feat(turnstile): adds turnstile to login and verifies key on server

maevsi · Feb 8, 2023 · adc76e2 · adc76e2
1 parent 2bb343e
commit adc76e2
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 37 deletions.
diff --git a/nuxt/components/form/account/FormAccountSignIn.vue b/nuxt/components/form/account/FormAccountSignIn.vue
@@ -39,7 +39,6 @@
       <div class="flex justify-center">
         <Turnstile v-model="store.turnstileKey" />
       </div>
-      <p>{{ t('verificationKey') }}: {{ store.turnstileKey }}</p>
 
       <template
         v-if="
@@ -124,6 +123,7 @@ async function submit() {
     })
     .then(async (result) => {
       if (result.error) return
+      store.turnstileKey = undefined
 
       try {
         await jwtStore(result.data?.authenticate?.jwt)
@@ -136,7 +136,6 @@ async function submit() {
         })
         return
       }
-
       navigateTo(localePath(`/dashboard`))
     })
 }

diff --git a/nuxt/nuxt.config.ts b/nuxt/nuxt.config.ts
@@ -188,6 +188,7 @@ export default defineNuxtConfig({
   },
   turnstile: {
     siteKey: '0x4AAAAAAAB-4n2PVIbNv24s',
+    addValidateEndpoint: true,
   },
   typescript: {
     shim: false,

diff --git a/nuxt/plugins/urql.ts b/nuxt/plugins/urql.ts
@@ -128,21 +128,20 @@ export default defineNuxtPlugin(async (nuxtApp) => {
       const jwt = store.jwt
       const turnstileKey = store.turnstileKey
 
-      var headers = {}
-
+      let headers = {} as Record<string, any>
       if (jwt) {
         consola.trace('GraphQL request authenticated with: ' + jwt)
         headers = { ...headers, authorization: `Bearer ${jwt}` }
       } else {
         consola.trace('GraphQL request without authentication.')
       }
       if (turnstileKey) {
-        consola.trace('Turnstile session key: ' + turnstileKey)
-        headers = { ...headers,  'x-authenticate': turnstileKey }
+        consola.info('Turnstile session key: ' + turnstileKey)
+        headers[TURNSTILE_HEADER_KEY] = turnstileKey
       } else {
-        consola.trace('No Turnstile key is given')
+        consola.info('No Turnstile key is given')
       }
-      return headers
+      return { headers }
     },
 
     url: config.public.stagingHost

diff --git a/nuxt/server/api/auth-proxy.ts b/nuxt/server/api/auth-proxy.ts
@@ -1,35 +1,32 @@
-import { H3Event, NodeIncomingMessage } from 'h3'
+import { H3Event } from 'h3'
 import consola from 'consola'
-
-const SECRET_KEY = '1x0000000000000000000000000000000AA'
+import { TURNSTILE_HEADER_KEY } from '~/utils/constants'
 
 export default defineEventHandler(async function (event: H3Event) {
+  consola.trace('Inside auth-proxy.ts')
   const { req, res } = event.node
-  const postResponse = handlePost(req)
-  consola.trace(req)
-})
-
-async function handlePost(request: NodeIncomingMessage) {
-  const body = await request.formData()
-  // Turnstile injects a token in "cf-turnstile-response".
-  const token = body.get('cf-turnstile-response')
-  const ip = request.headers.get('CF-Connecting-IP')
-
-  // Validate the token by calling the
-  // "/siteverify" API endpoint.
-  let formData = new FormData()
-  formData.append('secret', SECRET_KEY)
-  formData.append('response', token)
-  formData.append('remoteip', ip)
+  const turnstileKey = req.headers[TURNSTILE_HEADER_KEY.toLowerCase()]
+  consola.trace('Turnstile Key: ' + turnstileKey)
 
-  const url = 'https://challenges.cloudflare.com/turnstile/v0/siteverify'
-  const result = await fetch(url, {
-    body: formData,
-    method: 'POST',
-  })
-
-  const outcome = await result.json()
-  if (outcome.success) {
-    // ...
+  if (!turnstileKey) {
+    throw createError({
+      statusCode: 422,
+      statusMessage: 'TurnstileKey not provided.',
+    })
+  }
+  const result = await verifyTurnstileToken(turnstileKey)
+  consola.trace(result)
+  if (!result.success) {
+    consola.error('Turnstile verification unsuccessful!')
+    createError({
+      statusCode: 403,
+      statusMessage: result['error-codes'].join(', '),
+    })
+    res.statusCode = 403
+    res.statusMessage = 'Verification failed'
+    res.end()
+    return
   }
-}
+  consola.trace('Turnstile verification succeeded')
+  res.end()
+})
diff --git a/nuxt/utils/constants.ts b/nuxt/utils/constants.ts
@@ -27,3 +27,4 @@ export const REGEX_UUID =
   /^[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}$/
 export const TIMEZONE_COOKIE_NAME = 'maevsi_timezone'
 export const TIMEZONE_HEADER_KEY = 'X-Timezone'
+export const TURNSTILE_HEADER_KEY = 'X-Authenticate'