
Cloudflare Access prevents using Drizzle Studio in dash #183

Closed
RihanArfan opened this issue Jun 24, 2024 · 3 comments · Fixed by #348
Labels
admin enhancement New feature or request

Comments

RihanArfan (Contributor) commented Jun 24, 2024

Describe the bug
When using Cloudflare Access to protect the site, it's not possible to use the database viewer/integrated Drizzle Studio, as it accesses the site using a proxied request, so any authenticated Cloudflare Access session the user has in the browser doesn't apply.

Steps to reproduce
Enable Cloudflare Access for the Cloudflare Pages site.

Workarounds
Adding a bypass for everyone which applies to /api/_hub


Ideal fix

  1. Either having requests go from the user (guessing CORS issues)
  2. Allow adding custom headers so a Cloudflare Access service token can be included. https://developers.cloudflare.com/cloudflare-one/identity/service-tokens/#connect-your-service-to-access
  3. Fully integrate support for Access into NuxtHub (complex/long term?)
     NuxtHub could automatically create the service token and add the bypass rule to any Access application linked with the Pages site (Pages can determine if an Access application exists for it, so I guess it's able to get applications by domain).
     • Zero Trust is an additional subscription (free for 50 users), the same way R2 is a separate subscription from Workers.
     • Requires the API key to have new perms to manage Zero Trust
atinux (Contributor) commented Jun 25, 2024

Should it be something that we document instead?

RihanArfan (Contributor, Author) commented Jun 25, 2024

The issue with my workaround is that if anyone knows the hostname of the application, they can bypass Access as the rule allows everyone to access /api/_hub endpoints. If the secret or user token is compromised, an attacker could then read/write the production database. Cloudflare Access would prohibit this as they haven't authenticated with corporate SSO.

Even if the rule were limited to NuxtHub IPs, I believe NuxtHub runs on Cloudflare, so a malicious user can just use a Worker to make requests from Cloudflare IPs too. I'm happy to PR documentation for this workaround in August once I finish uni. However, if option 1 or 2 could be considered it'd be amazing, so Access can fully protect the application 100% from any unauthenticated/public request without breaking NuxtHub dashboard features.

Cloudflare Access also affects npm run dev --remote, as requests won't go through the authenticated Access browser session. I think adding headers to proxyHubX()'s ofetch from a hook/environment variables/runtime config would be pretty simple (and something I can PR later possibly if you'd like).
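Sketch of option 2 from the first post (the server-side proxy call presents a Cloudflare Access service token instead of the site relying on an "everyone" bypass rule for /api/_hub). This is an added example for this issue, not NuxtHub's own code: the environment variable names, the `proxyHubRequest` helper and the fake fetch used for the offline run are assumptions; the `CF-Access-Client-Id` / `CF-Access-Client-Secret` header names are the ones Cloudflare documents for service tokens. With this shape the Access policy keeps evaluating every request to the endpoint, and only a caller holding the token passes, which is the property the bypass rule gives up.

```javascript
// Added example for this issue, not NuxtHub's own code. Sketch of option 2:
// the server-side proxy to /api/_hub presents a Cloudflare Access service token
// instead of relying on an "everyone" bypass rule for that path.
// Assumed (hypothetical) configuration: the token is read from the environment
// variables NUXT_HUB_CF_ACCESS_CLIENT_ID and NUXT_HUB_CF_ACCESS_CLIENT_SECRET.

// Header names Cloudflare documents for service-token authentication.
const ACCESS_ID_HEADER = 'CF-Access-Client-Id';
const ACCESS_SECRET_HEADER = 'CF-Access-Client-Secret';

// Read the service token from runtime config; null means "no Access in front of the site".
function loadServiceToken(env = process.env) {
  const clientId = env.NUXT_HUB_CF_ACCESS_CLIENT_ID;
  const clientSecret = env.NUXT_HUB_CF_ACCESS_CLIENT_SECRET;
  if (!clientId || !clientSecret) return null;
  return { clientId, clientSecret };
}

// Merge the token into the headers of the proxied request. With no token the
// headers are returned unchanged, so deployments without Access behave as before.
function buildProxyHeaders(baseHeaders, token) {
  const headers = { ...baseHeaders };
  if (token) {
    headers[ACCESS_ID_HEADER] = token.clientId;
    headers[ACCESS_SECRET_HEADER] = token.clientSecret;
  }
  return headers;
}

// Copy of the headers that is safe to write to logs: the client secret is redacted.
function redactHeaders(headers) {
  const out = { ...headers };
  if (ACCESS_SECRET_HEADER in out) out[ACCESS_SECRET_HEADER] = '[redacted]';
  return out;
}

// Proxy one call to the deployed site's /api/_hub endpoint. `fetchImpl` is
// injectable so the function can be exercised offline with a fake fetch.
async function proxyHubRequest(baseUrl, path, { token = null, headers = {}, fetchImpl = fetch } = {}) {
  const url = new URL(`/api/_hub/${path.replace(/^\/+/, '')}`, baseUrl).toString();
  const res = await fetchImpl(url, {
    headers: buildProxyHeaders(headers, token),
    // Do not follow redirects: an Access login-page redirect must surface as a
    // 3xx status rather than come back as a 200 carrying an HTML login page.
    redirect: 'manual',
  });
  if (res.status === 401 || res.status === 403 || (res.status >= 300 && res.status < 400)) {
    throw new Error(`Cloudflare Access rejected the proxied request to ${url} (HTTP ${res.status})`);
  }
  return res;
}
```

The redirect check matters for the `npm run dev --remote` case mentioned above: without it a request that Access bounced to its login page would be returned to the caller as a successful response whose body is HTML, and the database viewer would fail with a confusing parse error rather than a clear "not authenticated to Access" message.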

atinux (Contributor) commented Jul 28, 2024

Looking forward to seeing your PRs :)
