mirror of
https://github.com/ksyasuda/dotfiles.git
synced 2026-03-20 18:11:27 -07:00
update skills
This commit is contained in:
141
.agents/skills/cloudflare-deploy/references/api-shield/api.md
Normal file
141
.agents/skills/cloudflare-deploy/references/api-shield/api.md
Normal file
@@ -0,0 +1,141 @@
|
||||
# API Reference
|
||||
|
||||
Base: `/zones/{zone_id}/api_gateway`
|
||||
|
||||
## Endpoints
|
||||
|
||||
```bash
|
||||
GET /operations # List
|
||||
GET /operations/{op_id} # Get single
|
||||
POST /operations/item # Create: {endpoint,host,method}
|
||||
POST /operations # Bulk: {operations:[{endpoint,host,method}]}
|
||||
DELETE /operations/{op_id} # Delete
|
||||
DELETE /operations # Bulk delete: {operation_ids:[...]}
|
||||
```
|
||||
|
||||
## Discovery
|
||||
|
||||
```bash
|
||||
GET /discovery/operations # List discovered
|
||||
PATCH /discovery/operations/{op_id} # Update: {state:"saved"|"ignored"}
|
||||
PATCH /discovery/operations # Bulk: {operation_ids:{id:{state}}}
|
||||
GET /discovery # OpenAPI export
|
||||
```
|
||||
|
||||
## Config
|
||||
|
||||
```bash
|
||||
GET /configuration # Get session ID config
|
||||
PUT /configuration # Update: {auth_id_characteristics:[{name,type:"header"|"cookie"}]}
|
||||
```
|
||||
|
||||
## Token Validation
|
||||
|
||||
```bash
|
||||
GET /token_validation # List
|
||||
POST /token_validation # Create: {name,location:{header:"..."},jwks:"..."}
|
||||
POST /jwt_validation_rules # Rule: {name,hostname,token_validation_id,action:"block"}
|
||||
```
|
||||
|
||||
## Workers Integration
|
||||
|
||||
### Access JWT Claims
|
||||
```js
|
||||
export default {
|
||||
async fetch(req, env) {
|
||||
// Access validated JWT payload
|
||||
const jwt = req.cf?.jwt?.payload?.[env.JWT_CONFIG_ID]?.[0];
|
||||
if (jwt) {
|
||||
const userId = jwt.sub;
|
||||
const role = jwt.role;
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
### Access mTLS Info
|
||||
```js
|
||||
export default {
|
||||
async fetch(req, env) {
|
||||
const tls = req.cf?.tlsClientAuth;
|
||||
if (tls?.certVerified === 'SUCCESS') {
|
||||
const fingerprint = tls.certFingerprintSHA256;
|
||||
// Authenticated client
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
### Dynamic JWKS Update
|
||||
```js
|
||||
export default {
|
||||
async scheduled(event, env) {
|
||||
const jwks = await (await fetch('https://auth.example.com/.well-known/jwks.json')).json();
|
||||
await fetch(`https://api.cloudflare.com/client/v4/zones/${env.ZONE_ID}/api_gateway/token_validation/${env.CONFIG_ID}`, {
|
||||
method: 'PATCH',
|
||||
headers: {'Authorization': `Bearer ${env.CF_API_TOKEN}`, 'Content-Type': 'application/json'},
|
||||
body: JSON.stringify({jwks: JSON.stringify(jwks)})
|
||||
});
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
## Firewall Fields
|
||||
|
||||
### Core Fields
|
||||
```js
|
||||
cf.api_gateway.auth_id_present // Session ID present
|
||||
cf.api_gateway.request_violates_schema // Schema violation
|
||||
cf.api_gateway.fallthrough_triggered // No endpoint match
|
||||
cf.tls_client_auth.cert_verified // mTLS cert valid
|
||||
cf.tls_client_auth.cert_fingerprint_sha256
|
||||
```
|
||||
|
||||
### JWT Validation (2026)
|
||||
```js
|
||||
// Modern validation syntax
|
||||
is_jwt_valid(http.request.jwt.payload["{config_id}"][0])
|
||||
|
||||
// Legacy (still supported)
|
||||
cf.api_gateway.jwt_claims_valid
|
||||
|
||||
// Extract claims
|
||||
lookup_json_string(http.request.jwt.payload["{config_id}"][0], "claim_name")
|
||||
```
|
||||
|
||||
### Risk Labels (2026)
|
||||
```js
|
||||
// BOLA detection
|
||||
cf.api_gateway.cf-risk-bola-enumeration // Sequential resource access detected
|
||||
cf.api_gateway.cf-risk-bola-pollution // Parameter pollution detected
|
||||
|
||||
// Authentication posture
|
||||
cf.api_gateway.cf-risk-missing-auth // Endpoint lacks authentication
|
||||
cf.api_gateway.cf-risk-mixed-auth // Inconsistent auth patterns
|
||||
```
|
||||
|
||||
## BOLA Detection
|
||||
|
||||
```bash
|
||||
GET /user_schemas/{schema_id}/bola # Get BOLA config
|
||||
PATCH /user_schemas/{schema_id}/bola # Update: {enabled:true}
|
||||
```
|
||||
|
||||
## Auth Posture
|
||||
|
||||
```bash
|
||||
GET /discovery/authentication_posture # List unprotected endpoints
|
||||
```
|
||||
|
||||
## GraphQL Protection
|
||||
|
||||
```bash
|
||||
GET /settings/graphql_protection # Get limits
|
||||
PUT /settings/graphql_protection # Set: {max_depth,max_size}
|
||||
```
|
||||
|
||||
## See Also
|
||||
|
||||
- [configuration.md](configuration.md) - Setup guides for all features
|
||||
- [patterns.md](patterns.md) - Firewall rules and common patterns
|
||||
- [API Gateway API Docs](https://developers.cloudflare.com/api/resources/api_gateway/)
|
||||
Reference in New Issue
Block a user