Cloudflare Worker verify access token

Hi everyone,

I am using Auth0 for the first time. I am developing the front end with Blazor, and for the APIs, I am using Cloudflare Workers with JavaScript.

I was able to configure RBAC on the front end. However, I can’t make it work on the API.

I am getting the access token from the front end, but every library that I tried to use to verify the token didn’t work.

Sorry if it’s very easy, but every tutorial and documentation that I saw was using JavaScript Express.

This is the code that I have:

index.ts

import { handleOptions } from './handlerOptions';
import { handleRequest } from './handler';

const PROXY_ENDPOINT = '/api/something/';

addEventListener('fetch', (event) => {
  const request = event.request;
  const url = new URL(request.url);
  const path = url.pathname.replace(/[/]$/, '');
  if (request.method === 'OPTIONS') {
    // CORS preflight and plain OPTIONS requests
    event.respondWith(handleOptions(request));
  } else if (request.method === 'GET' || request.method === 'PATCH' || request.method === 'POST' || request.method === 'DELETE') {
    // Methods the API implements; the token is checked inside handleRequest
    event.respondWith(handleRequest(request));
  } else {
    event.respondWith(
      new Response(null, {
        status: 405,
        statusText: 'Method Not Allowed',
      })
    );
  }
});

handlerOptions.ts

export async function handleOptions(request: Request): Promise<Response> {
    let headers = request.headers;
    if (
        headers.get('Origin') !== null &&
        headers.get('Access-Control-Request-Method') !== null &&
        headers.get('Access-Control-Request-Headers') !== null
    ) {
        return new Response(null, {
            headers: {
                'Access-Control-Allow-Origin': '*',
                'Access-Control-Allow-Methods': 'GET, POST, PATCH, DELETE, OPTIONS',
                'Access-Control-Max-Age': '86400',
                'Access-Control-Allow-Headers': request.headers.get('Access-Control-Request-Headers') ?? "",
            },
        });
    } else {
        // Handle standard OPTIONS request.
        // If you want to allow other HTTP Methods, you can do that here.
        return new Response(null, {
            headers: {
                Allow: 'GET, POST, PATCH, DELETE, OPTIONS',
            },
        });
    }
}

handler.ts

export async function handleRequest(request: Request): Promise<Response> {
  const url = new URL(request.url);
  const method = request.method;

  const token = request.headers.get('authorization');
  if (!token) return new Response('Unauthorized', { status: 401 })


  // Verify the access token and get the user permissions to validate 
  // if the user can make the action

  const collection = "collection";

  try{
    if(method === "PATCH"){
      // Do something
    }
    if(method === "POST"){
      // Do something
    }
    if(method === "DELETE"){
      // Do something
    }
    if(method === "GET"){
      // Do something
    }
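    return new Response('Not Allowed', { status: 405 });

  } catch (error) {
    // `error` is `unknown` in strict TypeScript, so narrow it before reading `.message`.
    const message = error instanceof Error ? error.message : String(error);
    return new Response(message, { status: 500 });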
  }
}

Hi @MeloHenrique,

I would recommend using this library to validate tokens:

This section of the readme has plenty of code snippets for different scenarios:

Let me know if you have specific questions.

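An added example, not part of the original posts and not the code of the library recommended above: one way to do the check marked by the comment in handler.ts using only the Web Crypto API that Workers provide, verifying an RS256 access token and then requiring a value in its `permissions` claim. Assumptions: the function and type names are hypothetical, the signing keys are passed in as the `keys` array of the tenant's JWKS (served by Auth0 at https://YOUR_TENANT/.well-known/jwks.json, placeholder domain), and the API has "Add Permissions in the Access Token" enabled so the token carries a `permissions` array.

```typescript
// Added example; names are hypothetical. Uses only Web Crypto, no npm packages.
type Jwk = { kid?: string; kty?: string; n?: string; e?: string; alg?: string };
type Claims = { iss?: string; aud?: string | string[]; exp?: number; permissions?: string[] };
type Expected = { issuer: string; audience: string; permission: string };

// JWT segments are unpadded base64url; map to the base64 alphabet before atob().
function b64urlDecode(s: string) {
  const bin = atob(s.replace(/-/g, '+').replace(/_/g, '/'));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

function parseSegment(s: string): Record<string, unknown> {
  return JSON.parse(new TextDecoder().decode(b64urlDecode(s)));
}

// Resolves to the claims, or throws with the reason the token was rejected.
async function verifyAccessToken(
  authorization: string | null, keys: Jwk[], want: Expected,
  now: number = Math.floor(Date.now() / 1000),
): Promise<Claims> {
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(authorization ?? '');
  if (!m) throw new Error('malformed Authorization header');
  const [, head, payload, sig] = m;
  const { alg, kid } = parseSegment(head);
  // Pin the algorithm: the token must not choose "none" or an HMAC variant.
  if (alg !== 'RS256') throw new Error('unexpected alg');
  const jwk = keys.find((k) => k.kid === kid && k.kty === 'RSA');
  if (!jwk) throw new Error('unknown kid');
  const rsa = { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' };
  const key = await crypto.subtle.importKey('jwk', jwk, rsa, false, ['verify']);
  const signed = new TextEncoder().encode(`${head}.${payload}`);
  if (!(await crypto.subtle.verify(rsa.name, key, b64urlDecode(sig), signed))) {
    throw new Error('bad signature');
  }
  // Only after the signature checks out are the claims trusted.
  const c = parseSegment(payload) as Claims;
  if (c.iss !== want.issuer) throw new Error('wrong issuer');
  const aud = Array.isArray(c.aud) ? c.aud : [c.aud];
  if (!aud.includes(want.audience)) throw new Error('wrong audience');
  if (typeof c.exp !== 'number' || c.exp <= now) throw new Error('expired');
  if (!Array.isArray(c.permissions) || !c.permissions.includes(want.permission)) {
    throw new Error('missing permission');
  }
  return c;
}
```

In handleRequest, a rejection would map to a 401 response, or to 403 when the only failure is the missing permission.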