
Cloudflare Troubleshooting

Cloudflare's security and performance features (WAF and custom rules, Bot Fight Mode, Security Level challenges, caching, Rocket Loader) can interfere with Google OAuth authentication, because the sign-in flow depends on short-lived tokens and on a cross-site redirect back to your server that the edge may cache, challenge or block. This guide covers the common failure modes and how to fix each one without turning the proxy off.

Common Cloudflare Issues

Overview

Issue                 | Cloudflare feature     | Solution
----------------------|------------------------|--------------------------------
CSRF token mismatch   | Caching                | Cache bypass rules
403 on callback       | WAF / Security Level   | Allow (Skip) rules
Bot fight blocking    | Bot Fight Mode         | Exception (Skip rule)
Challenge loops       | Security settings      | Page Rules for the OAuth paths
Slow authentication   | Rocket Loader          | Disable for GSI

CSRF Token Mismatch

Symptoms

  • "Invalid security token" error
  • Authentication fails after Google consent
  • Works without Cloudflare

Cause

Cloudflare (or APO) serves a cached copy of the page, so every visitor receives the same WordPress nonce. Nonces are time-limited (and bound to the session for logged-in users), so a copy served beyond its validity window fails the plugin's CSRF check when the sign-in result is posted back. The fix is to stop the edge from caching the pages and endpoints that carry nonces, not to weaken the check.

Solution

Option 1: Cache Bypass Rule (Page Rules)

  1. Go to Cloudflare Dashboard > Rules > Page Rules
  2. Create new rule:
    URL: yourdomain.com/wp-json/onetap/*
    Setting: Cache Level
    Value: Bypass
  3. Save and Deploy

Page Rules match the hostname literally, so if visitors also reach the site as www.yourdomain.com use *yourdomain.com/wp-json/onetap/* or add a second rule. Cloudflare is superseding Page Rules with the newer Rules products, so on new zones prefer Option 2.

Option 2: Cache Rules (newer)

  1. Go to Rules > Cache Rules
  2. Create rule:
    Expression: (starts_with(http.request.uri.path, "/wp-json/onetap"))
    Cache status: Bypass cache

Additional URLs to Bypass

yourdomain.com/wp-json/*
yourdomain.com/wp-admin/admin-ajax.php
yourdomain.com/my-account/*

403 Forbidden on Callback

Symptoms

  • Error 403 when Google redirects back
  • "Access Denied" page
  • Works fine without Cloudflare proxy

Cause

Cloudflare WAF or Security Level blocking the OAuth callback.

Solution

Option 1: Skip rule for the exact callback path

  1. Go to Security > WAF > Custom rules
  2. Create new rule:
    Name: Allow OneTap Callback
    Expression: (http.request.uri.path eq "/wp-json/onetap/v1/callback")
    Action: Skip > All remaining custom rules

IP Access Rules (Security > WAF > Tools) match on IP address, ASN or country only and cannot express a path, so they are the wrong tool here unless one specific source address of yours is being blocked.

Option 2: Skip rule for the whole plugin namespace

  1. Go to Security > WAF > Custom rules
  2. Create new rule:
    Name: Allow OneTap OAuth
    Expression: (starts_with(http.request.uri.path, "/wp-json/onetap/"))
    Action: Skip, ticking only the features that are actually blocking (WAF managed rules, Security Level, Super Bot Fight Mode)

Prefer starts_with over contains "/wp-json/onetap": contains matches the substring anywhere in the path, so an unrelated URL that happens to embed it would also be exempted. Confirm which feature fired from the Ray ID under Security > Events before skipping it, and leave everything else enforced.

Option 3: Lower Security for Path

Create a Page Rule:

URL: yourdomain.com/wp-json/onetap/*
Setting: Security Level
Value: Essentially Off

Security Level only controls the IP-reputation challenge; it does not affect WAF managed rules or bot protection, so combine it with a Skip rule if Security > Events shows those features firing. Keep the pattern to the plugin namespace rather than all of /wp-json/*.

Bot Fight Mode Blocking

Symptoms

  • One Tap or button doesn't work
  • "Checking your browser" challenge appears
  • Works in incognito or different browser

Cause

Cloudflare's Bot Fight Mode scores the requests the visitor's browser makes when it returns from Google (the redirect to the callback and any POST to the plugin's endpoints) and may challenge or block them. Note that these requests come from the user's browser, not from Google's servers, so it is the browser's request that is being flagged.

Solution

Option 1: Skip bot protection for the OAuth paths

  1. Go to Security > WAF > Custom rules
  2. Create a rule with action Skip and "Super Bot Fight Mode" ticked:
    Expression: (starts_with(http.request.uri.path, "/wp-json/onetap/"))

Skip rules apply to Super Bot Fight Mode (Pro plan and above). The Free plan's Bot Fight Mode does not honour path exceptions, so if the rule has no visible effect under Security > Events, either turn Bot Fight Mode off at Security > Bots or move to a plan with Super Bot Fight Mode. Prefer starts_with over contains "onetap", which would exempt any URL containing that word.

Option 2: Super Bot Fight Mode settings

If using Super Bot Fight Mode:

  1. Go to Security > Bots > Configure
  2. Under "Definitely automated":
    • Consider "Managed Challenge" instead of "Block". A challenge served on the callback still breaks the redirect in progress, so a Skip rule for the OAuth paths (Option 1) is the real fix; this only makes false positives recoverable elsewhere on the site.
  3. Under "Verified bots":
    • Ensure "Google" is allowed. This covers Google's own crawlers; the sign-in requests come from the visitor's browser and are never "verified bots", so on its own it will not fix the OAuth flow.

Challenge Page Loops

Symptoms

  • Stuck on "Checking your browser" page
  • Page keeps reloading
  • Never completes OAuth flow

Cause

A challenge served on the callback (or on the page the user is returned to) interrupts the flow: the browser lands on the challenge page instead of on WordPress, the one-time code or credential the request carried is not delivered (a POST body in particular does not survive the challenge interstitial), and when the challenge clears the plugin starts the flow again, which triggers the same challenge and loops.

Solution

  1. Create Page Rule for entire OAuth flow:

    URL: yourdomain.com/wp-json/onetap/*
    Security Level: Essentially Off
  2. Also consider for My Account page:

    URL: yourdomain.com/my-account/*
    Security Level: Low

Rocket Loader Issues

Symptoms

  • Google button doesn't render
  • "Cannot read properties of undefined" errors
  • Button appears then disappears

Cause

Cloudflare Rocket Loader defers JavaScript, breaking Google Identity Services script initialization order.

Solution

Option 1: Disable Rocket Loader globally (simplest)

  1. Go to Speed > Optimization > Content Optimization
  2. Find "Rocket Loader"
  3. Toggle Off

Option 2: Exclude Google scripts

Rocket Loader skips any script tag carrying data-cfasync="false". The attribute must be on the tag that actually loads Google Identity Services, which is normally emitted by the plugin or theme, rather than on a second copy added by hand. If your plugin or theme lets you control that tag, it should read:

<script src="https://accounts.google.com/gsi/client" data-cfasync="false"></script>

Option 3: Worker to exclude

If your HTML already passes through a Cloudflare Worker, the Worker can add data-cfasync="false" to the GSI script tag on the way out (HTMLRewriter is the streaming API for this), so Rocket Loader leaves it alone without touching the plugin's markup.
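The following is an added example for this guide, not code shipped with the OneTap plugin or taken from Cloudflare's documentation. It shows one Worker that does both things this page asks of Workers: it proxies the plugin's OAuth endpoints untouched and it tags the Google Identity Services script with data-cfasync="false" so Rocket Loader skips it. It assumes the plugin's REST namespace is /wp-json/onetap/ and that GSI is loaded from https://accounts.google.com/gsi/client; adjust both constants if your paths differ.

```javascript
// Added example (not OneTap plugin code, not Cloudflare-supplied code).
// Assumptions: plugin REST namespace /wp-json/onetap/, GSI loader under
// https://accounts.google.com/gsi/ (both are plain constants, change as needed).
const OAUTH_PREFIX = '/wp-json/onetap/';
const GSI_PREFIX = 'https://accounts.google.com/gsi/';

// Requests under the plugin namespace are proxied exactly as received.
function isOAuthPath(pathname) {
  return pathname.startsWith(OAUTH_PREFIX);
}

// True for the GSI loader, also when written protocol-relative (//accounts...).
function isGsiScript(src) {
  if (typeof src !== 'string') return false;
  const normalised = src.trim().replace(/^\/\//, 'https://');
  return normalised.startsWith(GSI_PREFIX);
}

// HTMLRewriter element handler: tag the GSI <script> so Rocket Loader skips it.
function exemptFromRocketLoader(el) {
  if (isGsiScript(el.getAttribute('src'))) {
    el.setAttribute('data-cfasync', 'false');
  }
}

const worker = {
  async fetch(request) {
    const url = new URL(request.url);

    // 1. OAuth callback and token endpoints: hands off. No caching tweaks,
    //    no header or body rewriting, response returned as the origin sent it.
    if (isOAuthPath(url.pathname)) {
      return fetch(request);
    }

    const response = await fetch(request);

    // 2. Only HTML documents are rewritten; JSON, images and CSS pass through.
    const contentType = response.headers.get('content-type') || '';
    if (!contentType.toLowerCase().includes('text/html')) {
      return response;
    }

    // HTMLRewriter streams the body, so large pages are never buffered.
    return new HTMLRewriter()
      .on('script[src]', { element: exemptFromRocketLoader })
      .transform(response);
  },
};

// Entry point in service-worker syntax. With the ES-module Worker format use
// `export default worker;` instead. The typeof guard lets the helpers above be
// unit-tested in Node, where addEventListener does not exist.
if (typeof addEventListener === 'function') {
  addEventListener('fetch', (event) => event.respondWith(worker.fetch(event.request)));
}
```

The OAuth check runs before anything else on purpose: a Worker that caches HTML, rewrites headers or injects scripts must never see the callback or token requests, and the early return guarantees that regardless of what the rest of the Worker grows into.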


Orange Cloud (Proxy) Issues

Symptoms

  • Works with grey cloud (DNS only)
  • Breaks with orange cloud (proxied)

Cause

With the orange cloud every request and response passes through Cloudflare's edge, so caching, WAF and custom rules, Bot Fight Mode, Security Level challenges, Rocket Loader and TLS termination all apply to the OAuth flow. With the grey cloud Cloudflare only answers DNS and none of those features run, which is why the flow works there.

Diagnosis

  1. In Cloudflare DNS, toggle your domain from proxied (orange) to DNS only (grey)
  2. Wait 5 minutes
  3. Test Google sign-in
  4. If it works, issue is Cloudflare proxy-related

Solution

Rather than disabling proxy entirely:

  1. Keep proxy enabled for security
  2. Create exceptions for OAuth paths (see above)
  3. Ensure SSL mode is "Full (strict)"

SSL/TLS Configuration

Symptoms

  • "Insecure connection" warnings
  • Mixed content errors
  • Redirect loops (the classic sign of SSL mode "Flexible": Cloudflare fetches the origin over plain HTTP, WordPress redirects to HTTPS, and the cycle repeats)

Solution

  1. Go to SSL/TLS
  2. Set mode to Full (strict)
  3. Enable Always Use HTTPS
  4. Enable Automatic HTTPS Rewrites
  5. Check that the redirect URI registered in Google Cloud Console is the https:// URL visitors actually use (Google does not accept plain-HTTP redirect URIs except for localhost), and that WordPress Address and Site Address under Settings > General are https:// as well

Edge Certificates

Ensure you have:

  • Valid edge certificate (Cloudflare provides free)
  • Valid origin certificate that Cloudflare will trust under Full (strict): either a publicly trusted one from your host or Let's Encrypt, or a free Cloudflare Origin CA certificate (trusted by Cloudflare's edge only, so the site must stay proxied). A self-signed certificate fails Full (strict) with error 526.

Page Rules (in order)

Rule 1: Bypass cache for WP JSON

URL: yourdomain.com/wp-json/*
Cache Level: Bypass

Rule 1a (optional): Lower Security Level for the OneTap endpoints only

URL: yourdomain.com/wp-json/onetap/*
Security Level: Essentially Off

Bypassing the cache for all of /wp-json/* is safe (REST responses should not be cached anyway), but keep the lowered Security Level to the plugin's own namespace: /wp-json/* is the entire WordPress REST API, and switching off IP-reputation challenges for all of it exposes every other endpoint too. If the Page Rule quota is tight (three on the Free plan), fold the Security Level change into the WAF Skip rule below instead.

Rule 2: Bypass cache for My Account

URL: yourdomain.com/my-account/*
Cache Level: Bypass

Rule 3: Bypass cache for WP Admin

URL: yourdomain.com/wp-admin/*
Cache Level: Bypass

Cache Rules

Expression: (starts_with(http.request.uri.path, "/wp-json/"))
Action: Bypass cache

WAF Custom Rules

Name: Allow OneTap OAuth
Expression: (starts_with(http.request.uri.path, "/wp-json/onetap/"))
Action: Skip (Super Bot Fight Mode, Security Level; add WAF managed rules only if Security > Events shows them firing)

Avoid matching with contains "onetap": it matches the substring anywhere in the path and so exempts unrelated URLs, while starts_with scopes the exception to the plugin's REST namespace.

Speed Settings

  • Rocket Loader: Off (or exclude the GSI script with data-cfasync="false")
  • Auto Minify JS: Off for WordPress (or test carefully). Cloudflare retired Auto Minify in 2024, so the toggle may no longer appear in your dashboard.

Debugging Cloudflare Issues

1. Check Ray ID

When you see an error:

  1. Note the Cloudflare Ray ID at bottom of error page
  2. Go to Security > Events
  3. Search by Ray ID
  4. See what rule triggered

2. Disable Features One by One

Test by temporarily disabling one feature at a time, re-testing sign-in after each change and re-enabling it before moving on, so you learn which single feature is responsible:

  1. Rocket Loader
  2. Bot Fight Mode
  3. Security Level (set to "Essentially Off" for testing)
  4. WAF Managed Rules

3. Development Mode

For temporary debugging:

  1. Go to Overview > Quick Actions
  2. Enable "Development Mode" (3 hours)
  3. This disables caching
  4. Test Google sign-in

4. Check Headers

Using browser dev tools:

  1. Network tab > select the callback request (enable "Preserve log" first, since the redirect replaces the page)
  2. Look at the response headers: cf-ray confirms the request went through Cloudflare; cf-cache-status shows what the cache did; cf-mitigated: challenge means a challenge page was served in place of the real response
  3. cf-cache-status should be BYPASS or DYNAMIC for OAuth endpoints; HIT on one of these endpoints confirms the stale-nonce problem, and MISS means the path is cacheable and will be served from cache next time

Cloudflare Workers

If using Cloudflare Workers:

Don't Modify OAuth Requests

// In your worker, pass the plugin's OAuth endpoints straight through to the
// origin before any other logic (caching, HTML rewriting, redirects) can
// touch the request or the response.
addEventListener('fetch', event => {
  const url = new URL(event.request.url);

  // Don't modify OAuth endpoints: callback, token POST, nonce endpoints.
  if (url.pathname.startsWith('/wp-json/onetap')) {
    event.respondWith(fetch(event.request));
    return;
  }

  // Your other worker logic...
});

APO (Automatic Platform Optimization)

If using Cloudflare APO for WordPress:

Symptoms with APO

  • Cached nonces
  • Stale authentication state
  • Works for some users, not others

Solution

APO should automatically exclude:

  • Logged-in users
  • Dynamic URLs

But verify:

  1. Check APO settings include proper bypass rules
  2. Test as logged-out user in incognito
  3. May need custom cache bypass rules

Testing Your Configuration

Checklist

After configuration:

  • Clear Cloudflare cache (Purge Everything)
  • Clear browser cache
  • Wait 5 minutes for propagation
  • Test in incognito window
  • Test on mobile device
  • Check browser console for errors
  • Verify callback URL works directly

Quick Test

# Fetch the endpoint with a GET (curl -I sends HEAD, which the cache and some
# endpoints treat differently from the GET the browser sends) and print only
# the response headers
curl -sS -o /dev/null -D - "https://yourdomain.com/wp-json/onetap/v1/test"

# Expect HTTP 200, not 403, with cf-cache-status: DYNAMIC or BYPASS and no
# cf-mitigated: challenge header
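The script below is an added example for this guide, not part of the OneTap plugin or of Cloudflare's tooling. It automates the "Check Headers" and "Quick Test" steps above: it fetches each OAuth endpoint through Cloudflare and turns the status code plus the edge headers (cf-ray, cf-cache-status, cf-mitigated) into a verdict, so you can tell a WAF block from a challenge from a stale cache in one run. It assumes the two endpoint paths mentioned on this page, /wp-json/onetap/v1/test and /wp-json/onetap/v1/callback, and Node 18 or newer for the global fetch; the sample responses embedded in it are constructed, not captured from a real site.

```javascript
// Added example (not OneTap plugin code, not Cloudflare-supplied code).
// Assumptions: the plugin exposes /wp-json/onetap/v1/test and
// /wp-json/onetap/v1/callback; Node 18+ for global fetch.
// Usage: node cf-probe.js https://yourdomain.com

const OAUTH_PATHS = ['/wp-json/onetap/v1/test', '/wp-json/onetap/v1/callback'];

// Classify one response from its status and the headers Cloudflare adds at the
// edge. `headers` is anything with get(name): fetch's Headers, or a Map with
// lowercase keys.
function classifyCloudflareResponse(status, headers) {
  const get = (name) => (headers.get(name) || '').toLowerCase();
  const ray = get('cf-ray');              // present on every proxied response
  const cache = get('cf-cache-status');   // hit / miss / dynamic / bypass / ...
  const mitigated = get('cf-mitigated');  // "challenge" when a challenge page was served

  if (!ray) {
    return { verdict: 'NOT_PROXIED', detail: 'no cf-ray header: grey cloud or talking to the origin directly' };
  }
  if (mitigated === 'challenge') {
    return { verdict: 'CHALLENGED', detail: `challenge page served (status ${status}); a browser would loop here` };
  }
  if (status === 403) {
    return { verdict: 'BLOCKED', detail: `403 at the edge; look up ray ${ray} under Security > Events` };
  }
  if (['hit', 'stale', 'revalidated', 'updating'].includes(cache)) {
    return { verdict: 'CACHED', detail: `cf-cache-status ${cache}: nonces in this response are shared and go stale` };
  }
  if (cache === 'miss' || cache === 'expired') {
    return { verdict: 'CACHEABLE', detail: 'not served from cache this time, but Cloudflare will store it: add a bypass rule' };
  }
  if (status >= 200 && status < 300 && ['dynamic', 'bypass', ''].includes(cache)) {
    return { verdict: 'OK', detail: `status ${status}, cf-cache-status ${cache || 'absent'}` };
  }
  return { verdict: 'UNEXPECTED', detail: `status ${status}, cf-cache-status ${cache || 'absent'}` };
}

// Constructed sample responses (not captured from any real site) so the
// classifier can be exercised offline; the ray value is a placeholder.
const SAMPLES = {
  bypassed:   [200, new Map([['cf-ray', '0000000000000000-FRA'], ['cf-cache-status', 'BYPASS']])],
  dynamic:    [200, new Map([['cf-ray', '0000000000000000-FRA'], ['cf-cache-status', 'DYNAMIC']])],
  cached:     [200, new Map([['cf-ray', '0000000000000000-FRA'], ['cf-cache-status', 'HIT']])],
  cacheable:  [200, new Map([['cf-ray', '0000000000000000-FRA'], ['cf-cache-status', 'MISS']])],
  challenged: [403, new Map([['cf-ray', '0000000000000000-FRA'], ['cf-mitigated', 'challenge']])],
  wafBlocked: [403, new Map([['cf-ray', '0000000000000000-FRA'], ['cf-cache-status', 'DYNAMIC']])],
  greyCloud:  [200, new Map([['server', 'nginx']])],
};

function classifySamples() {
  const out = {};
  for (const [name, [status, headers]] of Object.entries(SAMPLES)) {
    out[name] = classifyCloudflareResponse(status, headers).verdict;
  }
  return out;
}

// Live probe: GET each endpoint through Cloudflare without following redirects,
// so a challenge or block on the endpoint itself is what gets classified.
async function probe(baseUrl, paths = OAUTH_PATHS) {
  const results = [];
  for (const path of paths) {
    const res = await fetch(new URL(path, baseUrl), { redirect: 'manual' });
    const { verdict, detail } = classifyCloudflareResponse(res.status, res.headers);
    results.push({ path, status: res.status, verdict, detail });
  }
  return results;
}

// CLI entry point (CommonJS); skipped when imported or run without a URL.
if (typeof require !== 'undefined' && require.main === module && /^https?:/.test(process.argv[2] || '')) {
  probe(process.argv[2]).then((rows) => {
    for (const r of rows) console.log(`${r.verdict.padEnd(11)} ${r.status}  ${r.path}  ${r.detail}`);
    process.exitCode = rows.every((r) => r.verdict === 'OK') ? 0 : 1;
  });
}
```

A non-zero exit code makes the script usable as a post-deploy check after changing Cloudflare rules. MISS is deliberately not treated as a pass: it means the endpoint is cacheable and the next visitor will get the stored copy, which is exactly the nonce problem described earlier, just one request away.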

Getting Help

If issues persist:

  1. Cloudflare Support: For proxy/WAF issues
  2. OneTap Support: For plugin configuration
  3. Include:
    • Ray ID from errors
    • Screenshot of security events
    • Current Cloudflare settings

Next Steps