wp-media / wp-rocket

Performance optimization plugin for WordPress
https://wp-rocket.me
GNU General Public License v2.0
687 stars, 215 forks

Add support for new cloudflare API tokens #2366

Open binaryfire opened 5 years ago

binaryfire commented 5 years ago

Hi guys

Cloudflare have just released a new API tokens feature. This allows the creation of API credentials with restricted permissions and is the new recommended way of granting access to apps like WordPress. Additionally, tokens can be restricted to a specific domain, which is huge for security. They have a WordPress template too. From https://api.cloudflare.com/#getting-started-requests:

API Tokens
API Tokens provide a new way to authenticate with the Cloudflare API. They allow for scoped and permissioned access to resources and use the RFC compliant Authorization Bearer Token Header.

Here's a screenshot of their WordPress template:

[Screenshot: cloudflare wordpress api token]

The "cache purge" functionality wasn't set in the template however it's very easy to add this permission manually. I've posted on the cloudflare forum so hopefully it will be added to the wordpress template soon.

These new API requests use a single "Authorization: Bearer xxxxxxxxx" header instead of the "X-Auth-Email" and "X-Auth-Key" headers. So using the token in WP Rocket's existing "Global API" field doesn't work.

Would it be possible to add support for tokens in the next update? All other API request headers are identical so it would be easy to add the option to use a token instead of the global key if desired. Please note that the account email is no longer required with tokens. So the email field shouldn't be a required field if "API Token" is selected instead of "Global access key".

We would also need the option to define it in wp-config.php, i.e.:

define('WP_ROCKET_CF_API_TOKEN', 'put-your-API-token-here');
define( 'WP_ROCKET_CF_API_TOKEN_HIDDEN', true );

Cheers!
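As an added example (not code from this thread or from WP Rocket itself), the following shows what the request above amounts to in a WordPress plugin: pick the Cloudflare auth headers from whichever credential is configured, preferring a scoped API token (one Bearer header, no account email) over the legacy Global API key (X-Auth-Email plus X-Auth-Key), read secrets from wp-config.php constants, honour a "hidden" flag so the token is never echoed back into the settings form, verify the token against Cloudflare's token-verify endpoint before relying on it, and purge the zone through the WordPress HTTP API. The WP_ROCKET_CF_API_TOKEN and WP_ROCKET_CF_API_TOKEN_HIDDEN names come from the request above; WP_ROCKET_CF_ZONE_ID, WP_ROCKET_CF_EMAIL and WP_ROCKET_CF_API_KEY are assumed constant names for this example, and the example_cf_* functions are hypothetical helpers, not plugin APIs.

```php
<?php
/*
 * Added example, not WP Rocket code. Assumed wp-config.php constants:
 *   define( 'WP_ROCKET_CF_API_TOKEN',        '...' );  // scoped token (from the request above)
 *   define( 'WP_ROCKET_CF_API_TOKEN_HIDDEN', true );   // never show it in the UI (from the request above)
 *   define( 'WP_ROCKET_CF_ZONE_ID',          '...' );  // assumed name: zone to purge
 *   define( 'WP_ROCKET_CF_EMAIL',   '...' );           // assumed name: legacy fallback only
 *   define( 'WP_ROCKET_CF_API_KEY', '...' );           // assumed name: legacy fallback only
 */

// Build the auth headers. A scoped token needs a single Bearer header and no
// email; the Global API key needs both legacy headers.
function example_cf_auth_headers() {
    if ( defined( 'WP_ROCKET_CF_API_TOKEN' ) && '' !== WP_ROCKET_CF_API_TOKEN ) {
        return array(
            'Authorization' => 'Bearer ' . WP_ROCKET_CF_API_TOKEN,
            'Content-Type'  => 'application/json',
        );
    }
    if ( defined( 'WP_ROCKET_CF_EMAIL' ) && defined( 'WP_ROCKET_CF_API_KEY' ) ) {
        return array(
            'X-Auth-Email' => WP_ROCKET_CF_EMAIL,
            'X-Auth-Key'   => WP_ROCKET_CF_API_KEY,
            'Content-Type' => 'application/json',
        );
    }
    return new WP_Error( 'cf_no_credentials', 'No Cloudflare credentials configured.' );
}

// Value to render in the settings field: a constant marked hidden is masked,
// so the secret never leaves wp-config.php via the admin page.
function example_cf_token_display_value() {
    if ( ! defined( 'WP_ROCKET_CF_API_TOKEN' ) ) {
        return '';
    }
    if ( defined( 'WP_ROCKET_CF_API_TOKEN_HIDDEN' ) && WP_ROCKET_CF_API_TOKEN_HIDDEN ) {
        return str_repeat( '*', 8 );
    }
    return WP_ROCKET_CF_API_TOKEN;
}

// Cloudflare's GET /user/tokens/verify answers {"success":true,"result":{"status":"active"}}
// for a live token; anything else means the token should not be used.
function example_cf_verify_token() {
    $headers = example_cf_auth_headers();
    if ( is_wp_error( $headers ) || ! isset( $headers['Authorization'] ) ) {
        return false; // only meaningful for token auth
    }
    $response = wp_remote_get(
        'https://api.cloudflare.com/client/v4/user/tokens/verify',
        array( 'headers' => $headers, 'timeout' => 10 )
    );
    if ( is_wp_error( $response ) ) {
        return false;
    }
    $body = json_decode( wp_remote_retrieve_body( $response ), true );
    return ! empty( $body['success'] )
        && isset( $body['result']['status'] )
        && 'active' === $body['result']['status'];
}

// Purge the whole zone. Only the auth headers differ between the two schemes,
// so the same request works for a token or a Global API key.
function example_cf_purge_everything() {
    $headers = example_cf_auth_headers();
    if ( is_wp_error( $headers ) || ! defined( 'WP_ROCKET_CF_ZONE_ID' ) ) {
        return false;
    }
    $response = wp_remote_post(
        'https://api.cloudflare.com/client/v4/zones/' . rawurlencode( WP_ROCKET_CF_ZONE_ID ) . '/purge_cache',
        array(
            'headers' => $headers,
            'body'    => wp_json_encode( array( 'purge_everything' => true ) ),
            'timeout' => 10,
        )
    );
    if ( is_wp_error( $response ) || 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        return false;
    }
    $body = json_decode( wp_remote_retrieve_body( $response ), true );
    return ! empty( $body['success'] );
}

// Hook mentioned later in this thread: fires after WP Rocket clears the domain cache.
add_action( 'after_rocket_clean_domain', 'example_cf_purge_everything' );
```

With a token scoped to a single zone and only the cache-purge permission, a compromise of the WordPress host or its database exposes nothing beyond the ability to purge that one zone, which is the whole point of preferring tokens over the Global API key.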

Tabrisrp commented 5 years ago

There are 2 things that will have to be overcome before being able to implement that in WP Rocket:

For now we can't implement the support for tokens, but I'll keep the issue open for the future.

binaryfire commented 5 years ago

Ok no problems, look forward to this being added. I might try disabling the cloudflare addon and writing something myself until then. Are there any hooks that rocket fires when it clears the cache for a page or post? Or is save_post the best option?

Tabrisrp commented 5 years ago

There is, for example: https://github.com/wp-media/wp-rocket/blob/b8a54656afd7acc86fec1b1ac4e85d7b72ba5317/inc/common/purge.php#L207

You also have others if needed; you can easily find them in the source code.

BenHarris commented 4 years ago

Here's a very simple implementation.

<?php

// Set in wp-config.php
// define('CLOUDFLARE_API_TOKEN', 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx');
// define('CLOUDFLARE_ZONE_ID',   'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx');

function bh_purge_cloudflare_cache(){
    // Check defined() first: reading an undefined constant is a fatal Error in PHP 8.
    if(!defined('CLOUDFLARE_API_TOKEN') || !defined('CLOUDFLARE_ZONE_ID')
        || empty(CLOUDFLARE_API_TOKEN) || empty(CLOUDFLARE_ZONE_ID)){
        return false;
    }

    $ch = curl_init();

    // POST /zones/{zone_id}/purge_cache, authenticated with the scoped token only
    // (no X-Auth-Email / X-Auth-Key headers needed).
    curl_setopt($ch, CURLOPT_URL, sprintf("https://api.cloudflare.com/client/v4/zones/%s/purge_cache", rawurlencode(CLOUDFLARE_ZONE_ID)));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, '{"purge_everything":true}');
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);

    $headers = array();
    $headers[] = sprintf('Authorization: Bearer %s', CLOUDFLARE_API_TOKEN);
    $headers[] = 'Content-Type: application/json';
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

    $response = curl_exec($ch);
    $error    = curl_error($ch);
    $status   = curl_getinfo($ch, CURLINFO_HTTP_CODE);

    curl_close($ch);

    if($error || $status !== 200){
        //echo 'Error:' . $error;
        return false;
    }

    //echo $response;
    // Cloudflare answers {"success":true|false,...}; success is a JSON boolean,
    // so compare it as one, and guard against a body that isn't JSON at all.
    $resp = json_decode($response);
    return is_object($resp) && isset($resp->success) && $resp->success === true;
}
add_action( 'after_rocket_clean_domain', 'bh_purge_cloudflare_cache' );

alfonso100 commented 4 years ago

another request https://secure.helpscout.net/mailbox/5de4805abf96951b/2683093/

WordPresseur commented 3 years ago

Another request: https://secure.helpscout.net/conversation/1309531926/202524/

sandyfigueroa commented 3 years ago

Another request: https://secure.helpscout.net/conversation/1349011599/216427

jaredatch commented 3 years ago

Any thoughts or updates, given this was over a year ago?

For larger organizations, using the Global API is a huge risk and pain.

With the Cloudflare API token system that came out in mid-2019, we can mitigate this by creating tokens that are tied to specific zones and have limited or read-only access.

In many cases, specifically with enterprise clients with many zones/brands/products, the Global API key simply isn't an option.

viobru commented 3 years ago

Related ticket: https://secure.helpscout.net/conversation/1470871326/252344?folderId=4130683

girlie commented 3 years ago

Related ticket: https://secure.helpscout.net/conversation/1585840300/283756/

mifrero commented 3 years ago

Related ticket: https://secure.helpscout.net/conversation/1621966518/292392?folderId=2952229

alfonso100 commented 2 years ago

related ticket: https://secure.helpscout.net/conversation/1685827717/305649/

fritexvz commented 2 years ago

Kindly, I've just seen that W3 Total Cache also has this issue and is working on it; please add this feature as soon as possible due to security and protection: https://github.com/W3EDGE/w3-total-cache/issues/450

Tabrisrp commented 2 years ago

Before grooming this, we need to determine how we're going to display the choice between the old and new authentication system in the UI.

camilamadronero-zz commented 2 years ago

related https://secure.helpscout.net/conversation/1868754208/340692/

camilamadronero-zz commented 2 years ago

New request https://secure.helpscout.net/conversation/1909733078/346740/

DahmaniAdame commented 2 years ago

Related - https://secure.helpscout.net/conversation/1913521013/347268/

jaGarcia commented 3 months ago

+1 on this