+4 -2

appview/config/config.go

reviewed

··· 72 72 } 73 73 74 74 type Cloudflare struct { 75 75 - ApiToken string `env:"API_TOKEN"` 76 76 - ZoneId string `env:"ZONE_ID"` 75 75 + ApiToken string `env:"API_TOKEN"` 76 76 + ZoneId string `env:"ZONE_ID"` 77 77 + TurnstileSiteKey string `env:"TURNSTILE_SITE_KEY"` 78 78 + TurnstileSecretKey string `env:"TURNSTILE_SECRET_KEY"` 77 79 } 78 80 79 81 func (cfg RedisConfig) ToURL() string {

+6 -2

appview/pages/pages.go

reviewed

··· 226 226 return p.executePlain("user/login", w, params) 227 227 } 228 228 229 229 - func (p *Pages) Signup(w io.Writer) error { 230 230 - return p.executePlain("user/signup", w, nil) 229 229 + type SignupParams struct { 230 230 + CloudflareSiteKey string 231 231 + } 232 232 + 233 233 + func (p *Pages) Signup(w io.Writer, params SignupParams) error { 234 234 + return p.executePlain("user/signup", w, params) 231 235 } 232 236 233 237 func (p *Pages) CompleteSignup(w io.Writer) error {

+1 -1

appview/pages/templates/user/login.html

reviewed

··· 36 36 placeholder="akshay.tngl.sh" 37 37 /> 38 38 <span class="text-sm text-gray-500 mt-1"> 39 39 - Use your <a href="https://atproto.com">ATProto</a> 39 39 + Use your <a href="https://atproto.com">AT Protocol</a> 40 40 handle to log in. If you're unsure, this is likely 41 41 your Tangled (<code>.tngl.sh</code>) or <a href="https://bsky.app">Bluesky</a> (<code>.bsky.social</code>) account. 42 42 </span>

+6 -1

appview/pages/templates/user/signup.html

reviewed

··· 10 10 <script src="/static/htmx.min.js"></script> 11 11 <link rel="stylesheet" href="/static/tw.css?{{ cssContentHash }}" type="text/css" /> 12 12 <title>sign up &middot; tangled</title> 13 13 + 14 14 + <script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script> 13 15 </head> 14 16 <body class="flex items-center justify-center min-h-screen"> 15 17 <main class="max-w-md px-6 -mt-4"> ··· 41 39 invite code, desired username, and password in the next 42 40 page to complete your registration. 43 41 </span> 42 42 + <div class="w-full mt-4"> 43 43 + <div class="cf-turnstile" data-sitekey="{{ .CloudflareSiteKey }}"></div> 44 44 + </div> 44 45 <button class="btn text-base w-full my-2 mt-6" type="submit" id="signup-button" tabindex="7" > 45 46 <span>join now</span> 46 47 </button> 47 48 </form> 48 49 <p class="text-sm text-gray-500"> 49 49 - Already have an ATProto account? <a href="/login" class="underline">Login to Tangled</a>. 50 50 + Already have an AT Protocol account? <a href="/login" class="underline">Login to Tangled</a>. 50 51 </p> 51 52 52 53 <p id="signup-msg" class="error w-full"></p>

+65 -1

appview/signup/signup.go

reviewed

··· 2 2 3 3 import ( 4 4 "bufio" 5 5 + "encoding/json" 6 6 + "errors" 5 7 "fmt" 6 8 "log/slog" 7 9 "net/http" 10 10 + "net/url" 8 11 "os" 9 12 "strings" 10 13 ··· 119 116 func (s *Signup) signup(w http.ResponseWriter, r *http.Request) { 120 117 switch r.Method { 121 118 case http.MethodGet: 122 122 - s.pages.Signup(w) 119 119 + s.pages.Signup(w, pages.SignupParams{ 120 120 + CloudflareSiteKey: s.config.Cloudflare.TurnstileSiteKey, 121 121 + }) 123 122 case http.MethodPost: 124 123 if s.cf == nil { 125 124 http.Error(w, "signup is disabled", http.StatusFailedDependency) 125 125 + return 126 126 } 127 127 emailId := r.FormValue("email") 128 128 + cfToken := r.FormValue("cf-turnstile-response") 128 129 129 130 noticeId := "signup-msg" 131 131 + 132 132 + if err := s.validateCaptcha(cfToken, r); err != nil { 133 133 + s.l.Warn("turnstile validation failed", "error", err) 134 134 + s.pages.Notice(w, noticeId, "Captcha validation failed.") 135 135 + return 136 136 + } 137 137 + 130 138 if !email.IsValidEmail(emailId) { 131 139 s.pages.Notice(w, noticeId, "Invalid email address.") 132 140 return ··· 268 254 }() 269 255 return 270 256 } 257 257 + } 258 258 + 259 259 + type turnstileResponse struct { 260 260 + Success bool `json:"success"` 261 261 + ErrorCodes []string `json:"error-codes,omitempty"` 262 262 + ChallengeTs string `json:"challenge_ts,omitempty"` 263 263 + Hostname string `json:"hostname,omitempty"` 264 264 + } 265 265 + 266 266 + func (s *Signup) validateCaptcha(cfToken string, r *http.Request) error { 267 267 + if cfToken == "" { 268 268 + return errors.New("captcha token is empty") 269 269 + } 270 270 + 271 271 + if s.config.Cloudflare.TurnstileSecretKey == "" { 272 272 + return errors.New("turnstile secret key not configured") 273 273 + } 274 274 + 275 275 + data := url.Values{} 276 276 + data.Set("secret", s.config.Cloudflare.TurnstileSecretKey) 277 277 + data.Set("response", cfToken) 278 278 + 279 279 + // include the client IP if we have it 280 280 + if remoteIP := r.Header.Get("CF-Connecting-IP"); remoteIP != "" { 281 281 + data.Set("remoteip", remoteIP) 282 282 + } else if remoteIP := r.Header.Get("X-Forwarded-For"); remoteIP != "" { 283 283 + if ips := strings.Split(remoteIP, ","); len(ips) > 0 { 284 284 + data.Set("remoteip", strings.TrimSpace(ips[0])) 285 285 + } 286 286 + } else { 287 287 + data.Set("remoteip", r.RemoteAddr) 288 288 + } 289 289 + 290 290 + resp, err := http.PostForm("https://challenges.cloudflare.com/turnstile/v0/siteverify", data) 291 291 + if err != nil { 292 292 + return fmt.Errorf("failed to verify turnstile token: %w", err) 293 293 + } 294 294 + defer resp.Body.Close() 295 295 + 296 296 + var turnstileResp turnstileResponse 297 297 + if err := json.NewDecoder(resp.Body).Decode(&turnstileResp); err != nil { 298 298 + return fmt.Errorf("failed to decode turnstile response: %w", err) 299 299 + } 300 300 + 301 301 + if !turnstileResp.Success { 302 302 + s.l.Warn("turnstile validation failed", "error_codes", turnstileResp.ErrorCodes) 303 303 + return errors.New("turnstile validation failed") 304 304 + } 305 305 + 306 306 + return nil 271 307 }