[miniflare] Warn when remote-bindings requests are blocked by Cloudflare Access#14011

Merged: petebacondarwin merged 2 commits into main from warn-remote-bindings-cf-access-block, May 22, 2026

@petebacondarwin petebacondarwin commented May 22, 2026

Contributor

When wrangler dev uses remote bindings, requests from the local remote-bindings proxy client to the deployed proxy server can be intercepted by Cloudflare Access (e.g. when the workers.dev account is protected and the user hasn't set CLOUDFLARE_ACCESS_CLIENT_ID / CLOUDFLARE_ACCESS_CLIENT_SECRET). Today the resulting HTTP 403 + Cloudflare Access HTML page is returned to user code verbatim with no guidance, which makes the failure mode hard to diagnose.

This change detects the Access block at the proxy client and surfaces a single, actionable warning per dev session pointing the user at the existing Service Token env vars or cloudflared access login.

Design

  • Detection lives inside makeFetch in the remote-bindings proxy CLIENT worker (packages/miniflare/src/workers/shared/remote-bindings-utils.ts). This worker only ever calls the remoteProxyConnectionString, so a 403 + "Cloudflare Access" in the body cannot be confused with a user-worker 403 (e.g. when a user is running wrangler dev --remote against their own worker that legitimately returns 403).
  • The proxy client reports the block to Miniflare via a new /core/remote-bindings-access-warning loopback endpoint (wired in via WORKER_BINDING_SERVICE_LOOPBACK, which remoteProxyClientWorker() now attaches across all ~18 remote-binding plugins automatically).
  • Miniflare dedupes to one warning per instance via a new #warnedRemoteBindingsAccessBlock private flag.
  • The happy path (non-403 response) short-circuits before any body read or loopback call, so there is no measurable latency added on successful requests.

Limitations (deferred)

  • The capnweb RPC/WebSocket path (e.g. env.KV.get('key')) doesn't flow through makeFetch and surfaces failures as opaque connection errors. Detecting Access blocks on the WS upgrade is worth a follow-up.

  • Tests
    • Tests included/updated
    • Automated tests not possible - manual testing has been completed as follows:
    • Additional testing not necessary because:
  • Public documentation
    • Cloudflare docs PR(s):
    • Documentation not necessary because: This is a developer-facing warning surfaced during wrangler dev sessions. The remediation steps in the warning point at existing Cloudflare One Service Tokens documentation; no docs changes are required.

…are Access

When wrangler dev is used with remote bindings and a request from the local
remote-bindings proxy client to the remote workers.dev proxy server is blocked
by Cloudflare Access (HTTP 403 with the Cloudflare Access block page), surface
a single, actionable warning per dev session that points the user at the
CLOUDFLARE_ACCESS_CLIENT_ID / CLOUDFLARE_ACCESS_CLIENT_SECRET env vars or
'cloudflared access login'.

Detection lives in the proxy CLIENT worker (which only ever calls the
remote-bindings proxy URL) so user-worker 403s in --remote dev cannot trigger
false positives. The worker reports the block via a new /core/remote-bindings-
access-warning loopback endpoint; Miniflare dedupes to one warning per
instance via a private flag.

changeset-bot Bot commented May 22, 2026

🦋 Changeset detected

Latest commit: 7ff320c

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 5 packages
Name Type
miniflare Patch
wrangler Patch
@cloudflare/pages-shared Patch
@cloudflare/vite-plugin Patch
@cloudflare/vitest-pool-workers Patch

@github-project-automation github-project-automation Bot moved this to Untriaged in workers-sdk May 22, 2026
@workers-devprod workers-devprod requested review from a team and edmundhung and removed request for a team May 22, 2026 13:04

workers-devprod commented May 22, 2026

Contributor

Codeowners approval required for this PR:

  • ✅ @cloudflare/wrangler

github-actions Bot commented May 22, 2026

Contributor

Changeset Review

✅ All changesets look good

Reviewed Changeset

  • .changeset/warn-when-remote-bindings-blocked-by-access.md

Checks

  1. Version Type: patch is appropriate for this bug fix / UX improvement (better error handling when Cloudflare Access blocks remote bindings).
  2. Changelog Quality: The description is detailed and meaningful. It explains what changed, why it matters, and the scope of the fix.
  3. Markdown Headers: No h1/h2/h3 headers found.
  4. Analytics: No analytics changes.
  5. Dependabot: N/A.
  6. Experimental features: N/A.

@devin-ai-integration devin-ai-integration Bot left a comment

Contributor

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 4 additional findings.

ask-bonk Bot commented May 22, 2026

Contributor

UnknownError: ProviderInitError

ask-bonk Bot commented May 22, 2026

Contributor

@petebacondarwin Bonk workflow failed. Check the logs for details.

pkg-pr-new Bot commented May 22, 2026

create-cloudflare

npm i https://pkg.pr.new/create-cloudflare@14011

@cloudflare/kv-asset-handler

npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@14011

miniflare

npm i https://pkg.pr.new/miniflare@14011

@cloudflare/pages-shared

npm i https://pkg.pr.new/@cloudflare/pages-shared@14011

@cloudflare/unenv-preset

npm i https://pkg.pr.new/@cloudflare/unenv-preset@14011

@cloudflare/vite-plugin

npm i https://pkg.pr.new/@cloudflare/vite-plugin@14011

@cloudflare/vitest-pool-workers

npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@14011

@cloudflare/workers-editor-shared

npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@14011

@cloudflare/workers-utils

npm i https://pkg.pr.new/@cloudflare/workers-utils@14011

wrangler

npm i https://pkg.pr.new/wrangler@14011

commit: 7ff320c

@workers-devprod workers-devprod left a comment

Contributor

Codeowners reviews satisfied

@github-project-automation github-project-automation Bot moved this from Untriaged to Approved in workers-sdk May 22, 2026
… the HTML body

- Visual formatting: the warning is now bracketed by box-drawing separator
  lines, with a bold yellow heading and bold-emphasised env-var names and
  remediation commands. This stops it being drowned out by the binding
  error / stack trace lines that follow.

- Replace the original Cloudflare Access HTML body with a readable
  plain-text body containing the same actionable guidance. This means:
    * Bindings whose error parser propagates the upstream body (e.g.
      AI: 'InferenceUpstreamError: ...') now surface the remediation
      steps in the error message instead of just 'Error - Cloudflare
      Access' or a chunk of HTML.
    * Service-binding .fetch() callers that pipe the response straight
      back to a browser see the same guidance there.

The first line of the substituted body is a self-contained 'headline' so
error-parsers that only show the first line still surface the key info.
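
An added sketch (not code from this pull request or from miniflare) of the flow that the description and the two commit messages outline: short-circuit on non-403, match the "Cloudflare Access" marker, warn once per instance, and substitute a plain-text body whose first line is a headline. All type, class and function names, the guidance wording, and the synchronous `readBody` thunk standing in for an asynchronous body read are assumptions.

```typescript
// Added illustration; every name here is hypothetical, not miniflare's code.
interface ProxyResponse {
	status: number;
	readBody: () => string; // lazy, so the happy path never touches the body
}

const ACCESS_MARKER = "Cloudflare Access";

// Constructed guidance text. The first line is a self-contained headline for
// error parsers that only surface the first line of an upstream body.
const GUIDANCE = [
	"Remote bindings request blocked by Cloudflare Access (HTTP 403).",
	"Set CLOUDFLARE_ACCESS_CLIENT_ID and CLOUDFLARE_ACCESS_CLIENT_SECRET,",
	"or run `cloudflared access login`.",
].join("\n");

// Stands in for the loopback report plus the per-instance dedupe flag.
class AccessBlockReporter {
	private warned = false;
	readonly warnings: string[] = [];

	report(): void {
		if (this.warned) return; // one warning per dev session
		this.warned = true;
		this.warnings.push(GUIDANCE);
	}
}

function handleProxyResponse(
	res: ProxyResponse,
	reporter: AccessBlockReporter
): ProxyResponse {
	// Happy path: non-403 responses pass through untouched, body unread.
	if (res.status !== 403) return res;

	const body = res.readBody();
	// Assumption: a 403 without the Access marker is returned unchanged.
	if (body.indexOf(ACCESS_MARKER) === -1) {
		return { status: 403, readBody: () => body };
	}

	reporter.report();
	// Assumption: the status stays 403; only the HTML body is replaced.
	return { status: 403, readBody: () => GUIDANCE };
}
```
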
@petebacondarwin petebacondarwin enabled auto-merge (squash) May 22, 2026 14:35
@petebacondarwin petebacondarwin merged commit 420e457 into main May 22, 2026
61 of 63 checks passed
@petebacondarwin petebacondarwin deleted the warn-remote-bindings-cf-access-block branch May 22, 2026 14:46
@github-project-automation github-project-automation Bot moved this from Approved to Done in workers-sdk May 22, 2026