[DigitalPoint] App for Cloudflare® 1.8.2

• Changed wording of "API tokens & keys" to "API tokens" (no longer allowing global keys, only API tokens)
• Updated charting library (Chart.js) to 4.4.1
• Created workaround for addons being disabled during XenForo upgrades (we need to set the externalDataUrl so that the %ASSET:stylefolder% replacement var works as expected for R2 users when .less templates are compiled). Effectively we are firing our app_setup code event listener even when all addons are disabled during the upgrade process. See this thread.

• Presigned URLs forcibly set Content-Type and Content-Disposition HTTP response headers (fixes situation where something like rclone set incorrect content type for the object in the R2 bucket)
• Cloudflare statistics charts on admin dashboard dynamically resize properly when resizing window
• Added ability for individual API calls to ignore multiple error codes instead of just one
• Changed FsMounts::getFsAdapters method name to FsMounts::getDpFsAdapters to avoid naming collision with XFCloud addon (will need to update FileSystem addon as well if you are using it)

• The API calls necessary to build the Cloudflare settings page are now run in parallel (it's currently 10 API calls that were previously made sequentially). Viewing (and editing) settings is significantly faster now (it's as fast as the single slowest API call, rather than as slow as all 10 API calls added together).
• Added more sanity checks for unexpected Cloudflare API results
• Fixed issue where old public domains wouldn't get enabled when setting up R2 bucket for XenForo data (in a situation where it was an already existing bucket that already had public domain(s) assigned)

• Added link for info about why each Cloudflare token permission is needed
• Updated deep links into R2 buckets to use new URL endpoint
• Suppress Cloudflare rate limit error when purging URLs from cache when guest page caching is enabled (a very high traffic site could hit API rate limits if there's a zillion posts flowing in at once)
• Better handling of situation where Cloudflare API is down/unavailable
• Cloudflare Workers that are created for the image proxy and unfurl proxy have been rewritten to be ES Modules instead of Service Workers
• Removed "Security -> Privacy Pass Support" setting (it's been deprecated by Cloudflare and is no longer used)

• The Cloudflare Fonts option ID has changed. This addresses that (it's what I get for giving the ability to toggle options that Cloudflare has deemed "beta"... they are subject to change).
• Added a sanity check so if future option IDs change, it won't throw an error (along with not being able to change them). Instead, that option won't change until the ID is updated.

• Completely revamped how the bot management API is handled
• Added Super Bot Fight mode settings as controllable options (options enabled/available to be toggled will ultimately depend on what your Cloudflare plan allows):
  • Likely Automated
  • Definitely Automated
  • Verified Bots
  • Static Resource Protection
  • Optimize For WordPress
  • JavaScript Detections

Better handling of unexpected Cloudflare API changes.

Cloudflare changed API results for bot management, but only for paid plans. This addresses that.

• Added support for new Cloudflare setting: Speed -> Optimization -> Content Optimization -> Cloudflare Fonts
• When using "Easy config", set "Security level" to "Essentially off" (was set to "Medium" before)
• Easy config enables Cloudflare Fonts

IMPORTANT for existing users: New functionality requires 1 additional API permissions in order to use the new function. You can go to your Cloudflare API Tokens, edit the token you have and add the following permission:

• Account.Billing: Read

At this point, you should have a total of 19 permissions for your API token.

• Added sanity check to make sure attachment data exists when using presigned URLs for R2 attachments (helpful in certain cases when using XFMG).
• Added ability to use Token Authentication system for attachments stored in R2 (needs new permission... see above). This only works for zones that are not on the Free tier (which is why the billion permission is needed to check if the zone is on a paid plan or not).
• Update Chart.js to v4.4.0
• All JavaScript has been rewritten to be "native" (does not use jQuery) in preparation for removal of jQuery in XenForo 2.3.
• When using guest page caching, no longer try to fetch a new CSRF token for the user with a quick synchronous AJAX request (using Sec-Fetch-Site HTTP request header [a more modern replacement for CSRF tokens])

Made a fairly substantial internal change to the guest page caching system... it no longer needs to do a quick AJAX request to fetch a CSRF token for guests. Instead we are using the Sec-Fetch-Site HTTP request header which is more or less supported by all browsers now (CSRF tokens aren't really needed anymore).

Was going down the path of trying to do a synchronous AJAX request in native JavaScript (rewriting for XF 2.3) and then trying to handle a bunch of one-off situations where XenForo is injecting CSRF tokens into certain GET requests because they are using GET to mutate user state for some reason... just was getting too kludgey and cumbersome. And since CSRF isn't really needed anymroe these days, I decided to take the cleaner/simpler route (which will also make sites faster). Just use Sec-Fetch-Site instead of CSRF... problem solved.

Maybe it's worthwhile to check out the suggestion that XenForo does away with CSRF in it's core: https://xenforo.com/community/threa...ion-cloudflare-full-html-page-caching.202315/