The CloudFlare driver currently requires the user to use their account level API key, a key which if compromised gives an attacker complete control over their CloudFlare account. Needless to say this is somewhat less than ideal.
As of August 2019 CloudFlare allows the creation of scoped tokens that just have the privileges required to clear caches in a zone / domain:
This is then just passed in an Authorization: Bearer <token> header on the CF request in place of the X-Auth-Key / X-Auth-Email headers.
I appreciate this would be a breaking change for CF users, but it's much more secure, so still seems like a good idea. Perhaps we could support both for now with a deprecation warning for users of X-Auth-Key?
Happy to take a stab at a PR if it would be welcome and/or you don't have time @ostark
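Added example (not the plugin's own code and not part of the issue above): how a purge request to the Cloudflare zone purge endpoint looks under each scheme, with the "support both, warn on the legacy key" fallback the issue proposes. The endpoint path and header names are Cloudflare's documented ones; the function names, the zone id and the credential values are made up for illustration.

```python
"""Build a Cloudflare cache-purge request using a scoped API token (preferred)
or the legacy global API key, emitting a deprecation warning for the latter.

Added example, not the plugin's code. Endpoint and header names are Cloudflare's;
every concrete value (zone id, token, key, URLs) is a constructed placeholder.
"""
import json
import warnings
from dataclasses import dataclass
from typing import Optional, Sequence

CF_API = "https://api.cloudflare.com/client/v4"

# Text of the warning shown to users still configured with the global key.
LEGACY_DEPRECATION = (
    "X-Auth-Key/X-Auth-Email is deprecated: the global API key grants full "
    "account access. Create an API token scoped to the Zone 'Cache Purge' "
    "permission on the affected zone and configure it as the bearer token."
)


@dataclass(frozen=True)
class PurgeRequest:
    """A fully prepared request, kept as plain data so it can be inspected offline."""
    method: str
    url: str
    headers: dict
    body: str
    deprecations: tuple = ()


def build_purge_request(zone_id: str, *,
                        token: Optional[str] = None,
                        auth_email: Optional[str] = None,
                        auth_key: Optional[str] = None,
                        files: Optional[Sequence[str]] = None) -> PurgeRequest:
    """Prefer the scoped token; fall back to the global key with a warning.

    With `files` the request purges only those URLs, otherwise the whole zone.
    """
    url = f"{CF_API}/zones/{zone_id}/purge_cache"
    headers = {"Content-Type": "application/json"}
    deprecations: tuple = ()

    if token:
        # Scoped token: a leak exposes only what the token was granted.
        headers["Authorization"] = f"Bearer {token}"
    elif auth_email and auth_key:
        # Legacy global key: still works, but a leak exposes the whole account.
        warnings.warn(LEGACY_DEPRECATION, DeprecationWarning, stacklevel=2)
        headers["X-Auth-Email"] = auth_email
        headers["X-Auth-Key"] = auth_key
        deprecations = (LEGACY_DEPRECATION,)
    else:
        raise ValueError("need either token= or both auth_email= and auth_key=")

    payload = {"files": list(files)} if files else {"purge_everything": True}
    return PurgeRequest("POST", url, headers, json.dumps(payload), deprecations)


def auth_scheme(req: PurgeRequest) -> str:
    """Report which credential a prepared request carries ('token' or 'global-key')."""
    if "Authorization" in req.headers:
        return "token"
    if "X-Auth-Key" in req.headers:
        return "global-key"
    return "none"


def send(req: PurgeRequest, timeout: float = 10.0) -> dict:
    """Actually send the prepared request with urllib (needs network; not used offline)."""
    from urllib import request as urlrequest
    raw = urlrequest.Request(req.url, data=req.body.encode(), headers=req.headers,
                             method=req.method)
    with urlrequest.urlopen(raw, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed placeholder values; nothing here is a real zone or credential.
    new = build_purge_request("0123456789abcdef", token="cf-scoped-token-placeholder",
                              files=["https://example.com/css/site.css"])
    old = build_purge_request("0123456789abcdef", auth_email="admin@example.com",
                              auth_key="global-key-placeholder")
    print(auth_scheme(new), new.headers)   # token, Authorization: Bearer ...
    print(auth_scheme(old), old.deprecations[0][:40], "...")
```

If both a token and the legacy pair are configured, the token wins, so a user can add the token first and drop the global key once the warning disappears from their logs.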