[miniflare] Warn when remote-bindings requests are blocked by Cloudflare Access#14011
Merged
Merged
Conversation
…are Access When wrangler dev is used with remote bindings and a request from the local remote-bindings proxy client to the remote workers.dev proxy server is blocked by Cloudflare Access (HTTP 403 with the Cloudflare Access block page), surface a single, actionable warning per dev session that points the user at the CLOUDFLARE_ACCESS_CLIENT_ID / CLOUDFLARE_ACCESS_CLIENT_SECRET env vars or 'cloudflared access login'. Detection lives in the proxy CLIENT worker (which only ever calls the remote-bindings proxy URL) so user-worker 403s in --remote dev cannot trigger false positives. The worker reports the block via a new /core/remote-bindings- access-warning loopback endpoint; Miniflare dedupes to one warning per instance via a private flag.
🦋 Changeset detectedLatest commit: 7ff320c The changes in this PR will be included in the next version bump. This PR includes changesets to release 5 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
Contributor
|
Codeowners approval required for this PR:
Show detailed file reviewers |
Contributor
Changeset Review✅ All changesets look good Reviewed Changeset
Checks
|
Contributor
|
UnknownError: ProviderInitError |
Contributor
|
@petebacondarwin Bonk workflow failed. Check the logs for details. View workflow run · To retry, trigger Bonk again. |
create-cloudflare
@cloudflare/kv-asset-handler
miniflare
@cloudflare/pages-shared
@cloudflare/unenv-preset
@cloudflare/vite-plugin
@cloudflare/vitest-pool-workers
@cloudflare/workers-editor-shared
@cloudflare/workers-utils
wrangler
commit: |
ascorbic
approved these changes
May 22, 2026
workers-devprod
approved these changes
May 22, 2026
workers-devprod
left a comment
Contributor
There was a problem hiding this comment.
Codeowners reviews satisfied
… the HTML body
- Visual formatting: the warning is now bracketed by box-drawing separator
lines, with a bold yellow heading and bold-emphasised env-var names and
remediation commands. This stops it being drowned out by the binding
error / stack trace lines that follow.
- Replace the original Cloudflare Access HTML body with a readable
plain-text body containing the same actionable guidance. This means:
* Bindings whose error parser propagates the upstream body (e.g.
AI: 'InferenceUpstreamError: ...') now surface the remediation
steps in the error message instead of just 'Error - Cloudflare
Access' or a chunk of HTML.
* Service-binding .fetch() callers that pipe the response straight
back to a browser see the same guidance there.
The first line of the substituted body is a self-contained 'headline' so
error-parsers that only show the first line still surface the key info.
emily-shen
approved these changes
May 22, 2026
Merged
penalosa
pushed a commit
that referenced
this pull request
May 28, 2026
2 tasks
2 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
When
wrangler devuses remote bindings, requests from the local remote-bindings proxy client to the deployed proxy server can be intercepted by Cloudflare Access (e.g. when the workers.dev account is protected and the user hasn't setCLOUDFLARE_ACCESS_CLIENT_ID/CLOUDFLARE_ACCESS_CLIENT_SECRET). Today the resulting HTTP 403 + Cloudflare Access HTML page is returned to user code verbatim with no guidance, which makes the failure mode hard to diagnose.This change detects the Access block at the proxy client and surfaces a single, actionable warning per dev session pointing the user at the existing Service Token env vars or
cloudflared access login.Design
makeFetchin the remote-bindings proxy CLIENT worker (packages/miniflare/src/workers/shared/remote-bindings-utils.ts). This worker only ever calls theremoteProxyConnectionString, so a403+"Cloudflare Access"in the body cannot be confused with a user-worker 403 (e.g. when a user is runningwrangler dev --remoteagainst their own worker that legitimately returns 403)./core/remote-bindings-access-warningloopback endpoint (wired in viaWORKER_BINDING_SERVICE_LOOPBACK, whichremoteProxyClientWorker()now attaches across all ~18 remote-binding plugins automatically).#warnedRemoteBindingsAccessBlockprivate flag.Limitations (deferred)
env.KV.get('key')) doesn't flow throughmakeFetchand surfaces failures as opaque connection errors. Detecting Access blocks on the WS upgrade is worth a follow-up.wrangler devsessions. The remediation steps in the warning point at existing Cloudflare One Service Tokens documentation; no docs changes are required.