janj
Cloudflare Developers
Created by janj on 2/24/2025 in #workers-help
workers and cf access jwt validation
will do, curious why not. but i assume the usage of cf access + cf workers is just a tiny fraction of workers. cf access would have to address more of the need for an external end user authentication vs mostly for internal company employee users
10 replies
Created by janj on 2/24/2025 in #workers-help
workers and cf access jwt validation
sure but that's a completely different usecase, just because other origins need headers is not an argument to force worker users to do the same work again that was just done by cf access a few ms ago. it should be definitely on the roadmap
10 replies
Created by janj on 2/24/2025 in #workers-help
workers and cf access jwt validation
i will at least cache validation results per signature for the lifetime of a worker
10 replies
Created by janj on 2/24/2025 in #workers-help
workers and cf access jwt validation
thanks! this makes me wonder why the access data was not exposed via context argument instead of headers which would make this whole class of vulnerabilities obsolete and reduce implementation effort and latency quite a bit.
10 replies
Created by janj on 2/24/2025 in #workers-help
workers and cf access jwt validation
also i have trouble finding the attack vector. even if a route is misconfigured, cloudflare removes external cf-jwt assertion headers coming in from outside orange cloud for exactly this reason AFAIK
10 replies
Created by janj on 2/24/2025 in #workers-help
workers and cf access jwt validation
in addition, if jwts should be validated, why is cloudflare exposing Cf-Access-Authenticated-User-Email to be used directly? this would communicate to me as developer that i can trust this information
10 replies
Created by janj on 2/24/2025 in #workers-help
workers and cf access jwt validation
thanks for the answer! just to play devil's advocate to see if i am understanding the situation: if i cannot trust my entrypoint functions to be configured correctly why would that not apply to any other function in my workers setup? if you take this to the conclusion i would have to assume any worker function is misconfigured and reachable from the internet and thus i'd have to sign any function argument in any worker.
10 replies
Created by jack on 2/10/2024 in #workerd-runtime
At this stage - not looking for anything
this is an example for using sveltekit with adapter cloudflare pages to run in workerd https://gist.github.com/lucidNTR/64f316e6ddb147c5fb17cdcc8b46f537
1 reply