Open Source contributions: Caddy
Background
Caddy is a Go web server that can provision TLS certificates automatically using the ACME DNS-01 challenge, which requires write access to DNS records. The caddy-dns/cloudflare plugin handles this for Cloudflare accounts, using the libdns/cloudflare library for the underlying API calls.
The Cloudflare API requires a globally-scoped token to call the /zones endpoint, which is used to resolve a domain name to its zone ID. In practice this meant that even when managing DNS records for just one zone, the API token stored in the Caddy config needed account-wide read access - broader than necessary for the task.
The change
The patch introduces an optional second API token specifically for the zone-lookup call. When configured, the zone token handles /zones requests with global read scope while the primary token is scoped only to the specific zone for DNS writes. When absent, the behaviour is identical to before - a single token handles everything.
The change was made at both layers of the stack:
- libdns/cloudflare - added the optional zone token to the Provider struct and passed it through to getZoneInfo()
- caddy-dns/cloudflare - exposed the new field in Caddyfile configuration and bumped the libdns dependency
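The token split described above, shown as an added Go example that is not code from libdns/cloudflare or caddy-dns/cloudflare. The Provider field names (APIToken, ZoneToken), the fallback helper, and the fake Cloudflare API with its constructed tokens and zone IDs are all assumptions made for this illustration; the only things taken from the page are the two rules the fake enforces: the /zones lookup needs account-wide read permission, and a record write needs edit permission on that one zone.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Provider mirrors the shape of a libdns-style provider: one token for DNS
// record writes plus an optional token used only for the /zones lookup.
// The field names are assumptions for this example, not the plugin's own.
type Provider struct {
	APIToken  string // scoped to a single zone (DNS:Edit on that zone)
	ZoneToken string // optional; account-wide Zone:Read, used only for /zones
}

// tokenForZoneLookup picks the token for the /zones call: the dedicated zone
// token when configured, otherwise the primary token (the pre-change behaviour).
func (p Provider) tokenForZoneLookup() string {
	if p.ZoneToken != "" {
		return p.ZoneToken
	}
	return p.APIToken
}

// tokenPerms records what a token is allowed to do in the fake API below.
type tokenPerms struct {
	zonesRead bool     // account-wide permission to list zones
	dnsEdit   []string // zone IDs whose records the token may write
}

// fakeAPI stands in for Cloudflare so the example runs offline. It enforces
// the two rules the page describes: /zones needs account-wide read, and a
// record write needs edit permission on that specific zone.
type fakeAPI struct {
	zoneIDs map[string]string     // zone name -> zone ID (constructed values)
	perms   map[string]tokenPerms // token -> permissions (constructed values)
}

var errForbidden = errors.New("403 Forbidden: token lacks the required permission")

// listZones models GET /zones?name=<zone>.
func (api *fakeAPI) listZones(token, zone string) (string, error) {
	p, ok := api.perms[token]
	if !ok || !p.zonesRead {
		return "", errForbidden
	}
	id, ok := api.zoneIDs[zone]
	if !ok {
		return "", fmt.Errorf("zone %q not found", zone)
	}
	return id, nil
}

// writeRecord models POST /zones/<id>/dns_records. An unknown token has no
// permissions at all and is refused like any other.
func (api *fakeAPI) writeRecord(token, zoneID string) error {
	for _, allowed := range api.perms[token].dnsEdit {
		if allowed == zoneID {
			return nil
		}
	}
	return errForbidden
}

// zoneName takes the last two labels of a hostname as the zone. That is a
// simplification for this example; real lookups walk the name more carefully.
func zoneName(host string) string {
	labels := strings.Split(strings.TrimSuffix(host, "."), ".")
	if len(labels) < 2 {
		return host
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// presentTXT does the two steps DNS-01 needs: resolve the zone ID with the
// lookup token, then write the challenge record with the zone-scoped token.
func presentTXT(api *fakeAPI, p Provider, host string) error {
	zoneID, err := api.listZones(p.tokenForZoneLookup(), zoneName(host))
	if err != nil {
		return fmt.Errorf("zone lookup for %s: %w", host, err)
	}
	if err := api.writeRecord(p.APIToken, zoneID); err != nil {
		return fmt.Errorf("writing _acme-challenge.%s: %w", host, err)
	}
	return nil
}

// newFakeAPI seeds the fake with constructed tokens: one zone-scoped editor
// and one account-wide reader. Neither token alone can complete DNS-01.
func newFakeAPI() *fakeAPI {
	return &fakeAPI{
		zoneIDs: map[string]string{"example.test": "zone-id-0001"},
		perms: map[string]tokenPerms{
			"tok-zone-edit-only": {zonesRead: false, dnsEdit: []string{"zone-id-0001"}},
			"tok-account-read":   {zonesRead: true},
		},
	}
}

func main() {
	api := newFakeAPI()
	// Before the change: a single zone-scoped token cannot even find its zone.
	fmt.Println(presentTXT(api, Provider{APIToken: "tok-zone-edit-only"}, "www.example.test"))
	// After the change: look up with the read-only token, write with the zone token.
	fmt.Println(presentTXT(api, Provider{APIToken: "tok-zone-edit-only", ZoneToken: "tok-account-read"}, "www.example.test"))
}
```

The point the fake makes explicit is that the write path never sees the zone token: even if the account-wide token were leaked from the config, it carries no DNS edit permission, and the zone-scoped token that can edit records cannot enumerate the account's other zones.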
The maintainer, Matt Holt (author of Caddy), described the approach as "simple, elegant, and effective."