fix: improve token diagnostics and error messages

sshrihar · sshrihar · commit eb9c10bf2625 · 2025-12-08T18:05:23.000+04:00
diff --git a/.github/workflows/test_cloudflare_purge.yml b/.github/workflows/test_cloudflare_purge.yml
@@ -23,10 +23,36 @@ jobs:
           ZONE_ID=$(echo "${{ secrets.CLOUDFLARE_ZONE }}" | tr -d '[:space:]')
           AUTH_TOKEN=$(echo "${{ secrets.CLOUDFLARE_AUTH_KEY }}" | tr -d '[:space:]')
           
+          echo "=== Token Diagnostics ==="
           echo "Zone ID length: ${#ZONE_ID}"
+          echo "Zone ID: ${ZONE_ID:0:8}...${ZONE_ID: -8}"
           echo "Token length: ${#AUTH_TOKEN}"
-          echo "Token preview: ${AUTH_TOKEN:0:10}...${AUTH_TOKEN: -5}"
           
+          # Show token preview more safely
+          if [ ${#AUTH_TOKEN} -ge 15 ]; then
+            TOKEN_START="${AUTH_TOKEN:0:8}"
+            TOKEN_END="${AUTH_TOKEN: -8}"
+            echo "Token preview: ${TOKEN_START}...${TOKEN_END}"
+          else
+            echo "⚠️  WARNING: Token seems too short (${#AUTH_TOKEN} chars). API tokens are typically 40+ characters."
+            echo "Token preview: ${AUTH_TOKEN:0:4}...${AUTH_TOKEN: -4}"
+          fi
+          
+          # Check token type hints
+          if [ ${#AUTH_TOKEN} -lt 45 ]; then
+            echo ""
+            echo "⚠️  Token length suggests it might be:"
+            echo "   - A Global API Key (~37 chars) - requires email + key authentication"
+            echo "   - An incomplete/truncated API Token"
+            echo ""
+            echo "For API Tokens:"
+            echo "   - Should be 40+ characters long"
+            echo "   - Created in: Cloudflare Dashboard → My Profile → API Tokens"
+            echo "   - Needs 'Zone.Cache Purge' permission"
+            echo "   - Used with: Authorization: Bearer <token>"
+          fi
+          
+          echo ""
           echo "Testing token by fetching zone info..."
           VERIFY_RESPONSE=$(curl -s -w "\n%{http_code}" -X GET \
             "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}" \
@@ -41,10 +67,31 @@ jobs:
             echo "❌ Token verification failed!"
             echo "$VERIFY_BODY" | jq '.' || echo "$VERIFY_BODY"
             echo ""
-            echo "Common issues:"
-            echo "1. Token may be invalid or expired"
-            echo "2. Token may not have 'Zone.Read' permission"
-            echo "3. Zone ID may be incorrect"
+            echo "=== Troubleshooting ==="
+            ERROR_CODE=$(echo "$VERIFY_BODY" | jq -r '.errors[0].code' 2>/dev/null || echo "")
+            if [ "$ERROR_CODE" = "9109" ]; then
+              echo "Error 9109: Invalid access token"
+              echo ""
+              echo "This usually means:"
+              echo "1. The token is not a valid API Token"
+              echo "2. The token might be a Global API Key (requires different auth method)"
+              echo "3. The token was incorrectly copied (check for extra spaces/newlines)"
+              echo "4. The token is expired or revoked"
+              echo ""
+              echo "To create a proper API Token:"
+              echo "1. Go to: https://dash.cloudflare.com/profile/api-tokens"
+              echo "2. Click 'Create Token'"
+              echo "3. Use 'Edit zone DNS' template or create custom token with:"
+              echo "   - Zone: Zone Settings:Read"
+              echo "   - Zone: Zone:Read"  
+              echo "   - Zone: Cache Purge:Edit"
+              echo "4. Copy the ENTIRE token (it's long!)"
+            else
+              echo "Common issues:"
+              echo "1. Token may be invalid or expired"
+              echo "2. Token may not have 'Zone.Read' permission"
+              echo "3. Zone ID may be incorrect"
+            fi
             exit 1
           else
             ZONE_NAME=$(echo "$VERIFY_BODY" | jq -r '.result.name' 2>/dev/null || echo "unknown")
