How to deal with certificates?

[bebraw]

I am currently developing small API to get data from GitHub to consume on my website (this will be cached etc.). I have the code at https://github.com/jsterlibs/jster-cf-api .

Since I'm using a GitHub app, it's relying on a pem file for authentication.

Effectively I followed the approach from https://github.com/gr2m/cloudflare-worker-github-app-example and I was able to get this to work by first generating a certificate and then splitting it into three chunks to load through the env.

The question is, do you know a better way of doing this? Does Cloudflare have a better way of dealing with pem files or is this the best that can be done? I wonder if it's something you could build into Denoflare although I expect it's bit of a niche use case.

[johnspurlock-skymethod]

Cloudflare has excellent Web Crypto support, as do the most recents versions of Deno, so you should be able to do this just fine in a worker and in Denoflare. Use importKey to load the pem etc, I've done it in another project of mine called Minipub, feel free to steal the code.

A few things to note:

• The Cloudflare environment variable limit size is now 5kb, so you might not need to split up the value into pieces
• For a private key, you should use a secret worker variable binding, not plain text. ("secret" instead of "value" in denoflare config)
• You should definitely not send the pem contents in the Authorization header! They should never leave the worker. It looks like GH uses the pem to generate a JWT used in the Authorization header.

[bebraw]

Thanks for the great reply! I'll definitely adapt from that.

[bebraw]

It turns out @octokit/auth-app can handle the JWT complexity as long as you pass app id, secret, and pem (needs to be converted to PKCS#8 due to some WebCrypto limitation).

Is there some ground rule when to use secret over value? I wonder if secret would be a good default anyhow unless you want to log something so maybe I default to that for this reason. Maybe there's a bit of overhead as I imagine it's a heavier construct than string but that probably doesn't matter a lot.

[johnspurlock-skymethod]

Secret bindings are available inside the worker, so you could still log them yourself if you wanted.

Mainly they ensure the values will never be visible to tools using the CF api, or in the Cloudflare dashboard

Use secret bindings for auth key info, certainly your private key would qualify here.