crossmate

A collaborative crossword app for iOS

commit 115fa633ce404189fe70c3034ddf57d731d28eab
parent e61aa56e05f2da8cb3af1665a7834e78c8783afe
Author: Michael Camilleri <[email protected]>
Date:   Fri, 12 Jun 2026 07:55:17 +0900

Remove bearer token support from Cloudflare Worker

Diffstat:
MWorkers/push-worker.js | 23++++-------------------
MWorkers/wrangler.push.toml | 1-
2 files changed, 4 insertions(+), 20 deletions(-)

diff --git a/Workers/push-worker.js b/Workers/push-worker.js
@@ -45,26 +45,11 @@ export class PushRegistry {
 }
 async authenticate(request, bodyText) {
- let appAttest;
 try {
- appAttest = await this.authenticateAppAttest(request, bodyText);
+ return await this.authenticateAppAttest(request, bodyText);
 } catch (error) {
- appAttest = { ok: false, status: 401, message: `Bad App Attest auth: ${error.message}` };
+ return { ok: false, status: 401, message: `Bad App Attest auth: ${error.message}` };
 }
- if (appAttest.ok) return appAttest;
- if (appAttest.status !== 401 || this.env.ALLOW_LEGACY_PUSH_BEARER !== "1") {
- return appAttest;
- }
-
- const header = request.headers.get("Authorization") || "";
- const expected = `Bearer ${this.env.PUSH_BEARER || ""}`;
- if (!this.env.PUSH_BEARER) {
- return { ok: false, status: 500, message: "Worker missing PUSH_BEARER" };
- }
- if (!timingSafeEqual(header, expected)) {
- return { ok: false, status: 401, message: "Bad bearer" };
- }
- return { ok: true, deviceID: "legacy-bearer" };
 }
 async authenticateAppAttest(request, bodyText) {
@@ -344,7 +329,7 @@ export class PushRegistry {
 if (!deviceID || !token || !Array.isArray(addresses)) {
 return badRequest("deviceID, token, addresses required");
 }
- if (auth.deviceID !== "legacy-bearer" && auth.deviceID !== deviceID) {
+ if (auth.deviceID !== deviceID) {
 return new Response("Authenticated device mismatch", { status: 403 });
 }
 if (environment !== "sandbox" && environment !== "production") {
@@ -371,7 +356,7 @@ export class PushRegistry {
 if (!deviceID || !Array.isArray(addresses)) {
 return badRequest("deviceID and addresses required");
 }
- if (auth.deviceID !== "legacy-bearer" && auth.deviceID !== deviceID) {
+ if (auth.deviceID !== deviceID) {
 return new Response("Authenticated device mismatch", { status: 403 });
 }
 for (const address of addresses) {
diff --git a/Workers/wrangler.push.toml b/Workers/wrangler.push.toml
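Review bot: The catch in `authenticate` turns every exception from `authenticateAppAttest` into a 401 and echoes `error.message` to a caller that has not authenticated yet. That method's body is outside the hunk, so which errors it throws is not visible here, but a configuration fault (for example a missing `APP_ATTEST_ROOT_CERT_PEM`) would presumably surface as an auth failure with internal detail in the response. I would log the error server-side and return a fixed message: `console.error("App Attest auth failed:", error);` followed by `return { ok: false, status: 401, message: "Bad App Attest auth" };`. With the bearer branch gone, `timingSafeEqual` may now be unused in this file, and the `PUSH_BEARER` secret is presumably still set on the deployed Worker; both are worth removing.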
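Review bot: The `auth.deviceID !== deviceID` check is repeated verbatim in this hunk and in the next one (`@@ -371,7 +356,7`), and neither copy says why it exists. A one-line comment such as `// Body deviceID must equal the App Attest-authenticated device.` would record the intent now that no caller is exempt from it. A small shared helper would also keep the two copies from drifting apart. Both enclosing handlers start and end outside the hunks, so whether other routes need the same check cannot be judged from here.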
@@ -10,7 +10,6 @@ APP_TEAM_ID = "7TD7PZBNXP"
 APP_BUNDLE_ID = "net.inqk.crossmate"
 APP_ATTEST_ENVIRONMENT = "production"
 # Set APP_ATTEST_ROOT_CERT_PEM as a Worker secret or dashboard variable.
-# Set ALLOW_LEGACY_PUSH_BEARER = "1" only for a temporary rollback window.
 [[durable_objects.bindings]]
 name = "PUSH_REGISTRY"