cloudflare · Oxyjun · Jan 23, 2026 · Jan 23, 2026 · Jan 23, 2026 · Jan 23, 2026
@@ -24,15 +24,20 @@ This example demonstrates:
 ```ts
 import { DurableObject } from 'cloudflare:workers';
 
+interface Env {
+MY_DURABLE_OBJECT: DurableObjectNamespace<MyDurableObject>;
+}
+
 // Send incremented counter value every second
 async function* dataSource(signal: AbortSignal) {
-    let counter = 0;
-    while (!signal.aborted) {
-        yield counter++;
-        await new Promise((resolve) => setTimeout(resolve, 1_000));
-    }
+let counter = 0;
+while (!signal.aborted) {
+yield counter++;
+await new Promise((resolve) => setTimeout(resolve, 1_000));
+}
 
     console.log('Data source cancelled');
+
 }
 
 export class MyDurableObject extends DurableObject<Env> {
@@ -105,6 +110,19 @@ export default {
 ```
 </TypeScriptExample>
 
+<WranglerConfig>
+```toml
+[[durable_objects.bindings]]
+name = "MY_DURABLE_OBJECT"
+class_name = "MyDurableObject"
+
+[[migrations]]
+tag = "v1"
+new_classes = ["MyDurableObject"]
+```
+
+</WranglerConfig>
+
 :::note
 
 In a setup where a Durable Object returns a readable stream to a Worker, if the Worker cancels the Durable Object's readable stream, the cancellation propagates to the Durable Object.

@@ -1,5 +1,4 @@
 ---
-
 summary: Shows how to restrict access using the HTTP Basic schema.
 tags:
   - Security
@@ -182,7 +181,7 @@ interface Env {
 	PASSWORD: string;
 }
 export default {
-	async fetch(request, env): Promise<Response> {
+	async fetch(request: Request, env: Env): Promise<Response> {
 		const BASIC_USER = "admin";
 
 		// You will need an admin password. This should be
@@ -285,7 +284,7 @@ async fn fetch(req: Request, env: Env, _ctx: Context) -> Result<Response> {
         "/admin" => {
             // The "Authorization" header is sent when authenticated.
             let authorization = req.headers().get("Authorization")?;
-            if authorization == None {
+            if authorization.is_none() {
                 let mut headers = Headers::new();
                 // Prompts the user for credentials.
                 headers.set(
@@ -296,22 +295,37 @@ async fn fetch(req: Request, env: Env, _ctx: Context) -> Result<Response> {
             }
             let authorization = authorization.unwrap();
             let auth: Vec<&str> = authorization.split(" ").collect();
+
+            // The Authorization header must start with Basic, followed by a space.
+            if auth.len() < 2 {
+                return Response::error("Malformed authorization header.", 400);
+            }
+
             let scheme = auth[0];
             let encoded = auth[1];
 
-            // The Authorization header must start with Basic, followed by a space.
-            if encoded == "" || scheme != "Basic" {
+            if encoded.is_empty() || scheme != "Basic" {
                 return Response::error("Malformed authorization header.", 400);
             }
 
-            let buff = BASE64_STANDARD.decode(encoded).unwrap();
+            let buff = match BASE64_STANDARD.decode(encoded) {
+                Ok(b) => b,
+                Err(_) => return Response::error("Malformed authorization header.", 400),
+            };
             let credentials = String::from_utf8_lossy(&buff);
             // The username & password are split by the first colon.
             //=> example: "username:password"
-            let credentials: Vec<&str> = credentials.split(':').collect();
+            let credentials: Vec<&str> = credentials.splitn(2, ':').collect();
+
+            if credentials.len() < 2 {
+                return Response::error("Malformed authorization header.", 400);
+            }
+
             let user = credentials[0];
             let pass = credentials[1];
 
+            // Note: This comparison is not timing-safe. For production use,
+            // consider using a constant-time comparison to prevent timing attacks.
             if user != basic_user || pass != basic_pass {
                 let mut headers = Headers::new();
                 // Prompts the user for credentials.