# workers-discussions
  • r

    redux1997

    05/08/2023, 12:52 PM
    On Miniflare this is working but not on Workers
  • r

    redux1997

    05/08/2023, 12:55 PM
    export default {
      async fetch(request, env, ctx) {
        // Fetch from origin server.
        let response = await fetch(request);

        // Create an identity TransformStream (a.k.a. a pipe).
        // The readable side will become our new response body.
        let { readable, writable } = new TransformStream();

        // Start pumping the body. NOTE: No await!
        response.body.pipeTo(writable);

        // ... and deliver our Response while that’s running.
        return new Response(readable, response);
      }
    }
  • r

    redux1997

    05/08/2023, 12:59 PM
    This code works fine, but if instead of the response.body readable I have a custom Readable then it's not working
  • a

    AlHill

    05/08/2023, 3:50 PM
    I'm trying to send a multipart/form-data to a worker and it's working fine... but the field which has a blob doesn't appear.
  • a

    AlHill

    05/08/2023, 3:51 PM
    The compatibility date of the worker is recent and I have checked the blob is there before sending it
  • d

    dave

    05/08/2023, 4:20 PM
    IMO it's well worth paying for a domain. https://discord.com/channels/595317990191398933/812577823599755274/1011267655132524544
  • d

    dave

    05/08/2023, 4:41 PM
    https://discord.com/channels/595317990191398933/909458221419356210/1070550453198262332
  • e

    Erisa | Support Engineer

    05/08/2023, 4:48 PM
    or #1104040620948992090
  • d

    dave

    05/08/2023, 5:06 PM
    Any tips on how I can avoid timing attacks when I'm accessing a remote DB from a Worker, and returning the result to the user?
  • k

    kian

    05/08/2023, 5:21 PM
    Depends what the timing attack is
  • k

    kian

    05/08/2023, 5:21 PM
    Are they providing an authentication token that you're checking?
  • d

    dave

    05/08/2023, 6:00 PM
    yep. I'm doing:
    1. Generating a JWT to log in to supabase in my Worker
    2. Doing an SQL query to see if they have an API key, and using that key for a HMAC check.
    The issue is I'm worried the SQL query will return faster if there's no real user.
  • j

    Jeff Wu | Notional

    05/08/2023, 6:22 PM
    i'm having problems with this error:
    RESPONSE: {
      "result": null,
      "success": false,
      "errors": [
        {
          "code": 10021,
          "message": "Error: Script startup exceeded CPU time limit.\n"
        }
      ],
      "messages": []
    }
  • j

    Jeff Wu | Notional

    05/08/2023, 6:23 PM
    i've narrowed it down to one of my dependencies but i'm not sure how i can get the startup time down
  • j

    Jeff Wu | Notional

    05/08/2023, 6:24 PM
    i believe it is this dependency: https://github.com/graphprotocol/graph-client/tree/main
  • j

    Jeff Wu | Notional

    05/08/2023, 6:24 PM
    it uses this graphql-mesh thing inside: https://the-guild.dev/graphql/mesh/docs/handlers/graphql#config-api-reference
  • j

    Jeff Wu | Notional

    05/08/2023, 6:25 PM
    does anyone have tips on how to profile or analyze what is causing a slow startup time?
  • s

    sathoro

    05/08/2023, 7:19 PM
    what exactly are you HMAC checking?
  • j

    Jeff Wu | Notional

    05/08/2023, 7:24 PM
    ok i resolved this using
    await import(...)
    inside a function, maybe that will help someone else
  • d

    dave

    05/08/2023, 7:37 PM
    still thinking everything through on how to handle API keys.. but the issue is that the timing attack shows up before I even do the check.
  • s

    sathoro

    05/08/2023, 7:38 PM
    hmm I don't really understand the problem
  • d

    dave

    05/08/2023, 7:40 PM
    so you use our API by providing
    sathoro@testing.email.ai.moda
    as your AWS access ID, and
    randomvaluethatweprovidedyouawhileago
    as your AWS secret key. If an attacker gives
    sathoro@testing.email.ai.moda
    but with an invalid AWS secret key, they would still know that you're a customer of ours.
  • s

    sathoro

    05/08/2023, 7:41 PM
    can't they check that by just trying to register an account with you?
  • d

    dave

    05/08/2023, 7:42 PM
    nope! We instantly return as soon as you register
  • s

    sathoro

    05/08/2023, 7:42 PM
    but what happens if I have an account and somebody else tries to register
    sathoro@testing.email.ai.moda
    ?
  • d

    dave

    05/08/2023, 7:42 PM
    nothing 🙂
  • s

    sathoro

    05/08/2023, 7:43 PM
    what do you do if there is no account?
  • d

    dave

    05/08/2023, 7:43 PM
    we create the account.
  • d

    dave

    05/08/2023, 7:44 PM
    typescript
    export const registerEndpoint: Handler<
      AuthApiContext,
      string,
      { out: { json: SendOtpType } }
    > = (c) => {
      const { email: input_email } = c.req.valid('json');
      const decoded_email = decodeURIComponent(input_email);
      console.debug(`decoded_email: ${decoded_email}`);
    
      if(!validateEmail(decoded_email)) {
        return c.json({ success: false, message: 'Invalid email' });
      }
    
      const created_prom = getBillingId(decoded_email).then(async (billing_id) => {
        const supabase_client_admin = c.get('supabase_client_admin')
    
        return supabase_client_admin.auth.admin.createUser({
          email: decoded_email,
          user_metadata: {
            billing_id: billing_id
          }
        })
      })
    
      c.executionCtx.waitUntil(created_prom);
    
      created_prom.then((res) => {
        console.debug(`res: ${JSON.stringify(res)}`);
      }).catch((err) => {
        console.error(`err: ${JSON.stringify(err)}`);
      })
    
      return c.json({ success: true, message: 'Email has been registered.' }, 202);
    }
  • d

    dave

    05/08/2023, 7:44 PM
    that is basically the code we use