While exploring the codebase I found two security issues worth discussing:

1. JWT tokens never expire

   `create_token` in `worker.py` encodes no `exp` or `iat` claim.
   `verify_token` never checks expiry. A stolen token is valid forever.

2. Admin page bypasses Basic Auth

   `wrangler.toml` sets `run_worker_first = ["/api/*"]` only.
   Requests to `/admin` are served directly by Cloudflare Assets,
   bypassing the Basic Auth check in `_dispatch` entirely.

Happy to work on fixes for both if the team confirms these are
in scope. Tagging for discussion before writing any code.
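As an added illustration of what a fix for issue 1 looks like (example code, not the project's own `worker.py`): a minimal HS256 `create_token`/`verify_token` pair, assumed here to use a shared secret and a 15-minute lifetime, where verification rejects expired tokens and also legacy tokens that were issued without an `exp` claim.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumptions (illustration only, not the project's worker.py): HS256 with a
# shared secret, and a 15-minute lifetime for every issued token.
SECRET = b"constructed-example-secret"
TOKEN_TTL_SECONDS = 15 * 60

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> str:
    return _b64url(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def create_token(subject: str, now: Optional[int] = None) -> str:
    """Issue a token that carries iat and exp, so it cannot stay valid forever."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + TOKEN_TTL_SECONDS}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    return signing_input + "." + _sign(signing_input)

def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload when signature and lifetime check out, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # pin the algorithm; never trust alg taken from the token
    expected = _b64url_decode(_sign(header_b64 + "." + payload_b64))
    if not hmac.compare_digest(expected, sig):
        return None
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, int) or now >= exp:
        return None  # missing exp is rejected too: that is the legacy-token case
    return payload
```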