This PR allows for a second API token to be optionally configured, used for fetching info about the Zones in Cloudflare.
The change is backwards compatible with existing configs - if the Zone API token is not provided, the regular API token is used for all requests.
Why
The /zones API endpoint requires that the entire token be scoped globally, which then means that the DNS edit permission must also be scoped globally. This prevents the use of a single API token to perform DNS updates to be restricted to a single zone in a multi-zone account.
By splitting the token out, this globally scoped token can be left as read-only, and the DNS read/write token can be scoped to a single Zone.
I believe this should address #2 (at least the original issue, I think there might be a separate issue being discussed in the comments)
Testing
I've written some small tests for this module which can be run with go test. I believe these tests cover the old Caddyfile syntax as well as the updated one with two tokens.
TODO
[ ] If libdns/cloudflare gets a release tag then go.mod can be updated to target this instead of the manual git SHA
[ ] Actual real-world tests with old configs to ensure that nothing breaks
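An added illustration of the token split described in this PR (not code from the PR or from libdns/cloudflare): a Go http.RoundTripper that sends the read-only zone token on zone-lookup requests and the DNS token on everything else, falling back to the single token when no zone token is configured. The type name, field names and sample token strings are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// splitTokenTransport is a hypothetical RoundTripper that picks a
// Cloudflare API token per request so each token can stay least-privilege.
type splitTokenTransport struct {
	APIToken  string            // DNS read/write token, scoped to a single zone
	ZoneToken string            // optional read-only token, scoped to all zones
	Base      http.RoundTripper // underlying transport; nil means the default
}

// tokenFor returns the token to use for a request. Only zone lookups
// (GET on a path ending in /zones) use ZoneToken, and only when it is set;
// every other request, and every request in a legacy single-token config,
// uses APIToken.
func (t *splitTokenTransport) tokenFor(method, path string) string {
	p := strings.TrimSuffix(path, "/")
	isZoneLookup := method == http.MethodGet && strings.HasSuffix(p, "/zones")
	if isZoneLookup && t.ZoneToken != "" {
		return t.ZoneToken
	}
	return t.APIToken
}

// RoundTrip attaches the selected token to a clone of the request, so the
// caller's request is never mutated and a token never leaks across calls.
func (t *splitTokenTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context())
	r.Header.Set("Authorization", "Bearer "+t.tokenFor(r.Method, r.URL.Path))
	base := t.Base
	if base == nil {
		base = http.DefaultTransport
	}
	return base.RoundTrip(r)
}

func main() {
	// Constructed sample tokens; real values would come from configuration.
	split := &splitTokenTransport{APIToken: "dns-edit-token", ZoneToken: "zone-read-token"}
	legacy := &splitTokenTransport{APIToken: "dns-edit-token"}
	fmt.Println(split.tokenFor("GET", "/client/v4/zones"))
	fmt.Println(split.tokenFor("POST", "/client/v4/zones/ZONE_ID/dns_records"))
	fmt.Println(legacy.tokenFor("GET", "/client/v4/zones"))
}
```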