Netlify-cms-oauth-cloudflare-worker

This repo mimics the netlify github oauth client using Cloudflare Workers to enable github logins to netlify-cms sites.

The code was drived from the plethora of other implementations in other languages: Netlify-CMS External OAuth Clients.

Create Oauth App

Information is available on the Github Developer Documentation, Fill out the fields however you like, except for authorization callback URL. This is where Github or Gitlab will send your callback after a user has authenticated, and should be https://netlify-cms-oauth-cloudflare-worker.[subdomain].workers.dev/callback for use with this repo.

Install Locally

1) Pre-Requisites

• git
• wrangler

2) Clone Repo Locally

git clone https://github.com/zmcandee/netlify-cms-oauth-cloudflare-worker
cd netlify-cms-oauth-cloudflare-worker

3) Config

• Set account_id in wrangler.toml
• Set CF_API_TOKEN in github secrets
• Set subdomain in Cloudflare using wrangler CLI:

wrangler subdomain [SUBDOMAIN]

• Set Cloudflare secrets in Cloudflare using wrangler CLI:

wrangler secret put [VAR]

4) Publish

Publish to Cloudflare from wrangler CLI:

wrangler publish

Install Remotely

1) Fork Repo

2) Set Secrets

• Set [secrets](#Cloudflare Secrets) in github secrets
• Add secrets to .github/workflows/deploy.yml:

jobs:
  deploy:
    steps:
      uses: cloudflare/[email protected]
      with:
        apiToken: ${{ secrets.CF_API_TOKEN }}
        secrets: |
            GH_CLIENT_ID
            GH_CLIENT_SECRET
            GH_SCOPE
            STATE_SECRET
            EXTRA_WRITABLE_JSON
            GH_REPO
      env:
        GH_CLIENT_ID: ${{ secrets.GH_CLIENT_ID }}
        GH_CLIENT_SECRET: ${{ secrets.GH_CLIENT_SECRET }}
        GH_SCOPE: ${{ secrets.GH_SCOPE }}
        STATE_SECRET: ${{ secrets.STATE_SECRET }}
        EXTRA_WRITABLE_JSON: ${{ secrets.EXTRA_WRITABLE_JSON }}
        GH_REPO: ${{ secrets.GH_REPO }}

• Setup subdomain at Cloudflare Workers

3) Publish Worker

• Run the deploy workflow from github to deploy to Cloudflare

Cloudflare Secrets

VAR	Description	Value (Example)
GH_CLIENT_ID	Github OAuth app client ID.	dabbaabbadeadbeef
GH_CLIENT_SECRET	Github OAuth app client Secret.	decafc0ffeebeeffeed
GH_SCOPE	Github client authorization scope.	public_repo,read:user
STATE_SECRET	[Optional]Random secret string used for hashing the state passed during authorization.	superrandomlongstringforsecretstate
EXTRA_WRITABLE_JSON	[Optional]Extra JSON to pass along when GH_REPO is writable by the user.	{"S3_TOKEN":"abbadabbadabbad00d00"}
GH_REPO	[Optional]Repo to verify writability of before passing EXTRA_WRITABLE_JSON	[user]/[repo]