ts | 22 ++++++++++++++++++ types/generated-snapshot/latest/index.d.ts | 22 ++++++++++++++++++ types/generated-snapshot/latest/index.ts | 22 ++++++++++++++++++ 6 files changed, 115 insertions(+) create mode 100644 types/defines/access.d.ts diff --git a/src/workerd/api/global-scope.h b/src/workerd/api/global-scope.h index ffaf66fac9e..174ea82b827 100644 --- a/src/workerd/api/global-scope.h +++ b/src/workerd/api/global-scope.h @@ -276,11 +276,13 @@ class ExecutionContext: public jsg::Object { readonly key?: string; readonly override?: string; }; + readonly access?: AccessContext; }); } else { JSG_TS_OVERRIDE( { readonly props: Props; readonly exports: Cloudflare.Exports; + readonly access?: AccessContext; }); } } else { @@ -293,10 +295,12 @@ class ExecutionContext: public jsg::Object { readonly key?: string; readonly override?: string; }; + readonly access?: AccessContext; }); } else { JSG_TS_OVERRIDE( { readonly props: Props; + readonly access?: AccessContext; }); } } diff --git a/types/defines/access.d.ts b/types/defines/access.d.ts new file mode 100644 index 00000000000..818d9541baa --- /dev/null +++ b/types/defines/access.d.ts @@ -0,0 +1,23 @@ +/** + * Represents the identity of a user authenticated via Cloudflare Access. + * This matches the result of calling /cdn-cgi/access/get-identity. + */ +type Identity = object; + +/** + * Cloudflare Access authentication information for the current request. + */ +interface AccessContext { + /** + * The audience claim from the Access JWT. This identifies which Access + * application the request matched. + */ + readonly aud: string; + + /** + * Fetches the full identity information for the authenticated user. + * + * @returns The subject's identity, if one exists + */ + getIdentity(): Promise; +} diff --git a/types/generated-snapshot/experimental/index.d.ts b/types/generated-snapshot/experimental/index.d.ts index 72a3d8f7bc6..19087b8b55d 100755 --- a/types/generated-snapshot/experimental/index.d.ts +++ b/types/generated-snapshot/experimental/index.d.ts @@ -501,6 +501,7 @@ interface ExecutionContext { readonly override?: string; }; abort(reason?: any): void; + readonly access?: AccessContext; } type ExportedHandlerFetchHandler< Env = unknown, @@ -4659,6 +4660,27 @@ interface EventCounts { ): void; [Symbol.iterator](): IterableIterator; } +/** + * Represents the identity of a user authenticated via Cloudflare Access. + * This matches the result of calling /cdn-cgi/access/get-identity. + */ +type Identity = object; +/** + * Cloudflare Access authentication information for the current request. + */ +interface AccessContext { + /** + * The audience claim from the Access JWT. This identifies which Access + * application the request matched. + */ + readonly aud: string; + /** + * Fetches the full identity information for the authenticated user. + * + * @returns The subject's identity, if one exists + */ + getIdentity(): Promise; +} // ============ AI Search Error Interfaces ============ interface AiSearchInternalError extends Error {} interface AiSearchNotFoundError extends Error {} diff --git a/types/generated-snapshot/experimental/index.ts b/types/generated-snapshot/experimental/index.ts index 1ba1e4f325b..0be1b6b56c4 100755 --- a/types/generated-snapshot/experimental/index.ts +++ b/types/generated-snapshot/experimental/index.ts @@ -503,6 +503,7 @@ export interface ExecutionContext { readonly override?: string; }; abort(reason?: any): void; + readonly access?: AccessContext; } export type ExportedHandlerFetchHandler< Env = unknown, @@ -4665,6 +4666,27 @@ export interface EventCounts { ): void; [Symbol.iterator](): IterableIterator; } +/** + * Represents the identity of a user authenticated via Cloudflare Access. + * This matches the result of calling /cdn-cgi/access/get-identity. + */ +export type Identity = object; +/** + * Cloudflare Access authentication information for the current request. + */ +export interface AccessContext { + /** + * The audience claim from the Access JWT. This identifies which Access + * application the request matched. + */ + readonly aud: string; + /** + * Fetches the full identity information for the authenticated user. + * + * @returns The subject's identity, if one exists + */ + getIdentity(): Promise; +} // ============ AI Search Error Interfaces ============ export interface AiSearchInternalError extends Error {} export interface AiSearchNotFoundError extends Error {} diff --git a/types/generated-snapshot/latest/index.d.ts b/types/generated-snapshot/latest/index.d.ts index b569c0a3c41..bde751ac14a 100755 --- a/types/generated-snapshot/latest/index.d.ts +++ b/types/generated-snapshot/latest/index.d.ts @@ -479,6 +479,7 @@ interface ExecutionContext { passThroughOnException(): void; readonly exports: Cloudflare.Exports; readonly props: Props; + readonly access?: AccessContext; } type ExportedHandlerFetchHandler< Env = unknown, @@ -3934,6 +3935,27 @@ declare abstract class Performance { */ toJSON(): object; } +/** + * Represents the identity of a user authenticated via Cloudflare Access. + * This matches the result of calling /cdn-cgi/access/get-identity. + */ +type Identity = object; +/** + * Cloudflare Access authentication information for the current request. + */ +interface AccessContext { + /** + * The audience claim from the Access JWT. This identifies which Access + * application the request matched. + */ + readonly aud: string; + /** + * Fetches the full identity information for the authenticated user. + * + * @returns The subject's identity, if one exists + */ + getIdentity(): Promise; +} // ============ AI Search Error Interfaces ============ interface AiSearchInternalError extends Error {} interface AiSearchNotFoundError extends Error {} diff --git a/types/generated-snapshot/latest/index.ts b/types/generated-snapshot/latest/index.ts index f2c4af42220..7f0e65e81ff 100755 --- a/types/generated-snapshot/latest/index.ts +++ b/types/generated-snapshot/latest/index.ts @@ -481,6 +481,7 @@ export interface ExecutionContext { passThroughOnException(): void; readonly exports: Cloudflare.Exports; readonly props: Props; + readonly access?: AccessContext; } export type ExportedHandlerFetchHandler< Env = unknown, @@ -3940,6 +3941,27 @@ export declare abstract class Performance { */ toJSON(): object; } +/** + * Represents the identity of a user authenticated via Cloudflare Access. + * This matches the result of calling /cdn-cgi/access/get-identity. + */ +export type Identity = object; +/** + * Cloudflare Access authentication information for the current request. + */ +export interface AccessContext { + /** + * The audience claim from the Access JWT. This identifies which Access + * application the request matched. + */ + readonly aud: string; + /** + * Fetches the full identity information for the authenticated user. + * + * @returns The subject's identity, if one exists + */ + getIdentity(): Promise; +} // ============ AI Search Error Interfaces ============ export interface AiSearchInternalError extends Error {} export interface AiSearchNotFoundError extends Error {} From 811e3b507aec65bd29ebab9a54d3d8c05151f195 Mon Sep 17 00:00:00 2001 From: Matt Provost Date: Tue, 31 Mar 2026 21:17:13 +0000 Subject: [PATCH 2/2] chore: update names Signed-off-by: Matt Provost --- src/workerd/api/global-scope.h | 8 ++++---- types/defines/access.d.ts | 6 +++--- types/generated-snapshot/experimental/index.d.ts | 8 ++++---- types/generated-snapshot/experimental/index.ts | 8 ++++---- types/generated-snapshot/latest/index.d.ts | 8 ++++---- types/generated-snapshot/latest/index.ts | 8 ++++---- 6 files changed, 23 insertions(+), 23 deletions(-) diff --git a/src/workerd/api/global-scope.h b/src/workerd/api/global-scope.h index 174ea82b827..b8a8aad0656 100644 --- a/src/workerd/api/global-scope.h +++ b/src/workerd/api/global-scope.h @@ -276,13 +276,13 @@ class ExecutionContext: public jsg::Object { readonly key?: string; readonly override?: string; }; - readonly access?: AccessContext; + readonly access?: CloudflareAccessContext; }); } else { JSG_TS_OVERRIDE( { readonly props: Props; readonly exports: Cloudflare.Exports; - readonly access?: AccessContext; + readonly access?: CloudflareAccessContext; }); } } else { @@ -295,12 +295,12 @@ class ExecutionContext: public jsg::Object { readonly key?: string; readonly override?: string; }; - readonly access?: AccessContext; + readonly access?: CloudflareAccessContext; }); } else { JSG_TS_OVERRIDE( { readonly props: Props; - readonly access?: AccessContext; + readonly access?: CloudflareAccessContext; }); } } diff --git a/types/defines/access.d.ts b/types/defines/access.d.ts index 818d9541baa..c7442a09995 100644 --- a/types/defines/access.d.ts +++ b/types/defines/access.d.ts @@ -2,12 +2,12 @@ * Represents the identity of a user authenticated via Cloudflare Access. * This matches the result of calling /cdn-cgi/access/get-identity. */ -type Identity = object; +type CloudflareAccessIdentity = object; /** * Cloudflare Access authentication information for the current request. */ -interface AccessContext { +interface CloudflareAccessContext { /** * The audience claim from the Access JWT. This identifies which Access * application the request matched. @@ -19,5 +19,5 @@ interface AccessContext { * * @returns The subject's identity, if one exists */ - getIdentity(): Promise; + getIdentity(): Promise; } diff --git a/types/generated-snapshot/experimental/index.d.ts b/types/generated-snapshot/experimental/index.d.ts index 19087b8b55d..9645af9fa3d 100755 --- a/types/generated-snapshot/experimental/index.d.ts +++ b/types/generated-snapshot/experimental/index.d.ts @@ -501,7 +501,7 @@ interface ExecutionContext { readonly override?: string; }; abort(reason?: any): void; - readonly access?: AccessContext; + readonly access?: CloudflareAccessContext; } type ExportedHandlerFetchHandler< Env = unknown, @@ -4664,11 +4664,11 @@ interface EventCounts { * Represents the identity of a user authenticated via Cloudflare Access. * This matches the result of calling /cdn-cgi/access/get-identity. */ -type Identity = object; +type CloudflareAccessIdentity = object; /** * Cloudflare Access authentication information for the current request. */ -interface AccessContext { +interface CloudflareAccessContext { /** * The audience claim from the Access JWT. This identifies which Access * application the request matched. @@ -4679,7 +4679,7 @@ interface AccessContext { * * @returns The subject's identity, if one exists */ - getIdentity(): Promise; + getIdentity(): Promise; } // ============ AI Search Error Interfaces ============ interface AiSearchInternalError extends Error {} diff --git a/types/generated-snapshot/experimental/index.ts b/types/generated-snapshot/experimental/index.ts index 0be1b6b56c4..4bc97b80cfa 100755 --- a/types/generated-snapshot/experimental/index.ts +++ b/types/generated-snapshot/experimental/index.ts @@ -503,7 +503,7 @@ export interface ExecutionContext { readonly override?: string; }; abort(reason?: any): void; - readonly access?: AccessContext; + readonly access?: CloudflareAccessContext; } export type ExportedHandlerFetchHandler< Env = unknown, @@ -4670,11 +4670,11 @@ export interface EventCounts { * Represents the identity of a user authenticated via Cloudflare Access. * This matches the result of calling /cdn-cgi/access/get-identity. */ -export type Identity = object; +export type CloudflareAccessIdentity = object; /** * Cloudflare Access authentication information for the current request. */ -export interface AccessContext { +export interface CloudflareAccessContext { /** * The audience claim from the Access JWT. This identifies which Access * application the request matched. @@ -4685,7 +4685,7 @@ export interface AccessContext { * * @returns The subject's identity, if one exists */ - getIdentity(): Promise; + getIdentity(): Promise; } // ============ AI Search Error Interfaces ============ export interface AiSearchInternalError extends Error {} diff --git a/types/generated-snapshot/latest/index.d.ts b/types/generated-snapshot/latest/index.d.ts index bde751ac14a..ebac9cb993b 100755 --- a/types/generated-snapshot/latest/index.d.ts +++ b/types/generated-snapshot/latest/index.d.ts @@ -479,7 +479,7 @@ interface ExecutionContext { passThroughOnException(): void; readonly exports: Cloudflare.Exports; readonly props: Props; - readonly access?: AccessContext; + readonly access?: CloudflareAccessContext; } type ExportedHandlerFetchHandler< Env = unknown, @@ -3939,11 +3939,11 @@ declare abstract class Performance { * Represents the identity of a user authenticated via Cloudflare Access. * This matches the result of calling /cdn-cgi/access/get-identity. */ -type Identity = object; +type CloudflareAccessIdentity = object; /** * Cloudflare Access authentication information for the current request. */ -interface AccessContext { +interface CloudflareAccessContext { /** * The audience claim from the Access JWT. This identifies which Access * application the request matched. @@ -3954,7 +3954,7 @@ interface AccessContext { * * @returns The subject's identity, if one exists */ - getIdentity(): Promise; + getIdentity(): Promise; } // ============ AI Search Error Interfaces ============ interface AiSearchInternalError extends Error {} diff --git a/types/generated-snapshot/latest/index.ts b/types/generated-snapshot/latest/index.ts index 7f0e65e81ff..36703d34067 100755 --- a/types/generated-snapshot/latest/index.ts +++ b/types/generated-snapshot/latest/index.ts @@ -481,7 +481,7 @@ export interface ExecutionContext { passThroughOnException(): void; readonly exports: Cloudflare.Exports; readonly props: Props; - readonly access?: AccessContext; + readonly access?: CloudflareAccessContext; } export type ExportedHandlerFetchHandler< Env = unknown, @@ -3945,11 +3945,11 @@ export declare abstract class Performance { * Represents the identity of a user authenticated via Cloudflare Access. * This matches the result of calling /cdn-cgi/access/get-identity. */ -export type Identity = object; +export type CloudflareAccessIdentity = object; /** * Cloudflare Access authentication information for the current request. */ -export interface AccessContext { +export interface CloudflareAccessContext { /** * The audience claim from the Access JWT. This identifies which Access * application the request matched. @@ -3960,7 +3960,7 @@ export interface AccessContext { * * @returns The subject's identity, if one exists */ - getIdentity(): Promise; + getIdentity(): Promise; } // ============ AI Search Error Interfaces ============ export interface AiSearchInternalError extends Error {}