chore: address comments

BSFishy · BSFishy · commit 88c585f01fc6 · 2026-04-08T13:29:45.000Z
Signed-off-by: Matt Provost &lt;mprovost@cloudflare.com&gt;
diff --git a/src/workerd/api/global-scope.h b/src/workerd/api/global-scope.h
@@ -239,8 +239,14 @@ class ExecutionContext: public jsg::Object {
     return js.undefined();
   }
 
-  // Called by the host runtime to set the Access context for this request.
+  // Called by the host runtime (edgeworker) to set the Access context for this request.
   // Must be called before the worker's handler is invoked.
+  //
+  // Unlike other ExecutionContext fields (props, version, exports) which are injected through the
+  // constructor, access uses a post-construction setter because the Access context is assembled by
+  // the host runtime after ExecutionContext construction but before handler invocation. The access
+  // data (audience claim, identity fetcher) originates from the Cloudflare Access integration
+  // pipeline and is not available during ExecutionContext construction in edgeworker.
   void setAccess(jsg::Lock& js, jsg::JsRef<jsg::JsValue> value) {
     access = kj::mv(value);
   }
@@ -281,6 +287,11 @@ class ExecutionContext: public jsg::Object {
     }
 
     // TODO(soon): This is getting unwieldy.
+    // Note: `access` is included unconditionally in all TS_OVERRIDE branches (unlike `version`
+    // which is gated by enableVersionApi). This is intentional — adding another conditional would
+    // double the branch count (from 4 to 8). Since `access` is optional (`?`), the type is
+    // correct regardless of whether the flag is enabled (the property will be undefined at runtime
+    // when the flag is off or when setAccess() hasn't been called).
     if (flags.getEnableCtxExports()) {
       if (flags.getEnableVersionApi()) {
         JSG_TS_OVERRIDE(<Props = unknown> {
diff --git a/src/workerd/api/tests/BUILD.bazel b/src/workerd/api/tests/BUILD.bazel
@@ -122,6 +122,12 @@ wd_test(
     args = ["--experimental"],
 )
 
+wd_test(
+    src = "ctx-access-test.wd-test",
+    args = ["--experimental"],
+    data = ["ctx-access-test.js"],
+)
+
 wd_test(
     src = "cache-test.wd-test",
     args = ["--experimental"],
diff --git a/src/workerd/api/tests/ctx-access-test.js b/src/workerd/api/tests/ctx-access-test.js
@@ -0,0 +1,11 @@
+import { strictEqual } from 'node:assert';
+
+export const ctxAccessPropertyExists = {
+  test(controller, env, ctx) {
+    // When enable_ctx_access is enabled, the property should exist on ctx
+    // (as a lazy instance property), even though its value is undefined
+    // because setAccess() is only called by the host runtime (edgeworker).
+    strictEqual('access' in ctx, true);
+    strictEqual(ctx.access, undefined);
+  },
+};
diff --git a/src/workerd/api/tests/ctx-access-test.wd-test b/src/workerd/api/tests/ctx-access-test.wd-test
@@ -0,0 +1,14 @@
+using Workerd = import "/workerd/workerd.capnp";
+
+const unitTests :Workerd.Config = (
+  services = [
+    ( name = "ctx-access-test",
+      worker = (
+        modules = [
+          (name = "worker", esModule = embed "ctx-access-test.js")
+        ],
+        compatibilityFlags = ["nodejs_compat", "experimental", "enable_ctx_access"],
+      )
+    ),
+  ],
+);
diff --git a/types/defines/access.d.ts b/types/defines/access.d.ts
@@ -1,8 +1,39 @@
 /**
  * Represents the identity of a user authenticated via Cloudflare Access.
  * This matches the result of calling /cdn-cgi/access/get-identity.
+ *
+ * The exact structure of the returned object depends on the identity provider
+ * configuration for the Access application. The fields below represent commonly
+ * available properties, but additional provider-specific fields may be present.
  */
-type CloudflareAccessIdentity = object;
+interface CloudflareAccessIdentity extends Record<string, unknown> {
+  /** The user's email address, if available from the identity provider. */
+  email?: string;
+  /** The user's display name. */
+  name?: string;
+  /** The user's unique identifier. */
+  user_uuid?: string;
+  /** The Cloudflare account ID. */
+  account_id?: string;
+  /** Login timestamp (Unix epoch seconds). */
+  iat?: number;
+  /** The user's IP address at authentication time. */
+  ip?: string;
+  /** Authentication methods used (e.g., "pwd"). */
+  amr?: string[];
+  /** Identity provider information. */
+  idp?: { id: string; type: string };
+  /** Geographic information about where the user authenticated. */
+  geo?: { country: string };
+  /** Group memberships from the identity provider. */
+  groups?: Array<{ id: string; name: string; email?: string }>;
+  /** Device posture check results, keyed by check ID. */
+  devicePosture?: Record<string, unknown>;
+  /** True if the user connected via Cloudflare WARP. */
+  is_warp?: boolean;
+  /** True if the user is authenticated via Cloudflare Gateway. */
+  is_gateway?: boolean;
+}
 
 /**
  * Cloudflare Access authentication information for the current request.
@@ -16,8 +47,11 @@ interface CloudflareAccessContext {
 
   /**
    * Fetches the full identity information for the authenticated user.
+   * This makes a call to the Access identity service to retrieve extended
+   * user information such as groups, device posture, and identity provider data.
    *
    * @returns The subject's identity, if one exists
+   * @throws May throw if the identity service is unreachable or returns an error.
    */
   getIdentity(): Promise<CloudflareAccessIdentity | undefined>;
 }
diff --git a/types/generated-snapshot/experimental/index.d.ts b/types/generated-snapshot/experimental/index.d.ts
@@ -500,8 +500,8 @@ interface ExecutionContext<Props = unknown> {
     readonly key?: string;
     readonly override?: string;
   };
-  abort(reason?: any): void;
   readonly access?: CloudflareAccessContext;
+  abort(reason?: any): void;
 }
 type ExportedHandlerFetchHandler<
   Env = unknown,
@@ -4687,8 +4687,48 @@ interface EventCounts {
 /**
  * Represents the identity of a user authenticated via Cloudflare Access.
  * This matches the result of calling /cdn-cgi/access/get-identity.
- */
-type CloudflareAccessIdentity = object;
+ *
+ * The exact structure of the returned object depends on the identity provider
+ * configuration for the Access application. The fields below represent commonly
+ * available properties, but additional provider-specific fields may be present.
+ */
+interface CloudflareAccessIdentity extends Record<string, unknown> {
+  /** The user's email address, if available from the identity provider. */
+  email?: string;
+  /** The user's display name. */
+  name?: string;
+  /** The user's unique identifier. */
+  user_uuid?: string;
+  /** The Cloudflare account ID. */
+  account_id?: string;
+  /** Login timestamp (Unix epoch seconds). */
+  iat?: number;
+  /** The user's IP address at authentication time. */
+  ip?: string;
+  /** Authentication methods used (e.g., "pwd"). */
+  amr?: string[];
+  /** Identity provider information. */
+  idp?: {
+    id: string;
+    type: string;
+  };
+  /** Geographic information about where the user authenticated. */
+  geo?: {
+    country: string;
+  };
+  /** Group memberships from the identity provider. */
+  groups?: Array<{
+    id: string;
+    name: string;
+    email?: string;
+  }>;
+  /** Device posture check results, keyed by check ID. */
+  devicePosture?: Record<string, unknown>;
+  /** True if the user connected via Cloudflare WARP. */
+  is_warp?: boolean;
+  /** True if the user is authenticated via Cloudflare Gateway. */
+  is_gateway?: boolean;
+}
 /**
  * Cloudflare Access authentication information for the current request.
  */
@@ -4700,8 +4740,11 @@ interface CloudflareAccessContext {
   readonly aud: string;
   /**
    * Fetches the full identity information for the authenticated user.
+   * This makes a call to the Access identity service to retrieve extended
+   * user information such as groups, device posture, and identity provider data.
    *
    * @returns The subject's identity, if one exists
+   * @throws May throw if the identity service is unreachable or returns an error.
    */
   getIdentity(): Promise<CloudflareAccessIdentity | undefined>;
 }
diff --git a/types/generated-snapshot/experimental/index.ts b/types/generated-snapshot/experimental/index.ts
@@ -502,8 +502,8 @@ export interface ExecutionContext<Props = unknown> {
     readonly key?: string;
     readonly override?: string;
   };
-  abort(reason?: any): void;
   readonly access?: CloudflareAccessContext;
+  abort(reason?: any): void;
 }
 export type ExportedHandlerFetchHandler<
   Env = unknown,
@@ -4693,8 +4693,48 @@ export interface EventCounts {
 /**
  * Represents the identity of a user authenticated via Cloudflare Access.
  * This matches the result of calling /cdn-cgi/access/get-identity.
- */
-export type CloudflareAccessIdentity = object;
+ *
+ * The exact structure of the returned object depends on the identity provider
+ * configuration for the Access application. The fields below represent commonly
+ * available properties, but additional provider-specific fields may be present.
+ */
+export interface CloudflareAccessIdentity extends Record<string, unknown> {
+  /** The user's email address, if available from the identity provider. */
+  email?: string;
+  /** The user's display name. */
+  name?: string;
+  /** The user's unique identifier. */
+  user_uuid?: string;
+  /** The Cloudflare account ID. */
+  account_id?: string;
+  /** Login timestamp (Unix epoch seconds). */
+  iat?: number;
+  /** The user's IP address at authentication time. */
+  ip?: string;
+  /** Authentication methods used (e.g., "pwd"). */
+  amr?: string[];
+  /** Identity provider information. */
+  idp?: {
+    id: string;
+    type: string;
+  };
+  /** Geographic information about where the user authenticated. */
+  geo?: {
+    country: string;
+  };
+  /** Group memberships from the identity provider. */
+  groups?: Array<{
+    id: string;
+    name: string;
+    email?: string;
+  }>;
+  /** Device posture check results, keyed by check ID. */
+  devicePosture?: Record<string, unknown>;
+  /** True if the user connected via Cloudflare WARP. */
+  is_warp?: boolean;
+  /** True if the user is authenticated via Cloudflare Gateway. */
+  is_gateway?: boolean;
+}
 /**
  * Cloudflare Access authentication information for the current request.
  */
@@ -4706,8 +4746,11 @@ export interface CloudflareAccessContext {
   readonly aud: string;
   /**
    * Fetches the full identity information for the authenticated user.
+   * This makes a call to the Access identity service to retrieve extended
+   * user information such as groups, device posture, and identity provider data.
    *
    * @returns The subject's identity, if one exists
+   * @throws May throw if the identity service is unreachable or returns an error.
    */
   getIdentity(): Promise<CloudflareAccessIdentity | undefined>;
 }
diff --git a/types/generated-snapshot/latest/index.d.ts b/types/generated-snapshot/latest/index.d.ts
@@ -3995,8 +3995,48 @@ declare abstract class Performance {
 /**
  * Represents the identity of a user authenticated via Cloudflare Access.
  * This matches the result of calling /cdn-cgi/access/get-identity.
+ *
+ * The exact structure of the returned object depends on the identity provider
+ * configuration for the Access application. The fields below represent commonly
+ * available properties, but additional provider-specific fields may be present.
  */
-type CloudflareAccessIdentity = object;
+interface CloudflareAccessIdentity extends Record<string, unknown> {
+  /** The user's email address, if available from the identity provider. */
+  email?: string;
+  /** The user's display name. */
+  name?: string;
+  /** The user's unique identifier. */
+  user_uuid?: string;
+  /** The Cloudflare account ID. */
+  account_id?: string;
+  /** Login timestamp (Unix epoch seconds). */
+  iat?: number;
+  /** The user's IP address at authentication time. */
+  ip?: string;
+  /** Authentication methods used (e.g., "pwd"). */
+  amr?: string[];
+  /** Identity provider information. */
+  idp?: {
+    id: string;
+    type: string;
+  };
+  /** Geographic information about where the user authenticated. */
+  geo?: {
+    country: string;
+  };
+  /** Group memberships from the identity provider. */
+  groups?: Array<{
+    id: string;
+    name: string;
+    email?: string;
+  }>;
+  /** Device posture check results, keyed by check ID. */
+  devicePosture?: Record<string, unknown>;
+  /** True if the user connected via Cloudflare WARP. */
+  is_warp?: boolean;
+  /** True if the user is authenticated via Cloudflare Gateway. */
+  is_gateway?: boolean;
+}
 /**
  * Cloudflare Access authentication information for the current request.
  */
@@ -4008,8 +4048,11 @@ interface CloudflareAccessContext {
   readonly aud: string;
   /**
    * Fetches the full identity information for the authenticated user.
+   * This makes a call to the Access identity service to retrieve extended
+   * user information such as groups, device posture, and identity provider data.
    *
    * @returns The subject's identity, if one exists
+   * @throws May throw if the identity service is unreachable or returns an error.
    */
   getIdentity(): Promise<CloudflareAccessIdentity | undefined>;
 }
diff --git a/types/generated-snapshot/latest/index.ts b/types/generated-snapshot/latest/index.ts
@@ -4001,8 +4001,48 @@ export declare abstract class Performance {
 /**
  * Represents the identity of a user authenticated via Cloudflare Access.
  * This matches the result of calling /cdn-cgi/access/get-identity.
+ *
+ * The exact structure of the returned object depends on the identity provider
+ * configuration for the Access application. The fields below represent commonly
+ * available properties, but additional provider-specific fields may be present.
  */
-export type CloudflareAccessIdentity = object;
+export interface CloudflareAccessIdentity extends Record<string, unknown> {
+  /** The user's email address, if available from the identity provider. */
+  email?: string;
+  /** The user's display name. */
+  name?: string;
+  /** The user's unique identifier. */
+  user_uuid?: string;
+  /** The Cloudflare account ID. */
+  account_id?: string;
+  /** Login timestamp (Unix epoch seconds). */
+  iat?: number;
+  /** The user's IP address at authentication time. */
+  ip?: string;
+  /** Authentication methods used (e.g., "pwd"). */
+  amr?: string[];
+  /** Identity provider information. */
+  idp?: {
+    id: string;
+    type: string;
+  };
+  /** Geographic information about where the user authenticated. */
+  geo?: {
+    country: string;
+  };
+  /** Group memberships from the identity provider. */
+  groups?: Array<{
+    id: string;
+    name: string;
+    email?: string;
+  }>;
+  /** Device posture check results, keyed by check ID. */
+  devicePosture?: Record<string, unknown>;
+  /** True if the user connected via Cloudflare WARP. */
+  is_warp?: boolean;
+  /** True if the user is authenticated via Cloudflare Gateway. */
+  is_gateway?: boolean;
+}
 /**
  * Cloudflare Access authentication information for the current request.
  */
@@ -4014,8 +4054,11 @@ export interface CloudflareAccessContext {
   readonly aud: string;
   /**
    * Fetches the full identity information for the authenticated user.
+   * This makes a call to the Access identity service to retrieve extended
+   * user information such as groups, device posture, and identity provider data.
    *
    * @returns The subject's identity, if one exists
+   * @throws May throw if the identity service is unreachable or returns an error.
    */
   getIdentity(): Promise<CloudflareAccessIdentity | undefined>;
 }
