Overview
- Edge-first authentication using Cloudflare Access for admin routes
- Token-based access for calendar feeds and voting
- Magic-link verification for calendar subscriptions
- Rate limiting and bot protection at strategic endpoints
Auth Boundaries (by Service)
Landing
- Analytics and dataset APIs under `/api/stats` and `/api/csv-*`
- Protection typically handled at the edge (Cloudflare Access)
Sources: ihnyc-rc-landing/functions/api/stats.ts, ihnyc-rc-landing/functions/api/csv-upload.ts, ihnyc-rc-landing/README.md
Calendar
- Programs flow uses magic-link verification and token-gated ICS
- Internal feed proxies to n8n
- Admin endpoints under `/api/admin/*`
Sources: ihnyc-rc-cal-landing/functions/api/subs/new.ts, ihnyc-rc-cal-landing/functions/api/subs/verify.ts, ihnyc-rc-cal-landing/functions/cal/programs.ics.ts, ihnyc-rc-cal-landing/functions/cal/internal.ics.ts, ihnyc-rc-cal-landing/functions/api/admin/stats.ts
Gallery
- Admin routes under `/admin` and `/api/admin`
- README recommends Cloudflare Access at the edge
Sources: ihnyc-rc-gallery/src/index.ts, ihnyc-rc-gallery/README.md
Vote
- Admin routes require Cloudflare Access headers or `ADMIN_API_KEY`
- Local dev bypass available
Sources: ihnyc-rc-vote/src/middleware/auth.ts
Token and Magic-Link Patterns
Calendar Programs Flow
- User submits verify request
- Token minted after verification
- `/cal/programs.ics` requires token
- Token hashes stored in D1
Sources: ihnyc-rc-cal-landing/functions/api/subs/verify.ts, ihnyc-rc-cal-landing/functions/cal/programs.ics.ts, ihnyc-rc-cal-landing/schema.sql
Vote Flow
- Vote submissions validate tokens via TokenManager Durable Object
- Ballots stored after validation
Sources: ihnyc-rc-vote/src/routes/vote.ts, ihnyc-rc-vote/wrangler.jsonc
Rate Limiting and Bot Protection
| Service | Protection | Implementation |
|---|---|---|
| Calendar | Turnstile verification | Used in programs subscription flow when TURNSTILE_SECRET is set |
| Vote | IP-based rate limiting | Applied to vote submissions |
Sources: ihnyc-rc-cal-landing/functions/api/subs/new.ts, ihnyc-rc-cal-landing/functions/api/turnstile-site-key.ts, ihnyc-rc-vote/src/middleware/rate-limit.ts, ihnyc-rc-vote/src/routes/vote.ts
Secrets Handling
| Service | Storage Method | Notes |
|---|---|---|
| Vote | .dev.vars (local), Wrangler secrets (production) | See .dev.vars.example |
| Calendar | wrangler.toml vars, Pages Secrets (production) | Recommended for prod |
| Gallery | PUBLIC_MEDIA_BASE_URL, RC_LOGO_URL via wrangler.toml | Public vars |
| Landing | Env vars for GitHub and analytics-store | Read in functions |
Sources: ihnyc-rc-vote/.dev.vars.example, ihnyc-rc-vote/README.md, ihnyc-rc-cal-landing/wrangler.toml, ihnyc-rc-cal-landing/README.md, ihnyc-rc-gallery/wrangler.toml, ihnyc-rc-landing/functions/api/changelog.ts, ihnyc-rc-landing/functions/api/publish.ts
Auth Flow Example (Calendar Programs)
Complete calendar subscription flow with magic-link verification
```mermaid
sequenceDiagram
    participant U as USER: Resident
    participant S as SVC: ihnyc-rc-cal-landing
    participant EXT_T as EXT: Cloudflare Turnstile
    participant EXT_R as EXT: Resend
    participant STORE_D1 as STORE: D1
    participant STORE_R2 as STORE: R2
    participant C as USER: Calendar Client
    U->>S: submit form + Turnstile
    S->>EXT_T: verify bot check
    S->>STORE_D1: write request
    S->>EXT_R: send magic link
    U->>S: click link
    S->>STORE_D1: mint token
    C->>S: fetch ICS + token
    S->>STORE_R2: read ICS
    S-->>C: return ICS
```
Sources: ihnyc-rc-cal-landing/functions/api/subs/new.ts, ihnyc-rc-cal-landing/functions/api/subs/verify.ts, ihnyc-rc-cal-landing/functions/cal/programs.ics.ts, ihnyc-rc-cal-landing/schema.sql
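The verify, mint and token-check steps of this flow, as an added TypeScript example (not code from the ihnyc-rc-cal-landing repository). The in-memory maps standing in for D1, the `token` query parameter, the 15-minute link lifetime and all function names are assumptions; `node:crypto` is used so the example runs offline.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Constructed stand-ins for D1 tables; names and columns are assumptions, not the project's schema.
type PendingRequest = { email: string; expiresAt: number; used: boolean };
const pendingByLinkHash = new Map<string, PendingRequest>();
const feedTokenHashes = new Map<string, { email: string; revoked: boolean }>();

const sha256 = (value: string): string => createHash("sha256").update(value).digest("hex");
const newSecret = (): string => randomBytes(32).toString("hex");

// Step 1: after the bot check passes, record the request and return the secret to e-mail.
function createMagicLink(email: string, now: number, ttlMs = 15 * 60 * 1000): string {
  const linkSecret = newSecret();
  pendingByLinkHash.set(sha256(linkSecret), { email, expiresAt: now + ttlMs, used: false });
  return linkSecret;
}

// Step 2: the link is single-use and expiring; only a valid click mints a feed token.
function verifyAndMint(linkSecret: string, now: number): string | null {
  const pending = pendingByLinkHash.get(sha256(linkSecret));
  if (!pending || pending.used || now > pending.expiresAt) return null;
  pending.used = true;
  const feedToken = newSecret();
  // Only the hash is persisted, so a database read does not yield usable tokens.
  feedTokenHashes.set(sha256(feedToken), { email: pending.email, revoked: false });
  return feedToken;
}

// Step 3: the ICS route hashes the presented token and looks the hash up.
function authorizeFeedRequest(url: string): 200 | 401 | 403 {
  const token = new URL(url).searchParams.get("token");
  if (!token) return 401; // no credential presented
  const row = feedTokenHashes.get(sha256(token));
  return row && !row.revoked ? 200 : 403; // unknown or revoked token
}
```

Because the lookup key is the hash itself, no secret-dependent string comparison happens in application code.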
Open Questions
Production Configuration
- Which landing and gallery routes are protected by Cloudflare Access in production?
- Are `/admin*` and `/subscribe-internal*` protected for the calendar service?
Sources: ihnyc-rc-landing/README.md, ihnyc-rc-gallery/README.md, ihnyc-rc-cal-landing/README.md