-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
API authorization failed #78
Comments
Hi |
I think your problem is with some configuration on your account. CloudFlare's API documentation makes the authentication methods for endpoints very confusing, but tokens are not only an allowed method, but are in fact the preferred method due to the ability to tightly restrict their scope.
This community post by a CloudFlare employee confirms tokens are definitely the preferred method for API access, and in fact they are adding a account based tokens in addition to the user based tokens. TL;DRTokens are still supported and in fact preferred, just the API docs don't make that clear so it's harder to find a definitive answer than I would have thought. So were you originally trying to use an API token or an API key with the worker? Your Global API Key will definitely not work with this worker for the reasons you noted with the different headers that are used for the API key. |
FWIW I have this working using an account level bearer API token, and bearer tokens are the way to go. Using the global account keys is definitely depreciated on CF platform, and they are something of a security anti pattern as anything using your global keys is operating in the entirety of your user's security context. Unlike a API token which has a scope, and hopefully a tightly focused scope as suggested in the configuration guide. Cloudflare's API documentation could certainly use some improvement. That they have removed the instructions for using and the code examples featuring bearer token authentication from the current documentation, and omitted it from the new API documentation while stating that API keys are deprecated, is, frankly, insane. |
So after deploying it to my CF workers I keep getting this error from my unifi system:
After some digging I found that it's because of how the script tries to authenticate itself by attaching the token in the header:
unifi-ddns/src/index.js
Line 63 in 7e12b8a
This will lead to an API error from the CF:
If I change the headers to include both
X-Auth-Email
andX-Auth-Key
following the documentation, everything works as expected. I'm just not sure if this is due to some configuration error on my account, or CF has updated their API authorization logic.The text was updated successfully, but these errors were encountered: