deps: bump @cloudflare/workers-oauth-provider from 0.3.0 to 0.6.0

[dependabot]

Bumps @cloudflare/workers-oauth-provider from 0.3.0 to 0.6.0.

Release notes

Sourced from @​cloudflare/workers-oauth-provider's releases.

v0.6.0

Minor Changes

• #199 bf7d91e Thanks @​mattzcarey! - Convert OAuthError thrown from tokenExchangeCallback into structured /token responses and convert token storage KV rate limits into retryable OAuth errors.

  Previously, an error thrown from tokenExchangeCallback during the authorization_code or refresh_token grant flows would bubble up as an unhandled exception and be served as 500 Internal Server Error. This forced clients to keep retrying with the same dead refresh token, producing "refresh-token retry storms" against upstream providers.

  The provider now catches OAuthError thrown from the callback (or any code it calls — errors propagate naturally up through deep call stacks) and returns a standard { error, error_description } response with the supplied status code and headers. KV 429 Too Many Requests write failures while issuing tokens are also returned as temporarily_unavailable with Retry-After: 30, so transient storage pressure does not leak Worker 500 responses from the token endpoint.

  import { OAuthError } from '@cloudflare/workers-oauth-provider';
  tokenExchangeCallback: async (options) => {
  if (options.grantType === 'refresh_token') {
  // refreshUpstream may throw OAuthError from any depth.
  return { newProps: await refreshUpstream(options.props) };
  }
  };
  async function refreshUpstream(props) {
  const res = await fetch(/* upstream token endpoint */);
  if (res.status === 401) {
  throw new OAuthError('invalid_grant', {
  description: 'upstream refresh token is invalid',
  });
  }
  if (res.status === 429) {
  throw new OAuthError('temporarily_unavailable', {
  description: 'upstream rate limited',
  statusCode: 429,
  headers: { 'Retry-After': res.headers.get('retry-after') ?? '60' },
  });
  }
  return await res.json();
  }

  OAuthError(code, options) takes:

... (truncated)

Changelog

Sourced from @​cloudflare/workers-oauth-provider's changelog.

0.6.0

Minor Changes

• #199 bf7d91e Thanks @​mattzcarey! - Convert OAuthError thrown from tokenExchangeCallback into structured /token responses and convert token storage KV rate limits into retryable OAuth errors.

  Previously, an error thrown from tokenExchangeCallback during the authorization_code or refresh_token grant flows would bubble up as an unhandled exception and be served as 500 Internal Server Error. This forced clients to keep retrying with the same dead refresh token, producing "refresh-token retry storms" against upstream providers.

  The provider now catches OAuthError thrown from the callback (or any code it calls — errors propagate naturally up through deep call stacks) and returns a standard { error, error_description } response with the supplied status code and headers. KV 429 Too Many Requests write failures while issuing tokens are also returned as temporarily_unavailable with Retry-After: 30, so transient storage pressure does not leak Worker 500 responses from the token endpoint.

  import { OAuthError } from '@cloudflare/workers-oauth-provider';
  tokenExchangeCallback: async (options) => {
  if (options.grantType === 'refresh_token') {
  // refreshUpstream may throw OAuthError from any depth.
  return { newProps: await refreshUpstream(options.props) };
  }
  };
  async function refreshUpstream(props) {
  const res = await fetch(/* upstream token endpoint */);
  if (res.status === 401) {
  throw new OAuthError('invalid_grant', {
  description: 'upstream refresh token is invalid',
  });
  }
  if (res.status === 429) {
  throw new OAuthError('temporarily_unavailable', {
  description: 'upstream rate limited',
  statusCode: 429,
  headers: { 'Retry-After': res.headers.get('retry-after') ?? '60' },
  });
  }
  return await res.json();
  }

  OAuthError(code, options) takes:

... (truncated)

Commits

• 0062d12 Version Packages (#204)
• 2d651d3 build(deps-dev): bump vite from 7.3.0 to 7.3.3 (#202)
• bf7d91e feat: convert OAuthError thrown from tokenExchangeCallback into structured /t...
• 52f36f3 ci: add Semgrep OSS scanning workflow (#197)
• 702fbb8 build(deps-dev): bump postcss from 8.5.6 to 8.5.14 (#200)
• b4bc502 Version Packages (#195)
• 251d641 Prevent unbounded KV namespace growth with TTL defaults, cascade deletes, and...
• 439848c Version Packages (#180)
• 57cdbe9 feat: path-aware resource URIs (RFC 9728) + resourceMatchOriginOnly migration...
• dc350f3 Version Packages (#177)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Superseded by #34.