Add support for using an cloudflare turnstile widget during signup

app/controllers/users_controller.rb

@@ -21,6 +21,13 @@ class UsersController < ApplicationController
   allow_thirdparty_images :only => :show
   allow_social_login :only => :new
 
+  content_security_policy(:only => :new) do |policy|
+    if Settings.turnstile_site_key
+      policy.frame_src(*policy.frame_src, "challenges.cloudflare.com")
+      policy.script_src(*policy.script_src, "challenges.cloudflare.com")
+    end
+  end
+
   ##
   # display a list of users matching specified criteria
   def index
@@ -98,6 +105,10 @@ def create
       if current_user.invalid?
         # Something is wrong with a new user, so rerender the form
         render :action => "new"
+      elsif Settings.turnstile_site_key && !valid_turnstile_response?(params["cf-turnstile-response"])
+        # Invalid turnstile response, so rerender the form
+        flash.now[:error] = t ".not_human"
+        render :action => "new"
       else
         # Save the user record
         save_new_user params[:email_hmac], params[:referer]
@@ -362,4 +373,20 @@ def check_signup_allowed(email = nil)
 
     !blocked
   end
+
+  ##
+  # check if a turnstile response is valid
+  def valid_turnstile_response?(turnstile_response)
+    response = OSM.http_client.post("https://challenges.cloudflare.com/turnstile/v0/siteverify", {
+                                      :secret => Settings.turnstile_secret_key,
+                                      :response => turnstile_response,
+                                      :remoteip => request.remote_ip
+                                    })
+
+    return false unless response.success?
+
+    parsed_response = JSON.parse(response.body)
+
+    parsed_response["success"]
+  end
 end

app/views/users/new.html.erb

@@ -1,6 +1,9 @@
 <% content_for :head do %>
   <%= javascript_include_tag "user" %>
   <%= javascript_include_tag "auth_providers" %>
+  <% if Settings.turnstile_site_key -%>
+    <%= javascript_include_tag "https://challenges.cloudflare.com/turnstile/v0/api.js", :async => true, :defer => true %>
+  <% end -%>
 <% end %>
 
 <% content_for :heading_class, "p-0 mw-100" %>
@@ -72,6 +75,13 @@
       </div>
     <% end %>
 
+    <% if Settings.turnstile_site_key -%>
+      <div class="mb-3">
+        <label class="form_label"><%= t ".verify_human" %></label>
+        <div class="pt-2 cf-turnstile" data-sitekey="<%= Settings.turnstile_site_key %>"></div>
+      </div>
+    <% end %>
+
     <p class="mb-3 text-body-secondary fs-6"><%= t(".by_signing_up_html",
                                                    :tou_link => link_to(t("layouts.tou"),
                                                                         "https://wiki.osmfoundation.org/wiki/Terms_of_Use",

config/environments/test.rb

@@ -38,7 +38,7 @@
   config.active_storage.service = :test
 
   # Disable logging in tests, for speed increases. Set to :info to bring back logging
-  config.log_level = :warn
+  config.log_level = :info
 
   config.action_mailer.perform_caching = false
 

config/locales/en.yml

@@ -2769,6 +2769,9 @@ en:
       consider_pd_url: https://wiki.osmfoundation.org/wiki/Licence_and_Legal_FAQ/Why_would_I_want_my_contributions_to_be_public_domain
       or: "or"
       use external auth: "or sign up with a third party"
+      verify_human: Verify you're a human
+    create:
+      not_human: Human verification failed
     terms:
       title: "Terms"
       heading: "Terms"

config/settings.yml

@@ -174,3 +174,6 @@ smtp_password: null
 #  -----BEGIN PRIVATE KEY-----
 #  ...
 #  -----END PRIVATE KEY-----
+# Credentials for optional cloudflare turnstile widget
+#turnstile_site_key:
+#turnstile_secret_key: