1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
|
import { z } from "zod";
import serverConfig from "@karakeep/shared/config";
import logger from "@karakeep/shared/logger";
const TurnstileVerifyResponseSchema = z.object({
success: z.boolean(),
challenge_ts: z.string().optional(),
hostname: z.string().optional(),
"error-codes": z.array(z.string()).optional(),
});
export async function verifyTurnstileToken(
token: string,
remoteIp?: string | null,
) {
if (!serverConfig.auth.turnstile.enabled) {
return { success: true };
}
if (!token) {
return { success: false, "error-codes": ["missing-input-response"] };
}
const body = new URLSearchParams();
body.append("secret", serverConfig.auth.turnstile.secretKey!);
body.append("response", token);
if (remoteIp) {
body.append("remoteip", remoteIp);
}
try {
const response = await fetch(
"https://challenges.cloudflare.com/turnstile/v0/siteverify",
{
method: "POST",
body,
},
);
if (!response.ok) {
logger.warn(
`[Turnstile] Verification request failed with status ${response.status}`,
);
return { success: false, "error-codes": ["request-not-ok"] };
}
const json = await response.json();
const parseResult = TurnstileVerifyResponseSchema.safeParse(json);
if (!parseResult.success) {
logger.warn("[Turnstile] Invalid response format", {
error: parseResult.error,
remoteIp,
});
return { success: false, "error-codes": ["invalid-response"] };
}
const parsed = parseResult.data;
if (!parsed.success) {
logger.warn("[Turnstile] Verification failed", {
errorCodes: parsed["error-codes"],
remoteIp,
});
}
return parsed;
} catch (error) {
logger.warn("[Turnstile] Verification threw", { error, remoteIp });
return { success: false, "error-codes": ["internal-error"] };
}
}
|
