feat: Add Cloudflare Access middleware (honojs#880)

.changeset/sharp-moles-knock.md

@@ -0,0 +1,5 @@
+---
+'@hono/cloudflare-access': minor
+---
+
+Initial release

.github/workflows/ci-cloudflare-access.yml

@@ -0,0 +1,25 @@
+name: ci-cloudflare-access
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'packages/cloudflare-access/**'
+  pull_request:
+    branches: ['*']
+    paths:
+      - 'packages/cloudflare-access/**'
+
+jobs:
+  ci:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./packages/cloudflare-access
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20.x
+      - run: yarn install --frozen-lockfile
+      - run: yarn build
+      - run: yarn test

package.json

@@ -40,6 +40,7 @@
     "build:casbin": "yarn workspace @hono/casbin build",
     "build:ajv-validator": "yarn workspace @hono/ajv-validator build",
     "build:tsyringe": "yarn workspace @hono/tsyringe build",
+    "build:cloudflare-access": "yarn workspace @hono/cloudflare-access build",
     "build": "run-p 'build:*'",
     "lint": "eslint 'packages/**/*.{ts,tsx}'",
     "lint:fix": "eslint --fix 'packages/**/*.{ts,tsx}'",

packages/cloudflare-access/README.md

@@ -0,0 +1,65 @@
+# Cloudflare Access middleware for Hono
+
+This is a [Cloudflare Access](https://www.cloudflare.com/zero-trust/products/access/) third-party middleware
+for [Hono](https://github.com/honojs/hono).
+
+This middleware can be used to validate that your application is being served behind Cloudflare Access by verifying the
+JWT received, User details from the JWT are also available inside the request context.
+
+This middleware will also ensure the Access policy serving the application is from a
+specific [Access Team](https://developers.cloudflare.com/cloudflare-one/faq/getting-started-faq/#whats-a-team-domainteam-name).
+
+## Usage
+
+```ts
+import { cloudflareAccess } from '@hono/cloudflare-access'
+import { Hono } from 'hono'
+
+const app = new Hono()
+
+app.use('*', cloudflareAccess('my-access-team-name'))
+app.get('/', (c) => c.text('foo'))
+
+export default app
+```
+
+## Access JWT payload
+
+```ts
+import { cloudflareAccess, CloudflareAccessVariables } from '@hono/cloudflare-access'
+import { Hono } from 'hono'
+
+type myVariables = {
+  user: number
+}
+
+const app = new Hono<{ Variables: myVariables & CloudflareAccessVariables }>()
+
+app.use('*', cloudflareAccess('my-access-team-name'))
+app.get('/', (c) => {
+  const payload = c.get('accessPayload')
+
+  return c.text(`You just authenticated with the email ${payload.email}`)
+})
+
+export default app
+```
+
+
+## Errors throw by the middleware
+
+| Error                                                                                                  | HTTP Code |
+|--------------------------------------------------------------------------------------------------------|-----------|
+| Authentication error: Missing bearer token                                                             | 401       |
+| Authentication error: Unable to decode Bearer token                                                    | 401       |
+| Authentication error: Token is expired                                                                 | 401       |
+| Authentication error: Expected team name {your-team-name}, but received ${different-team-signed-token} | 401       |
+| Authentication error: Invalid Token                                                                    | 401       |
+
+## Author
+
+Gabriel Massadas <https://github.com/g4brym>
+
+## License
+
+MIT

packages/cloudflare-access/package.json

@@ -0,0 +1,47 @@
+{
+  "name": "@hono/cloudflare-access",
+  "version": "0.0.0",
+  "description": "A third-party Cloudflare Access auth middleware for Hono",
+  "type": "module",
+  "module": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "test": "vitest --run",
+    "build": "tsup ./src/index.ts --format esm,cjs --dts",
+    "publint": "publint",
+    "release": "yarn build && yarn test && yarn publint && yarn publish"
+  },
+  "exports": {
+    ".": {
+      "import": {
+        "types": "./dist/index.d.ts",
+        "default": "./dist/index.js"
+      },
+      "require": {
+        "types": "./dist/index.d.cts",
+        "default": "./dist/index.cjs"
+      }
+    }
+  },
+  "license": "MIT",
+  "publishConfig": {
+    "registry": "https://registry.npmjs.org",
+    "access": "public"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/honojs/middleware.git"
+  },
+  "homepage": "https://github.com/honojs/middleware",
+  "peerDependencies": {
+    "hono": "*"
+  },
+  "devDependencies": {
+    "hono": "^4.4.12",
+    "tsup": "^8.1.0",
+    "vitest": "^1.6.0"
+  }
+}