Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

API tokens do not work in config/default.toml #526

Closed
Electroid opened this issue Feb 24, 2022 · 4 comments · Fixed by #645 or #562
Closed

API tokens do not work in config/default.toml #526

Electroid opened this issue Feb 24, 2022 · 4 comments · Fixed by #645 or #562
Assignees
@petebacondarwin

Comments

@Electroid
Copy link
Contributor

When an API token (not OAuth token) is added to ~/.wrangler/config/default.toml, it is rejected and the user is prompted to login. We should accept the API token.
@Electroid Electroid added the bug label Feb 24, 2022
@Electroid Electroid added this to the 2.0 milestone Feb 24, 2022
@Electroid Electroid moved this to Must-have in workers-sdk Feb 24, 2022
@threepointone
Copy link
Contributor

This was a conscious decision iirc, since API tokens can be compromised and have a much longer life. You can use CF_API_TOKEN=token wrangler ... to use api tokens, ofc. Want to revisit this decision?

@petebacondarwin petebacondarwin self-assigned this Mar 7, 2022
@petebacondarwin
Copy link
Contributor

petebacondarwin commented Mar 14, 2022
edited
Loading

From looking at the logic in the code, this should already work.

The way to do it is to set the oauth_token to be the API token but then also to provide a long expiration_time such as "3021-12-31T23:59:59+00:00", which is basically all we are doing when we get the API token from the CLOUDFLARE_API_TOKEN environment variable.

For example:

oauth_token = "<API TOKEN>"
expiration_time = "3021-12-31T23:59:59+00:00"

@petebacondarwin
Copy link
Contributor

But as @threepointone said, we don't really want to encourage people to edit the ~/.wrangler/config/default.toml file, since that is internal...

@petebacondarwin
Copy link
Contributor

petebacondarwin commented Mar 14, 2022
edited
Loading

So we are going to implement wrangler login --api-token=<API_TOKEN> which will authenticate them in this way without having to touch that file.

Scratch that. After further discussions, for 2.0 we are not going to implement support for "logging in" via an API token.
The CLOUDFLARE_API_TOKEN environment variable is going to be the only way to use such a token for authentication.
This is the recommended approach for CI environments.

We are discussing with the wider Workers/IAM teams at Cloudflare as to whether we can make the OAuth login more fine grained to control what accounts/roles a particular user login is granted. But this will not be available for Wrangler 2.0 release.

The immediate change to be implemented is to give a better error message when a user has used Wrangler 1's config command to store an API token, instead of logging in via OAuth, and then tries to use the same configuration to authenticate in Wrangler 2.

@petebacondarwin petebacondarwin moved this from Must-have to In Progress in workers-sdk Mar 14, 2022
petebacondarwin added a commit to petebacondarwin/wrangler2 that referenced this issue Mar 19, 2022
@petebacondarwin
fix: improve authentication logging and warnings
22f6e40 
- If a user has previously logged in via Wrangler 1 with an API token, we now display a helpful warning.
- When logging in and out, we no longer display the path to the internal user auh config file.
- When logging in, we now display an initial message to indicate the authentication flow is starting.

Fixes [cloudflare#526](cloudflare#526)
@petebacondarwin petebacondarwin mentioned this issue Mar 19, 2022
Merged
@petebacondarwin petebacondarwin moved this from In Progress to In Review in workers-sdk Mar 19, 2022
petebacondarwin added a commit to petebacondarwin/wrangler2 that referenced this issue Mar 19, 2022
@petebacondarwin
fix: improve authentication logging and warnings
0708070 
- If a user has previously logged in via Wrangler 1 with an API token, we now display a helpful warning.
- When logging in and out, we no longer display the path to the internal user auh config file.
- When logging in, we now display an initial message to indicate the authentication flow is starting.

Fixes [cloudflare#526](cloudflare#526)
petebacondarwin added a commit to petebacondarwin/wrangler2 that referenced this issue Mar 19, 2022
@petebacondarwin
fix: improve authentication logging and warnings
26a709b 
- If a user has previously logged in via Wrangler 1 with an API token, we now display a helpful warning.
- When logging in and out, we no longer display the path to the internal user auh config file.
- When logging in, we now display an initial message to indicate the authentication flow is starting.

Fixes [cloudflare#526](cloudflare#526)
petebacondarwin added a commit that referenced this issue Mar 19, 2022
@petebacondarwin
fix: improve authentication logging and warnings
61aea30 
- If a user has previously logged in via Wrangler 1 with an API token, we now display a helpful warning.
- When logging in and out, we no longer display the path to the internal user auh config file.
- When logging in, we now display an initial message to indicate the authentication flow is starting.

Fixes [#526](#526)
Repository owner moved this from In Review to Done in workers-sdk Mar 19, 2022
@github-actions github-actions bot mentioned this issue Mar 19, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@petebacondarwin petebacondarwin

Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@petebacondarwin @threepointone @Electroid