move away from google recaptcha to cloudflare turnstile

Author: fredrik0x

.env.example

@@ -3,5 +3,5 @@ AWS_ACCESS_KEY_ID=''
 AWS_SECRET_ACCESS_KEY=''
 AWS_REGION='us-east-1'
 SES_FROM_EMAIL=''
-RECAPTCHASITEKEY=''
-RECAPTCHASECRETKEY=''
+TURNSTILE_SITE_KEY=''
+TURNSTILE_SECRET_KEY=''

server.py

@@ -111,27 +111,25 @@ def create_email(to_email, identifier, text, all_attachments, reference=''):
 
     return msg
 
-def validate_recaptcha(recaptcha_response):
+def validate_turnstile(turnstile_response):
     """
-    Validates the ReCaptcha response using Google's API.
+    Validates the Turnstile response using Cloudflare's API.
     """
-    secret_key = os.getenv('RECAPTCHASECRETKEY')
+    secret_key = os.getenv('TURNSTILE_SECRET_KEY')
     payload = {
         'secret': secret_key,
-        'response': recaptcha_response
+        'response': turnstile_response
     }
-    response = requests.post('https://www.google.com/recaptcha/api/siteverify', data=payload)
+    response = requests.post('https://challenges.cloudflare.com/turnstile/v0/siteverify', data=payload)
     result = response.json()
 
     # Log the validation result
-    logging.info(f"ReCaptcha validation response: {result}")
+    logging.info(f"Turnstile validation response: {result}")
 
     if not result.get('success'):
-        raise ValueError('ReCaptcha verification failed.')
-
-    # Check action and score thresholds for additional security
-    if result.get('score', 1.0) < 0.5:
-        raise ValueError('ReCaptcha score is too low, indicating potential abuse.')
+        error_codes = result.get('error-codes', [])
+        logging.error(f"Turnstile verification failed with error codes: {error_codes}")
+        raise ValueError('Turnstile verification failed.')
 
 def send_email(message):
     """
@@ -187,11 +185,11 @@ def get_forwarded_address():
     return get_remote_address()
 
 # Validate required environment variables
-required_env_vars = ['RECAPTCHASITEKEY', 'RECAPTCHASECRETKEY', 'AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'AWS_REGION', 'SES_FROM_EMAIL']
+required_env_vars = ['TURNSTILE_SITE_KEY', 'TURNSTILE_SECRET_KEY', 'AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'AWS_REGION', 'SES_FROM_EMAIL']
 validate_env_vars(required_env_vars)
 
-RECAPTCHASITEKEY = os.environ['RECAPTCHASITEKEY']
-RECAPTCHASECRETKEY = os.environ['RECAPTCHASECRETKEY']
+TURNSTILE_SITE_KEY = os.environ['TURNSTILE_SITE_KEY']
+TURNSTILE_SECRET_KEY = os.environ['TURNSTILE_SECRET_KEY']
 AWS_ACCESS_KEY_ID = os.environ['AWS_ACCESS_KEY_ID']
 AWS_SECRET_ACCESS_KEY = os.environ['AWS_SECRET_ACCESS_KEY']
 AWS_REGION = os.environ['AWS_REGION']
@@ -222,7 +220,7 @@ def get_forwarded_address():
 
 @app.route('/', methods=['GET'])
 def index():
-    return render_template('index.html', notice='', hascaptcha=True, attachments_number=Config.NUMBER_OF_ATTACHMENTS, recaptcha_sitekey=RECAPTCHASITEKEY)
+    return render_template('index.html', notice='', hascaptcha=True, attachments_number=Config.NUMBER_OF_ATTACHMENTS, turnstile_sitekey=TURNSTILE_SITE_KEY)
 
 @app.route('/submit-encrypted-data', methods=['POST'])
 @limiter.limit("3 per minute")
@@ -231,14 +229,14 @@ def submit():
         # Parse JSON data from request
         data = request.get_json()
 
-        # Validate ReCaptcha
-        recaptcha_response = data.get('g-recaptcha-response', '')
-        if not recaptcha_response:
-            logging.warning(f"Missing ReCaptcha response. Potential bypass attempt detected from IP: {request.remote_addr}")
-            return jsonify({'status': 'failure', 'message': 'Missing ReCaptcha token'}), 400
+        # Validate Turnstile
+        turnstile_response = data.get('cf-turnstile-response', '')
+        if not turnstile_response:
+            logging.warning(f"Missing Turnstile response. Potential bypass attempt detected from IP: {request.remote_addr}")
+            return jsonify({'status': 'failure', 'message': 'Missing Turnstile token'}), 400
 
         try:
-            validate_recaptcha(recaptcha_response)
+            validate_turnstile(turnstile_response)
         except ValueError as e:
             return jsonify({'status': 'failure', 'message': str(e)}), 400
 

static/css/style.css

@@ -80,3 +80,14 @@ textarea#text { width: 760px; height: 200px; }
     width: 100%;
     min-width: 300px;
 }
+
+/* Cloudflare Turnstile widget styling */
+.cf-turnstile {
+    margin: 10px 0;
+}
+
+/* Ensure Turnstile iframe has proper styling */
+.cf-turnstile iframe {
+    border-radius: 4px;
+    box-shadow: 0 1px 3px rgba(0, 0, 0, 0.1);
+}

static/js/app.js

@@ -157,11 +157,11 @@ function acceptEncryptedData(data) {
 
 	if (dataArray.receivedChunks == dataArray.requiredChunks) {
 		console.log('all chunks received, submitting form');
-		const gRecaptchaBlock = document.getElementById('gRecaptcha');
+		const cfTurnstileBlock = document.getElementById('cfTurnstile');
 		const recipient = document.getElementById("recipientSelect");
 		const reference = document.getElementById("reference");
 
-		dataArray['g-recaptcha-response'] = gRecaptchaBlock ? grecaptcha.getResponse() : null;
+		dataArray['cf-turnstile-response'] = cfTurnstileBlock ? turnstile.getResponse() : null;
 		dataArray['recipient'] = recipient.value;
 		dataArray['reference'] = reference.value;
 
@@ -316,14 +316,12 @@ async function encryptFile(filename, file) {
 	return { name: filename, data: encrypted };
 }
 
-// var gRecaptchaResponse = null;
-function captchaSolved(recaptchaResponse) {
-	// gRecaptchaResponse = recaptchaResponse;
+// Turnstile callback functions
+function captchaSolved(turnstileResponse) {
 	document.getElementById("button").disabled = false;
 }
 
 function captchaExpired() {
-	// gRecaptchaResponse = null;
 	document.getElementById("button").disabled = true;
 }
 

templates/index.html

@@ -5,7 +5,7 @@
 <script src="static/js/public-keys.js" type="text/javascript"></script>
 <script src="static/js/dropzone.min.js"></script>
 <link href="static/css/dropzone.min.css" rel="stylesheet" type="text/css" />
-<script src="https://www.google.com/recaptcha/api.js" async defer></script>
+<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
 <script src="static/js/app.js" type="text/javascript"></script>
 {% endblock %}
 {% block body %}
@@ -41,7 +41,7 @@
 
 			{% if hascaptcha %}
 			<br />
-			<div class="g-recaptcha" id="gRecaptcha" data-sitekey="{{ recaptcha_sitekey }}" data-callback="captchaSolved" data-expired-callback="captchaExpired"></div>
+			<div class="cf-turnstile" id="cfTurnstile" data-sitekey="{{ turnstile_sitekey }}" data-theme="light" data-callback="captchaSolved" data-expired-callback="captchaExpired"></div>
 			{% endif %}
 			<br />
 			<br />