Stupid question, but do I need a wrangler.toml file for a function to be deployed? Build process says it deploys, but then I can’t find it again. Project is an Astro site and the function is saved in /functions/api/submit.js

You do not, no. I'd recommend testing locally with

wrangler pages dev

The function should also be listed in the functions tab on the deploy once deployed

Yeah that unfortunately doesn’t happen. It all works locally, when I explicitly tell wrangle to compile the function, but it doesn’t do it as part of the Astro deployment

I’m guessing I have to add Wrangler to the build process somehow

Figured it out: In Astro.config.mjs, if nothing else is specified, the Cloudflare loads functions in “Advanced mode.” If set explicitly to “Directory mode,” it works.

Aha, glad you figured it out!

Is the wrangler.toml file used for pages functions?

It is not, no

I’m trying to call encrypted environment variables in functions like so: export async function onRequestGet(context) { const variable = context.env.VARIABLE; return new Response (variable); } But it returns undefined. Am I missing something?

That looks fine assuming VARIABLE is set in your prod/preview env. Are you running locally or in prod?

I'm having the same problem as @sjnsnsjxne with secrets. I have a pages project (react) and a function using typescript. It works fine locally using wrangler pages dev build. I can also see the secret keys in the console, but when logging the context, they are not set. console.log(context) has "env": { "ASSETS": {}, "CF_PAGES": "1"..

Locally in dev I set the secrets in

.dev.vars.

and the secrets for prod is set via

wrangler secret put KEY

Pages doesn’t use secrets from wrangler secret put, or wrangler.toml. You will need to configure these in the pages project dashboard, or via the API

Oh, that is a super-confusing difference.

I completely agree - the DX around this all is… extremely unintuitive

Thanks James, do you have a link on how to set secrets for pages functions with an API?

Check out Pages Project -> Update Project at https://developers.cloudflare.com/api/

The dash is generally easier today

The confusing part, is that the worker displays the secret variable, so I honestly thought this was the way. I have used workers before, but first time using functions. Is this the same for mTLS as well?

Everything in Functions needs to be manually configured via dash or api yes. I do not believe Functions has support for mTLS bindings though

Ah :/ Ok. reverting back to workers - Thank you for your answers James, appreciate it. I think some of these differences should be clarified in the documentation, since one can use wrangler to push the project.

Happy to help, sorry Functions don’t work out as the best option for you today. I completely agree - the DX around this all is confusing and unintuitive

It’s all in prod and configured via the web UI. Didn’t want to complicate it with local setup as well. The D1 DB env value returns an object, which is promising, but accessing an encrypted env variable somehow produces undefined. If it looks right, it’s probably something stupid Ive missed… 😄

Looks fine to me - are you certain you've set the var in the right env?

Does anyone have any recommendations . For a library or sample code to do oauth1.0a signing. I have tried a few different things as well as old pre es6 code and I’m not able to get anything to work.

What do you mean by "encrypted"?

In the WebUI you can store an environment variable and optionally encrypt the value of it. Useful for API keys.

Thanks for helping out. I’ll have to get back to it when I have time, but I’m sure there’s an easy fix if the code principle looks ok

Hi, I finally found a decent implementation that meets my goals for oAuth enabled 3p logins on my app. All the oAuth magic happens in functions, my SPA works because of an httpOnly cookie that is implicitly set for all XHR that hit my functions after login/auth. If anyone cares to see or try it in action: Assemble auth url: https://github.com/readysetawesome/timely-tasker/blob/main/functions/greet.ts#L29 Handle callback: https://github.com/readysetawesome/timely-tasker/pull/92/files#diff-8d9eb198439d049f85fac1356029dfffb2fbc2fd51335a8b6620f878db1143aaR14 * Goal: only to establish identity/ownership of data, no google APIs will be authorized via oAuth scopes. For this we can target just the id_token info. * Uses oAuth only, not OIDC, only supports google accounts. * authorization code flow, server->server code exchange results in a crypto-safe unique session ID cookie (generated by my app) that is not visible to JS (i.e. marked 'httpOnly' to bust XSRF) * this cookie comes with all future XHRs to CRUD my app's cloud data, that's how I associate it with end users * the direct server->server call to google over TLS for token exchange means I don't validate the JWT separately, the identity returned is always valid within this context. I don't pass any oAuth tokens to the client ever. I really want this made into kind of a boilerplate integration so I can easily spin up new apps with an "identity" that I can associate with things I want to let my users create. Coming soon... what you see here is a bit brittle due to lack of error handlings. Unexpected challenges: * couldn't use any of google's api libraries, unfriendly to edge computing envs! I pretty much had to roll my own authorization url builder and the code exchange server->server integration.