remove comments

mattzcarey · mattzcarey · commit 6687c4262c48 · 2025-10-30T18:09:49.000Z
diff --git a/demos/remote-mcp-github-oauth/src/workers-oauth-utils.ts b/demos/remote-mcp-github-oauth/src/workers-oauth-utils.ts
@@ -1,13 +1,8 @@
-// workers-oauth-utils.ts
-
 import type { AuthRequest, ClientInfo } from "@cloudflare/workers-oauth-provider";
 
 const COOKIE_NAME = "__Host-MCP_APPROVED_CLIENTS";
 const ONE_YEAR_IN_SECONDS = 31536000;
 
-// --- Helper Functions ---
-
-
 /**
  * Imports a secret key string for HMAC-SHA256 signing.
  * @param secret - The raw secret key string.
@@ -124,8 +119,6 @@ async function getApprovedClientsFromCookie(
 	}
 }
 
-// --- Exported Functions ---
-
 /**
  * Checks if a given client ID has already been approved by the user,
  * based on a signed cookie.
@@ -191,30 +184,25 @@ export function renderApprovalDialog(request: Request, options: ApprovalDialogOp
 	const { client, server, state, csrfToken, setCookie } = options;
 	const encodedState = btoa(JSON.stringify(state));
 
-	// Sanitize any untrusted content
 	const serverName = sanitizeHtml(server.name);
 	const clientName = client?.clientName ? sanitizeHtml(client.clientName) : "Unknown MCP Client";
 	const serverDescription = server.description ? sanitizeHtml(server.description) : "";
 
-	// Safe URLs
 	const logoUrl = server.logo ? sanitizeHtml(server.logo) : "";
 	const clientUri = client?.clientUri ? sanitizeHtml(client.clientUri) : "";
 	const policyUri = client?.policyUri ? sanitizeHtml(client.policyUri) : "";
 	const tosUri = client?.tosUri ? sanitizeHtml(client.tosUri) : "";
 
-	// Client contacts
 	const contacts =
 		client?.contacts && client.contacts.length > 0
 			? sanitizeHtml(client.contacts.join(", "))
 			: "";
 
-	// Get redirect URIs
 	const redirectUris =
 		client?.redirectUris && client.redirectUris.length > 0
 			? client.redirectUris.map((uri) => sanitizeHtml(uri)).filter((uri) => uri !== "")
 			: [];
 
-	// Generate HTML for the approval dialog
 	const htmlContent = `
     <!DOCTYPE html>
     <html lang="en">
@@ -545,7 +533,6 @@ export async function parseRedirectApproval(
 	
 	const formData = await request.formData();
 
-	// Validate CSRF token
 	const tokenFromForm = formData.get("csrf_token");
 	if (!tokenFromForm || typeof tokenFromForm !== "string") {
 		throw new Error("Missing CSRF token in form data");
@@ -570,29 +557,24 @@ export async function parseRedirectApproval(
 		throw new Error("Invalid state data");
 	}
 
-	// Add client to approved list
 	const existingApprovedClients =
 		(await getApprovedClientsFromCookie(request.headers.get("Cookie"), cookieSecret)) || [];
 	const updatedApprovedClients = Array.from(
 		new Set([...existingApprovedClients, state.oauthReqInfo.clientId]),
 	);
 
-	// Sign the updated list
 	const payload = JSON.stringify(updatedApprovedClients);
 	const key = await importKey(cookieSecret);
 	const signature = await signData(key, payload);
 	const newCookieValue = `${signature}.${btoa(payload)}`; // signature.base64(payload)
 
-	// Generate Set-Cookie header
 	const headers: Record<string, string> = {
 		"Set-Cookie": `${COOKIE_NAME}=${newCookieValue}; HttpOnly; Secure; Path=/; SameSite=Lax; Max-Age=${ONE_YEAR_IN_SECONDS}`,
 	};
 
 	return { headers, state };
 }
 
-// --- New security functions for KV state storage ---
-
 /**
  * Result from bindStateToSession containing the cookie to set
  */
@@ -637,15 +619,6 @@ export async function createOAuthState(
 
 /**
  * Binds an OAuth state token to the user's browser session using a secure cookie.
- * This prevents CSRF attacks where an attacker's state token is used by a victim.
- *
- * SECURITY: This cookie proves that the browser completing the OAuth callback
- * is the same browser that consented to the authorization request.
- *
- * We hash the state token rather than storing it directly for defense-in-depth:
- * - Even if the state parameter leaks (URL logs, referrer headers), the cookie value cannot be derived
- * - The cookie serves as cryptographic proof of consent, not just a copy of the state
- * - Provides an additional layer of security beyond HttpOnly/Secure flags
  *
  * @param stateToken - The state token to bind to the session
  * @returns Object containing the Set-Cookie header to send to the client
