Backoffice Auth Worker

Overview

The backoffice-auth Cloudflare Worker handles authentication for FloatMe’s internal admin console. It is a thin pass-through proxy deployed to auth.backoffice.floatme.io (prod) and auth.backoffice.test.floatme.io (test).

The worker exposes a single route — POST /oauth/token — and forwards the request to a dedicated Auth0 tenant (floatme-backoffice) using the Resource Owner Password (password-realm) grant. This keeps the Auth0 client_secret and realm details out of the admin client entirely; the client sends only a username and password.

The Auth0 connection used is Username-Password-Authentication (a standard database connection) on the floatme-backoffice tenant. The issued token audience is https://api.backoffice.floatme.io (prod) or https://api.backoffice.test.floatme.io (test).

Source

cloudflare/workers/backoffice-auth/

File          | Purpose
index.ts      | Entry point; route matching and handleTokenRequest implementation
wrangler.toml | Worker name, routes, and environment variables (non-secret)
secrets.sh    | Uploads DATADOG_API_KEY and AUTH0_CLIENT_SECRET via wrangler secret put

Routes

Method | Path         | Description
POST   | /oauth/token | Authenticate an admin user; returns Auth0 tokens on success
*      | *            | All other paths return 404 Not Found

POST /oauth/token

Table 1. Request body (JSON)

Field    | Type   | Notes
username | string | Admin user’s email or username
password | string | Admin user’s password

Table 2. Auth0 grant forwarded

Parameter     | Value
grant_type    | http://auth0.com/oauth/grant-type/password-realm
realm         | Username-Password-Authentication
audience      | https://api.backoffice.floatme.io (prod) or https://api.backoffice.test.floatme.io (test)
scope         | openid email profile offline_access
client_id     | Injected from AUTH0_CLIENT_ID env var
client_secret | Injected from AUTH0_CLIENT_SECRET secret

The worker reads the client’s IP from CF-Connecting-IP (or x-real-ip) and forwards it to Auth0 via the auth0-forwarded-for header so that Auth0 anomaly detection can log the true origin IP; without it, Auth0 would only see the Worker’s egress address and would apply its IP-based attack protection to all admins as if they shared one source.

On success, the Auth0 response (access token + refresh token + id token) is passed through to the caller unchanged.

Auth0 Configuration

Setting             | Prod value                                                               | Test value
Auth0 tenant domain | floatme-backoffice.us.auth0.com                                          | floatme-backoffice-test.us.auth0.com
Auth0 connection    | Username-Password-Authentication                                         | Username-Password-Authentication
Token audience      | https://api.backoffice.floatme.io                                        | https://api.backoffice.test.floatme.io
Client ID           | See AUTH0_CLIENT_ID in cloudflare/workers/backoffice-auth/wrangler.toml | See AUTH0_CLIENT_ID in cloudflare/workers/backoffice-auth/wrangler.toml ([env.test])

The AUTH0_CLIENT_SECRET is stored in Cloudflare Secrets Manager and is never present in wrangler.toml. Upload it with make secrets.backoffice-auth.host (see cloudflare/workers/backoffice-auth/secrets.sh).

Error Handling

Condition                          | Response
Missing or non-JSON body           | 400 Bad Request
Missing username or password field | 400 Bad Request
Wrong path or method               | 404 Not Found
Auth0 rejects credentials          | Auth0 error response is passed through (e.g. 403, 401)

Environment Variables

Variable                      | Kind   | Description
WORKER_ENV                    | var    | prod or test; controls which Auth0 tenant is targeted
AUTH0_BASE_URL                | var    | Auth0 tenant base URL
AUTH0_CLIENT_ID               | var    | Auth0 application client ID
AUTH0_AUTHENTICATION_AUDIENCE | var    | Token audience for issued JWTs
AUTH0_CONNECTION              | var    | Auth0 database connection name (Username-Password-Authentication)
AUTH0_CLIENT_SECRET           | secret | Auth0 application client secret (Cloudflare secret, not in toml)
DATADOG_API_KEY               | secret | Datadog ingest key for structured log shipping
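The following is an added example, not the project’s index.ts: a minimal model of the proxy described in the POST /oauth/token, Error Handling and Environment Variables sections. It shows route matching, body validation, the password-realm grant built from the Table 2 parameters, the auth0-forwarded-for header, and the pass-through of Auth0’s response. The plain-object request/response shapes, the injectable fetchFn, and the form-encoded upstream body are assumptions made so the logic runs outside the Workers runtime; a real worker would use the Fetch API Request/Response and the global fetch directly.

```typescript
// Added example (not the project's index.ts): a minimal model of the
// backoffice-auth proxy covering route matching, body validation, the
// password-realm grant forwarded to Auth0, the auth0-forwarded-for header,
// and the error responses from the Error Handling table.

// Bindings named as in the Environment Variables table.
interface Env {
  AUTH0_BASE_URL: string;
  AUTH0_CLIENT_ID: string;
  AUTH0_CLIENT_SECRET: string;
  AUTH0_AUTHENTICATION_AUDIENCE: string;
  AUTH0_CONNECTION: string;
}

// Plain-object stand-ins for the Fetch API Request/Response (an assumption
// so the example runs outside the Workers runtime; header names are
// lower-cased, as Headers.get() would treat them).
interface IncomingRequest {
  method: string;
  url: string;
  headers: Record<string, string>;
  body: string | null;
}

interface OutgoingResponse {
  status: number;
  body: string;
}

// The upstream call is injected so the handler can be exercised with a stub.
type FetchFn = (
  url: string,
  init: { method: string; headers: Record<string, string>; body: string },
) => Promise<OutgoingResponse>;

const PASSWORD_REALM_GRANT = "http://auth0.com/oauth/grant-type/password-realm";
const TOKEN_SCOPE = "openid email profile offline_access";

interface Credentials {
  username: string;
  password: string;
}

// Returns null for a missing body, a non-JSON body, or a missing/empty
// username or password; each of those maps to 400 in the handler.
function parseCredentials(body: string | null): Credentials | null {
  if (!body) return null;
  let parsed: unknown;
  try {
    parsed = JSON.parse(body);
  } catch {
    return null;
  }
  if (typeof parsed !== "object" || parsed === null) return null;
  const { username, password } = parsed as Record<string, unknown>;
  if (typeof username !== "string" || username === "") return null;
  if (typeof password !== "string" || password === "") return null;
  return { username, password };
}

// The grant parameters of Table 2. client_secret is added here, server side,
// so the admin client never holds it.
function buildAuth0Form(creds: Credentials, env: Env): URLSearchParams {
  return new URLSearchParams({
    grant_type: PASSWORD_REALM_GRANT,
    realm: env.AUTH0_CONNECTION,
    username: creds.username,
    password: creds.password,
    audience: env.AUTH0_AUTHENTICATION_AUDIENCE,
    scope: TOKEN_SCOPE,
    client_id: env.AUTH0_CLIENT_ID,
    client_secret: env.AUTH0_CLIENT_SECRET,
  });
}

// CF-Connecting-IP is set by Cloudflare at the edge; x-real-ip is the fallback.
function clientIp(headers: Record<string, string>): string | undefined {
  return headers["cf-connecting-ip"] ?? headers["x-real-ip"];
}

async function handleRequest(req: IncomingRequest, env: Env, fetchFn: FetchFn): Promise<OutgoingResponse> {
  const path = new URL(req.url).pathname;
  if (req.method !== "POST" || path !== "/oauth/token") {
    return { status: 404, body: "Not Found" };
  }
  // Validate before any upstream call so malformed requests never reach Auth0.
  const creds = parseCredentials(req.body);
  if (creds === null) {
    return { status: 400, body: "Bad Request" };
  }
  // Form encoding is an assumption; Auth0's token endpoint also accepts JSON.
  const headers: Record<string, string> = {
    "content-type": "application/x-www-form-urlencoded",
  };
  const ip = clientIp(req.headers);
  if (ip !== undefined) headers["auth0-forwarded-for"] = ip;

  const upstream = await fetchFn(`${env.AUTH0_BASE_URL}/oauth/token`, {
    method: "POST",
    headers,
    body: buildAuth0Form(creds, env).toString(),
  });
  // Success and Auth0 error responses alike are returned to the caller unchanged.
  return { status: upstream.status, body: upstream.body };
}
```

In a deployed worker, handleRequest would be wired into the `fetch` handler of the default export, with `env` supplied from the bindings above; during local development the same function can be driven by requests to http://localhost:8787/oauth/token. Note that the credentials are never logged and the 400 checks run before any upstream call, so garbage requests cost nothing against the Auth0 tenant.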

Local Development

make backoffice-auth.local

This invokes:

wrangler dev cloudflare/workers/backoffice-auth/index.ts \
  --env test \
  -c cloudflare/workers/backoffice-auth/wrangler.toml

Unlike the other workers, backoffice-auth.local uses --env test explicitly so that the test Auth0 tenant (floatme-backoffice-test.us.auth0.com) is used during local development. The secrets AUTH0_CLIENT_SECRET and DATADOG_API_KEY must be available in your shell environment or in a .dev.vars file in the worker directory (wrangler’s conventional local secrets file).

Wrangler starts a local HTTP server (default port 8787). Send requests to http://localhost:8787/oauth/token with a JSON body containing username and password.

See Also

  • Architecture — Auth0 tenant layout and Cloudflare domain routing

  • Infrastructure — Terraform resources for this worker (deploy/backoffice_auth_dns.tf)

  • Auth0 Actions — Post-login actions that may apply to backoffice sessions