cloudflare_turnstile 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: fb659b4d66930ea57524ea7e5df02a9fefb6ae2bfd859164f4f1bdf353352cc0
+  data.tar.gz: cad3dcc29ea1ed8a86e809470b13a5f8413e00331b44d357d1b24ad53ed9ad9e
+SHA512:
+  metadata.gz: d81d5f55d7af434903a86b11fb3866bd7e44430481ef68381efc55b1bc586d64ba77595677d57a95f372fcc422e726e4f4729be94f27547266e9311f72fef557
+  data.tar.gz: a5c05fb46bd9e524fa39ab10fbe34fd9510f3cb83210a87d1bbb23e43626dfb7e217884735636ca9ad0a816e341fbe655b796f6d54258604f342d177e3fbb42f

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.standard.yml

@@ -0,0 +1,3 @@
+# For available configuration options, see:
+#   https://github.com/testdouble/standard
+ruby_version: 2.6

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+## [Unreleased]
+
+## [0.1.0] - 2022-10-10
+
+- Initial release

data/Gemfile

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in cloudflare_turnstile.gemspec
+gemspec
+
+gem "rake", "~> 13.0"
+
+gem "rspec", "~> 3.0"
+
+gem "rspec-rails"
+
+gem "standard", "~> 1.3"

data/Gemfile.lock

@@ -0,0 +1,206 @@
+PATH
+  remote: .
+  specs:
+    cloudflare_turnstile (0.1.0)
+      rails (>= 5.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    actioncable (7.0.4)
+      actionpack (= 7.0.4)
+      activesupport (= 7.0.4)
+      nio4r (~> 2.0)
+      websocket-driver (>= 0.6.1)
+    actionmailbox (7.0.4)
+      actionpack (= 7.0.4)
+      activejob (= 7.0.4)
+      activerecord (= 7.0.4)
+      activestorage (= 7.0.4)
+      activesupport (= 7.0.4)
+      mail (>= 2.7.1)
+      net-imap
+      net-pop
+      net-smtp
+    actionmailer (7.0.4)
+      actionpack (= 7.0.4)
+      actionview (= 7.0.4)
+      activejob (= 7.0.4)
+      activesupport (= 7.0.4)
+      mail (~> 2.5, >= 2.5.4)
+      net-imap
+      net-pop
+      net-smtp
+      rails-dom-testing (~> 2.0)
+    actionpack (7.0.4)
+      actionview (= 7.0.4)
+      activesupport (= 7.0.4)
+      rack (~> 2.0, >= 2.2.0)
+      rack-test (>= 0.6.3)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.2.0)
+    actiontext (7.0.4)
+      actionpack (= 7.0.4)
+      activerecord (= 7.0.4)
+      activestorage (= 7.0.4)
+      activesupport (= 7.0.4)
+      globalid (>= 0.6.0)
+      nokogiri (>= 1.8.5)
+    actionview (7.0.4)
+      activesupport (= 7.0.4)
+      builder (~> 3.1)
+      erubi (~> 1.4)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.1, >= 1.2.0)
+    activejob (7.0.4)
+      activesupport (= 7.0.4)
+      globalid (>= 0.3.6)
+    activemodel (7.0.4)
+      activesupport (= 7.0.4)
+    activerecord (7.0.4)
+      activemodel (= 7.0.4)
+      activesupport (= 7.0.4)
+    activestorage (7.0.4)
+      actionpack (= 7.0.4)
+      activejob (= 7.0.4)
+      activerecord (= 7.0.4)
+      activesupport (= 7.0.4)
+      marcel (~> 1.0)
+      mini_mime (>= 1.1.0)
+    activesupport (7.0.4)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 1.6, < 2)
+      minitest (>= 5.1)
+      tzinfo (~> 2.0)
+    ast (2.4.2)
+    builder (3.2.4)
+    concurrent-ruby (1.1.10)
+    crass (1.0.6)
+    diff-lcs (1.5.0)
+    erubi (1.11.0)
+    globalid (1.0.0)
+      activesupport (>= 5.0)
+    i18n (1.12.0)
+      concurrent-ruby (~> 1.0)
+    json (2.6.2)
+    loofah (2.19.0)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.5.9)
+    mail (2.7.1)
+      mini_mime (>= 0.1.1)
+    marcel (1.0.2)
+    method_source (1.0.0)
+    mini_mime (1.1.2)
+    mini_portile2 (2.8.0)
+    minitest (5.16.3)
+    net-imap (0.3.1)
+      net-protocol
+    net-pop (0.1.2)
+      net-protocol
+    net-protocol (0.1.3)
+      timeout
+    net-smtp (0.3.2)
+      net-protocol
+    nio4r (2.5.8)
+    nokogiri (1.13.8)
+      mini_portile2 (~> 2.8.0)
+      racc (~> 1.4)
+    parallel (1.22.1)
+    parser (3.1.2.1)
+      ast (~> 2.4.1)
+    racc (1.6.0)
+    rack (2.2.4)
+    rack-test (2.0.2)
+      rack (>= 1.3)
+    rails (7.0.4)
+      actioncable (= 7.0.4)
+      actionmailbox (= 7.0.4)
+      actionmailer (= 7.0.4)
+      actionpack (= 7.0.4)
+      actiontext (= 7.0.4)
+      actionview (= 7.0.4)
+      activejob (= 7.0.4)
+      activemodel (= 7.0.4)
+      activerecord (= 7.0.4)
+      activestorage (= 7.0.4)
+      activesupport (= 7.0.4)
+      bundler (>= 1.15.0)
+      railties (= 7.0.4)
+    rails-dom-testing (2.0.3)
+      activesupport (>= 4.2.0)
+      nokogiri (>= 1.6)
+    rails-html-sanitizer (1.4.3)
+      loofah (~> 2.3)
+    railties (7.0.4)
+      actionpack (= 7.0.4)
+      activesupport (= 7.0.4)
+      method_source
+      rake (>= 12.2)
+      thor (~> 1.0)
+      zeitwerk (~> 2.5)
+    rainbow (3.1.1)
+    rake (13.0.6)
+    regexp_parser (2.6.0)
+    rexml (3.2.5)
+    rspec (3.11.0)
+      rspec-core (~> 3.11.0)
+      rspec-expectations (~> 3.11.0)
+      rspec-mocks (~> 3.11.0)
+    rspec-core (3.11.0)
+      rspec-support (~> 3.11.0)
+    rspec-expectations (3.11.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.11.0)
+    rspec-mocks (3.11.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.11.0)
+    rspec-rails (6.0.0)
+      actionpack (>= 6.1)
+      activesupport (>= 6.1)
+      railties (>= 6.1)
+      rspec-core (~> 3.11)
+      rspec-expectations (~> 3.11)
+      rspec-mocks (~> 3.11)
+      rspec-support (~> 3.11)
+    rspec-support (3.11.1)
+    rubocop (1.35.1)
+      json (~> 2.3)
+      parallel (~> 1.10)
+      parser (>= 3.1.2.1)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 1.8, < 3.0)
+      rexml (>= 3.2.5, < 4.0)
+      rubocop-ast (>= 1.20.1, < 2.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 1.4.0, < 3.0)
+    rubocop-ast (1.21.0)
+      parser (>= 3.1.1.0)
+    rubocop-performance (1.14.3)
+      rubocop (>= 1.7.0, < 2.0)
+      rubocop-ast (>= 0.4.0)
+    ruby-progressbar (1.11.0)
+    standard (1.16.1)
+      rubocop (= 1.35.1)
+      rubocop-performance (= 1.14.3)
+    thor (1.2.1)
+    timeout (0.3.0)
+    tzinfo (2.0.5)
+      concurrent-ruby (~> 1.0)
+    unicode-display_width (2.3.0)
+    websocket-driver (0.7.5)
+      websocket-extensions (>= 0.1.0)
+    websocket-extensions (0.1.5)
+    zeitwerk (2.6.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  cloudflare_turnstile!
+  rake (~> 13.0)
+  rspec (~> 3.0)
+  rspec-rails
+  standard (~> 1.3)
+
+BUNDLED WITH
+   2.3.22

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2022 Scott Motte
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,60 @@
+# cloudflare_turnstile
+
+Add [Cloudflare Turnstile](https://blog.cloudflare.com/turnstile-private-captcha-alternative/) to your Rails app in seconds.
+
+[![Gem](https://img.shields.io/gem/v/cloudflare_turnstile.svg?style=flat-square)](https://rubygems.org/gems/cloudflare_turnstile)
+
+## Installation
+
+Add this line to your Gemfile and then execute bundle install:
+
+```ruby
+gem "cloudflare_turnstile"
+```
+
+## Usage
+
+Add the view helper to your form - just before the submit button is usually a good spot.
+
+```erb
+<%= form_for(@user) do |f| %>
+  ..
+  <%= cloudflare_turnstile %>
+  <%= f.submit "Log In" %>
+<% end %>
+```
+
+Then enable it for the controller actions you wish. It works just like a `before_action`. Pass `only:` with the action names.
+
+```ruby
+class UsersController < ApplicationController
+  cloudflare_turnstile only: [:create, :login_submit]
+
+  def new
+    # new user view
+  end
+
+  def create
+    # Turnstile verification will automatically take place prior to here.
+
+    @user = User.create!(params)
+    ..
+  end
+
+  def login
+    # login form view
+  end
+
+  def login_submit
+    # Turnstile verification will automatically take place prior to here.
+
+    ..
+  end
+end
+```
+
+By default, it responds with no content (only headers: `head(200)`). This way the spam bot thinks they have been successful and will spend less time making requests to your website.
+
+## Credits
+
+Inspiration [invisible_captcha](https://github.com/markets/invisible_captcha)

data/Rakefile

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+require "standard/rake"
+
+task default: %i[spec standard]

data/cloudflare_turnstile.gemspec

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require_relative "lib/cloudflare_turnstile/version"
+
+Gem::Specification.new do |spec|
+  spec.name = "cloudflare_turnstile"
+  spec.version = CloudflareTurnstile::VERSION
+  spec.authors = ["motdotla"]
+  spec.email = ["mot@mot.la"]
+
+  spec.summary = "Spam protection for your Rails apps using Cloudflare Turnstile"
+  spec.description = "Spam protection for your Rails apps using Cloudflare Turnstile"
+  spec.homepage = "https://github.com/dotenv-org/cloudflare_turnstile"
+  spec.license = "MIT"
+  spec.required_ruby_version = ">= 2.6.0"
+
+  spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["source_code_uri"] = "https://github.com/dotenv-org/cloudflare_turnstile"
+  spec.metadata["changelog_uri"] = "https://github.com/dotenv-org/cloudflare_turnstile"
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(__dir__) do
+    `git ls-files -z`.split("\x0").reject do |f|
+      (f == __FILE__) || f.match(%r{\A(?:(?:bin|test|spec|features)/|\.(?:git|travis|circleci)|appveyor)})
+    end
+  end
+  spec.bindir = "exe"
+  spec.executables = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "rails", ">= 5.0"
+
+  # Uncomment to register a new dependency of your gem
+  # spec.add_dependency "example-gem", "~> 1.0"
+
+  # For more information and examples about making a new gem, check out our
+  # guide at: https://bundler.io/guides/creating_gem.html
+end

data/lib/cloudflare_turnstile/controller_ext.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+module CloudflareTurnstile
+  module ControllerExt
+    module ClassMethods
+      # Enables Turnstile on a controller action
+      #
+      #
+      def cloudflare_turnstile(options = {})
+        before_action(options) do
+          cloudflare_turnstile_verify(options)
+        end
+      end
+    end
+
+    private
+
+    def cloudflare_turnstile_verified?(options = {})
+      url = URI(cloudflare_turnstile_verify_url)
+      secret = cloudflare_turnstile_secret_key
+      response = params["cf-turnstile-response"]
+
+      res = Net::HTTP.post_form(url, secret: secret, response: response)
+      json = JSON.parse(res.body)
+
+      success = json["success"]
+
+      return true if success
+
+      error = json["error-codes"][0]
+
+      cloudflare_turnstile_warn_spam(error)
+
+      false
+    end
+
+    def cloudflare_turnstile_verify(options = {})
+      if cloudflare_turnstile_verified?(options)
+        true
+      else
+        head(200) # respond with no content and 200 since the bot will think it has submitted properly
+      end
+    end
+
+    def cloudflare_turnstile_verify_url
+      "https://challenges.cloudflare.com/turnstile/v0/siteverify"
+    end
+
+    def cloudflare_turnstile_warn_spam(message)
+      logger.warn("Spam detected for IP #{request.remote_ip}. #{message}")
+
+      ActiveSupport::Notifications.instrument(
+        "cloudflare_turnstile.spam_detected",
+        message: message,
+        remote_ip: request.remote_ip,
+        user_agent: request.user_agent,
+        controller: params[:controller],
+        action: params[:action],
+        url: request.url,
+        params: request.filtered_parameters
+      )
+    end
+
+    def cloudflare_turnstile_secret_key
+      ENV["CLOUDFLARE_TURNSTILE_SECRET_KEY"]
+    end
+  end
+end

data/lib/cloudflare_turnstile/railtie.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module CloudflareTurnstile
+  class Railtie < Rails::Railtie
+    initializer "cloudflare_turnstile.rails_integration" do
+      ActiveSupport.on_load(:action_controller) do
+        include CloudflareTurnstile::ControllerExt
+        extend CloudflareTurnstile::ControllerExt::ClassMethods
+      end
+
+      ActiveSupport.on_load(:action_view) do
+        include CloudflareTurnstile::ViewHelpers
+      end
+    end
+  end
+end

data/lib/cloudflare_turnstile/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module CloudflareTurnstile
+  VERSION = "0.1.0"
+end

data/lib/cloudflare_turnstile/view_helpers.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module CloudflareTurnstile
+  module ViewHelpers
+    # Builds the Turnstile html
+    #
+    # @return [String] the generated html
+    def cloudflare_turnstile
+      content_tag(:div, class: css_class) do
+        concat script_tag
+        concat turnstile_div
+      end
+    end
+
+    private
+
+    def script_tag
+      content_tag(:script, :src => js_src, "async" => true, "defer" => true) do
+        ""
+      end
+    end
+
+    def turnstile_div
+      content_tag(:div, :class => "cf-turnstile", "data-sitekey" => site_key) do
+        ""
+      end
+    end
+
+    def site_key
+      ENV["CLOUDFLARE_TURNSTILE_SITE_KEY"]
+    end
+
+    def js_src
+      "https://challenges.cloudflare.com/turnstile/v0/api.js"
+    end
+
+    def css_class
+      "cloudflare-turnstile"
+    end
+  end
+end

data/lib/cloudflare_turnstile.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require_relative "cloudflare_turnstile/version"
+require_relative "cloudflare_turnstile/controller_ext"
+require_relative "cloudflare_turnstile/view_helpers"
+require_relative "cloudflare_turnstile/railtie"
+
+module CloudflareTurnstile
+  class << self
+  end
+end

data/sig/cloudflare_turnstile.rbs

@@ -0,0 +1,4 @@
+module CloudflareTurnstile
+  VERSION: String
+  # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+end

metadata

@@ -0,0 +1,75 @@
+--- !ruby/object:Gem::Specification
+name: cloudflare_turnstile
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- motdotla
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2022-10-10 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '5.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '5.0'
+description: Spam protection for your Rails apps using Cloudflare Turnstile
+email:
+- mot@mot.la
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".rspec"
+- ".standard.yml"
+- CHANGELOG.md
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.md
+- Rakefile
+- cloudflare_turnstile.gemspec
+- lib/cloudflare_turnstile.rb
+- lib/cloudflare_turnstile/controller_ext.rb
+- lib/cloudflare_turnstile/railtie.rb
+- lib/cloudflare_turnstile/version.rb
+- lib/cloudflare_turnstile/view_helpers.rb
+- sig/cloudflare_turnstile.rbs
+homepage: https://github.com/dotenv-org/cloudflare_turnstile
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/dotenv-org/cloudflare_turnstile
+  source_code_uri: https://github.com/dotenv-org/cloudflare_turnstile
+  changelog_uri: https://github.com/dotenv-org/cloudflare_turnstile
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.6.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.6
+signing_key: 
+specification_version: 4
+summary: Spam protection for your Rails apps using Cloudflare Turnstile
+test_files: []