fix: expand token regex to support cfut_ prefix tokens (53+ chars)#128

Open
EgorYolkin wants to merge 1 commit into caddy-dns:master from EgorYolkin:master
Conversation

@EgorYolkin
Problem

Description

The token is validated using the regex pattern ^[A-Za-z0-9_-]{35,50}$ in the validCloudflareToken() function (defined in cloudflare.go).

Cloudflare has started issuing API tokens in a new format with the prefix cfut_ (Cloudflare User Token). These tokens are longer than the previous format — my token is 53 characters long, which exceeds the current regex maximum of 50.

The token is fully valid and works correctly with the Cloudflare API (verified via curl and other services that use the same token for DNS record management), but Caddy rejects it at the provisioning stage before making any API request.


Steps to reproduce

  1. Create a new API Token in Cloudflare Dashboard (My Profile → API Tokens) with Zone:Read + DNS:Edit permissions.
  2. Receive a token in the new cfut_ format (e.g. 53 characters long).
  3. Configure Caddy with the caddy-dns/cloudflare module:

     tls {
         dns cloudflare {env.CF_API_TOKEN}
     }

  4. Start Caddy.

Actual behavior

Caddy fails to start with the following error:

Error: loading initial config: ... provision dns.providers.cloudflare:
API token 'cfut_...' appears invalid;
ensure it's correctly entered and not wrapped in braces nor quotes

The error is produced by the validCloudflareToken() function during Provision(), before any actual API call to Cloudflare is made. The token never reaches the Cloudflare API for real validation.


Expected behavior

Caddy should accept the token and allow the Cloudflare API itself to determine whether it is valid or not. Alternatively, the regex should be updated to accommodate the new token format.


Root cause

The regex pattern ^[A-Za-z0-9_-]{35,50}$ defined in cloudflare.go enforces Cloudflare's token format requirements.

This regex was written when Cloudflare tokens were 40 characters of [A-Za-z0-9_-]. The new cfut_-prefixed tokens are 53 characters, which exceeds the {35,50} upper bound.


Suggested fix

Option A (minimal)

Increase the upper bound of the regex to accommodate new token formats:

var validToken = regexp.MustCompile(`^[A-Za-z0-9_-]{35,70}$`)

Option B (forward-compatible)

Remove the upper length bound entirely, keeping only a sane minimum and character class check:

var validToken = regexp.MustCompile(`^[A-Za-z0-9_-]{35,}$`)

Option C (most robust)

Remove client-side regex validation entirely and let the Cloudflare API itself validate the token.

This function exists only as a sanity check — if the token is malformed, Cloudflare will return HTTP 400/403 with a clear error message anyway. Client-side validation creates a maintenance burden because Cloudflare can change token formats at any time.


Environment

  • caddy-dns/cloudflare: latest (master)
  • Caddy: built via xcaddy with caddy:builder image
  • Token format: cfut_ prefix, 53 characters total
  • Token verified working (the verify endpoint needs the token as a bearer header, read here from the same CF_API_TOKEN variable the Caddyfile uses):

    curl -X GET "https://api.cloudflare.com/client/v4/user/tokens/verify" \
         -H "Authorization: Bearer $CF_API_TOKEN"

    returns "status": "active"


Workaround

Currently there is no clean workaround other than using a legacy-format token (if still possible to generate) or forking the module to patch the regex.
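The following is an added example, not code from caddy-dns/cloudflare or from the PR author. It places the module's current pattern next to the two regex variants proposed above (Option A and Option B) and runs all three over constructed sample tokens: a 40-character legacy-shaped token, a 53-character cfut_-shaped token, and the "wrapped in braces" mistake the module's error message warns about. The pattern names, the helper functions and the sample strings are assumptions of this example; the sample tokens are placeholders, not real credentials.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Hypothetical names for the three patterns discussed in the PR.
// Only the regex literals come from the PR text; the variable names are ours.
var (
	currentToken = regexp.MustCompile(`^[A-Za-z0-9_-]{35,50}$`) // what the module enforces today
	optionAToken = regexp.MustCompile(`^[A-Za-z0-9_-]{35,70}$`) // Option A: raise the upper bound
	optionBToken = regexp.MustCompile(`^[A-Za-z0-9_-]{35,}$`)   // Option B: drop the upper bound
)

// TokenCheck records whether each candidate pattern accepts a token.
type TokenCheck struct {
	Current, OptionA, OptionB bool
}

// CheckToken runs a token through all three patterns so the effect of
// each proposed change can be compared side by side.
func CheckToken(token string) TokenCheck {
	return TokenCheck{
		Current: currentToken.MatchString(token),
		OptionA: optionAToken.MatchString(token),
		OptionB: optionBToken.MatchString(token),
	}
}

// LegacySample is a constructed 40-character token of the older shape.
func LegacySample() string { return strings.Repeat("a", 40) }

// CfutSample is a constructed 53-character token with the cfut_ prefix
// (5-character prefix plus 48 body characters). Not a real credential.
func CfutSample() string { return "cfut_" + strings.Repeat("b", 48) }

// BracedSample reproduces the operator mistake the module's error message
// mentions: the token pasted together with its surrounding braces.
func BracedSample() string { return "{" + CfutSample() + "}" }

// SafePrefix returns only the first few characters of a token so that a
// diagnostic line never discloses the whole secret (mirrors the
// 'cfut_...' style of the module's own error message).
func SafePrefix(token string) string {
	if len(token) <= 5 {
		return token
	}
	return token[:5] + "..."
}

func main() {
	for _, tok := range []string{LegacySample(), CfutSample(), BracedSample(), "short"} {
		c := CheckToken(tok)
		fmt.Printf("%-9s len=%2d current=%-5t optionA=%-5t optionB=%t\n",
			SafePrefix(tok), len(tok), c.Current, c.OptionA, c.OptionB)
	}
}
```

Running the program shows the legacy-shaped token passing every pattern, the cfut_-shaped token failing only the current {35,50} pattern, and the brace-wrapped and too-short inputs failing all three, so both Option A and Option B keep the character-class and minimum-length sanity check while removing the false rejection described in the PR.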
