
Using an API Token restricted only to the website's domain causes a "Forbidden" error in the plugin #255

Closed
brandomeniconi opened this issue May 14, 2020 · 9 comments

Comments

@brandomeniconi
Contributor

We have multiple sites under the same CF account and we would like to use API Tokens to authenticate the WordPress plugin, to prevent a breach in one website from potentially causing drama in other ones.

When we restrict the token to only the zone of the website, the plugin GUI stops working with a "Forbidden" error in the bottom red bar. This defies the benefit of using API Tokens because the API Token for one website can edit any zone in the Cloudflare account.

Steps to recreate:

  1. Create a new API Token with the "WordPress" template or edit an existing one
  2. In the "Zone Resources" settings select "Include" - "Specific Zone" - "the domain of your website"
  3. Use the token to authenticate the WP plugin
  4. When you try to log in to the plugin it will show a "Forbidden" error
  5. If you remove the setting at (2) the plugin is able to log in successfully
@rmens

rmens commented May 14, 2020

We currently have the same problem. In release https://github.com/cloudflare/Cloudflare-WordPress/releases/tag/v3.4.0 it says the plug-in now supports API Tokens, but it's not working as intended with tokens that are restricted to the specific domain.

@brandomeniconi
Contributor Author

brandomeniconi commented May 18, 2020

Upon further investigation, I think that the problem has its source in the shared cloudflare-plugin-frontend package that this plugin uses to manage the CF connection.

The request that fails is
/wp-admin/admin-ajax.php?action=cloudflare_proxy&proxyURL=zones&proxyURLType=CLIENT

which is triggered by this function that tries to fetch all the zones in the connected account:
https://github.com/cloudflare/cloudflare-plugin-frontend/blob/5fa743fd903ec677806dda9fcf38c203612d9bac/src/actions/zones.js#L66

I tried to do the request manually with the restricted token and the response is:

{
  "success":false,
  "errors":[
      {
       "code":0,
       "message":"Actor 'com.cloudflare.api.token...' requires permission 'com.cloudflare.api.account.zone.list' to list zones"
      }
  ],
  "messages":[],
  "result":null
}

So if we set an API token to only access one zone, it will not have the ability to get the list of available zones. I have not been able to grant that permission manually.

I'll try to open an issue on cloudflare-plugin-frontend to see if they can address this by catching the error and trying another way to get the zone ID.

@rmens

rmens commented Jun 3, 2020

I tried bringing this to the attention of Cloudflare support (we have an Enterprise contract). But explaining the error has been hard. We get a different person with every answer on the ticket and it feels like with every person you have to explain it again. Maybe one of the maintainers of this plug-in (@deuill or @manatarms) can take a look at this issue.

@garrettgalow
Contributor

Our GET /zones endpoint unfortunately produces some complicated interactions with API tokens because the endpoint tries to do lots of things at once. In proper REST it would be a GET /accounts/*ALL*/zones endpoint which is not conducive to strict permissioning. In that light the permission needed is zones.list which belongs at the account level. That's why the endpoint requires you granting access to all zones at the account level as that gives you the list permission. The current way around this in the API is to provide a query param searching for a specific zone - aka GET /zones?name=<zone.name>

For now the workaround is granting read access to the account in question. The fix in the WP plugin would be for us to filter the list by the WP domain name when we look for a zone to pick.
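The single-zone lookup described above (GET /zones?name=<zone.name> instead of a bare GET /zones), as an added example that is not code from the Cloudflare-WordPress plugin or cloudflare-plugin-frontend. It assumes the v4 API base URL and Bearer-token header; the sample bodies are constructed, apart from the error message quoted earlier in this thread.

```python
"""Look up one Cloudflare zone by name so a zone-scoped token can succeed."""
import json
import urllib.parse
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"  # assumed v4 base URL


def zone_lookup_url(domain: str) -> str:
    # GET /zones?name=<zone.name> is a single-zone lookup, which a token scoped to
    # that one zone can answer; a bare GET /zones needs account-level zone.list.
    return f"{API_BASE}/zones?{urllib.parse.urlencode({'name': domain})}"


def parse_zone_response(body: str, domain: str):
    """Return (zone_id, error) from a /zones response body."""
    data = json.loads(body)
    if not data.get("success"):
        msgs = "; ".join(e.get("message", "") for e in data.get("errors", []))
        if "zone.list" in msgs:
            return None, "token lacks account-level zone list permission; query by name"
        return None, msgs or "unknown API error"
    # Filter defensively: a broadly scoped token may still return several zones.
    matches = [z for z in data.get("result") or [] if z.get("name") == domain]
    if not matches:
        return None, f"no zone named {domain} is visible to this token"
    return matches[0]["id"], None


def fetch_zone_id(domain: str, token: str) -> str:
    """Live lookup (network); the token is only ever sent as a Bearer header."""
    req = urllib.request.Request(zone_lookup_url(domain),
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        zone_id, err = parse_zone_response(resp.read().decode(), domain)
    if err:
        raise RuntimeError(err)
    return zone_id


# Constructed samples: the error body from the issue, and a made-up success body.
SCOPED_TOKEN_LIST_ERROR = json.dumps({
    "success": False,
    "errors": [{"code": 0, "message": "Actor 'com.cloudflare.api.token...' requires "
                "permission 'com.cloudflare.api.account.zone.list' to list zones"}],
    "messages": [], "result": None})
SUCCESS_BODY = json.dumps({
    "success": True, "errors": [], "messages": [],
    "result": [{"id": "0123456789abcdef0123456789abcdef", "name": "example.com"}]})
```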

@rmens

rmens commented Jul 1, 2020

Since there is quite some activity in this repository again: I would love to know if this is on any roadmap. It's tough to decide if we should invest in rolling our own plug-in that works with the domain restricted API Token, or just wait a little longer.

@spenweb

spenweb commented Sep 6, 2020

Are there any plans on implementing this? If so, what is the timeline? Thanks!

@spenweb

spenweb commented Sep 6, 2020

I was able to update the Zone Settings permission from Update to Read and I am now able to use this API token to log in to the WordPress plugin. This seems to allow purging, but it displays an error message for any option that seems to be editing a zone setting.
This screenshot shows the closest I could get with restricting access:
[Screenshot: Cloudflare dashboard, API token permissions (screencapture-dash-cloudflare-profile-api-tokens-2020-09-06-14_25_39)]

@manatarms
Contributor

This issue was fixed as part of v3.7.0. Thanks for reporting the issue.

@gingibash

4.11.0 Cloudflare plugin, same problem with API token. Only works with the global API key.
