
Cloudflare Workers

Repo: platform-api-gateway
Location: workers/admin-gateway/, workers/public-gateway/

Two Workers, one per audience domain:

| Worker | External domain | Internal origin |
|---|---|---|
| admin-gateway | api-dev.eigenoid.services | api-admin-internal-dev.eigenoid.services |
| public-gateway | api-dev.eigenoid.com | api-public-internal-dev.eigenoid.services |

Each Worker:

  1. Strips client-injectable headers before forwarding — prevents spoofing of internal headers.
    Stripped: cf-access-jwt-assertion, cf-access-client-id, cf-access-client-secret, x-internal-auth-token, x-forwarded-*, x-real-ip, hop-by-hop headers.

  2. Resolves INTERNAL_AUTH_TOKEN from the CF Secrets Store (eigenoid store, ID e30a2aceebe34a80a10da2cc6bb208c4) via a SecretBinding. This is an async .get() call — not a plain string env var.

  3. Injects X-Internal-Auth-Token header into the proxied request.

  4. Proxies to a fixed origin (ORIGIN_URL var, e.g. https://api-admin-internal-dev.eigenoid.services). Only the path and query come from the client; the upstream host comes from configuration, never from the request, so the Worker cannot be steered to an arbitrary host. Fixed origin = SSRF-safe by construction.

  5. CORS: Access-Control-Allow-Origin is emitted only when the request's Origin header exactly matches the ALLOWED_ORIGIN var.

wrangler.toml pattern for a Worker binding the internal auth token:

```toml
[env.dev.vars]
ALLOWED_ORIGIN = "https://access-dev.eigenoid.services"
ORIGIN_URL = "https://api-admin-internal-dev.eigenoid.services"

[[env.dev.secrets_store_secrets]]
binding = "INTERNAL_AUTH_TOKEN"
store_id = "e30a2aceebe34a80a10da2cc6bb208c4"
secret_name = "gateway-dev-internal-auth-token"
```

Runtime secret access (env.ts):

```typescript
// INTERNAL_AUTH_TOKEN is a SecretsStoreSecret, not a plain string.
// Always call .get() to resolve the value — never read it as a string directly.
export type SecretBinding = string | { get(): Promise<string> };

export async function resolveSecret(binding: SecretBinding): Promise<string> {
  if (typeof binding === "string") return binding;
  return binding.get();
}
```
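The five steps above, wired together with the env.ts helper into one Workers-style fetch handler. This is an added example, not code from the platform-api-gateway repo: the `GatewayEnv` shape, the `handleRequest` name, the injectable `fetchImpl` parameter (so the handler can be exercised offline with a fake upstream), the preflight handling, and the request bodies being buffered with `arrayBuffer()` are all assumptions for illustration. The header list is the page's, plus the RFC 7230 hop-by-hop set spelled out.

```typescript
// Added example (not the repo's own code): a gateway Worker handler that
// strips client-injectable headers, resolves the Secrets Store token,
// injects X-Internal-Auth-Token, proxies to the fixed ORIGIN_URL and
// applies exact-match CORS. Env shape and fetchImpl are assumptions.

export type SecretBinding = string | { get(): Promise<string> };

export interface GatewayEnv {
  ORIGIN_URL: string;                 // fixed internal origin (ORIGIN_URL var)
  ALLOWED_ORIGIN: string;             // exact CORS origin (ALLOWED_ORIGIN var)
  INTERNAL_AUTH_TOKEN: SecretBinding; // Secrets Store binding, async .get()
}

// Step 1: headers a client must never be able to inject. Names are
// compared lowercased; x-forwarded-* is matched by prefix.
const STRIPPED_HEADERS = new Set([
  "cf-access-jwt-assertion", "cf-access-client-id", "cf-access-client-secret",
  "x-internal-auth-token", "x-real-ip",
  // RFC 7230 hop-by-hop headers
  "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
  "te", "trailer", "transfer-encoding", "upgrade",
]);
const STRIPPED_PREFIXES = ["x-forwarded-"];

export function stripClientHeaders(incoming: Headers): Headers {
  const out = new Headers();
  incoming.forEach((value, name) => {
    const lower = name.toLowerCase();
    if (STRIPPED_HEADERS.has(lower)) return;
    if (STRIPPED_PREFIXES.some((p) => lower.startsWith(p))) return;
    out.append(name, value);
  });
  return out;
}

// Step 2: the binding may be a plain string in local dev; in deployed
// environments it is a Secrets Store object and must be awaited.
export async function resolveSecret(binding: SecretBinding): Promise<string> {
  return typeof binding === "string" ? binding : binding.get();
}

// Step 5: exact-match CORS. Returns {} when Origin does not match, so no
// Access-Control-Allow-Origin header is emitted at all for other origins.
export function corsHeaders(requestOrigin: string | null, allowedOrigin: string): Record<string, string> {
  if (requestOrigin === null || requestOrigin !== allowedOrigin) return {};
  return { "Access-Control-Allow-Origin": allowedOrigin, "Vary": "Origin" };
}

export type FetchLike = (req: Request) => Promise<Response>;

export async function handleRequest(
  request: Request,
  env: GatewayEnv,
  fetchImpl: FetchLike = fetch,
): Promise<Response> {
  const cors = corsHeaders(request.headers.get("origin"), env.ALLOWED_ORIGIN);

  // Preflight (assumption: answered at the gateway rather than forwarded).
  if (request.method === "OPTIONS") {
    const allowed = Object.keys(cors).length > 0;
    const headers = allowed
      ? { ...cors, "Access-Control-Allow-Methods": "GET,POST,PUT,DELETE",
          "Access-Control-Allow-Headers": "Content-Type, Authorization" }
      : {};
    return new Response(null, { status: allowed ? 204 : 403, headers });
  }

  // Steps 1 and 3: strip first, then inject; a client-supplied
  // X-Internal-Auth-Token can never survive this ordering.
  const headers = stripClientHeaders(request.headers);
  headers.set("X-Internal-Auth-Token", await resolveSecret(env.INTERNAL_AUTH_TOKEN));

  // Step 4: only path and query are taken from the client URL; the host
  // is always the configured ORIGIN_URL.
  const incoming = new URL(request.url);
  const target = new URL(incoming.pathname + incoming.search, env.ORIGIN_URL);

  const hasBody = request.method !== "GET" && request.method !== "HEAD";
  const upstream = await fetchImpl(new Request(target.toString(), {
    method: request.method,
    headers,
    body: hasBody ? await request.arrayBuffer() : null, // buffered (assumption)
  }));

  // Pass the origin's response through, adding CORS only on an exact match.
  const responseHeaders = new Headers(upstream.headers);
  for (const [k, v] of Object.entries(cors)) responseHeaders.set(k, v);
  return new Response(upstream.body, { status: upstream.status, headers: responseHeaders });
}
```

The order of steps 1 and 3 is the security-relevant detail: stripping runs over the client's headers before the real token is set, so a spoofed `X-Internal-Auth-Token` is discarded rather than merged. Buffering the body with `arrayBuffer()` keeps the example portable to Node for testing; a production Worker would normally stream `request.body` instead.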

Deploy: a push to the dev branch triggers Workers Builds CI; no manual wrangler deploy is needed for normal changes.