Skip to content
/ cloudflare-jwt-verifier Public

Cloudflare worker that verifies incoming requests have a valid JWT (token)

License

MIT license
1 star 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

scoffable/cloudflare-jwt-verifier

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
LICENSE
LICENSE
 
 
README.md
README.md
 
 
jwt-verifier.js
jwt-verifier.js
 
 
package.json
package.json
 
 
serverless.yml
serverless.yml
 
 
webpack.config.js
webpack.config.js
 
 

Repository files navigation

cloudflare-jwt-verifier

Cloudflare worker that verifies incoming requests have a valid JSON Web Token (JWT) before the request is forwarded on to your infrastructure

This use case is in conjunction with the Approov service, although it could be modified to verify any JWT.

Why?

There are a couple of reasons for wanting to do this:

  1. Prevent abuse of your unauthenticated APIs (scraping, malicious activity etc)
  2. DDoS prevention

The Approov service attests that a device is running a legitimate version of your mobile application and hasn't been tampered with:

  1. If the application looks ok, Approov return a token to your mobile application which is then sent over with any request, is validated server side, and the request is processed
  2. If the application doesn't look ok, Approov return a legitimate looking token that will fail the server side validation, and the request won't be processed

This means that only your mobile app can talk to your mobile API.

Setup

Prerequisites

Before you begin, you need to install the Serverless Framework.

Configuration

In serverless.yml:

  1. Insert your Cloudflare Account ID and Zone ID in the provider.config section
  2. Add the URL pattern you want to secure in the functions.jwt-verifier.events.http section

Get Approov Secret from approov admin console

In jwt-verifier.js:

  1. Replace 'SECRET HERE' with your Base64 Encoded Approov Secret (although this could work with any JWT secret). Note to self ... use Cloudflare KV Store to hold this in future ... it didn't work at the time of writing hence the hardcoding

Deployment

Add environment variables:

  1. export ACCOUNT_ID=CLOUDFLARE_ACCOUNT_ID
  2. export CLOUDFLARE_AUTH_EMAIL=EMAIL_ADDRESS_YOU_USE_TO_LOG_INTO_CLOUDFLARE
  3. export CLOUDFLARE_AUTH_KEY=<GET FROM CLOUDFLARE CONSOLE> - Get this in "My Profile" -> "Global API Key" in CF Console

Deploy project to Cloudflare

  • sls deploy

You should now be able to see the worker in the "Workers" tab of the Cloudflare console.

Usage

Clients send over Json Web Tokens in a field called Device-Token (this can be changed in jwt-verifier.js).

The Cloudflare worker ensures the JWT supplied in the Device-Token header is present and valid (using a shared secret).

  • If the JWT is valid, it's passed on using whatever Cloudflare rules you have
  • If the JWT is invalid, a HTTP 403 Forbidden is returned

You can choose to log JWT verification failures, but that typically has to go to another provider as Cloudflare doesn't have worker logging (yet)

About

Cloudflare worker that verifies incoming requests have a valid JWT (token)

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

1 star

Watchers

4 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages