Using an API Token restricted only to the website's domain, causes a "Forbidden" error in the plugin

[brandomeniconi]

We have multiple sites under the same CF account and we would like to use API Tokens to authenticate the Wordpress plugin to prevent a breach in one website to potentially cause drama in other ones.

When we restrict the token to only the zone of the website, the plugin GUI stops working with a "Forbidden" error in the bottom red bar. This defies the benefit of using API Tokens because the API Token for one website can edit any zone in the Cloudflare account.

Steps to recreate:

1. Create a new API Token with the "Wordpress" template or edit an existing one
2. in the "Zone Resources" settings select "Include" - "Specific Zone" - "the domain of your website"
3. Use the token to authenticate the WP plugin
4. When you try to login in the plugin it will show a "Forbidden" error
5. If you remove the setting at (2) the plugin is able to login successfully

[rmens]

We currently have the samen problem. In release https://github.com/cloudflare/Cloudflare-WordPress/releases/tag/v3.4.0 it says the plug-in now supports API Tokens, but it's not working as intended with tokens that are restricted to the specific domain.

[brandomeniconi]

Upon further investigation, I think that the problem has it's source in the shared cloudflare-plugin-frontend package that this plugin uses to manage the CF connection.

The request that fail is
/wp-admin/admin-ajax.php?action=cloudflare_proxy&proxyURL=zones&proxyURLType=CLIENT

which is triggered by this function that tries to fetch all the zones in the connected account:
https://github.com/cloudflare/cloudflare-plugin-frontend/blob/5fa743fd903ec677806dda9fcf38c203612d9bac/src/actions/zones.js#L66

I tried to do the request manually with the restricted token and the response is:

{
  "success":false,
  "errors":[
      {
       "code":0,
       "message":"Actor 'com.cloudflare.api.token...' requires permission 'com.cloudflare.api.account.zone.list' to list zones"
      }
  ],
  "messages":[],
  "result":null
}

So if we set an API token to only access one zone, it will not have the ability to get the list of available zones. I'm not been able to grant that permission manually.

I'll try to open an Issue on the cloudflare-plugin-frontend to see if they can address this issue by catching the error and try another way to get the zone ID.

[rmens]

I tried bringing this to the attention of Cloudflare support (we have an Enterprise contract). But explaining the error has been hard. We get a different person with every answer on the ticket and it feels like with every person you have to explain it again. Maybe one of the maintainers of this plug-in (@deuill or @manatarms) can take a look at this issue.

[garrettgalow]

Our GET /zones endpoint unfortunately produces some complicated interactions with API tokens because the endpoint tries to do lots of things at once. In proper REST it would be a GET /accounts/*ALL*/zones endpoint which is not conducive to strict permissioning. In that light the permission needed is zones.list which belongs at the account level. That's why the endpoint requires you granting access to all zones at the account level as that gives you the list permission. The current way around this in the API is to provide a query param searching for a specific zone - aka GET /zones?name=<zone.name>

For now the workaround is granting read access to the account in question. The fix in the WP plugin would be for us to filter the list by the WP domain name when we look for a zone to pick.

[rmens]

Since there is quite some activity in this repository again: I would love to know if this is on any roadmap. It's tough to decide if we should invest in rolling our own plug-in that works with the domain restricted API Token, or just wait a little longer.

[spenweb]

Are there any plans on implementing this? If so, what is the timeline? Thanks!

[spenweb]

I was able to update the Zone Settings permission from Update to Read and I am now able to use this API token to login to the WordPress plugin. This seems to allow for purging, but it displays an error message for any option that seems to be editing a zone setting.
This screenshot show the closest I could get with restricting access:

[manatarms]

This issue was fixed as part of v3.7.0. Thanks for reporting the issue.

[gingibash]

4.11.0 cloudflare plugin, same problem with API token. Only works with global API key