cloudflare-ruby 0.2.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e840df4dc6ff74e2cb0fddaba160fc041c80472c52f7a583f9c23185d24b8765
-  data.tar.gz: 9a42b0db13ed3d842fb1bc1b9df86011de55223a6667a666e3431bd455d4e4fd
+  metadata.gz: 230de80c474a3f8441f60687160aba0f2cd53c5db2d9465498866994150cc60f
+  data.tar.gz: 470768dc30305293361258880a74be07ea42832449ec4a77cae0079d42ca3cbc
 SHA512:
-  metadata.gz: 71d24e6e2fbb63aee5c96e23e581f668207df71b7cc281cc02bfdb8c07e2e377e3a30e5a5888c90a5dd1acb0b0b4a4d734faf779bc9140b51a2400cad6029769
-  data.tar.gz: 9a73874dadf0b7847b5058a4ab40dec0acedb93765438d0c2b96632c376bddf1a9b23f04ee167206c7ee35a138ca8cfabca8c2e6eba66a20bd646050e13f5c7a
+  metadata.gz: 3416c0f5b271e376182525b183324d5ec7e0c11e5437f13194a75f35265c8463ac6d843414386e4fb1954966c340515f6eee2540e10b67bec1d6b50eae98574b
+  data.tar.gz: 7c2d7a9a594d06f674af34d26cf9a9570da463ac81e817aa56738d2a0332760c0116550c3adf68b1616cd019f33b2e9ccd24dbcf8ab7e414ef3e222d57e5e68d

data/CHANGELOG.md

@@ -1,5 +1,22 @@
 # Changelog
 
+## 0.3.0
+
+- **Per-product API tokens.** Set `Cloudflare::RealtimeKit.api_token` to
+  use a token scoped tightly to RealtimeKit (e.g., `Realtime: Edit` only).
+  Resolution chain when a request fires: per-call `api_token:` kwarg →
+  `Cloudflare::RealtimeKit.api_token` (per-product) → `Cloudflare.api_token`
+  (top-level fallback) → raise. Lets each product surface have its own
+  credentials so a leaked Realtime token can't touch R2/Workers/DNS.
+- `Connection#request` accepts a new `api_token:` kwarg; resolved token
+  flows through one place.
+- `Resource` gains a private `request(method, path, **opts)` helper
+  (class + instance) that wraps `Connection.instance.request` and injects
+  `configured_api_token` from the resource's product namespace. Subclasses
+  call `request(...)` instead of `Connection.instance.request(...)`.
+- Top-level `Cloudflare.api_token` still works as the fallback for
+  callers who don't want per-product separation. Backward-compatible.
+
 ## 0.2.0
 
 - **Default `app_id` per process.** Set `Cloudflare::RealtimeKit.app_id`

data/lib/cloudflare/connection.rb

@@ -8,11 +8,17 @@ module Cloudflare
       def reset!   = @instance = nil
     end
 
-    def request(method, path, body: nil, params: nil)
-      raise Error, "Cloudflare.api_token not configured" if Cloudflare.api_token.nil?
+    # Sends a Cloudflare API request. The +api_token+ kwarg is the resolved
+    # token chosen by the caller (typically +Resource.configured_api_token+ —
+    # per-product token if set, top-level +Cloudflare.api_token+ otherwise).
+    # It's a kwarg rather than a hardcoded read so admin tools can override
+    # per-call.
+    def request(method, path, body: nil, params: nil, api_token: nil)
+      token = api_token || Cloudflare.api_token
+      raise Error, "Cloudflare API token not configured" if token.nil?
 
       faraday.public_send(method, path.delete_prefix("/")) do |req|
-        req.headers["Authorization"] = "Bearer #{Cloudflare.api_token}"
+        req.headers["Authorization"] = "Bearer #{token}"
         req.headers["User-Agent"]    = Cloudflare.configuration.user_agent
         req.params = compact(params) if params
         req.body   = compact(body)   if body

data/lib/cloudflare/realtime_kit/README.md

@@ -8,19 +8,21 @@ Ruby bindings for [Cloudflare RealtimeKit](https://developers.cloudflare.com/rea
 require "cloudflare"
 
 Cloudflare.configure do |c|
-  c.api_token  = ENV.fetch("CLOUDFLARE_API_TOKEN")
   c.account_id = ENV.fetch("CLOUDFLARE_ACCOUNT_ID")
 end
 
-# Default app_id for every RealtimeKit call this process makes.
-# Pass `app_id:` per-call only to override (e.g., admin tools that hop
-# between apps).
-Cloudflare::RealtimeKit.app_id = ENV.fetch("REALTIMEKIT_APP_ID")
+# Per-product API token + default app_id for every RealtimeKit call this
+# process makes. Pass `api_token:` / `app_id:` per-call only to override
+# (e.g., admin tools that hop between accounts or apps).
+Cloudflare::RealtimeKit.api_token = ENV.fetch("REALTIMEKIT_API_TOKEN")
+Cloudflare::RealtimeKit.app_id    = ENV.fetch("REALTIMEKIT_APP_ID")
 
 RK = Cloudflare::RealtimeKit  # alias to taste
 ```
 
-After that, both `account_id:` and `app_id:` are implicit on every call — pass either per-call only to override.
+After that, `account_id:`, `api_token:`, and `app_id:` are all implicit on every call — pass any per-call to override.
+
+If you'd rather use a single token across every Cloudflare product (less scope-tight but simpler), set `Cloudflare.api_token` instead and skip the per-product line — every product surface falls back to it.
 
 ## Apps
 

data/lib/cloudflare/realtime_kit/active_session.rb

@@ -36,31 +36,31 @@ module Cloudflare
 
       # POST .../active-session/kick — remove specified participants.
       def kick(participant_ids:, custom_participant_ids:)
-        Connection.instance.request(:post, "#{member_path}/kick",
+        request(:post, "#{member_path}/kick",
           body: { participant_ids: participant_ids, custom_participant_ids: custom_participant_ids })
       end
 
       # POST .../active-session/kick-all — remove every participant.
       def kick_all
-        Connection.instance.request(:post, "#{member_path}/kick-all")
+        request(:post, "#{member_path}/kick-all")
       end
 
       # POST .../active-session/mute — mute specified participants.
       def mute(participant_ids:, custom_participant_ids:)
-        Connection.instance.request(:post, "#{member_path}/mute",
+        request(:post, "#{member_path}/mute",
           body: { participant_ids: participant_ids, custom_participant_ids: custom_participant_ids })
       end
 
       # POST .../active-session/mute-all — mute every participant.
       # +allow_unmute+ controls whether participants can re-enable their mic.
       def mute_all(allow_unmute:)
-        Connection.instance.request(:post, "#{member_path}/mute-all",
+        request(:post, "#{member_path}/mute-all",
           body: { allow_unmute: allow_unmute })
       end
 
       # POST .../active-session/poll — broadcast a poll to participants.
       def create_poll(question:, options:, anonymous: nil, hide_votes: nil)
-        Connection.instance.request(:post, "#{member_path}/poll",
+        request(:post, "#{member_path}/poll",
           body: { question: question, options: options, anonymous: anonymous, hide_votes: hide_votes })
       end
     end

data/lib/cloudflare/realtime_kit/analytics.rb

@@ -35,7 +35,8 @@ module Cloudflare
           def fetch(path_template, app_id:, account_id:, params:)
             scope    = build_scope(account_id: account_id, app_id: app_id)
             path     = interpolate(path_template, scope)
-            response = Connection.instance.request(:get, path, params: params)
+            response = Connection.instance.request(:get, path,
+              params: params, api_token: RealtimeKit.api_token || Cloudflare.api_token)
             Resource.unwrap_envelope(response)
           end
 

data/lib/cloudflare/realtime_kit/app.rb

@@ -34,14 +34,14 @@ module Cloudflare
         # +{ data: [...] }+ envelope and don't need this dance.
         def create(name:, account_id: nil)
           scope    = build_scope(account_id: account_id)
-          response = Connection.instance.request(:post, interpolate(_collection_path, scope), body: { "name" => name })
+          response = request(:post, interpolate(_collection_path, scope), body: { "name" => name })
           new(unwrap_create_payload(response), scope: scope)
         end
 
         # GET /accounts/{account_id}/realtime/kit/apps
         def all(account_id: nil)
           scope    = build_scope(account_id: account_id)
-          response = Connection.instance.request(:get, interpolate(_collection_path, scope))
+          response = request(:get, interpolate(_collection_path, scope))
           Array(unwrap_envelope(response)).map { new(_1, scope: scope) }
         end
 

data/lib/cloudflare/realtime_kit/meeting.rb

@@ -43,14 +43,14 @@ module Cloudflare
       # PUT /meetings/{id} — full replacement. Mirrors +update+ but uses PUT
       # semantics, so omitted fields revert to their defaults upstream.
       def replace(**attrs)
-        response = Connection.instance.request(:put, member_path, body: self.class.to_wire_keys(attrs))
+        response = request(:put, member_path, body: self.class.to_wire_keys(attrs))
         set_attrs_from_response(response)
         self
       end
 
       # POST /meetings/{id}/livestreams — begin broadcasting this meeting.
       def start_livestreaming(name: nil, video_config: nil)
-        Connection.instance.request(:post, "#{member_path}/livestreams", body: { name: name, video_config: video_config })
+        request(:post, "#{member_path}/livestreams", body: { name: name, video_config: video_config })
       end
 
       # GET /meetings/{id}/active-livestream — fetch the currently-running
@@ -58,13 +58,13 @@ module Cloudflare
       # the same app, so you can chain regular livestream operations on it
       # (e.g., +meeting.active_livestream.active_session+).
       def active_livestream
-        response = Connection.instance.request(:get, "#{member_path}/active-livestream")
+        response = request(:get, "#{member_path}/active-livestream")
         Livestream.new(response, scope: { account_id: @scope[:account_id], app_id: @scope[:app_id] })
       end
 
       # POST /meetings/{id}/active-livestream/stop
       def stop_livestream
-        Connection.instance.request(:post, "#{member_path}/active-livestream/stop")
+        request(:post, "#{member_path}/active-livestream/stop")
       end
 
       # GET /meetings/{id}/livestream — legacy "livestream-session-details"
@@ -73,7 +73,7 @@ module Cloudflare
       # Returned as a raw Hash because the response bundles two distinct
       # shapes; the typed +Livestream+ + per-session lookup live elsewhere.
       def livestream_details(page_no: nil, per_page: nil)
-        response = Connection.instance.request(:get, "#{member_path}/livestream",
+        response = request(:get, "#{member_path}/livestream",
           params: { page_no: page_no, per_page: per_page })
         self.class.unwrap_envelope(response)
       end

data/lib/cloudflare/realtime_kit/participant.rb

@@ -31,7 +31,7 @@ module Cloudflare
       # Mints a fresh token for an existing participant (e.g., when their
       # previous token expired or was leaked).
       def regenerate_token
-        response = Connection.instance.request(:post, "#{member_path}/token")
+        response = request(:post, "#{member_path}/token")
         set_attrs_from_response(response)
         self
       end

data/lib/cloudflare/realtime_kit/recording.rb

@@ -41,7 +41,7 @@ module Cloudflare
         def start_track(meeting_id:, layers:, app_id: nil, account_id: nil, max_seconds: nil)
           scope    = build_scope(account_id: account_id, app_id: app_id)
           path     = interpolate("/accounts/{account_id}/realtime/kit/{app_id}/recordings/track", scope)
-          response = Connection.instance.request(:post, path,
+          response = request(:post, path,
             body: { meeting_id: meeting_id, layers: layers, max_seconds: max_seconds })
           new(response, scope: scope)
         end
@@ -52,7 +52,7 @@ module Cloudflare
           scope    = build_scope(account_id: account_id, app_id: app_id)
           path     = interpolate("/accounts/{account_id}/realtime/kit/{app_id}/recordings/active-recording/{meeting_id}",
                                  scope.merge(meeting_id: meeting_id))
-          response = Connection.instance.request(:get, path)
+          response = request(:get, path)
           new(response, scope: scope)
         end
       end
@@ -69,7 +69,7 @@ module Cloudflare
         unless TRANSITIONS.include?(sym)
           raise ArgumentError, "action must be one of #{TRANSITIONS.inspect}, got #{action.inspect}"
         end
-        response = Connection.instance.request(:put, member_path, body: { action: sym.to_s })
+        response = request(:put, member_path, body: { action: sym.to_s })
         set_attrs_from_response(response)
         self
       end

data/lib/cloudflare/realtime_kit/session.rb

@@ -45,7 +45,7 @@ module Cloudflare
           scope = build_scope(account_id: account_id, app_id: app_id)
           path  = interpolate("/accounts/{account_id}/realtime/kit/{app_id}/sessions/peer-report/{peer_id}",
                               scope.merge(peer_id: peer_id))
-          response = Connection.instance.request(:get, path, params: { filters: filters })
+          response = request(:get, path, params: { filters: filters })
           SessionParticipant.new(response, scope: scope)
         end
       end
@@ -58,7 +58,7 @@ module Cloudflare
       # so the two endpoints don't share scope and Relation can't model them
       # together cleanly.
       def livestream_sessions(page_no: nil, per_page: nil)
-        response = Connection.instance.request(:get, "#{member_path}/livestream-sessions",
+        response = request(:get, "#{member_path}/livestream-sessions",
           params: { page_no: page_no, per_page: per_page })
         Array(self.class.unwrap_envelope(response)).map do |item|
           LivestreamSession.new(item, scope: { account_id: @scope[:account_id], app_id: @scope[:app_id] })

data/lib/cloudflare/realtime_kit/summary.rb

@@ -19,7 +19,7 @@ module Cloudflare
 
       # POST /sessions/{session_id}/summary — generate a summary on demand.
       def generate
-        response = Connection.instance.request(:post, member_path)
+        response = request(:post, member_path)
         set_attrs_from_response(response)
         self
       end

data/lib/cloudflare/realtime_kit/webhook.rb

@@ -27,7 +27,7 @@ module Cloudflare
 
       # PUT /webhooks/{id} — replace every field (vs PATCH +update+).
       def replace(**attrs)
-        response = Connection.instance.request(:put, member_path, body: self.class.to_wire_keys(attrs))
+        response = request(:put, member_path, body: self.class.to_wire_keys(attrs))
         set_attrs_from_response(response)
         self
       end

data/lib/cloudflare/realtime_kit.rb

@@ -3,21 +3,33 @@ module Cloudflare
   # for meetings, livestreams, recordings, sessions, and analytics. Each
   # resource maps to a hand-written class under this namespace.
   #
-  # == Default app_id
+  # == Defaults
   #
   # Most resources (Meeting, Participant, Recording, ...) live under an app.
   # Set +app_id+ once at process boot and every call defaults to it; pass
   # +app_id:+ per-call only to override.
   #
-  #   Cloudflare::RealtimeKit.app_id = ENV["REALTIMEKIT_APP_ID"]
+  # +api_token+ is the per-product token. Resolution chain when a request
+  # fires: per-call +api_token:+ kwarg → +Cloudflare::RealtimeKit.api_token+
+  # → +Cloudflare.api_token+ (top-level fallback) → raise.
   #
-  #   Cloudflare::RealtimeKit::Meeting.create(title: "Standup")          # uses default
+  # Per-product tokens let you scope each product's credentials tightly
+  # (e.g., a token with +Realtime: Edit+ only) and rotate them
+  # independently. Top-level +Cloudflare.api_token+ stays as a fallback
+  # for callers who don't want per-product separation.
+  #
+  #   Cloudflare::RealtimeKit.api_token = ENV["REALTIMEKIT_API_TOKEN"]
+  #   Cloudflare::RealtimeKit.app_id    = ENV["REALTIMEKIT_APP_ID"]
+  #
+  #   Cloudflare::RealtimeKit::Meeting.create(title: "Standup")          # uses defaults
   #   Cloudflare::RealtimeKit::Meeting.find(id, app_id: "other-app-id")  # override
   module RealtimeKit
     class << self
       # Default app_id used when a resource call doesn't pass one explicitly.
-      # Mirrors how +Cloudflare.account_id+ defaults the account scope.
       attr_accessor :app_id
+
+      # Per-product API token. Falls back to +Cloudflare.api_token+ when nil.
+      attr_accessor :api_token
     end
 
     autoload :App,                     "cloudflare/realtime_kit/app"

data/lib/cloudflare/resource.rb

@@ -160,25 +160,42 @@ module Cloudflare
       def create(**attrs)
         scope    = extract_scope!(attrs)
         path     = interpolate(_collection_path, scope)
-        response = Connection.instance.request(:post, path, body: to_wire_keys(attrs))
+        response = request(:post, path, body: to_wire_keys(attrs))
         new(response, scope: scope)
       end
 
       def find(id, **scope_attrs)
         scope    = build_scope(scope_attrs)
         path     = interpolate(_member_path, scope.merge(id: id))
-        response = Connection.instance.request(:get, path)
+        response = request(:get, path)
         new(response, scope: scope)
       end
 
       def all(**params)
         scope    = extract_scope!(params)
         path     = interpolate(_collection_path, scope)
-        response = Connection.instance.request(:get, path, params: to_wire_keys(params))
+        response = request(:get, path, params: to_wire_keys(params))
         items    = unwrap_envelope(response)
         Array(items).map { new(_1, scope: scope) }
       end
 
+      # Wraps +Connection.instance.request+ with the api_token resolved from
+      # the resource's product namespace. Subclasses (and instance methods,
+      # via the same-named instance helper) call this rather than
+      # +Connection.instance.request+ directly so the per-product token chain
+      # — per-call → product namespace token → top-level — is enforced
+      # uniformly.
+      def request(method, path, **opts)
+        Connection.instance.request(method, path, api_token: configured_api_token, **opts)
+      end
+
+      # Token resolution: per-product accessor (e.g., +Cloudflare::RealtimeKit.api_token+)
+      # if set, else +Cloudflare.api_token+. Connection raises when both are nil.
+      def configured_api_token
+        ns = product_namespace
+        (ns && ns.respond_to?(:api_token) && ns.api_token) || Cloudflare.api_token
+      end
+
       private
         # Pulls scope params out of the kwargs hash (mutating). Falls back
         # to product-level defaults (see +global_default_for+) when a key
@@ -250,18 +267,18 @@ module Cloudflare
     def attributes  = (ensure_loaded!; @attrs)
 
     def update(**changes)
-      response = Connection.instance.request(:patch, member_path, body: self.class.to_wire_keys(changes))
+      response = request(:patch, member_path, body: self.class.to_wire_keys(changes))
       set_attrs_from_response(response)
       self
     end
 
     def destroy
-      Connection.instance.request(:delete, member_path)
+      request(:delete, member_path)
       freeze
     end
 
     def reload
-      response = Connection.instance.request(:get, member_path)
+      response = request(:get, member_path)
       set_attrs_from_response(response)
       self
     end
@@ -292,6 +309,14 @@ module Cloudflare
         reload unless @loaded
       end
 
+      # Instance-side wrapper around the class-level +request+. Lets custom
+      # action methods (e.g., +active_session.kick+) call +request(:post, ...)+
+      # without threading the api_token themselves; the class helper resolves
+      # it from the product namespace.
+      def request(method, path, **opts)
+        self.class.send(:request, method, path, **opts)
+      end
+
       def member_path
         self.class.send(:interpolate, self.class._member_path, @scope.merge(id: id))
       end

data/lib/cloudflare/version.rb

@@ -1,3 +1,3 @@
 module Cloudflare
-  VERSION = "0.2.0"
+  VERSION = "0.3.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cloudflare-ruby
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - tokimonki