feat: add cloudflare turnstile

Author: tea-artist

apps/nestjs-backend/src/features/auth/auth.module.ts

@@ -18,6 +18,7 @@ import { SocialModule } from './social/social.module';
 import { AccessTokenStrategy } from './strategies/access-token.strategy';
 import { JwtStrategy } from './strategies/jwt.strategy';
 import { SessionStrategy } from './strategies/session.strategy';
+import { TurnstileModule } from './turnstile/turnstile.module';
 
 @Module({
   imports: [
@@ -30,6 +31,7 @@ import { SessionStrategy } from './strategies/session.strategy';
     }),
     SocialModule,
     PermissionModule,
+    TurnstileModule,
     JwtModule.registerAsync({
       useFactory: (config: IAuthConfig) => ({
         secret: config.jwt.secret,

apps/nestjs-backend/src/features/auth/local-auth/local-auth.controller.ts

@@ -51,7 +51,7 @@ export class LocalAuthController {
   @UseGuards(LocalAuthGuard)
   @HttpCode(200)
   @Post('signin')
-  async signin(@Req() req: Express.Request): Promise<IUserMeVo> {
+  async signin(@Req() req: Request): Promise<IUserMeVo> {
     return req.user as IUserMeVo;
   }
 
@@ -60,9 +60,11 @@ export class LocalAuthController {
   async signup(
     @Body(new ZodValidationPipe(signupSchema)) body: ISignup,
     @Res({ passthrough: true }) res: Response,
-    @Req() req: Express.Request
+    @Req() req: Request
   ): Promise<IUserMeVo> {
-    const user = pickUserMe(await this.authService.signup(body));
+    const remoteIp =
+      req.ip || req.connection.remoteAddress || (req.headers['x-forwarded-for'] as string);
+    const user = pickUserMe(await this.authService.signup(body, remoteIp));
     // set cookie, passport login
     await new Promise<void>((resolve, reject) => {
       req.login(user, (err) => (err ? reject(err) : resolve()));

apps/nestjs-backend/src/features/auth/local-auth/local-auth.module.ts

@@ -8,11 +8,13 @@ import { UserModule } from '../../user/user.module';
 import { SessionStoreService } from '../session/session-store.service';
 import { SessionModule } from '../session/session.module';
 import { LocalStrategy } from '../strategies/local.strategy';
+import { TurnstileModule } from '../turnstile/turnstile.module';
 import { LocalAuthController } from './local-auth.controller';
 import { LocalAuthService } from './local-auth.service';
 
 @Module({
   imports: [
+    TurnstileModule,
     SettingModule,
     UserModule,
     SessionModule,

apps/nestjs-backend/src/features/auth/local-auth/local-auth.service.ts

@@ -30,6 +30,7 @@ import { MailSenderService } from '../../mail-sender/mail-sender.service';
 import { SettingService } from '../../setting/setting.service';
 import { UserService } from '../../user/user.service';
 import { SessionStoreService } from '../session/session-store.service';
+import { TurnstileService } from '../turnstile/turnstile.service';
 
 @Injectable()
 export class LocalAuthService {
@@ -47,7 +48,8 @@ export class LocalAuthService {
     @MailConfig() private readonly mailConfig: IMailConfig,
     @BaseConfig() private readonly baseConfig: IBaseConfig,
     private readonly jwtService: JwtService,
-    private readonly settingService: SettingService
+    private readonly settingService: SettingService,
+    private readonly turnstileService: TurnstileService
   ) {}
 
   private async encodePassword(password: string) {
@@ -91,6 +93,22 @@ export class LocalAuthService {
     return (await this.comparePassword(pass, password, salt)) ? { ...result, password } : null;
   }
 
+  /**
+   * Validate user by email and password with Turnstile verification
+   */
+  async validateUserByEmailWithTurnstile(
+    email: string,
+    pass: string,
+    turnstileToken?: string,
+    remoteIp?: string
+  ) {
+    // Validate Turnstile token if enabled
+    await this.validateTurnstileIfEnabled(turnstileToken, remoteIp);
+
+    // Proceed with normal user validation
+    return this.validateUserByEmail(email, pass);
+  }
+
   private jwtSignupCode(email: string, code: string) {
     return this.jwtService.signAsync(
       { email, code },
@@ -136,8 +154,67 @@ export class LocalAuthService {
     }
   }
 
-  async signup(body: ISignup) {
-    const { email, password, defaultSpaceName, refMeta, inviteCode } = body;
+  /**
+   * Validate Turnstile token if Turnstile is enabled
+   */
+  private async validateTurnstileIfEnabled(
+    turnstileToken?: string,
+    remoteIp?: string
+  ): Promise<void> {
+    if (!this.turnstileService.isTurnstileEnabled()) {
+      return; // Turnstile is not enabled, skip validation
+    }
+
+    if (!turnstileToken) {
+      throw new BadRequestException('Turnstile token is required');
+    }
+
+    const validation = await this.turnstileService.validateTurnstileTokenWithRetry(
+      turnstileToken,
+      remoteIp
+    );
+
+    if (!validation.valid) {
+      this.logger.warn('Turnstile validation failed', {
+        reason: validation.reason,
+        remoteIp,
+      });
+
+      let errorMessage = 'Verification failed. Please try again.';
+
+      switch (validation.reason) {
+        case 'turnstile_disabled':
+          errorMessage = 'Verification service is not available';
+          break;
+        case 'invalid_token_format':
+        case 'token_too_long':
+          errorMessage = 'Invalid verification token';
+          break;
+        case 'turnstile_failed':
+          errorMessage = 'Verification failed. Please refresh and try again.';
+          break;
+        case 'api_error':
+        case 'internal_error':
+        case 'max_retries_exceeded':
+          errorMessage = 'Verification service temporarily unavailable. Please try again.';
+          break;
+      }
+
+      throw new BadRequestException(errorMessage);
+    }
+
+    this.logger.debug('Turnstile validation successful', {
+      hostname: validation.data?.hostname,
+      action: validation.data?.action,
+    });
+  }
+
+  async signup(body: ISignup, remoteIp?: string) {
+    const { email, password, defaultSpaceName, refMeta, inviteCode, turnstileToken } = body;
+
+    // Validate Turnstile token if enabled
+    await this.validateTurnstileIfEnabled(turnstileToken, remoteIp);
+
     await this.verifySignup(body);
 
     const user = await this.userService.getUserByEmail(email);

apps/nestjs-backend/src/features/auth/strategies/local.strategy.spec.ts

@@ -1,6 +1,8 @@
+/* eslint-disable @typescript-eslint/naming-convention */
 /* eslint-disable sonarjs/no-duplicate-string */
 import type { TestingModule } from '@nestjs/testing';
 import { Test } from '@nestjs/testing';
+import type { Request } from 'express';
 import { mockDeep, mockReset } from 'vitest-mock-extended';
 import { CacheService } from '../../../cache/cache.service';
 import { GlobalModule } from '../../../global/global.module';
@@ -14,6 +16,15 @@ describe('LocalStrategy', () => {
   const cacheService = mockDeep<CacheService>();
   const testEmail = '[email protected]';
   const testPassword = '12345678a';
+  const mokeReq = {
+    ip: '127.0.0.1',
+    connection: {
+      remoteAddress: '127.0.0.1',
+    },
+    headers: {
+      'x-forwarded-for': '127.0.0.1',
+    },
+  } as unknown as Request;
 
   beforeEach(async () => {
     const module: TestingModule = await Test.createTestingModule({
@@ -41,7 +52,7 @@ describe('LocalStrategy', () => {
       maxLoginAttempts: 0,
       accountLockoutMinutes: 0,
     };
-    await expect(localStrategy.validate(testEmail, testPassword)).rejects.toThrow(
+    await expect(localStrategy.validate(mokeReq, testEmail, testPassword)).rejects.toThrow(
       'Email or password is incorrect'
     );
   });
@@ -57,7 +68,7 @@ describe('LocalStrategy', () => {
       return undefined;
     });
 
-    await expect(localStrategy.validate(testEmail, testPassword)).rejects.toThrow(
+    await expect(localStrategy.validate(mokeReq, testEmail, testPassword)).rejects.toThrow(
       'Your account has been locked out, please try again after 10 minutes'
     );
   });
@@ -74,7 +85,7 @@ describe('LocalStrategy', () => {
       return undefined;
     });
 
-    await expect(localStrategy.validate(testEmail, testPassword)).rejects.toMatchObject({
+    await expect(localStrategy.validate(mokeReq, testEmail, testPassword)).rejects.toMatchObject({
       response: 'Email or password is incorrect',
     });
     expect(cacheService.setDetail).toHaveBeenCalledWith(`signin:attempts:${testEmail}`, 3, 30);
@@ -92,7 +103,7 @@ describe('LocalStrategy', () => {
       return undefined;
     });
 
-    await expect(localStrategy.validate(testEmail, testPassword)).rejects.toMatchObject({
+    await expect(localStrategy.validate(mokeReq, testEmail, testPassword)).rejects.toMatchObject({
       response: 'Your account has been locked out, please try again after 10 minutes',
     });
     expect(cacheService.set).toHaveBeenCalledWith(`signin:lockout:${testEmail}`, true, 10);
@@ -106,7 +117,7 @@ describe('LocalStrategy', () => {
     };
     cacheService.get.mockImplementation(async () => undefined);
 
-    await expect(localStrategy.validate(testEmail, testPassword)).rejects.toMatchObject({
+    await expect(localStrategy.validate(mokeReq, testEmail, testPassword)).rejects.toMatchObject({
       response: 'Email or password is incorrect',
     });
     expect(cacheService.setDetail).toHaveBeenCalledWith(`signin:attempts:${testEmail}`, 1, 30);

apps/nestjs-backend/src/features/auth/strategies/local.strategy.ts

@@ -2,6 +2,7 @@
 import { BadRequestException, Injectable } from '@nestjs/common';
 import { PassportStrategy } from '@nestjs/passport';
 import { HttpErrorCode } from '@teable/core';
+import type { Request } from 'express';
 import { Strategy } from 'passport-local';
 import { CacheService } from '../../../cache/cache.service';
 import { AuthConfig, IAuthConfig } from '../../../configs/auth.config';
@@ -21,12 +22,21 @@ export class LocalStrategy extends PassportStrategy(Strategy) {
     super({
       usernameField: 'email',
       passwordField: 'password',
+      passReqToCallback: true,
     });
   }
 
-  async validate(email: string, password: string) {
+  async validate(req: Request, email: string, password: string) {
     try {
-      const user = await this.authService.validateUserByEmail(email, password);
+      const turnstileToken = req.body?.turnstileToken;
+      const remoteIp =
+        req.ip || req.connection.remoteAddress || (req.headers['x-forwarded-for'] as string);
+      const user = await this.authService.validateUserByEmailWithTurnstile(
+        email,
+        password,
+        turnstileToken,
+        remoteIp
+      );
       if (!user) {
         throw new CustomHttpException(
           'Email or password is incorrect',

apps/nestjs-backend/src/features/auth/turnstile/turnstile.module.ts

@@ -0,0 +1,8 @@
+import { Module } from '@nestjs/common';
+import { TurnstileService } from './turnstile.service';
+
+@Module({
+  providers: [TurnstileService],
+  exports: [TurnstileService],
+})
+export class TurnstileModule {}