Add support for using an cloudflare turnstile widget during signup

tomhughes · Oct 24, 2023 · e303772 · e303772
1 parent dd905b5
commit e303772
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 1 deletion.
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
@@ -62,7 +62,9 @@ def new
                end
 
     append_content_security_policy_directives(
-      :form_action => %w[accounts.google.com *.facebook.com login.live.com github.com meta.wikimedia.org]
+      :form_action => %w[accounts.google.com *.facebook.com login.live.com github.com meta.wikimedia.org],
+      :frame_src => %w[challenges.cloudflare.com],
+      :script_src => %w[challenges.cloudflare.com]
     )
 
     if current_user
@@ -102,6 +104,10 @@ def create
       if current_user.invalid?
         # Something is wrong with a new user, so rerender the form
         render :action => "new"
+      elsif Settings.turnstile_site_key && invalid_turnstile_response?(params["cf-turnstile-response"])
+        # Invalid turnstile response, so rerender the form
+        flash.now[:error] = t ".not_human"
+        render :action => "new"
       elsif current_user.auth_provider.present?
         # Verify external authenticator before moving on
         session[:new_user] = current_user
@@ -362,4 +368,18 @@ def check_signup_allowed(email = nil)
 
     !blocked
   end
+
+  def invalid_turnstile_response?(turnstile_response)
+    response = OSM.http_client.post("https://challenges.cloudflare.com/turnstile/v0/siteverify", {
+                                      :secret => Settings.turnstile_secret_key,
+                                      :response => turnstile_response,
+                                      :remoteip => request.remote_ip
+                                    })
+
+    return true unless response.success?
+
+    parsed_response = JSON.parse(response.body)
+
+    !parsed_response["success"]
+  end
 end
diff --git a/app/views/users/new.html.erb b/app/views/users/new.html.erb
@@ -1,5 +1,8 @@
 <% content_for :head do %>
   <%= javascript_include_tag "user" %>
+  <% if Settings.turnstile_site_key -%>
+    <%= javascript_include_tag "https://challenges.cloudflare.com/turnstile/v0/api.js", :async => true, :defer => true %>
+  <% end -%>
 <% end %>
 
 <% content_for :heading_class, "pb-0" %>
@@ -42,6 +45,13 @@
       <%= f.password_field :pass_crypt, :tabindex => 6 %>
       <%= f.password_field :pass_crypt_confirmation, :tabindex => 7 %>
 
+      <% if Settings.turnstile_site_key -%>
+        <div class="mb-3">
+          <label class="form_label"><%= t ".verify_human" %></label>
+          <div class="pt-2 cf-turnstile" data-sitekey="<%= Settings.turnstile_site_key %>"></div>
+        </div>
+      <% end %>
+
       <div id="auth_prompt">
         <p><%= link_to t(".use external auth"), "#", :id => "auth_enable" %></p>
       </div>

diff --git a/config/locales/en.yml b/config/locales/en.yml
@@ -2666,6 +2666,9 @@ en:
       privacy_policy: privacy policy
       privacy_policy_url: https://wiki.osmfoundation.org/wiki/Privacy_Policy
       privacy_policy_title: OSMF privacy policy including section on email addresses
+      verify_human: Verify you're a human
+    create:
+      not_human: Human verification failed
     terms:
       title: "Terms"
       heading: "Terms"

diff --git a/config/settings.yml b/config/settings.yml
@@ -159,3 +159,6 @@ smtp_password: null
 #  -----BEGIN PRIVATE KEY-----
 #  ...
 #  -----END PRIVATE KEY-----
+# Credentials for optional cloudflare turnstile widget
+#turnstile_site_key:
+#turnstile_secret_key: