From 86a09a322f3994bc396b163753d25be6ed5f6410 Mon Sep 17 00:00:00 2001
From: evazion
Date: Mon, 2 Dec 2019 16:45:32 -0600
Subject: [PATCH] cloudflare: use new api token auth scheme.

Use Cloudflare's new API token authentication method to talk to Cloudflare. This lets us use API tokens with minimal privileges set. https://blog.cloudflare.com/api-tokens-general-availability/
---
 app/logical/cloudflare_service.rb | 13 +++++++------
 config/danbooru_default_config.rb | 10 +++++-----
 2 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/app/logical/cloudflare_service.rb b/app/logical/cloudflare_service.rb
index 48dffcc9f..e73552ee8 100644
--- a/app/logical/cloudflare_service.rb
+++ b/app/logical/cloudflare_service.rb
@@ -1,12 +1,12 @@
 # donmai.us specific
 class CloudflareService
- def key
- Danbooru.config.cloudflare_key
+ def enabled?
+ api_token.present? && zone.present?
 end
- def email
- Danbooru.config.cloudflare_email
+ def api_token
+ Danbooru.config.cloudflare_api_token
 end
 def zone
@@ -15,8 +15,7 @@ class CloudflareService
 def options
 Danbooru.config.httparty_options.deep_merge(headers: {
- "X-Auth-Email" => email,
- "X-Auth-Key" => key,
+ "Authorization" => "Bearer #{api_token}",
 "Content-Type" => "application/json",
 "User-Agent" => "#{Danbooru.config.app_name}/#{Rails.application.config.x.git_hash}"
 })
@@ -32,6 +31,8 @@ class CloudflareService
 end
 def delete(md5, ext)
+ return unless enabled?
+
 url = "https://api.cloudflare.com/client/v4/zones/#{zone}/purge_cache"
 files = ["#{md5}.#{ext}", "preview/#{md5}.jpg", "sample/sample-#{md5}.jpg"].map do |name|
 ["danbooru", "safebooru", "raikou1", "raikou2", "raikou3", "raikou4"].map do |subdomain|
diff --git a/config/danbooru_default_config.rb b/config/danbooru_default_config.rb
index b5fa78b14..1ae56e338 100644
--- a/config/danbooru_default_config.rb
+++ b/config/danbooru_default_config.rb
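Review bot: In the `options` hunk (`@@ -15,8 +15,7 @@`), the `Authorization` header is built even when no token is configured, so `"Bearer #{api_token}"` interpolates nil into a bare `Bearer ` value; the new `enabled?` check is applied only in `delete`. The method that sits between `options` and `delete` is not part of this diff, so if it sends requests through `options` it should start with the same `return unless enabled?` guard. Separately, the credential now travels as a bearer header merged into `Danbooru.config.httparty_options`; any request or debug logging configured there (not visible here) should be checked so that headers are not written to logs.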
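Review bot: In the `delete` hunk (`@@ -32,6 +31,8 @@`), `return unless enabled?` turns a blank token or zone into a silent no-op, so after a token rotation or a config typo the old files of a replaced post stay in Cloudflare's cache with nothing recorded to show the purge was skipped. I would leave a trace before returning, for example `Rails.logger.info("Cloudflare purge skipped for #{md5}: api token or zone not configured") unless enabled?`, at whatever level suits installs that do not use Cloudflare at all. The body of `delete` continues past the end of the hunk, so whether the purge response is checked for failure (for instance a token lacking the cache-purge permission) cannot be judged from here.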
@@ -630,16 +630,16 @@ module Danbooru
 "https://#{hostname}"
 end
- # Cloudflare data
- def cloudflare_email
+ # Cloudflare API token. Used to purge URLs from Cloudflare's cache when a
+ # post is replaced. The token must have 'zone.cache_purge' permissions.
+ # https://support.cloudflare.com/hc/en-us/articles/200167836-Managing-API-Tokens-and-Keys
+ def cloudflare_api_token
 end
+ # The Cloudflare zone ID. This is the domain that cached URLs will be purged from.
 def cloudflare_zone
 end
- def cloudflare_key
- end
-
 def recommender_server
 end
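Review bot: The new comment on `cloudflare_zone` calls the value both "the zone ID" and "the domain", but `CloudflareService#delete` interpolates it into `/client/v4/zones/#{zone}/purge_cache`, which takes the zone identifier; an operator who enters a domain name would get failed purges and stale cached files. I would word it as `# The Cloudflare zone ID (the ID shown in the Cloudflare dashboard, not the domain name) of the zone that cached URLs are purged from.` The `cloudflare_api_token` comment could also say that the token should be restricted to that one zone with only the 'zone.cache_purge' permission and kept out of version control, since least privilege is the reason the commit message gives for the switch.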