[FR] Update Cloudflare driver to use scoped tokens
Closed this issue · 3 comments
The Cloudflare driver currently requires the user to use their account-level API key, a key which, if compromised, gives an attacker complete control over their Cloudflare account. Needless to say, this is somewhat less than ideal.
As of August 2019 Cloudflare allows the creation of scoped tokens that just have the privileges required to clear caches in a zone / domain:
This is then just passed in an `Authorization: Bearer <token>` header on the CF request in place of the `X-Auth-Key` / `X-Auth-Email` headers.
I appreciate this would be a breaking change for CF users, but it's much more secure, so still seems like a good idea. Perhaps we could support both for now with a deprecation warning for users of `X-Auth-Key`?
Happy to take a stab at a PR if it would be welcome and/or you don't have time @ostark
It makes sense to support both, otherwise, a major version bump would be required.
@tomdavies PR?
Cool, will hop on it this weekend
Sorry for the late release https://github.com/ostark/upper/releases/tag/1.6.0
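A sketch of the "support both, warn on the legacy key" approach discussed in this thread, added here as an illustration and not taken from the plugin's code. The function name and the config keys `apiToken`, `apiKey` and `apiEmail` are hypothetical; only the header names come from the issue.

```php
<?php
declare(strict_types=1);

/**
 * Build the authentication headers for a Cloudflare API request.
 * Config keys (apiToken, apiKey, apiEmail) are hypothetical names for this example.
 */
function cloudflareAuthHeaders(array $config): array
{
    $token = trim((string)($config['apiToken'] ?? ''));
    $key   = trim((string)($config['apiKey'] ?? ''));
    $email = trim((string)($config['apiEmail'] ?? ''));

    // Credentials are copied verbatim into header lines, so refuse anything
    // containing spaces or control characters (CR/LF included).
    foreach ([$token, $key, $email] as $value) {
        if (preg_match('/[\x00-\x20\x7f]/', $value) === 1) {
            throw new InvalidArgumentException('Credential contains whitespace or control characters');
        }
    }

    // Preferred path: scoped token. When both are configured the token wins,
    // so the account-wide key is never put on the wire.
    if ($token !== '') {
        return ['Authorization' => 'Bearer ' . $token];
    }

    // Legacy path: account-level key plus e-mail, kept only for compatibility.
    if ($key !== '' && $email !== '') {
        trigger_error(
            'X-Auth-Key / X-Auth-Email authentication is deprecated; configure a scoped API token instead',
            E_USER_DEPRECATED
        );
        return ['X-Auth-Key' => $key, 'X-Auth-Email' => $email];
    }

    throw new InvalidArgumentException('No Cloudflare credentials configured');
}

// Constructed sample values, not real credentials.
$scoped = cloudflareAuthHeaders(['apiToken' => 'EXAMPLE_SCOPED_TOKEN']);
$legacy = cloudflareAuthHeaders(['apiKey' => 'EXAMPLE_GLOBAL_KEY', 'apiEmail' => 'admin@example.com']);

print_r(array_keys($scoped));
print_r(array_keys($legacy));
```

Whether the deprecation notice is shown or logged depends on the PHP `error_reporting` setting, so a deployment that hides `E_USER_DEPRECATED` will not surface the warning to the site owner.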