5b0269af34
- Add Cloudflare Turnstile integration for login and registration forms - Create turnstile verification utility with server-side token validation - Add turnstile_site_key and turnstile_secret_key fields to nodes table - Implement admin panel UI for configuring Turnstile keys in settings - Update login and register API routes to verify Turnstile tokens - Expose turnstile_site_key via GET /api/node endpoint for frontend - Add admin endpoint to save and update Turnstile configuration - Create remote_likes and remote_reposts tables for federated interaction tracking - Add swarm reply metadata fields (swarm_reply_to_id, swarm_reply_to_content, swarm_reply_to_author) to posts table - Add comprehensive TURNSTILE_SETUP.md documentation with setup instructions and security notes - Create database migration 0007 with schema updates and indexes - Protects against bot registrations and automated attacks on federated nodes
2.6 KiB
2.6 KiB
Cloudflare Turnstile Setup Guide
Cloudflare Turnstile has been fully integrated into your Synapsis node to protect against bot registrations and logins.
How It Works
- Admin Configuration: Admins can add their Cloudflare Turnstile keys in the Admin Settings panel
- Automatic Activation: Once both Site Key and Secret Key are configured, Turnstile is automatically enabled
- Frontend Integration: The Turnstile widget appears on login and registration forms
- Server Verification: All login/register requests are verified server-side with Cloudflare
Setup Steps
1. Get Turnstile Keys from Cloudflare
- Go to https://dash.cloudflare.com/?to=/:account/turnstile
- Create a new site
- Copy your Site Key (public) and Secret Key (private)
2. Configure in Admin Panel
- Log in as an admin
- Go to Admin → Settings tab
- Scroll to "Cloudflare Turnstile (Bot Protection)" section
- Paste your Site Key and Secret Key
- Click "Save Settings"
3. Test It
- Log out
- Go to the login page
- You should see the Turnstile widget appear
- Complete the challenge and try logging in
Features
- ✅ Automatic widget rendering when keys are configured
- ✅ Works on both login and registration forms
- ✅ Server-side token verification
- ✅ Automatic widget reset on form errors
- ✅ Graceful fallback if Turnstile is not configured
- ✅ Submit button disabled until challenge is completed
- ✅ IP address forwarding for better verification
Technical Details
Database Schema
nodes.turnstile_site_key- Public site key (exposed to frontend)nodes.turnstile_secret_key- Private secret key (server-side only)
API Endpoints Modified
POST /api/auth/login- Now accepts optionalturnstileTokenPOST /api/auth/register- Now accepts optionalturnstileTokenGET /api/node- ReturnsturnstileSiteKeyfor frontend
Files Modified
src/db/schema.ts- Added Turnstile fieldssrc/lib/turnstile.ts- Verification helper functionssrc/app/api/auth/login/route.ts- Token verificationsrc/app/api/auth/register/route.ts- Token verificationsrc/app/api/node/route.ts- Expose site keysrc/app/api/admin/node/route.ts- Save/update keyssrc/app/admin/page.tsx- Admin UI for configurationsrc/app/login/page.tsx- Frontend widget integration
Security Notes
- The Secret Key is NEVER exposed to the frontend
- Only the Site Key is public
- Verification happens server-side with Cloudflare's API
- Failed verifications reject the login/registration attempt
- IP addresses are forwarded for better bot detection