Cloudflare Workers Access

Authenticate with Cloudflare Access from within a Cloudflare Worker.

Installation

npm install --save @matthewgall/cfaccess-jwt

Usage

import { CFAccess } from "@matthewgall/cfaccess-jwt";

const AUTHENTICATION_DOMAIN = "matthewgall.cloudflareaccess.com";
const POLICY_AUD = "9607121bab7ceeed691bc06782b5030c7e054a27e3f98467b79f97a5f3708112";

async handleRequest(request) {
    // We are going to enforce Cloudflare Access
    let access = new CFAccess(AUTHENTICATION_DOMAIN, POLICY_AUD)
    access = await access.validate(request)

    if (access['valid']) {
        output = {
            "success": true,
        }
    }
    else {
        output = {
            "success": false,
        } 
    }

    return new Response(JSON.stringify(output, null, 2), {
        status: 403,
        headers: Headers
    })
}

addEventListener("fetch", (event) => {
  event.respondWith(handleRequest(event.request));
});

CFAccess takes two parameters:

1. The team domain, provided when you signed up for Cloudflare Teams: https://developers.cloudflare.com/cloudflare-one/setup#set-up-cloudflare-access

2. Optionally, two further parameters

   • aud: The "Audience Tag" of your Access Policy.
   • tolerance: Number of seconds of leeway for validating exp and nbf claims. Defaults to 0.

When you're ready to check, call the validate() function with either a request object or a JWT string. This will return a Promise and eventually an object:

• Promise.valid will contain the status of the JWT
• Promise.message will contain any reasons for failure to validate