🐛 BUG: Routes do not work if api token is restricted to zone


What version of Wrangler are you using?

0.0.0-21ee93e

What operating system are you using?

Linux

Describe the Bug

  1. Restrict API token to a zone, for example:
     Account - Workers R2 Storage:Edit, Workers Tail:Read, Workers KV Storage:Edit, Workers Scripts:Edit, Account Settings:Read
     example.com - Workers Routes:Edit
     All users - User Details:Read
  2. Try to deploy to routes = ["https://example.com/*"]
  3. Error:

     ⛅️ wrangler 0.0.0-21ee93e
     ---------------------------
     Uploaded test-worker (1.71 sec)

     ✘ [ERROR] Received a bad response from the API

       Authentication error [code: 10000]

Not sure if this is related with the zone inference or a bug on Cloudflare’s side

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Reactions: 7
  • Comments: 14 (8 by maintainers)

Top GitHub Comments

4 reactions
MattIPv4 commented, May 22, 2022

👋 Any update on this issue?

Having to generate a token that can control workers routes across all zones in an account seems like a pretty big security risk to me, and this seems like a pretty major regression over v1?

3 reactions
petebacondarwin commented, May 31, 2022

Latest update…

In Wrangler 1, you had to specify the zone_id and so it was able to hit a zone specific REST endpoint that only updated the routes on that one zone.

The problem is that in Wrangler 2 we avoid you having to write out your zone_id by inferring it from the routes. The REST endpoint that we hit to do this accepts a list of routes and will work out which zones to publish to.

In order to do this the endpoint currently requires that you have permission to access “all zones” before it will even trigger the underlying logic that does the upload. The permission checking is done in a layer before the application logic, which means that it doesn’t necessarily have the same fine-grain understanding. The security layer would need to do the mapping from routes to zones in order to know whether you have permission to run the application logic, which is going to do the same mapping.

We have two proposed options to resolve this:

  1. Increase the sophistication of the security layer to be able to decide whether the request has the right permissions to do the bulk route upload. This should allow Wrangler 2 to continue to work as it does now and your API tokens will just start to work.
  2. Add a new REST endpoint that Wrangler can call to get a mapping of routes to zone_ids. Then it can use these zone_ids to hit the original Wrangler 1 zone based REST endpoint to publish the routes.

Obviously the first option is the preferred one and we should have an idea of whether this is a goer by the end of this week. The second option is much more clunky and would also slow down publishing Workers as we would need to do additional requests.
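
The client-side shape of option 2 above, as an added example that is not Wrangler's or Cloudflare's code: routes are mapped to zones and grouped so that each per-zone publish needs only that zone's Workers Routes:Edit permission, and routes outside the token's zones are reported before any request is sent. The zone list, the placeholder zone IDs and all function names are constructed assumptions; in the proposal the mapping would come from a new REST endpoint rather than a local list.

```javascript
// Constructed sample data: zones the restricted token can see.
// The IDs are placeholders, not real zone identifiers.
const tokenZones = [
  { id: "ZONE_ID_EXAMPLE_COM", name: "example.com" },
  { id: "ZONE_ID_SHOP", name: "shop.example.com" },
];

// Extract the hostname from a route pattern such as
// "https://example.com/*" or "*.example.com/api/*".
function routeHost(pattern) {
  const noScheme = pattern.replace(/^[a-z*]+:\/\//i, "");
  const host = noScheme.split("/")[0].toLowerCase();
  return host.replace(/^\*\.?/, ""); // drop a leading wildcard label
}

// Choose the zone whose name is the longest label-aligned suffix of the
// host, so "notexample.com" never matches the zone "example.com".
function zoneForRoute(pattern, zones) {
  const host = routeHost(pattern);
  let best = null;
  for (const zone of zones) {
    const name = zone.name.toLowerCase();
    const matches = host === name || host.endsWith("." + name);
    if (matches && (!best || name.length > best.name.length)) best = zone;
  }
  return best;
}

// Group routes per zone ID. Routes that map to no zone in the token's
// scope are collected separately so they can be rejected up front
// instead of surfacing later as "Authentication error [code: 10000]".
function planRoutePublish(routes, zones) {
  const byZone = {};
  const outOfScope = [];
  for (const route of routes) {
    const zone = zoneForRoute(route, zones);
    if (!zone) {
      outOfScope.push(route);
      continue;
    }
    if (!byZone[zone.id]) byZone[zone.id] = [];
    byZone[zone.id].push(route);
  }
  return { byZone, outOfScope };
}
```
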
