another concern of mine is people dos attack from localhost or unknown origins. is it possible to on

AAlvee another concern of mine is people dos attack from localhost or unknown origins. ...

H

You can check the origin header, but that does not prevent someone from spoofing said header. Not too difficult to do if you are using curl

HHello, I’m Allie!You can check the origin header, but that does not prevent someone from spoofing...

A

AlveeOP•2/10/24, 7:18 AM

I mean checking inside worker mean request already made. no point in there

A

AlveeOP•2/10/24, 7:18 AM

in the domain zone level or something is I want

AAlvee in the domain zone level or something is I want

H

Hello, I’m Allie!•2/10/24, 7:18 AM

Yeah, I meant I think you can check it at the WAF level

HHello, I’m Allie!You can check the origin header, but that does not prevent someone from spoofing...

A

AlveeOP•2/10/24, 8:06 AM

you mean this one? people can bypass this with curl or not. I am thinking of only allow tenant domain in here

AAlvee you mean this one? people can bypass this with curl or not. I am thinking of onl...

H

Hello, I’m Allie!•2/10/24, 8:06 AM

Are you using CF for SaaS to allow tenants to use their own domains?

H

Hello, I’m Allie!•2/10/24, 8:07 AM

Or do all requests go through your domain?

HHello, I’m Allie!Are you using CF for SaaS to allow tenants to use their own domains?

A

AlveeOP•2/10/24, 8:08 AM

tenant will buy their own domains and host their frontend in that domain where ever they want and I will provide api / database full backend as saas with endposint for making their ecommerce stuff. I will just white list their domains so onl y from tenant domains I get traffic and all other are blocked. cuz or else people will spam my worker endpoints

AAlvee tenant will buy their own domains and host their frontend in that domain where e...

H

Hello, I’m Allie!•2/10/24, 8:09 AM

If it is on your own domain then you need to filter on the origin, rather than hostname

H

Hello, I’m Allie!•2/10/24, 8:09 AM

I mean

H

Hello, I’m Allie!•2/10/24, 8:09 AM

If I as a tenant needed to make a request to your Worker, would I hit your domain?

H

Hello, I’m Allie!•2/10/24, 8:09 AM

Or my own domain?

HHello, I’m Allie!If I as a tenant needed to make a request to your Worker, would I hit your domai...

A

AlveeOP•2/10/24, 8:10 AM

yes corrent

AAlvee yes corrent

H

Hello, I’m Allie!•2/10/24, 8:10 AM

Yeah, so then you need the origin value, rather than hostname

H

Hello, I’m Allie!•2/10/24, 8:11 AM

But that still doesn’t prevent a malicious actor from just setting the origin header to one of your tenant domains, bypassing the block

HHello, I’m Allie!But that still doesn’t prevent a malicious actor from just setting the origin he...

A

AlveeOP•2/10/24, 8:11 AM

hmm

HHello, I’m Allie!But that still doesn’t prevent a malicious actor from just setting the origin he...

A

AlveeOP•2/10/24, 8:13 AM

what about hostnames for example mystore.com is a frontend calling api.mysaasapi.com that's my worker domain (and in mysaasapi WAF I blocked all hostname not equal mystore.com) . what you think can people modify the hostname with api calling.

AAlvee what about hostnames for example mystore.com is a frontend calling api.mysaasapi...

H

Hello, I’m Allie!•2/10/24, 8:14 AM

That would block all requests, since a request to api.mysaasapi.com would always have a hostname value of api.mysaasapi.com

C

cfanclub•2/10/24, 8:20 AM

what is the use case of kv metadata ?

Ccfanclub what is the use case of kv metadata ?

H

Hello, I’m Allie!•2/10/24, 8:45 AM

Smaller amounts of data that are readable with a list

H

Hello, I’m Allie!•2/10/24, 8:45 AM

You could store your values in there if they are small enough

C

cfanclub•2/10/24, 8:56 AM

thats clever use. thanks

HHello, I’m Allie!I would probably go with a Durable Object per customer. With KV, you aren't guar...

A

AlveeOP•2/10/24, 11:47 AM

I am thinking about this. with durable object are writes very fast? I am worried about since all endpoints will write to durable object first using hono global middleware before reaching the endpoint code. if there is going to be delays.

AAlvee I am thinking about this. with durable object are writes very fast? I am worried...

H

Hello, I’m Allie!•2/10/24, 11:49 AM

Yes. The slow part is reaching the Durable Object, depending on where in the world it spawns.

HHello, I’m Allie!Yes. The slow part is reaching the Durable Object, depending on where in the wor...

A

AlveeOP•2/10/24, 11:51 AM

so only reading is slow that's not a problem. and writes speed how much fast is there any limits.

A

AlveeOP•2/10/24, 11:51 AM

for increment request_couter

AAlvee so only reading is slow that's not a problem. and writes speed how much fast is ...

H

Hello, I’m Allie!•2/10/24, 11:52 AM

No, both can be slow. If you are able to spawn a DO nearby, then they are pretty fast

HHello, I’m Allie!No, both **can** be slow. If you are able to spawn a DO nearby, then they are pr...

A

AlveeOP•2/10/24, 11:52 AM

can select regions no?

AAlvee can select regions no?

H

Hello, I’m Allie!•2/10/24, 11:53 AM

Yes, but you aren't guaranteed to actually spawn in said region. See https://where.durableobjects.live/region

Where Durable Objects Live

Regions | Where Durable Objects Live

Tracking where Durable Objects are created, wherever you are in the world.

HHello, I’m Allie!No, both **can** be slow. If you are able to spawn a DO nearby, then they are pr...

A

AlveeOP•2/10/24, 12:05 PM

but it's faster then traditionals databse right? like planetscale

A

AlveeOP•2/10/24, 12:06 PM

normal was going to use that to store but my db will be blown I feel like

A

AlveeOP•2/10/24, 12:08 PM

hmm in memory or transactional

AAlvee but it's faster then traditionals databse right? like planetscale

H

Hello, I’m Allie!•2/10/24, 12:11 PM

In terms of raw query speed(for key value stuff), probably. But again, speed from Worker to response is all about where it spawns

H

Hello, I’m Allie!•2/10/24, 12:12 PM

As for the state, I would recommend using the Transactional Storage API, as In-Memory state is not guaranteed to persist between requests

H

Hurby•2/12/24, 12:55 PM

export const createSession = async (user: any, databaseConfig: KVNamespace) => {
    let absoluteExpiration = 30 * 24 * 60 * 60;
    let expiration = new TimeSpan(10, 'd');
    const sid = generateRandomString(60, alphabet('a-z', '0-9'));

    const SessionBody = {
        email: user.email,
        email_verified: user.email_verified,
        expires_at: expiration,
    };
    try {
        await databaseConfig.put(sid, user.id, { metadata: SessionBody, expirationTtl: absoluteExpiration });
    } catch (error) {
        throw new Error('Error creating session');
    }

    return sid;
};

export const createSession = async (user: any, databaseConfig: KVNamespace) => {
    let absoluteExpiration = 30 * 24 * 60 * 60;
    let expiration = new TimeSpan(10, 'd');
    const sid = generateRandomString(60, alphabet('a-z', '0-9'));

    const SessionBody = {
        email: user.email,
        email_verified: user.email_verified,
        expires_at: expiration,
    };
    try {
        await databaseConfig.put(sid, user.id, { metadata: SessionBody, expirationTtl: absoluteExpiration });
    } catch (error) {
        throw new Error('Error creating session');
    }

    return sid;
};

export const createSession = async (user: any, databaseConfig: KVNamespace) => {
    let absoluteExpiration = 30 * 24 * 60 * 60;
    let expiration = new TimeSpan(10, 'd');
    const sid = generateRandomString(60, alphabet('a-z', '0-9'));

    const SessionBody = {
        email: user.email,
        email_verified: user.email_verified,
        expires_at: expiration,
    };
    try {
        await databaseConfig.put(sid, user.id, { metadata: SessionBody, expirationTtl: absoluteExpiration });
    } catch (error) {
        throw new Error('Error creating session');
    }

    return sid;
};

export const createSession = async (user: any, databaseConfig: KVNamespace) => {
    let absoluteExpiration = 30 * 24 * 60 * 60;
    let expiration = new TimeSpan(10, 'd');
    const sid = generateRandomString(60, alphabet('a-z', '0-9'));

    const SessionBody = {
        email: user.email,
        email_verified: user.email_verified,
        expires_at: expiration,
    };
    try {
        await databaseConfig.put(sid, user.id, { metadata: SessionBody, expirationTtl: absoluteExpiration });
    } catch (error) {
        throw new Error('Error creating session');
    }

    return sid;
};

Why does value appear as "undefined" in the kv? Also, when I try to get with metadata, it returns null for it.

HHurby ```ts export const createSession = async (user: any, databaseConfig: KVNamespace...

H

Hello, I’m Allie!•2/12/24, 1:02 PM

Can you log

user

user

user

user and see what it sows?

HHello, I’m Allie!Can you log `user` and see what it sows?

H

Hurby•2/12/24, 1:06 PM

HHurby Click to see attachment

H

Hello, I’m Allie!•2/12/24, 1:07 PM

That looks like the issue. The Value you are putting is

user.id

user.id

user.id

user.id, and

[ Object ].id

[ Object ].id

[ Object ].id

[ Object ].id is

undefined

undefined

undefined

undefined

HHello, I’m Allie!That looks like the issue. The Value you are putting is `user.id`, and `[ Object...

H

Hurby•2/12/24, 1:07 PM

it seems like yea, I will try to fix it

H

Hurby•2/12/24, 1:07 PM

ty

P

Paul Shriner•2/13/24, 1:48 PM

Unable to access KV value from a TypeScript.

I have been spinning my wheels on this for a couple of days. I have a Worker (Auth) running Typescript and I reference a linked module.

import { GetGuid, CheckAuth } from '../../util/Util';

import { GetGuid, CheckAuth } from '../../util/Util';

import { GetGuid, CheckAuth } from '../../util/Util';

import { GetGuid, CheckAuth } from '../../util/Util';

When I call CheckAuth (and pass in the "env" variable, I can see the KV Namespaces, but when I attempt to get a value from the namespace, it just fails silently and moves on.

export async function CheckAuth(env, walletID){
    console.log(walletID)
    console.log(env.SESSION.get)
    try{
        const sid = await env.SESSION.get(walletID)
        console.log(sid)
    }
    catch(ex){
        console.log(ex)
    }
    console.log("SID")
}

export async function CheckAuth(env, walletID){
    console.log(walletID)
    console.log(env.SESSION.get)
    try{
        const sid = await env.SESSION.get(walletID)
        console.log(sid)
    }
    catch(ex){
        console.log(ex)
    }
    console.log("SID")
}

export async function CheckAuth(env, walletID){
    console.log(walletID)
    console.log(env.SESSION.get)
    try{
        const sid = await env.SESSION.get(walletID)
        console.log(sid)
    }
    catch(ex){
        console.log(ex)
    }
    console.log("SID")
}

export async function CheckAuth(env, walletID){
    console.log(walletID)
    console.log(env.SESSION.get)
    try{
        const sid = await env.SESSION.get(walletID)
        console.log(sid)
    }
    catch(ex){
        console.log(ex)
    }
    console.log("SID")
}

What am I doing wrong?

PPaul Shriner Unable to access KV value from a TypeScript. I have been spinning my wheels on ...

M

Matt Silverlock•2/13/24, 9:23 PM

* Does

console.log(env)

console.log(env)

console.log(env)

console.log(env) output anything? It should be a map of your bindings.
* What type is

walletID

walletID

walletID

walletID - ?
* Are you doing this locally in dev? With a deployed Worker? Is it possible you're writing locally and trying to fetch a result from production?

MMatt Silverlock * Does `console.log(env)` output anything? It should be a map of your bindings. ...

P

Paul Shriner•2/14/24, 2:28 PM

*

console.log(env)

console.log(env)

console.log(env)

console.log(env)

outputs exactly what you woudl think, a map of the bindings.
* walletID is any, but in fact a string.
* This is in a deployed worker, I don't do anything local on the project to keep it simple.

PPaul Shriner * ```console.log(env)``` outputs exactly what you woudl think, a map of the bind...

M

Matt Silverlock•2/14/24, 3:33 PM

Got it. Are you positive the keys are the same? Can you write a minimal example — in a

fetch

fetch

fetch

fetch handler without any wrapper functions.

It's likely

.get

.get

.get

.get is "failing" silently because it's just returning

null

null

null

null.

MMatt Silverlock Got it. Are you positive the keys are the same? Can you write a minimal example ...

P

Paul Shriner•2/14/24, 3:35 PM

When I make the exact same call from the worker itself, i can get the value from key. I am using the the itty-router-openapi as well, that is probably also important information.

PPaul Shriner When I make the exact same call from the worker itself, i can get the value from...

M

Matt Silverlock•2/14/24, 3:38 PM

Yeah, I can't speak to

itty-router-openapi

itty-router-openapi

itty-router-openapi

itty-router-openapi and what's happening there. If

env

env

env

env is logging the bindings within that function then

get

get

get

get should work, as it's a method on the binding type.

MMatt Silverlock Yeah, I can't speak to `itty-router-openapi` and what's happening there. If `env...

P

Paul Shriner•2/14/24, 3:45 PM

Yeah, that is the confusing part. Thanks for your help.

B

Befus•2/15/24, 9:33 PM

Hey, I was wondering we have a good amount of KV's with a lot of data inside of them on a specific account, would it be possible to move this to a different account with the data? By contact support, etc?
It would be a tedious process of making a scraper that fetches all the data and then makes it again on the new account

BBefus Hey, I was wondering we have a good amount of KV's with a lot of data inside of ...

M

Matt Silverlock•2/16/24, 11:23 AM

If you are an enterprise customer open a ticket (this doesn’t mean we can do it, this just isn’t the forum to do it). Otherwise we don’t move data across accounts as a policy as it is non-trivial and likely to break things downstream.

MMatt Silverlock If you are an enterprise customer open a ticket (this doesn’t mean we can do it,...

B

Befus•2/16/24, 12:12 PM

Currently not an enterprise customer, would you still recommend opening a ticket?

another concern of mine is people dos attack from localhost or unknown origins. is it possible to on

Similar Threads

Similar Threads

Similar Threads