chore: copy ctx.cache design

Signed-off-by: Matt Provost <mprovost@cloudflare.com>

Author: BSFishy

src/workerd/api/global-scope.c++

@@ -65,6 +65,23 @@ void ExecutionContext::passThroughOnException() {
   IoContext::current().setFailOpen();
 }
 
+kj::StringPtr AccessContext::getAud() {
+  JSG_FAIL_REQUIRE(Error, "Access context is not available.");
+}
+
+jsg::Promise<jsg::JsValue> AccessContext::getIdentity(jsg::Lock& js) {
+  JSG_FAIL_REQUIRE(Error, "Access context is not available.");
+}
+
+jsg::Optional<jsg::Ref<AccessContext>> ExecutionContext::getAccess(jsg::Lock& js) {
+  // Hook for the embedding application to provide an AccessContext.
+  // The default Worker::Api implementation returns kj::none.
+  if (IoContext::hasCurrent()) {
+    return Worker::Isolate::from(js).getApi().getCtxAccessProperty(js);
+  }
+  return kj::none;
+}
+
 void ExecutionContext::abort(jsg::Lock& js, jsg::Optional<jsg::Value> reason) {
   KJ_IF_SOME(r, reason) {
     IoContext::current().abort(js.exceptionToKj(kj::mv(r)));

src/workerd/api/global-scope.h

@@ -191,6 +191,30 @@ class TestController: public jsg::Object {
   JSG_RESOURCE_TYPE(TestController) {}
 };
 
+// Base class for the ctx.access object providing Cloudflare Access authentication context.
+// Subclass when embedding to provide an implementation.
+class AccessContext: public jsg::Object {
+ public:
+  // Returns the audience claim from the Access JWT.
+  //
+  // The default implementation throws — only meaningful when overridden by the embedding.
+  virtual kj::StringPtr getAud();
+
+  // Fetches the full identity information for the authenticated user.
+  //
+  // The default implementation throws — only meaningful when overridden by the embedding.
+  virtual jsg::Promise<jsg::JsValue> getIdentity(jsg::Lock& js);
+
+  JSG_RESOURCE_TYPE(AccessContext) {
+    JSG_READONLY_INSTANCE_PROPERTY(aud, getAud);
+    JSG_METHOD(getIdentity);
+    JSG_TS_OVERRIDE(CloudflareAccessContext {
+      readonly aud: string;
+      getIdentity(): Promise<CloudflareAccessIdentity | undefined>;
+    });
+  }
+};
+
 class ExecutionContext: public jsg::Object {
  public:
   ExecutionContext(jsg::Lock& js, jsg::JsValue exports)
@@ -239,24 +263,9 @@ class ExecutionContext: public jsg::Object {
     return js.undefined();
   }
 
-  // Called by the host runtime (edgeworker) to set the Access context for this request.
-  // Must be called before the worker's handler is invoked.
-  //
-  // Unlike other ExecutionContext fields (props, version, exports) which are injected through the
-  // constructor, access uses a post-construction setter because the Access context is assembled by
-  // the host runtime after ExecutionContext construction but before handler invocation. The access
-  // data (audience claim, identity fetcher) originates from the Cloudflare Access integration
-  // pipeline and is not available during ExecutionContext construction in edgeworker.
-  void setAccess(jsg::Lock& js, jsg::JsRef<jsg::JsValue> value) {
-    access = kj::mv(value);
-  }
-
-  jsg::JsValue getAccess(jsg::Lock& js) {
-    KJ_IF_SOME(a, access) {
-      return a.getHandle(js);
-    }
-    return js.undefined();
-  }
+  // Returns an AccessContext for the current request, or empty jsg::Optional otherwise.
+  // Called by the runtime to provide Cloudflare Access authentication context.
+  jsg::Optional<jsg::Ref<AccessContext>> getAccess(jsg::Lock& js);
 
   JSG_RESOURCE_TYPE(ExecutionContext, CompatibilityFlags::Reader flags) {
     JSG_METHOD(waitUntil);
@@ -268,9 +277,7 @@ class ExecutionContext: public jsg::Object {
     if (flags.getEnableVersionApi()) {
       JSG_LAZY_INSTANCE_PROPERTY(version, getVersion);
     }
-    if (flags.getEnableCtxAccess()) {
-      JSG_LAZY_INSTANCE_PROPERTY(access, getAccess);
-    }
+    JSG_LAZY_INSTANCE_PROPERTY(access, getAccess);
 
     if (flags.getWorkerdExperimental()) {
       // TODO(soon): Before making this generally available we need to:
@@ -287,11 +294,6 @@ class ExecutionContext: public jsg::Object {
     }
 
     // TODO(soon): This is getting unwieldy.
-    // Note: `access` is included unconditionally in all TS_OVERRIDE branches (unlike `version`
-    // which is gated by enableVersionApi). This is intentional — adding another conditional would
-    // double the branch count (from 4 to 8). Since `access` is optional (`?`), the type is
-    // correct regardless of whether the flag is enabled (the property will be undefined at runtime
-    // when the flag is off or when setAccess() hasn't been called).
     if (flags.getEnableCtxExports()) {
       if (flags.getEnableVersionApi()) {
         JSG_TS_OVERRIDE(<Props = unknown> {
@@ -336,19 +338,16 @@ class ExecutionContext: public jsg::Object {
   void visitForMemoryInfo(jsg::MemoryTracker& tracker) const {
     tracker.trackField("props", props);
     tracker.trackField("version", version);
-    tracker.trackField("access", access);
   }
 
  private:
   jsg::JsRef<jsg::JsValue> exports;
   jsg::JsRef<jsg::JsValue> props;
   kj::Maybe<jsg::JsRef<jsg::JsValue>> version;
-  kj::Maybe<jsg::JsRef<jsg::JsValue>> access;
 
   void visitForGc(jsg::GcVisitor& visitor) {
     visitor.visit(props);
     visitor.visit(version);
-    visitor.visit(access);
   }
 };
 
@@ -1058,6 +1057,6 @@ class ServiceWorkerGlobalScope: public WorkerGlobalScope {
   api::WorkerGlobalScope, api::ServiceWorkerGlobalScope, api::TestController,                      \
       api::ExecutionContext, api::ExportedHandler,                                                 \
       api::ServiceWorkerGlobalScope::StructuredCloneOptions, api::Navigator,                       \
-      api::AlarmInvocationInfo, api::Immediate, api::Cloudflare
+      api::AlarmInvocationInfo, api::Immediate, api::Cloudflare, api::AccessContext
 // The list of global-scope.h types that are added to worker.c++'s JSG_DECLARE_ISOLATE_TYPE
 }  // namespace workerd::api

src/workerd/api/tests/BUILD.bazel

@@ -124,7 +124,6 @@ wd_test(
 
 wd_test(
     src = "ctx-access-test.wd-test",
-    args = ["--experimental"],
     data = ["ctx-access-test.js"],
 )
 

src/workerd/api/tests/ctx-access-test.js

@@ -6,9 +6,9 @@ import { strictEqual } from 'node:assert';
 
 export const ctxAccessPropertyExists = {
   test(controller, env, ctx) {
-    // When enable_ctx_access is enabled, the property should exist on ctx
-    // (as a lazy instance property), even though its value is undefined
-    // because setAccess() is only called by the host runtime (edgeworker).
+    // The access property is always present on ctx as a lazy instance property.
+    // In standalone workerd (no embedding override), the value is undefined because
+    // the default Worker::Api::getCtxAccessProperty() returns kj::none.
     strictEqual('access' in ctx, true);
     strictEqual(ctx.access, undefined);
   },

src/workerd/api/tests/ctx-access-test.wd-test

@@ -7,7 +7,7 @@ const unitTests :Workerd.Config = (
         modules = [
           (name = "worker", esModule = embed "ctx-access-test.js")
         ],
-        compatibilityFlags = ["nodejs_compat", "experimental", "enable_ctx_access"],
+        compatibilityFlags = ["nodejs_compat"],
       )
     ),
   ],

src/workerd/io/compatibility-date.capnp

@@ -1508,13 +1508,4 @@ struct CompatibilityFlags @0x8f8c1b68151b6cef {
     $compatDisableFlag("resizable_array_buffer_in_blob");
   # When enabled, creating a Blob with a resizable ArrayBuffer will throw a TypeError, matching
   # expected spec behavior.
-
-  enableCtxAccess @174 :Bool
-    $compatEnableFlag("enable_ctx_access")
-    $experimental;
-  # Enables the ctx.access property for Cloudflare Access integration.
-  # When enabled, ctx.access provides Access authentication context including the
-  # matched application audience (AUD) and an identity-fetching function. The value
-  # is set by the host runtime (edgeworker) per-request; in open-source workerd the
-  # property will always be undefined.
 }

src/workerd/io/worker.c++

@@ -520,6 +520,10 @@ kj::Maybe<const Worker::Api&> Worker::Api::tryCurrent() {
   return kj::none;
 }
 
+jsg::Optional<jsg::Ref<api::AccessContext>> Worker::Api::getCtxAccessProperty(jsg::Lock& js) const {
+  return kj::none;
+}
+
 struct Worker::Impl {
   kj::Maybe<jsg::JsContext<api::ServiceWorkerGlobalScope>> context;
 

src/workerd/io/worker.h

@@ -46,6 +46,7 @@ struct CryptoAlgorithm;
 struct QueueExportedHandler;
 class WebSocket;
 class WebSocketRequestResponsePair;
+class AccessContext;
 class ExecutionContext;
 namespace pyodide {
 struct ArtifactBundler_State;
@@ -663,6 +664,10 @@ class Worker::Api {
   virtual jsg::JsObject wrapExecutionContext(
       jsg::Lock& lock, jsg::Ref<api::ExecutionContext> ref) const = 0;
 
+  // Hook for the embedding application to provide an AccessContext for the ctx.access property.
+  // The default implementation returns kj::none (undefined).
+  virtual jsg::Optional<jsg::Ref<api::AccessContext>> getCtxAccessProperty(jsg::Lock& js) const;
+
   virtual const jsg::IsolateObserver& getObserver() const = 0;
   virtual void setIsolateObserver(IsolateObserver&) = 0;
 

types/defines/access.d.ts

@@ -34,24 +34,3 @@ interface CloudflareAccessIdentity extends Record<string, unknown> {
   /** True if the user is authenticated via Cloudflare Gateway. */
   is_gateway?: boolean;
 }
-
-/**
- * Cloudflare Access authentication information for the current request.
- */
-interface CloudflareAccessContext {
-  /**
-   * The audience claim from the Access JWT. This identifies which Access
-   * application the request matched.
-   */
-  readonly aud: string;
-
-  /**
-   * Fetches the full identity information for the authenticated user.
-   * This makes a call to the Access identity service to retrieve extended
-   * user information such as groups, device posture, and identity provider data.
-   *
-   * @returns The subject's identity, if one exists
-   * @throws May throw if the identity service is unreachable or returns an error.
-   */
-  getIdentity(): Promise<CloudflareAccessIdentity | undefined>;
-}

types/generated-snapshot/experimental/index.d.ts

@@ -586,6 +586,10 @@ interface AlarmInvocationInfo {
 interface Cloudflare {
   readonly compatibilityFlags: Record<string, boolean>;
 }
+interface CloudflareAccessContext {
+  readonly aud: string;
+  getIdentity(): Promise<CloudflareAccessIdentity | undefined>;
+}
 declare abstract class ColoLocalActorNamespace {
   get(actorId: string): Fetcher;
 }
@@ -4729,25 +4733,6 @@ interface CloudflareAccessIdentity extends Record<string, unknown> {
   /** True if the user is authenticated via Cloudflare Gateway. */
   is_gateway?: boolean;
 }
-/**
- * Cloudflare Access authentication information for the current request.
- */
-interface CloudflareAccessContext {
-  /**
-   * The audience claim from the Access JWT. This identifies which Access
-   * application the request matched.
-   */
-  readonly aud: string;
-  /**
-   * Fetches the full identity information for the authenticated user.
-   * This makes a call to the Access identity service to retrieve extended
-   * user information such as groups, device posture, and identity provider data.
-   *
-   * @returns The subject's identity, if one exists
-   * @throws May throw if the identity service is unreachable or returns an error.
-   */
-  getIdentity(): Promise<CloudflareAccessIdentity | undefined>;
-}
 // ============ AI Search Error Interfaces ============
 interface AiSearchInternalError extends Error {}
 interface AiSearchNotFoundError extends Error {}