What about the crypto stuff? https://www.reddit.com/r/nextjs/comments/1ck32et/comment/l2p404o/?utm_s

Kkian Local development will read from `.dev.vars`

B

ok so i set up a .dev.vars file with my env variables and then deployed the worker but i still don't see it showing up on the cloudflare dashboard, nor is my worker using it. Am i misunderstanding how it's meant to be used?

export interface Env {
    BUCKET_URL_AUTH_GENERATION_KEY: string;
    BUCKET_URL_SYMMETRIC_KEY: string;
}

export default {
    async fetch(request: Request, env: Env,): Promise<Response> {
        if (!env.BUCKET_URL_AUTH_GENERATION_KEY || !env.BUCKET_URL_SYMMETRIC_KEY) {
            return new Response("Missing required environment variables", { status: 500 });
        }

export interface Env {
    BUCKET_URL_AUTH_GENERATION_KEY: string;
    BUCKET_URL_SYMMETRIC_KEY: string;
}

export default {
    async fetch(request: Request, env: Env,): Promise<Response> {
        if (!env.BUCKET_URL_AUTH_GENERATION_KEY || !env.BUCKET_URL_SYMMETRIC_KEY) {
            return new Response("Missing required environment variables", { status: 500 });
        }

export interface Env {
    BUCKET_URL_AUTH_GENERATION_KEY: string;
    BUCKET_URL_SYMMETRIC_KEY: string;
}

export default {
    async fetch(request: Request, env: Env,): Promise<Response> {
        if (!env.BUCKET_URL_AUTH_GENERATION_KEY || !env.BUCKET_URL_SYMMETRIC_KEY) {
            return new Response("Missing required environment variables", { status: 500 });
        }

export interface Env {
    BUCKET_URL_AUTH_GENERATION_KEY: string;
    BUCKET_URL_SYMMETRIC_KEY: string;
}

export default {
    async fetch(request: Request, env: Env,): Promise<Response> {
        if (!env.BUCKET_URL_AUTH_GENERATION_KEY || !env.BUCKET_URL_SYMMETRIC_KEY) {
            return new Response("Missing required environment variables", { status: 500 });
        }

am i supposed to somehow use them here? how? do i change the param name or something?

K

kian•5/9/24, 3:24 PM

.dev.vars is just for local development

Kkian You define variables in Wrangler.toml as `[vars]` and you upload secrets with `w...

K

kian•5/9/24, 3:24 PM

You do this for deployed Workers

B

Barry_Based_Benson•5/9/24, 3:25 PM

so is it not possible for me to use my own .env file for production? have to do it through cli or dashboard or [vars]?

K

kian•5/9/24, 3:26 PM

Yes

B

Barry_Based_Benson•5/9/24, 3:27 PM

Thank you for you help, appreciate it

Uuserzach What about the crypto stuff? https://www.reddit.com/r/nextjs/comments/1ck32et/co...

H

Hello, I’m Allie!•5/9/24, 3:32 PM

Workers/Pages do have support for some of

node:crypto

node:crypto

node:crypto

node:crypto. Which modules do you need?

HHello, I’m Allie!Workers/Pages do have support for some of `node:crypto`. Which modules do you ne...

U

userzachOP•5/9/24, 3:43 PM

Thank you. I'm aware. The trouble is getting them to work with all the typical dependencies of a blockchain app which rely on node's crypto.
Case in point:
https://github.com/LIT-Protocol/Issues-and-Reports/issues/14#issue-2248885628

JJames After their platform got hit with security issues. I would recommend avoiding Ma...

J

jason•5/9/24, 4:35 PM

Is anything still problematic with Mailchannels (as of May 2024) given that Mailchannels has lockdown mode now? It didn't exist when the defcon presentation was made

HHello, I’m Allie!AFAIK, never. Some APIs don’t make sense in a serverless context, or the way Wor...

K

kelbs•5/9/24, 4:39 PM

where can I find more information about this?

Jjason Is anything still problematic with Mailchannels (as of May 2024) given that Mail...

J

James•5/9/24, 4:47 PM

I would still strongly recommend you avoid it. If you enable Domain Lockdown, you're protected from all known issues they had, but their responses to the situation have still been awful. They've still yet to inform all of their customers who remain unprotected because they don't do basic stuff like Sender Verification, and their platform is still vulnerable in a similar way if you sign up with any number of hosting providers that use them.

JJames I would still strongly recommend you avoid it. If you enable Domain Lockdown, yo...

I

IEatBeans•5/9/24, 4:59 PM

Yikes, do you know of any better free alternatives? I was just reading about security issues with resend, so looks like lots of them have issues

IIEatBeans Yikes, do you know of any better free alternatives? I was just reading about se...

J

James•5/9/24, 5:00 PM

"Free" and secure/reliable email sending often doesn't go together, sadly. SendGrid has a reasonable free tier at 100/day, and then Postmark is great too, but only 100 free per month.

JJames I would still strongly recommend you avoid it. If you enable Domain Lockdown, yo...

I

IEatBeans•5/9/24, 5:02 PM

Does this mean that currently this issue is still exploitable even with domain lockdown? Or do you mean that users that sign up from other providers are vulnerable, and not that that makes us (CF users) vulnerable?

IIEatBeans Does this mean that currently this issue is still exploitable even with domain l...

J

James•5/9/24, 5:03 PM

If you turn on Domain Lockdown, then it's not exploitable with your domain. But many of their customers don't have this enabled, and if you sign up with another hosting provider that uses MailChannels, you can still send emails from many of their customers that'll pass security checks, yes.

J

James•5/9/24, 5:03 PM

They used to allow self-service for just $80 where you could do this. But they quietly removed that from their site. So now you have to signup via a third-party.

J

James•5/9/24, 5:04 PM

It all just reinforces their terrible communication throughout the process, and is a partnership that I think is irresponsible for Cloudflare to upkeep, personally.

B

Barry_Based_Benson•5/10/24, 2:41 AM

const newRequest = new Request(request);

            const contentType = url.searchParams.get("content-type");
            if (contentType) {
                newRequest.headers.set("Content-Type", contentType);
            }
            
            const contentDisposition = url.searchParams.get("content-disposition");
            if (contentDisposition) {
                newRequest.headers.set("Content-Disposition", contentDisposition);
            }

            return fetch(new URL(url.pathname, `https://${requiredHostname}`), newRequest);

const newRequest = new Request(request);

            const contentType = url.searchParams.get("content-type");
            if (contentType) {
                newRequest.headers.set("Content-Type", contentType);
            }
            
            const contentDisposition = url.searchParams.get("content-disposition");
            if (contentDisposition) {
                newRequest.headers.set("Content-Disposition", contentDisposition);
            }

            return fetch(new URL(url.pathname, `https://${requiredHostname}`), newRequest);

const newRequest = new Request(request);

            const contentType = url.searchParams.get("content-type");
            if (contentType) {
                newRequest.headers.set("Content-Type", contentType);
            }
            
            const contentDisposition = url.searchParams.get("content-disposition");
            if (contentDisposition) {
                newRequest.headers.set("Content-Disposition", contentDisposition);
            }

            return fetch(new URL(url.pathname, `https://${requiredHostname}`), newRequest);

const newRequest = new Request(request);

            const contentType = url.searchParams.get("content-type");
            if (contentType) {
                newRequest.headers.set("Content-Type", contentType);
            }
            
            const contentDisposition = url.searchParams.get("content-disposition");
            if (contentDisposition) {
                newRequest.headers.set("Content-Disposition", contentDisposition);
            }

            return fetch(new URL(url.pathname, `https://${requiredHostname}`), newRequest);

How do i get content-disposition: attachment to cause my custom domain r2 to force a download instead of treating it as inline? Am i doing it wrong? it's appearing correctly in the param as attachment and i'm trying to send it as a header in the fetch request but the file is still being displayed in-browser instead of starting a download

BBarry_Based_Benson ``` const newRequest = new Request(request); const cont...

I

Isaac McFadyen•5/10/24, 4:28 AM

So content-disposition is a response header, not a request header.

I

Isaac McFadyen•5/10/24, 4:28 AM

Your need to reply with the

content-disposition

content-disposition

content-disposition

content-disposition header (it looks like you're making the request with the header, which is different)

I

Isaac McFadyen•5/10/24, 4:29 AM

You probably need to do a (untested but should work):

const res = fetch(new URL(url.pathname, `https://${requiredHostname}`));

// Clone the response because it's immutable by default.
const clonedRes = new Response(res.body, res);
clonedRes.headers.set("Content-Disposition", contentDisposition);
clonedRes.headers.set("Content-Type", contentType);

return clonedRes

const res = fetch(new URL(url.pathname, `https://${requiredHostname}`));

// Clone the response because it's immutable by default.
const clonedRes = new Response(res.body, res);
clonedRes.headers.set("Content-Disposition", contentDisposition);
clonedRes.headers.set("Content-Type", contentType);

return clonedRes

const res = fetch(new URL(url.pathname, `https://${requiredHostname}`));

// Clone the response because it's immutable by default.
const clonedRes = new Response(res.body, res);
clonedRes.headers.set("Content-Disposition", contentDisposition);
clonedRes.headers.set("Content-Type", contentType);

return clonedRes

const res = fetch(new URL(url.pathname, `https://${requiredHostname}`));

// Clone the response because it's immutable by default.
const clonedRes = new Response(res.body, res);
clonedRes.headers.set("Content-Disposition", contentDisposition);
clonedRes.headers.set("Content-Type", contentType);

return clonedRes

I

Isaac McFadyen•5/10/24, 4:30 AM

Just as a side-note, you should probably not be deciding what content-type to return based on what the client asks you to - the content-type is usually decided by what the actual content is, not what the browser wants.

I

Isaac McFadyen•5/10/24, 4:31 AM

So for example, text files should usually be returned as

text/plain

text/plain

text/plain

text/plain, in your example I could do a

contentType

contentType

contentType

contentType query param of

video/webm

video/webm

video/webm

video/webm and the browser would think my text file is a video

B

Barry_Based_Benson•5/10/24, 4:31 AM

The client is the backend which uses the file metadata stored on the database to make sure the content type is correct in the header that's sent

I

Isaac McFadyen•5/10/24, 4:31 AM

Ah I see - ok then, probably fine.

B

Barry_Based_Benson•5/10/24, 4:31 AM

I'll try out your solution though, thanks for your help

B

Barry_Based_Benson•5/10/24, 5:03 AM

This fixed the issue, been spending ages on this. Thank you!

S

Sheng•5/10/24, 12:20 PM

Mailchannels + CF Workers, anyone facing status 500 error, EOF when sending email sometimes? like 1 out of 10 times will hit this error while remaining 9 no issue, can send email

J

johtso•5/10/24, 12:24 PM

what happens when you hit the subrequest limit, does fetch throw an error?

S

Sheng•5/10/24, 12:26 PM

I don't think I hit any limit, because this error usually is the first request of the day / first request after deploy new version to CF worker, and the status 500 is coming from mailchannels api

SSheng I don't think I hit any limit, because this error usually is the first request o...

J

johtso•5/10/24, 12:28 PM

sorry, that wasn't in response to you, was an unrelated question

Jjohtso what happens when you hit the subrequest limit, does fetch throw an error?

K

kian•5/10/24, 12:40 PM

Yes

K

kian•5/10/24, 12:41 PM

So subrequests work in two ways - there are in-house subrequests, and everything else.

K

kian•5/10/24, 12:41 PM

They have separate counters, separate 'buckets'

K

kian•5/10/24, 12:41 PM

You can (on a paid plan) make 1000 subrequests with something like

fetch(url)

fetch(url)

fetch(url)

fetch(url), and another 1000 to in-house things (KV, R2, DO, D1, you get the idea)

K

kian•5/10/24, 12:41 PM

Once you hit that limit, they throw a "subrequest limit exceeded" exception

J

johtso•5/10/24, 12:55 PM

@kian thanks for clarifying!

J

johtso•5/10/24, 12:56 PM

still not entirely sure how to deal with these limits when I'm doing work that requires making a lot of requests

J

johtso•5/10/24, 1:10 PM

My instinct is to catch that error at a high level, and then schedule an immediate alarm

J

johtso•5/10/24, 1:11 PM

Scheduling an alarm doesn't count as a request does it?

J

johtso•5/10/24, 1:13 PM

Ah yes, they're transactional storage API operations, that's good

J

johtso•5/10/24, 1:21 PM

@kian is there anywhere I can see exactly how to catch that exception?

K

kian•5/10/24, 1:23 PM

Just a normal

try/catch

try/catch

try/catch

try/catch around the subrequest

Kkian Just a normal `try/catch` around the subrequest

J

johtso•5/10/24, 1:54 PM

but how to I check if an error is a "subrequest limit exceeded" exception? is that the exact name of the exception?

e.name === "subrequest limit exceeded"

e.name === "subrequest limit exceeded"

e.name === "subrequest limit exceeded"

e.name === "subrequest limit exceeded"?

SSheng Mailchannels + CF Workers, anyone facing status 500 error, EOF when sending emai...

J

James•5/10/24, 1:57 PM

Sadly not a direct solution to your problem, but I would recommend you avoid MailChannels. Cloudflare's continued partnership with them is very disappointing after their security issues and terrible response. See https://canary.discord.com/channels/595317990191398933/779390076219686943/1226529017763463219 for more details.

Jjohtso but how to I check if an error is a "subrequest limit exceeded" exception? is th...

K

kian•5/10/24, 1:58 PM

export default {
  async fetch() {
    try {
      while (true) { await fetch("https://cloudflare.com/cdn-cgi/trace") }
    } catch (e) {
      return new Response(JSON.stringify(e, Object.getOwnPropertyNames(e)))
    }
  },
};

export default {
  async fetch() {
    try {
      while (true) { await fetch("https://cloudflare.com/cdn-cgi/trace") }
    } catch (e) {
      return new Response(JSON.stringify(e, Object.getOwnPropertyNames(e)))
    }
  },
};

export default {
  async fetch() {
    try {
      while (true) { await fetch("https://cloudflare.com/cdn-cgi/trace") }
    } catch (e) {
      return new Response(JSON.stringify(e, Object.getOwnPropertyNames(e)))
    }
  },
};

export default {
  async fetch() {
    try {
      while (true) { await fetch("https://cloudflare.com/cdn-cgi/trace") }
    } catch (e) {
      return new Response(JSON.stringify(e, Object.getOwnPropertyNames(e)))
    }
  },
};

K

kian•5/10/24, 1:58 PM

You can test it with that and see what the error is

Kkian ```js export default { async fetch() { try { while (true) { await fe...

J

johtso•5/10/24, 1:59 PM

I'm guessing it's along the lines of this? https://github.com/cloudflare/miniflare/blob/c2ed3afdc1fed9f78d5cb6c50edc793a9a43a850/packages/shared/src/context.ts#L149

What about the crypto stuff? https://www.reddit.com/r/nextjs/comments/1ck32et/comment/l2p404o/?utm_s

Similar Threads

Similar Threads

Similar Threads