feat(cloudflare-access): Add support to read JWT from Cookie (#1001)

JoaquinGimenez1 · web-flow · commit 69c3983d2073 · 2025-03-05T09:20:59.000+09:00
diff --git a/.changeset/sixty-geese-knock.md b/.changeset/sixty-geese-knock.md
@@ -0,0 +1,5 @@
+---
+'@hono/cloudflare-access': minor
+---
+
+Add support to read JWT from Cookie
diff --git a/packages/cloudflare-access/src/index.test.ts b/packages/cloudflare-access/src/index.test.ts
@@ -229,6 +229,22 @@ describe('Cloudflare Access middleware', async () => {
     expect(await res.text()).toBe('foo')
   })
 
+  it('Should work when sending jwt as a Cookie', async () => {
+    const token = generateJWT(keyPair1.privateKey, {
+      sub: '1234567890',
+      iss: 'https://my-cool-team-name.cloudflareaccess.com',
+    })
+
+    const res = await app.request('http://localhost/hello-behind-access', {
+      headers: {
+        Cookie: `CF_Authorization=${token}`,
+      },
+    })
+    expect(res).not.toBeNull()
+    expect(res.status).toBe(200)
+    expect(await res.text()).toBe('foo')
+  })
+
   it('Should work with tokens signed by the 2º key in the public keys list', async () => {
     const token = generateJWT(keyPair2.privateKey, {
       sub: '1234567890',
@@ -279,7 +295,7 @@ describe('Cloudflare Access middleware', async () => {
     expect(res).not.toBeNull()
     expect(res.status).toBe(500)
     expect(await res.json()).toEqual({
-      err: 'Error: Authentication error: The Access Organization \'my-cool-team-name\' does not exist',
+      err: "Error: Authentication error: The Access Organization 'my-cool-team-name' does not exist",
     })
   })
 
diff --git a/packages/cloudflare-access/src/index.ts b/packages/cloudflare-access/src/index.ts
@@ -1,4 +1,5 @@
 import type { Context } from 'hono'
+import { getCookie } from 'hono/cookie';
 import { createMiddleware } from 'hono/factory'
 import { HTTPException } from 'hono/http-exception'
 
@@ -133,11 +134,11 @@ async function getPublicKeys(accessTeamName: string) {
 }
 
 function getJwt(c: Context) {
-  const authHeader = c.req.header('cf-access-jwt-assertion')
-  if (!authHeader) {
+  const jwt = c.req.header('cf-access-jwt-assertion') ?? getCookie(c, 'CF_Authorization')
+  if (!jwt) {
     return null
   }
-  return authHeader.trim()
+  return jwt.trim()
 }
 
 function decodeJwt(token: string): DecodedToken {

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`import type { Context } from 'hono'`
	`2`	`+import { getCookie } from 'hono/cookie';`
`2`	`3`	`import { createMiddleware } from 'hono/factory'`
`3`	`4`	`import { HTTPException } from 'hono/http-exception'`
`4`	`5`
`@@ -133,11 +134,11 @@ async function getPublicKeys(accessTeamName: string) {`
`133`	`134`	`}`
`134`	`135`
`135`	`136`	`function getJwt(c: Context) {`
`136`		`- const authHeader = c.req.header('cf-access-jwt-assertion')`
`137`		`- if (!authHeader) {`
	`137`	`+ const jwt = c.req.header('cf-access-jwt-assertion') ?? getCookie(c, 'CF_Authorization')`
	`138`	`+ if (!jwt) {`
`138`	`139`	`return null`
`139`	`140`	`}`
`140`		`- return authHeader.trim()`
	`141`	`+ return jwt.trim()`
`141`	`142`	`}`
`142`	`143`
`143`	`144`	`function decodeJwt(token: string): DecodedToken {`