
Worker flow

Implementation: apps/cosmos/digital-services/workers/auth-gateway.js, image-optimizer.js, and wrangler.*.toml.

Session check (GET /api/auth/session)

  1. Browser calls GET /api/auth/session (with credentials / Access cookies as applicable).
  2. Gateway reads cf-access-jwt-assertion, or the CF_Authorization / cf_authorization cookies, or Authorization: Bearer.
  3. Gateway POSTs a JSON body { token, tokenType } to AUTH_WORKER_VERIFY_URL (default in code: https://auth.cosmos-platform.com/api/v1/verify; overridden per env in wrangler.gateway.toml).
  4. If the auth worker returns success with a user, the gateway responds with JSON success: true and a public user object (id, email, name, roles, permissions).
  5. On failure, the gateway returns JSON success: false with an appropriate status (401, 502, etc.).

Logout (GET /api/auth/logout)

  1. Browser calls GET /api/auth/logout.
  2. Gateway responds with 302 to /cdn-cgi/access/logout on the same origin so Cloudflare Access clears the session.

Protected paths

  1. Request path matches PROTECTED_PATH_PREFIXES (default /portal, /admin; comma-separated in Wrangler).
  2. Gateway runs the same verification as the session check. If verification fails, 302 to /login?redirect=<original path>.
  3. If verification succeeds, the gateway continues with fetch(request) to the static site (worker site bucket).
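The three flows above, as an added example that is not the project's auth-gateway.js: a minimal Cloudflare-Worker-style handler built only on the Web-standard Request/Response/URL globals, so it also runs under Node 18+ for testing. The env variable names (AUTH_WORKER_VERIFY_URL, PROTECTED_PATH_PREFIXES) and the credential order follow the text; the cookie parsing, the tokenType labels, the injectable fetch used for testing, and the decision to echo only a fixed set of user fields are this example's own assumptions.

```javascript
// Added example, not the project's code. Cloudflare-Worker-shaped gateway
// implementing the session / logout / protected-path flow described above.
// Env names follow the text; tokenType labels and helper shapes are assumed.

const DEFAULT_VERIFY_URL = 'https://auth.cosmos-platform.com/api/v1/verify';
const DEFAULT_PROTECTED = '/portal,/admin';

// Parse a Cookie header into a name -> value map (no decoding needed here).
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Step 2: locate a credential in the order the flow lists. Returns null if none.
function extractToken(request) {
  const h = request.headers;
  const assertion = h.get('cf-access-jwt-assertion');
  if (assertion) return { token: assertion, tokenType: 'access-jwt' };
  const cookies = parseCookies(h.get('cookie'));
  const cookie = cookies.CF_Authorization || cookies.cf_authorization;
  if (cookie) return { token: cookie, tokenType: 'access-cookie' };
  const auth = h.get('authorization') || '';
  if (/^Bearer\s+\S+$/i.test(auth)) return { token: auth.slice(7).trim(), tokenType: 'bearer' };
  return null;
}

// Expose only the fields the text names; never forward the raw verify payload.
function publicUser(user) {
  return {
    id: user.id,
    email: user.email,
    name: user.name,
    roles: Array.isArray(user.roles) ? user.roles : [],
    permissions: Array.isArray(user.permissions) ? user.permissions : [],
  };
}

// Comma-separated prefix list, as in Wrangler vars. Plain prefix match is
// fail-safe: a longer path under a prefix is always treated as protected.
function isProtectedPath(pathname, prefixes = DEFAULT_PROTECTED) {
  return prefixes.split(',').map((p) => p.trim()).filter(Boolean)
    .some((p) => pathname.startsWith(p));
}

// Step 3: POST { token, tokenType } to the auth worker. Network or malformed
// responses map to 502; a definite rejection maps to 401.
async function verifyWithAuthWorker(cred, env, fetchImpl) {
  const url = env.AUTH_WORKER_VERIFY_URL || DEFAULT_VERIFY_URL;
  let res;
  try {
    res = await fetchImpl(url, {
      method: 'POST',
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify(cred),
    });
  } catch (e) {
    return { ok: false, status: 502 };
  }
  if (!res.ok) return { ok: false, status: res.status === 401 ? 401 : 502 };
  let data;
  try { data = await res.json(); } catch (e) { return { ok: false, status: 502 }; }
  if (data && data.success && data.user) return { ok: true, status: 200, user: data.user };
  return { ok: false, status: 401 };
}

function json(body, status) {
  return new Response(JSON.stringify(body), {
    status,
    headers: { 'content-type': 'application/json', 'cache-control': 'no-store' },
  });
}

// deps.fetch lets tests substitute the auth worker and the static origin.
async function handleRequest(request, env, deps = {}) {
  const fetchImpl = deps.fetch || fetch;
  const url = new URL(request.url);
  const path = url.pathname;

  if (path === '/api/auth/session' && request.method === 'GET') {
    const cred = extractToken(request);
    if (!cred) return json({ success: false, error: 'no credential' }, 401);
    const v = await verifyWithAuthWorker(cred, env, fetchImpl);
    if (!v.ok) return json({ success: false }, v.status);
    return json({ success: true, user: publicUser(v.user) }, 200);
  }

  if (path === '/api/auth/logout' && request.method === 'GET') {
    // Same origin, so Cloudflare Access can clear its session cookie.
    return Response.redirect(`${url.origin}/cdn-cgi/access/logout`, 302);
  }

  if (isProtectedPath(path, env.PROTECTED_PATH_PREFIXES)) {
    const cred = extractToken(request);
    const v = cred ? await verifyWithAuthWorker(cred, env, fetchImpl) : { ok: false };
    if (!v.ok) {
      const back = encodeURIComponent(path + url.search);
      return Response.redirect(`${url.origin}/login?redirect=${back}`, 302);
    }
  }
  return fetchImpl(request); // fall through to the static site
}

// In a real Worker this object would be the module's default export.
const worker = { fetch: handleRequest };
```

Two design points worth noting: the protected-path branch redirects on any failure rather than distinguishing 401 from 502, so an outage of the auth worker fails closed; and responses from /api/auth/session carry cache-control: no-store so a shared cache never serves one visitor's user object to another.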

Wrangler routes must include the host patterns for /portal* and /admin* (see workers/wrangler.gateway.toml); otherwise the worker never runs and protection is ineffective.
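As an added illustration, not the project's own wrangler.gateway.toml, this is the shape of a config that satisfies the requirement above. The hostname, zone name, compatibility date and site bucket path are placeholders, and the /api/auth/* route is an assumption this example adds so that the session and logout endpoints are also served by the worker rather than by the static site.

```toml
# Added illustration only; placeholder hostnames and paths, not the project's config.
name = "auth-gateway"
main = "auth-gateway.js"
compatibility_date = "2024-01-01"

# Static assets the gateway falls through to with fetch(request).
[site]
bucket = "./dist"   # placeholder

[vars]
PROTECTED_PATH_PREFIXES = "/portal,/admin"
AUTH_WORKER_VERIFY_URL = "https://auth.cosmos-platform.com/api/v1/verify"

# Every protected prefix needs a matching route; a prefix listed in
# PROTECTED_PATH_PREFIXES without a route here is never checked.
routes = [
  { pattern = "www.example.com/portal*",    zone_name = "example.com" },
  { pattern = "www.example.com/admin*",     zone_name = "example.com" },
  { pattern = "www.example.com/api/auth/*", zone_name = "example.com" },  # assumed
]
```

A quick check after deploying is to request a protected path without credentials and confirm a 302 to /login; a 200 with page content means the route pattern did not match and the static site answered directly.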

Image optimizer

  • Routes are declared in wrangler.image.toml by file extension (e.g. *.jpg, *.webp) per hostname/environment.
  • image-optimizer.js calls handleImageResize from @cosmos/edge-utils/image-optimizer when the path matches an image extension and the query string includes width; otherwise it falls through with fetch(request).
  • ENABLE_IMAGE_RESIZING in wrangler.image.toml is the worker-side feature toggle string.

Remaining gateway routing

  • After auth session/logout handling and protected-path checks, paths starting with /api/ are handled by handleApiRequest, imported from @cosmos/edge-utils/image-optimizer (shared package behavior, not Astro routes).
  • Other requests return fetch(request) to the static asset pipeline.

Files

  • apps/cosmos/digital-services/workers/auth-gateway.js
  • apps/cosmos/digital-services/workers/image-optimizer.js
  • apps/cosmos/digital-services/workers/wrangler.gateway.toml
  • apps/cosmos/digital-services/workers/wrangler.image.toml