Fix Cloudflare token verification (#917)

saeedvaziry · web-flow · commit bb24726c4496 · 2025-11-08T20:46:55.000Z
diff --git a/app/DNSProviders/Cloudflare.php b/app/DNSProviders/Cloudflare.php
@@ -48,13 +48,16 @@ public function credentialData(array $input): array
     public function connect(array $credentials): bool
     {
         try {
+            // Use /zones endpoint to verify token works for both user-scoped and account-scoped tokens
+            // This also verifies the token has Zone:Read permissions which we need
             $response = Http::withHeaders([
                 'Authorization' => 'Bearer '.$credentials['token'],
                 'Content-Type' => 'application/json',
-            ])->baseUrl(self::API_BASE_URL)
-                ->get('user/tokens/verify');
+            ])
+                ->baseUrl(self::API_BASE_URL)
+                ->get('zones', ['per_page' => 1]);
 
-            if ($response->successful() && $response->json('success')) {
+            if ($response->successful() && $response->json('success') !== false) {
                 return true;
             }
 
diff --git a/tests/Unit/DNSProviders/CloudflareTest.php b/tests/Unit/DNSProviders/CloudflareTest.php
@@ -59,12 +59,9 @@ public function test_credential_data(): void
     public function test_connect_success(): void
     {
         Http::fake([
-            'api.cloudflare.com/client/v4/user/tokens/verify' => Http::response([
+            'api.cloudflare.com/client/v4/zones*' => Http::response([
                 'success' => true,
-                'result' => [
-                    'id' => 'test-id',
-                    'status' => 'active',
-                ],
+                'result' => [],
             ], 200),
         ]);
 
@@ -75,7 +72,8 @@ public function test_connect_success(): void
         $this->assertTrue($result);
 
         Http::assertSent(function (Request $request) {
-            return str_contains($request->url(), 'api.cloudflare.com/client/v4/user/tokens/verify')
+            return str_contains($request->url(), 'api.cloudflare.com/client/v4/zones')
+                && str_contains($request->url(), 'per_page=1')
                 && $request->header('Authorization')[0] === 'Bearer test-token-123'
                 && $request->header('Content-Type')[0] === 'application/json';
         });
@@ -84,7 +82,7 @@ public function test_connect_success(): void
     public function test_connect_failure_invalid_response(): void
     {
         Http::fake([
-            'api.cloudflare.com/client/v4/user/tokens/verify' => Http::response([
+            'api.cloudflare.com/client/v4/zones*' => Http::response([
                 'success' => false,
                 'errors' => [
                     ['message' => 'Invalid token'],
@@ -102,7 +100,7 @@ public function test_connect_failure_invalid_response(): void
     public function test_connect_failure_http_error(): void
     {
         Http::fake([
-            'api.cloudflare.com/client/v4/user/tokens/verify' => Http::response([], 401),
+            'api.cloudflare.com/client/v4/zones*' => Http::response([], 401),
         ]);
 
         $credentials = ['token' => 'invalid-token'];
