cloudflare: use new api token auth scheme.

Use Cloudflare's new API token authentication method to talk to
Cloudflare. This lets us use API tokens with minimal privileges set.

https://blog.cloudflare.com/api-tokens-general-availability/

app/logical/cloudflare_service.rb

@@ -1,12 +1,12 @@
 # donmai.us specific
 
 class CloudflareService
-  def key
+  def enabled?
-    Danbooru.config.cloudflare_key
+    api_token.present? && zone.present?
   end
 
-  def email
+  def api_token
-    Danbooru.config.cloudflare_email
+    Danbooru.config.cloudflare_api_token
   end
 
   def zone
@@ -15,8 +15,7 @@ class CloudflareService
 
   def options
     Danbooru.config.httparty_options.deep_merge(headers: {
-      "X-Auth-Email" => email,
+      "Authorization" => "Bearer #{api_token}",
-      "X-Auth-Key" => key,
       "Content-Type" => "application/json",
       "User-Agent" => "#{Danbooru.config.app_name}/#{Rails.application.config.x.git_hash}"
     })
@@ -32,6 +31,8 @@ class CloudflareService
   end
 
   def delete(md5, ext)
+    return unless enabled?
+
     url = "https://api.cloudflare.com/client/v4/zones/#{zone}/purge_cache"
     files = ["#{md5}.#{ext}", "preview/#{md5}.jpg", "sample/sample-#{md5}.jpg"].map do |name|
       ["danbooru", "safebooru", "raikou1", "raikou2", "raikou3", "raikou4"].map do |subdomain|

config/danbooru_default_config.rb

@@ -630,16 +630,16 @@ module Danbooru
       "https://#{hostname}"
     end
 
-    # Cloudflare data
+    # Cloudflare API token. Used to purge URLs from Cloudflare's cache when a
-    def cloudflare_email
+    # post is replaced. The token must have 'zone.cache_purge' permissions.
+    # https://support.cloudflare.com/hc/en-us/articles/200167836-Managing-API-Tokens-and-Keys
+    def cloudflare_api_token
     end
 
+    # The Cloudflare zone ID. This is the domain that cached URLs will be purged from.
     def cloudflare_zone
     end
 
-    def cloudflare_key
-    end
-
     def recommender_server
     end