switch to cloudflare turnstile

2025-11-30 15:23:50 -05:00 · 2024-07-22 17:53:35 -04:00
parent 00165a5871
commit 5fe420913e
7 changed files with 59 additions and 77 deletions
--- a/pages/api/contact.ts
+++ b/pages/api/contact.ts
@@ -1,10 +1,15 @@
 import nodemailer from "nodemailer";
-import queryString from "query-string";
 import fetcher from "../../lib/helpers/fetcher";
 import config from "../../lib/config";
 import type { NextApiHandler } from "next";

-const handler: NextApiHandler = async (req, res) => {
+const handler: NextApiHandler<
+  {
+    success?: boolean;
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    error?: any;
+  } | null
+> = async (req, res) => {
  // only allow POST requests, otherwise return a 405 Method Not Allowed
  if (req.method !== "POST") {
    return res.status(405).send(null);
@@ -20,7 +25,13 @@ const handler: NextApiHandler = async (req, res) => {
      // all fields are required
      throw new Error("missing_data");
    }
-    if (!data["h-captcha-response"] || !(await validateCaptcha(data["h-captcha-response"]))) {
+    if (
+      !data["cf-turnstile-response"] ||
+      !(await validateCaptcha(
+        data["cf-turnstile-response"],
+        (req.headers["x-forwarded-for"] as string) || (req.headers["x-real-ip"] as string) || ""
+      ))
+    ) {
      // either the captcha is wrong or completely missing
      throw new Error("invalid_captcha");
    }
@@ -44,17 +55,17 @@ const handler: NextApiHandler = async (req, res) => {
  }
 };

-const validateCaptcha = async (formResponse: unknown): Promise<unknown> => {
-  const response = await fetcher("https://hcaptcha.com/siteverify", {
+const validateCaptcha = async (formResponse: unknown, ip: string): Promise<unknown> => {
+  const response = await fetcher("https://challenges.cloudflare.com/turnstile/v0/siteverify", {
    method: "POST",
    headers: {
-      "Content-Type": "application/x-www-form-urlencoded",
+      "Content-Type": "application/json",
    },
-    body: queryString.stringify({
+    body: JSON.stringify({
+      // fallback to dummy secret for testing: https://developers.cloudflare.com/turnstile/troubleshooting/testing/
+      secret: process.env.TURNSTILE_SECRET_KEY || "1x0000000000000000000000000000000AA",
      response: formResponse,
-      // fallback to dummy secret for testing: https://docs.hcaptcha.com/#integration-testing-test-keys
-      sitekey: process.env.NEXT_PUBLIC_HCAPTCHA_SITE_KEY || "10000000-ffff-ffff-ffff-000000000001",
-      secret: process.env.HCAPTCHA_SECRET_KEY || "0x0000000000000000000000000000000000000000",
+      remoteip: ip,
    }),
  });

--- a/pages/privacy.tsx
+++ b/pages/privacy.tsx
@@ -106,34 +106,27 @@ const Privacy = () => {
          </ListItem>
        </UnorderedList>

-        <H2 id="hcaptcha">Fighting Spam</H2>
+        <H2 id="spam">Fighting Spam</H2>

        <p>
          Using{" "}
-          <Link href="https://www.hcaptcha.com/">
-            <strong>hCaptcha</strong>
+          <Link href="https://www.cloudflare.com/products/turnstile/">
+            <strong>Cloudflare Turnstile</strong>
          </Link>{" "}
          to fight bot spam on the <Link href="/contact/">contact form</Link> was an easy choice over seemingly
          unavoidable alternatives like <Link href="https://developers.google.com/recaptcha/">reCAPTCHA</Link>.
        </p>

        <p>
-          You can refer to hCaptcha's <Link href="https://www.hcaptcha.com/privacy">privacy policy</Link> and{" "}
-          <Link href="https://www.hcaptcha.com/terms">terms of service</Link> for more details. While some information
-          is sent to the hCaptcha API about your behavior <strong>(on the contact page only)</strong>, at least you
-          won't be helping a certain internet conglomerate{" "}
+          You can refer to Cloudflare's <Link href="https://www.cloudflare.com/privacypolicy/">privacy policy</Link> and{" "}
+          <Link href="https://www.cloudflare.com/website-terms/">terms of service</Link> for more details. While some
+          information is sent to the Turnstile API about your behavior <strong>(on the contact page only)</strong>, at
+          least you won't be helping a certain internet conglomerate{" "}
          <Link href="https://blog.cloudflare.com/moving-from-recaptcha-to-hcaptcha/">
            train their self-driving cars
          </Link>
          . 🚗
        </p>
-
-        <p>
-          I also enabled the setting to donate 100% of my{" "}
-          <Link href="https://humanprotocol.org/?lng=en-US">HMT token</Link> earnings to the{" "}
-          <Link href="https://wikimediafoundation.org/">Wikimedia Foundation</Link>, for what it's worth. (A few cents,
-          probably... 💰)
-        </p>
      </Content>
    </>
  );