Files
Synapsis/TURNSTILE_SETUP.md
T
Christomatt 5b0269af34 feat(auth): Integrate Cloudflare Turnstile bot protection and enhance swarm tracking
- Add Cloudflare Turnstile integration for login and registration forms
- Create turnstile verification utility with server-side token validation
- Add turnstile_site_key and turnstile_secret_key fields to nodes table
- Implement admin panel UI for configuring Turnstile keys in settings
- Update login and register API routes to verify Turnstile tokens
- Expose turnstile_site_key via GET /api/node endpoint for frontend
- Add admin endpoint to save and update Turnstile configuration
- Create remote_likes and remote_reposts tables for federated interaction tracking
- Add swarm reply metadata fields (swarm_reply_to_id, swarm_reply_to_content, swarm_reply_to_author) to posts table
- Add comprehensive TURNSTILE_SETUP.md documentation with setup instructions and security notes
- Create database migration 0007 with schema updates and indexes
- Protects against bot registrations and automated attacks on federated nodes
2026-01-26 18:10:48 +01:00

2.6 KiB

Cloudflare Turnstile Setup Guide

Cloudflare Turnstile has been fully integrated into your Synapsis node to protect against bot registrations and logins.

How It Works

  1. Admin Configuration: Admins can add their Cloudflare Turnstile keys in the Admin Settings panel
  2. Automatic Activation: Once both Site Key and Secret Key are configured, Turnstile is automatically enabled
  3. Frontend Integration: The Turnstile widget appears on login and registration forms
  4. Server Verification: All login/register requests are verified server-side with Cloudflare

Setup Steps

1. Get Turnstile Keys from Cloudflare

  1. Go to https://dash.cloudflare.com/?to=/:account/turnstile
  2. Create a new site
  3. Copy your Site Key (public) and Secret Key (private)

2. Configure in Admin Panel

  1. Log in as an admin
  2. Go to Admin → Settings tab
  3. Scroll to "Cloudflare Turnstile (Bot Protection)" section
  4. Paste your Site Key and Secret Key
  5. Click "Save Settings"

3. Test It

  1. Log out
  2. Go to the login page
  3. You should see the Turnstile widget appear
  4. Complete the challenge and try logging in

Features

  • Automatic widget rendering when keys are configured
  • Works on both login and registration forms
  • Server-side token verification
  • Automatic widget reset on form errors
  • Graceful fallback if Turnstile is not configured
  • Submit button disabled until challenge is completed
  • IP address forwarding for better verification

Technical Details

Database Schema

  • nodes.turnstile_site_key - Public site key (exposed to frontend)
  • nodes.turnstile_secret_key - Private secret key (server-side only)

API Endpoints Modified

  • POST /api/auth/login - Now accepts optional turnstileToken
  • POST /api/auth/register - Now accepts optional turnstileToken
  • GET /api/node - Returns turnstileSiteKey for frontend

Files Modified

  • src/db/schema.ts - Added Turnstile fields
  • src/lib/turnstile.ts - Verification helper functions
  • src/app/api/auth/login/route.ts - Token verification
  • src/app/api/auth/register/route.ts - Token verification
  • src/app/api/node/route.ts - Expose site key
  • src/app/api/admin/node/route.ts - Save/update keys
  • src/app/admin/page.tsx - Admin UI for configuration
  • src/app/login/page.tsx - Frontend widget integration

Security Notes

  • The Secret Key is NEVER exposed to the frontend
  • Only the Site Key is public
  • Verification happens server-side with Cloudflare's API
  • Failed verifications reject the login/registration attempt
  • IP addresses are forwarded for better bot detection