fix CF deploy: handle non-JSON responses, infer account ID from token

Two fixes for Cloudflare Workers integration:

1. `cfApi()` now checks `Content-Type` before calling `.json()` — the
   CF Workers upload endpoint can return multipart boundaries instead of
   JSON, which caused `SyntaxError` in GHA deploys.

2. `resolveAccountId()` infers account ID from API token via
   `GET /accounts` when `CLOUDFLARE_ACCOUNT_ID` is not set. Single
   account auto-resolves; multiple accounts lists them with an error.
   Used by both `deploy` and `ls`.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: ryan-williams

specs/fix-cf-deploy-multipart-response.md

@@ -0,0 +1,63 @@
+# Fix CF deploy: multipart upload response parsing
+
+## Bug
+
+`cors-prxy deploy` fails in GHA (and likely any non-interactive env) with:
+
+```
+SyntaxError: No number after minus sign in JSON at position 1 (line 1 column 2)
+    at JSON.parse (<anonymous>)
+    ...
+    at async deployCf (deploy-cf.js:46:22)
+```
+
+The response body starts with `--591155c8b58d...` — a multipart boundary string, not JSON.
+
+## Cause
+
+`cfApi()` unconditionally calls `resp.json()` on every response. The CF Workers upload endpoint (`PUT /accounts/{id}/workers/scripts/{name}`) with a `multipart/form-data` body may return a non-JSON response (or echo the boundary). The function doesn't check `Content-Type` or response status before parsing.
+
+## Fix
+
+In `deploy-cf.ts`, `cfApi` should:
+1. Check `response.ok` or at least `Content-Type` before calling `.json()`
+2. If the response isn't JSON, read as text and wrap in a structured error
+3. Ideally log the raw response body on failure for debugging
+
+```typescript
+async function cfApi(path: string, apiToken: string, opts: RequestInit = {}) {
+  const resp = await fetch(`https://api.cloudflare.com/client/v4${path}`, {
+    ...opts,
+    headers: {
+      "Authorization": `Bearer ${apiToken}`,
+      ...opts.headers as Record<string, string>,
+    },
+  })
+  const contentType = resp.headers.get("content-type") ?? ""
+  if (!contentType.includes("application/json")) {
+    const text = await resp.text()
+    if (!resp.ok) {
+      throw new Error(`CF API ${resp.status}: ${text.slice(0, 200)}`)
+    }
+    // Some success responses may not be JSON
+    return { success: resp.ok, result: undefined, errors: [] }
+  }
+  return resp.json()
+}
+```
+
+## Reproducer
+
+Deploy from GHA with `CLOUDFLARE_API_TOKEN` secret set:
+
+```yaml
+- run: cors-prxy deploy
+  env:
+    CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+```
+
+Works locally, fails in GHA. May be a difference in Node.js fetch behavior or CF API response based on request details.
+
+## Context
+
+Hit in https://github.com/runsascoded/aws-static-sso CI — GHA run 22867512771, `deploy-worker` job.

specs/infer-cf-account-id.md

@@ -0,0 +1,35 @@
+# Infer Cloudflare account ID from API token
+
+## Problem
+
+`cors-prxy ls` requires `CLOUDFLARE_ACCOUNT_ID` env var to list CF Workers. If it's not set, CF workers are silently skipped (`listCfProxies` returns `[]`). This is surprising — the user has `CLOUDFLARE_API_TOKEN` set and expects `ls` to work.
+
+Similarly, `deploy` requires `cloudflare.accountId` in config or `CLOUDFLARE_ACCOUNT_ID` env var.
+
+## Fix
+
+The Cloudflare API supports listing accounts a token has access to:
+
+```
+GET https://api.cloudflare.com/client/v4/accounts
+Authorization: Bearer <token>
+```
+
+If `CLOUDFLARE_ACCOUNT_ID` is not set:
+1. Call `GET /accounts` with the token
+2. If exactly one account is returned, use it
+3. If multiple accounts, error with a message listing them and asking the user to set `CLOUDFLARE_ACCOUNT_ID` or `cloudflare.accountId`
+4. If zero accounts (or the call fails), skip CF as today
+
+### Where to apply
+
+- `listCfProxies()` in `tags.ts` — currently bails if no `accountId`
+- `getCfAccountId()` in `deploy-cf.ts` — currently throws if no `accountId`
+
+Extract a shared `resolveAccountId(apiToken: string): Promise<string>` helper in `deploy-cf.ts` that both can use.
+
+## Context
+
+Came up using `cors-prxy ls` in [aws-static-sso] — `CLOUDFLARE_API_TOKEN` was set but `ls` showed no CF workers until `CLOUDFLARE_ACCOUNT_ID` was also set.
+
+[aws-static-sso]: https://github.com/runsascoded/aws-static-sso

src/deploy-cf.ts

@@ -14,34 +14,59 @@ function getCfAuth(): { apiToken: string } {
   return { apiToken }
 }
 
-function getCfAccountId(config: CorsProxyConfig): string {
-  const accountId = config.cloudflare?.accountId ?? process.env.CLOUDFLARE_ACCOUNT_ID
-  if (!accountId) {
-    throw new Error(
-      "Cloudflare account ID is required. Set it in config (cloudflare.accountId) " +
-      "or via CLOUDFLARE_ACCOUNT_ID env var."
-    )
+export async function resolveAccountId(apiToken: string, config?: CorsProxyConfig): Promise<string> {
+  const explicit = config?.cloudflare?.accountId ?? process.env.CLOUDFLARE_ACCOUNT_ID
+  if (explicit) return explicit
+
+  // Infer from API token
+  const resp = await cfApi("/accounts", apiToken)
+  if (!resp.success || !resp.result) {
+    throw new Error("Failed to list Cloudflare accounts. Set CLOUDFLARE_ACCOUNT_ID or cloudflare.accountId in config.")
+  }
+  const accounts = resp.result as unknown as Array<{ id: string; name: string }>
+  if (accounts.length === 0) {
+    throw new Error("No Cloudflare accounts found for this API token.")
   }
-  return accountId
+  if (accounts.length === 1) {
+    return accounts[0].id
+  }
+  const list = accounts.map(a => `  ${a.id}  ${a.name}`).join("\n")
+  throw new Error(
+    `Multiple Cloudflare accounts found. Set CLOUDFLARE_ACCOUNT_ID or cloudflare.accountId:\n${list}`
+  )
 }
 
 function getWorkerName(config: CorsProxyConfig): string {
   return config.cloudflare?.workerName ?? `cors-prxy-${config.name}`
 }
 
+interface CfApiResponse {
+  success: boolean
+  result?: Record<string, unknown>
+  errors?: Array<{ message: string }>
+}
+
 async function cfApi(
   path: string,
   apiToken: string,
   opts: RequestInit = {},
-): Promise<{ success: boolean; result?: Record<string, unknown>; errors?: Array<{ message: string }> }> {
+): Promise<CfApiResponse> {
   const resp = await fetch(`https://api.cloudflare.com/client/v4${path}`, {
     ...opts,
     headers: {
       "Authorization": `Bearer ${apiToken}`,
       ...opts.headers as Record<string, string>,
     },
   })
-  return resp.json() as Promise<{ success: boolean; result?: Record<string, unknown>; errors?: Array<{ message: string }> }>
+  const contentType = resp.headers.get("content-type") ?? ""
+  if (!contentType.includes("application/json")) {
+    const text = await resp.text()
+    if (!resp.ok) {
+      throw new Error(`CF API ${resp.status}: ${text.slice(0, 200)}`)
+    }
+    return { success: resp.ok, result: undefined, errors: [] }
+  }
+  return resp.json() as Promise<CfApiResponse>
 }
 
 function loadCfBundle(): string {
@@ -51,7 +76,7 @@ function loadCfBundle(): string {
 
 export async function deployCf(config: CorsProxyConfig): Promise<DeployResult> {
   const { apiToken } = getCfAuth()
-  const accountId = getCfAccountId(config)
+  const accountId = await resolveAccountId(apiToken, config)
   const workerName = getWorkerName(config)
 
   // Load pre-built worker bundle
@@ -147,7 +172,7 @@ export async function deployCf(config: CorsProxyConfig): Promise<DeployResult> {
 
 export async function destroyCf(config: CorsProxyConfig): Promise<void> {
   const { apiToken } = getCfAuth()
-  const accountId = getCfAccountId(config)
+  const accountId = await resolveAccountId(apiToken, config)
   const workerName = getWorkerName(config)
 
   console.log(`Deleting Cloudflare Worker: ${workerName}`)

src/tags.ts

@@ -104,11 +104,11 @@ async function listLambdaProxies(regions: string[]): Promise<ProxyInfo[]> {
 
 async function listCfProxies(): Promise<ProxyInfo[]> {
   const apiToken = process.env.CLOUDFLARE_API_TOKEN
-  const accountId = process.env.CLOUDFLARE_ACCOUNT_ID
-  if (!apiToken || !accountId) return []
+  if (!apiToken) return []
 
   try {
-    const { listCfWorkers } = await import("./deploy-cf.js")
+    const { resolveAccountId, listCfWorkers } = await import("./deploy-cf.js")
+    const accountId = await resolveAccountId(apiToken)
     const workers = await listCfWorkers(accountId, apiToken)
     return workers.map(w => ({
       name: w.name,