sveltekit-auth-example 5.6.1 → 5.8.3

package/.env.example

@@ -2,6 +2,8 @@ DATABASE_URL=postgres://REPLACE_WITH_USER:REPLACE_WITH_PASSWORD@localhost:5432/a
 DATABASE_SSL=false
 DOMAIN=http://localhost:3000
 JWT_SECRET=replace_with_your_own
-SENDGRID_KEY=replace_with_your_own
-SENDGRID_SENDER=replace_with_your_own
-PUBLIC_GOOGLE_CLIENT_ID=REPLACE_WITH_YOUR_OWN
+BREVO_KEY=replace_with_your_own
+EMAIL=replace_with_your_own
+PUBLIC_GOOGLE_CLIENT_ID=replace_with_your_own
+PUBLIC_TURNSTILE_SITE_KEY=replace_with_your_own
+TURNSTILE_SECRET_KEY=replace_with_your_own

package/CHANGELOG.md

@@ -2,6 +2,39 @@
 
 - Add password complexity checking on /register and /profile pages (only checks for length currently despite what the pages say)
 
+# 5.8.3
+
+- Add unit tests for all auth route handlers: `/auth/[slug]`, `/auth/forgot`, `/auth/google`, `/auth/login`, `/auth/logout`, `/auth/mfa`, `/auth/register`, `/auth/reset`, `/auth/verify/[token]`
+- Switch all server-side env imports from `$env/static/private` to `$env/dynamic/private` so secrets are read at runtime rather than baked into the build
+
+# 5.8.2
+
+- Add Chrome DevTools
+
+# 5.8.1
+
+- Fix MFA verification code always showing "6-digit verification code required" for valid codes: replaced `form.checkValidity()` and `codeInput.checkValidity()` (which picked up Cloudflare Turnstile's injected form elements) with a direct JS regex test against the bound `mfaCode` value
+- Move `<Turnstile>` outside the MFA `<form>` so its injected inputs are never part of the form's element collection
+- Fix `google is not defined` crash on hard reload of `/login`: Google GSI script is loaded `async defer` and may not be ready when `onMount` fires; added `whenGoogleReady()` helper in `src/lib/google.ts` that polls until `google` is available (up to 10 s) before calling `initializeGoogleAccounts()` and `renderGoogleButton()`
+
+# 5.8.0
+
+- Replace SendGrid with Brevo for all transactional email (password reset, email verification, MFA code)
+- New `src/lib/server/brevo.ts` sends email via the Brevo API with exponential-backoff retry logic (up to 4 attempts), 30-second per-request timeout, and `Retry-After` header support
+- Email templates (`password-reset.ts`, `mfa-code.ts`, `verify-email.ts`) updated to use Brevo message format (`sender`, `to[]`, `htmlContent`, `tags`)
+- Env vars changed: `SENDGRID_KEY` → `BREVO_KEY`, `SENDGRID_SENDER` → `EMAIL`
+- `app.d.ts` `PrivateEnv` updated to reflect new env vars
+- README updated with Brevo setup instructions and new env var names
+
+# 5.7.0
+
+- Add Cloudflare Turnstile CAPTCHA to login, register, forgot password, MFA, and password reset forms
+- New `src/lib/Turnstile.svelte` reusable Svelte 5 component wraps the Turnstile widget with `reset()` export
+- New `src/lib/server/turnstile.ts` server-side token verification utility (`verifyTurnstileToken`)
+- All auth endpoints verify the Turnstile challenge token before processing requests
+- New env vars: `PUBLIC_TURNSTILE_SITE_KEY` (client) and `TURNSTILE_SECRET_KEY` (server)
+- Extend `app.d.ts` with `PublicEnv`, `PrivateEnv` (add `TURNSTILE_SECRET_KEY`), and `Window.turnstile` types; wrap in `declare global`
+
 # 5.6.1
 
 - Add JSDoc comments throughout the codebase (`app.d.ts`, server hooks, route handlers, lib utilities, Svelte components)

package/README.md

@@ -4,18 +4,19 @@
 [![Node](https://img.shields.io/node/v/sveltekit-auth-example)](https://nodejs.org)
 [![Svelte](https://img.shields.io/badge/Svelte-5-orange)](https://svelte.dev)
 
-A complete, production-ready authentication and authorization starter for **Svelte 5** and **SvelteKit 2**. Skip the boilerplate — get secure local accounts, Google OAuth, MFA, email verification, role-based access control, and OWASP-compliant password hashing out of the box.
+A complete, production-ready authentication and authorization starter for **Svelte 5** and **SvelteKit 2**. Skip the boilerplate — get secure local accounts, Google OAuth, MFA, email verification, role-based access control, OWASP-compliant password hashing, and bot protection out of the box.
 
 ## Features
 
-|                                                |                                         |
-| ---------------------------------------------- | --------------------------------------- |
-| ✅ Local accounts (email + password)           | ✅ Sign in with Google / Google One Tap |
-| ✅ Multi-factor authentication (MFA via email) | ✅ Email verification                   |
-| ✅ Forgot password / email reset (SendGrid)    | ✅ User profile management              |
-| ✅ Session management + timeout                | ✅ Rate limiting                        |
-| ✅ Role-based access control                   | ✅ Password complexity enforcement      |
-| ✅ Content Security Policy (CSP)               | ✅ OWASP-compliant password hashing     |
+|                                                  |                                         |
+| ------------------------------------------------ | --------------------------------------- |
+| ✅ Local accounts (email + password)             | ✅ Sign in with Google / Google One Tap |
+| ✅ Multi-factor authentication (MFA via email)   | ✅ Email verification                   |
+| ✅ Forgot password / email reset (Brevo)         | ✅ User profile management              |
+| ✅ Session management + timeout                  | ✅ Rate limiting                        |
+| ✅ Role-based access control                     | ✅ Password complexity enforcement      |
+| ✅ Content Security Policy (CSP)                 | ✅ OWASP-compliant password hashing     |
+| ✅ Cloudflare Turnstile CAPTCHA (bot protection) |                                         |
 
 ## Stack
 
@@ -28,8 +29,9 @@ A complete, production-ready authentication and authorization starter for **Svel
 
 - Node.js 24.14.0 or later
 - PostgreSQL 16 or later
-- A [SendGrid](https://sendgrid.com) account (for password reset emails)
+- A [Brevo](https://brevo.com) account (for transactional emails)
 - A [Google API client ID](https://developers.google.com/identity/gsi/web/guides/get-google-api-clientid) (for Sign in with Google)
+- A [Cloudflare Turnstile](https://www.cloudflare.com/products/turnstile/) site key and secret key (for bot protection on auth forms)
 
 ## Setting up the project
 
@@ -49,7 +51,7 @@ bash db_create.sh
 
 2. Create a **Google API client ID** per [these instructions](https://developers.google.com/identity/gsi/web/guides/get-google-api-clientid). Make sure you include `http://localhost:3000` and `http://localhost` in the Authorized JavaScript origins, and `http://localhost:3000/auth/google/callback` in the Authorized redirect URIs for your Client ID for Web application. **Do not access the site using http://127.0.0.1:3000** — use `http://localhost:3000` or it will not work.
 
-3. [Create a free Twilio SendGrid account](https://signup.sendgrid.com) and generate an API Key following [this documentation](https://docs.sendgrid.com/ui/account-and-settings/api-keys) and add a sender as documented [here](https://docs.sendgrid.com/ui/sending-email/senders).
+3. [Create a free Brevo account](https://app.brevo.com/account/register) and generate an API Key under **SMTP & API** settings. Set `EMAIL` to the sender address verified in your Brevo account.
 
 4. Create a **.env** file at the top level of the project with the following values (substituting your own id and PostgreSQL username and password):
 
@@ -58,9 +60,11 @@ DATABASE_URL=postgres://user:password@localhost:5432/auth
 DATABASE_SSL=false
 DOMAIN=http://localhost:3000
 JWT_SECRET=replace_with_your_own
-SENDGRID_KEY=replace_with_your_own
-SENDGRID_SENDER=replace_with_your_own
+BREVO_KEY=replace_with_your_own
+EMAIL=replace_with_your_own
 PUBLIC_GOOGLE_CLIENT_ID=replace_with_your_own
+PUBLIC_TURNSTILE_SITE_KEY=replace_with_your_own
+TURNSTILE_SECRET_KEY=replace_with_your_own
 ```
 
 ## Run locally
@@ -84,11 +88,13 @@ yarn preview
 
 The db_create.sql script adds three users to the database with obvious roles:
 
-| Email               | Password   | Role    |
-| ------------------- | ---------- | ------- |
-| admin@example.com   | admin123   | admin   |
-| teacher@example.com | teacher123 | teacher |
-| student@example.com | student123 | student |
+| Email               | Password     | Role    |
+| ------------------- | ------------ | ------- |
+| admin@example.com   | Admin1234!   | admin   |
+| teacher@example.com | Teacher1234! | teacher |
+| student@example.com | Student1234! | student |
+
+> **MFA note:** Local account logins require a 6-digit code sent to the user's email address. To successfully log in with the seed accounts above, either update their email addresses in the database to your own (`UPDATE users SET email = 'you@yourdomain.com' WHERE email = 'admin@example.com';`), or retrieve the code directly from the `mfa_codes` table after submitting the login form (`SELECT code FROM mfa_codes;`).
 
 ## How it works
 

package/db_create.sql

@@ -1,6 +1,5 @@
 -- Run via db_create.sh or:
 -- $ psql -d postgres -f db_create.sql && psql -d auth -f db_schema.sql
-
 -- Create role if not already there
 DO $do$
 BEGIN

package/db_schema.sql

@@ -357,13 +357,13 @@ $BODY$;
 ALTER FUNCTION public.verify_mfa_code (text, text) OWNER TO auth;
 
 CALL public.upsert_user (
-	'{"id":0, "role":"admin", "email":"admin@example.com", "password":"admin123", "firstName":"Jane", "lastName":"Doe", "phone":"412-555-1212"}'::json
+	'{"id":0, "role":"admin", "email":"admin@example.com", "password":"Admin1234!", "firstName":"Jane", "lastName":"Doe", "phone":"412-555-1212"}'::json
 );
 
 CALL public.upsert_user (
-	'{"id":0, "role":"teacher", "email":"teacher@example.com", "password":"teacher123", "firstName":"John", "lastName":"Doe", "phone":"724-555-1212"}'::json
+	'{"id":0, "role":"teacher", "email":"teacher@example.com", "password":"Teacher1234!", "firstName":"John", "lastName":"Doe", "phone":"724-555-1212"}'::json
 );
 
 CALL public.upsert_user (
-	'{"id":0, "role":"student", "email":"student@example.com", "password":"student123", "firstName":"Justin", "lastName":"Case", "phone":"814-555-1212"}'::json
+	'{"id":0, "role":"student", "email":"student@example.com", "password":"Student1234!", "firstName":"Justin", "lastName":"Case", "phone":"814-555-1212"}'::json
 );

package/package.json

@@ -1,7 +1,7 @@
 {
 	"name": "sveltekit-auth-example",
 	"description": "SvelteKit Authentication Example",
-	"version": "5.6.1",
+	"version": "5.8.3",
 	"author": "Nate Stuyvesant",
 	"license": "https://github.com/nstuyvesant/sveltekit-auth-example/blob/master/LICENSE",
 	"repository": {
@@ -49,28 +49,31 @@
 		"@sveltejs/adapter-node": "^5.5.4",
 		"@sveltejs/kit": "^2.54.0",
 		"@sveltejs/mcp": "^0.1.21",
-		"@sveltejs/vite-plugin-svelte": "^6.2.4",
+		"@sveltejs/vite-plugin-svelte": "^7.0.0",
 		"@tailwindcss/vite": "^4.2.1",
 		"@types/bootstrap": "5.2.10",
 		"@types/google.accounts": "^0.0.18",
 		"@types/jsonwebtoken": "^9.0.10",
 		"@types/pg": "^8.18.0",
+		"@vitest/coverage-v8": "4.1.0",
 		"eslint": "^10.0.3",
 		"eslint-config-prettier": "^10.1.8",
 		"eslint-plugin-svelte": "^3.15.2",
 		"globals": "^17.4.0",
+		"jsdom": "^28.1.0",
 		"playwright": "^1.58.2",
 		"prettier": "^3.8.1",
 		"prettier-plugin-sql": "^0.19.2",
 		"prettier-plugin-svelte": "^3.5.1",
 		"prettier-plugin-tailwindcss": "^0.7.2",
-		"svelte": "^5.53.10",
+		"svelte": "^5.53.11",
 		"svelte-check": "^4.4.5",
 		"tslib": "^2.8.1",
 		"typescript": "^5.9.3",
 		"typescript-eslint": "^8.57.0",
-		"vite": "^7.3.1",
-		"vitest": "^4.0.18",
+		"vite": "^8.0.0",
+		"vite-plugin-devtools-json": "^1.0.0",
+		"vitest": "^4.1.0",
 		"vitest-browser-svelte": "^2.0.2"
 	},
 	"packageManager": "yarn@4.13.0"

package/src/app.d.ts

@@ -3,75 +3,139 @@
 // See https://kit.svelte.dev/docs/types#app
 // for information about these interfaces
 // and what to do when importing types
-declare namespace App {
-	/** Per-request server-side locals populated by `hooks.server.ts`. */
-	interface Locals {
-		/** The authenticated user, or `undefined` when no valid session exists. */
-		user: User | undefined
-	}
+declare global {
+	declare namespace App {
+		/** Per-request server-side locals populated by `hooks.server.ts`. */
+		interface Locals {
+			/** The authenticated user, or `undefined` when no valid session exists. */
+			user: User | undefined
+		}
+
+		// interface Platform {}
+
+		/** Error response returned by the Brevo email API. */
+		interface BrevoErrorResponse {
+			/** Optional machine‑readable error code. */
+			code?: string
+			/** Human‑readable error message. */
+			message?: string
+		}
+
+		/** Successful response returned by the Brevo email API. */
+		interface BrevoSuccessResponse {
+			/** Message identifier assigned by Brevo. */
+			messageId: string
+		}
 
-	// interface Platform {}
+		/** Basic email address with optional display name. */
+		interface EmailAddress {
+			/** Email address string. */
+			email: string
+			/** Optional display name associated with the address. */
+			name?: string
+		}
 
-	/** Private environment variables (server-side only). */
-	interface PrivateEnv {
-		// $env/static/private
-		/** PostgreSQL connection string. */
-		DATABASE_URL: string
-		/** Public-facing domain used to construct email links (e.g. `https://example.com`). */
-		DOMAIN: string
-		/** Secret key used to sign and verify JWTs. */
-		JWT_SECRET: string
-		/** SendGrid API key. */
-		SENDGRID_KEY: string
-		/** Default sender email address for outgoing mail. */
-		SENDGRID_SENDER: string
+		/** Payload used when sending email via Brevo. */
+		interface EmailMessageBrevo {
+			/** Primary recipients. */
+			to: EmailAddress[]
+			/** Carbon‑copy recipients. */
+			cc?: EmailAddress[]
+			/** Blind carbon‑copy recipients. */
+			bcc?: EmailAddress[]
+			/** Sender address. */
+			sender: EmailAddress
+			/** Optional reply‑to address. */
+			replyTo?: EmailAddress
+			/** Subject line for the email. */
+			subject: string
+			/** Additional SMTP or provider‑specific headers. */
+			headers?: Record<string, string>
+			/** Tag names applied to the message. */
+			tags?: string[]
+			/** HTML content of the email. */
+			htmlContent?: string
+			/** Plain‑text content of the email. */
+			textContent?: string
+			/** Attachments encoded as base64 strings. */
+			attachment?: Array<{ content: string; name: string }>
+		}
+
+		/** Private environment variables (server-side only). */
+		interface PrivateEnv {
+			// $env/static/private
+			/** PostgreSQL connection string. */
+			DATABASE_URL: string
+			/** Public-facing domain used to construct email links (e.g. `https://example.com`). */
+			DOMAIN: string
+			/** Secret key used to sign and verify JWTs. */
+			JWT_SECRET: string
+			/** Brevo (Sendinblue) API key. */
+			BREVO_KEY: string
+			/** Default sender email address for outgoing mail. */
+			EMAIL: string
+			/** Cloudflare Turnstile secret key used to verify challenge tokens server-side. */
+			TURNSTILE_SECRET_KEY: string
+		}
+
+		/** Public environment variables (safe to expose to the client). */
+		interface PublicEnv {
+			// $env/static/public
+			/** Google OAuth 2.0 client ID for Google Sign-In. */
+			PUBLIC_GOOGLE_CLIENT_ID: string
+			/** Cloudflare Turnstile site key rendered in the browser widget. */
+			PUBLIC_TURNSTILE_SITE_KEY: string
+		}
 	}
 
-	/** Public environment variables (safe to expose to the client). */
-	interface PublicEnv {
-		// $env/static/public
-		/** Google OAuth 2.0 client ID for Google Sign-In. */
-		PUBLIC_GOOGLE_CLIENT_ID: string
+	/** Result returned by the `authenticate` and `register` SQL functions. */
+	interface AuthenticationResult {
+		/** HTTP status code to use when the operation fails. */
+		statusCode: NumericRange<400, 599>
+		/** Human-readable status message. */
+		status: string
+		/** The authenticated or registered user, if successful. */
+		user: User
+		/** The newly created session ID. */
+		sessionId: string
 	}
-}
 
-/** Result returned by the `authenticate` and `register` SQL functions. */
-interface AuthenticationResult {
-	/** HTTP status code to use when the operation fails. */
-	statusCode: NumericRange<400, 599>
-	/** Human-readable status message. */
-	status: string
-	/** The authenticated or registered user, if successful. */
-	user: User
-	/** The newly created session ID. */
-	sessionId: string
-}
+	/** Raw login credentials submitted by the user. */
+	interface Credentials {
+		email: string
+		password: string
+	}
 
-/** Raw login credentials submitted by the user. */
-interface Credentials {
-	email: string
-	password: string
-}
+	/** Persistent properties stored in the database for a user account. */
+	interface UserProperties {
+		id: number
+		/** ISO-8601 datetime at which the current session expires. */
+		expires?: string
+		role: 'student' | 'teacher' | 'admin'
+		password?: string
+		firstName?: string
+		lastName?: string
+		email?: string
+		phone?: string
+	}
 
-/** Persistent properties stored in the database for a user account. */
-interface UserProperties {
-	id: number
-	/** ISO-8601 datetime at which the current session expires. */
-	expires?: string
-	role: 'student' | 'teacher' | 'admin'
-	password?: string
-	firstName?: string
-	lastName?: string
-	email?: string
-	phone?: string
-}
+	/** A user record, or `undefined`/`null` when unauthenticated. */
+	type User = UserProperties | undefined | null
 
-/** A user record, or `undefined`/`null` when unauthenticated. */
-type User = UserProperties | undefined | null
+	/** A database session paired with its associated user. */
+	interface UserSession {
+		/** UUID session identifier stored in the `session` cookie. */
+		id: string
+		user: User
+	}
 
-/** A database session paired with its associated user. */
-interface UserSession {
-	/** UUID session identifier stored in the `session` cookie. */
-	id: string
-	user: User
+	interface Window {
+		turnstile?: {
+			render: (container: HTMLElement, options: Record<string, unknown>) => string
+			reset: (widgetId: string) => void
+			remove: (widgetId: string) => void
+		}
+	}
 }
+
+export {}

package/src/app.html

@@ -11,6 +11,12 @@
 			async
 			defer
 		></script>
+		<script
+			nonce="%sveltekit.nonce%"
+			src="https://challenges.cloudflare.com/turnstile/v0/api.js"
+			async
+			defer
+		></script>
 		%sveltekit.head%
 	</head>
 	<body data-sveltekit-preload-data="hover">

package/src/hooks.server.unit.test.ts

@@ -0,0 +1,163 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+import { error } from '@sveltejs/kit'
+
+vi.mock('$lib/server/db', () => ({ query: vi.fn() }))
+
+import { handle } from './hooks.server'
+import { query } from '$lib/server/db'
+
+const mockQuery = vi.mocked(query)
+
+/** Build a minimal event object for the hook. */
+function makeEvent({
+	pathname = '/page',
+	sessionCookie = undefined as string | undefined,
+	ip = '1.2.3.4'
+} = {}) {
+	const cookieStore = new Map<string, string>()
+	if (sessionCookie) cookieStore.set('session', sessionCookie)
+
+	return {
+		url: new URL(`http://localhost${pathname}`),
+		cookies: {
+			get: (name: string) => cookieStore.get(name),
+			delete: vi.fn()
+		},
+		locals: {} as Record<string, unknown>,
+		getClientAddress: () => ip
+	} as unknown as Parameters<typeof handle>[0]['event']
+}
+
+const resolve = vi.fn(async (event: unknown) => new Response('ok', { status: 200 }))
+
+beforeEach(() => {
+	vi.resetAllMocks()
+	resolve.mockResolvedValue(new Response('ok', { status: 200 }))
+})
+
+// ── Static asset bypass ────────────────────────────────────────────────────────
+
+describe('static asset bypass', () => {
+	it('calls resolve immediately for /_app/ paths without touching the db', async () => {
+		const event = makeEvent({ pathname: '/_app/immutable/app.js' })
+
+		await handle({ event, resolve })
+
+		expect(resolve).toHaveBeenCalledOnce()
+		expect(mockQuery).not.toHaveBeenCalled()
+	})
+})
+
+// ── Rate limiting ──────────────────────────────────────────────────────────────
+
+describe('rate limiting', () => {
+	it('allows requests under the limit', async () => {
+		const event = makeEvent({ pathname: '/auth/login', ip: '10.0.0.1' })
+
+		await expect(handle({ event, resolve })).resolves.not.toThrow()
+	})
+
+	it('throws 429 after exceeding the request limit for a rate-limited path', async () => {
+		const ip = '10.0.0.99'
+
+		// Exhaust the 20-request allowance
+		for (let i = 0; i < 20; i++) {
+			await handle({ event: makeEvent({ pathname: '/auth/login', ip }), resolve }).catch(() => {})
+		}
+
+		await expect(
+			handle({ event: makeEvent({ pathname: '/auth/login', ip }), resolve })
+		).rejects.toMatchObject({ status: 429 })
+	})
+
+	it('does not rate-limit non-auth paths', async () => {
+		const ip = '10.0.0.2'
+
+		for (let i = 0; i < 25; i++) {
+			await handle({ event: makeEvent({ pathname: '/about', ip }), resolve })
+		}
+
+		expect(resolve).toHaveBeenCalledTimes(25)
+	})
+})
+
+// ── Session handling ───────────────────────────────────────────────────────────
+
+describe('session handling', () => {
+	it('attaches user to locals when a valid session cookie is present', async () => {
+		const user = { id: 1, role: 'admin' }
+		mockQuery.mockResolvedValue({ rows: [{ get_and_update_session: user }] } as any)
+
+		const event = makeEvent({ sessionCookie: 'valid-session-uuid' })
+
+		await handle({ event, resolve })
+
+		expect(event.locals.user).toEqual(user)
+	})
+
+	it('does not call query when no session cookie is present', async () => {
+		const event = makeEvent()
+
+		await handle({ event, resolve })
+
+		expect(mockQuery).not.toHaveBeenCalled()
+	})
+
+	it('deletes the session cookie when the session is not found in the db', async () => {
+		mockQuery.mockResolvedValue({ rows: [{ get_and_update_session: undefined }] } as any)
+
+		const event = makeEvent({ sessionCookie: 'stale-session-uuid' })
+
+		await handle({ event, resolve })
+
+		expect(event.cookies.delete).toHaveBeenCalledWith('session', { path: '/' })
+	})
+
+	it('deletes the session cookie when no session cookie is present and locals.user is unset', async () => {
+		const event = makeEvent()
+
+		await handle({ event, resolve })
+
+		expect(event.cookies.delete).toHaveBeenCalledWith('session', { path: '/' })
+	})
+
+	it('does not delete the session cookie when a valid session exists', async () => {
+		const user = { id: 2, role: 'student' }
+		mockQuery.mockResolvedValue({ rows: [{ get_and_update_session: user }] } as any)
+
+		const event = makeEvent({ sessionCookie: 'valid-session-uuid' })
+
+		await handle({ event, resolve })
+
+		expect(event.cookies.delete).not.toHaveBeenCalled()
+	})
+
+	it('uses the named prepared statement for session lookup', async () => {
+		mockQuery.mockResolvedValue({ rows: [{ get_and_update_session: { id: 3 } }] } as any)
+
+		const event = makeEvent({ sessionCookie: 'some-uuid' })
+
+		await handle({ event, resolve })
+
+		expect(mockQuery).toHaveBeenCalledWith(
+			expect.stringContaining('get_and_update_session'),
+			['some-uuid'],
+			'get-and-update-session'
+		)
+	})
+})
+
+// ── Response pass-through ──────────────────────────────────────────────────────
+
+describe('response', () => {
+	it('returns the response from resolve', async () => {
+		const fakeResponse = new Response('hello', { status: 200 })
+		resolve.mockResolvedValue(fakeResponse)
+
+		const event = makeEvent()
+
+		const result = await handle({ event, resolve })
+
+		expect(result).toBe(fakeResponse)
+	})
+})

package/src/lib/Turnstile.svelte

@@ -0,0 +1,53 @@
+<script lang="ts">
+	import { onMount, onDestroy } from 'svelte'
+	import { PUBLIC_TURNSTILE_SITE_KEY } from '$env/static/public'
+
+	interface Props {
+		token: string
+		theme?: 'light' | 'dark' | 'auto'
+	}
+
+	let { token = $bindable(''), theme = 'auto' }: Props = $props()
+
+	let container: HTMLDivElement | undefined = $state()
+	let widgetId: string | undefined
+
+	/** Resets the Turnstile widget and clears the token. Call this after a failed submission. */
+	export function reset() {
+		if (widgetId !== undefined && typeof window !== 'undefined' && window.turnstile) {
+			window.turnstile.reset(widgetId)
+			token = ''
+		}
+	}
+
+	onMount(() => {
+		const tryRender = () => {
+			if (!container || !window.turnstile) {
+				setTimeout(tryRender, 50)
+				return
+			}
+			widgetId = window.turnstile.render(container, {
+				sitekey: PUBLIC_TURNSTILE_SITE_KEY,
+				theme,
+				callback: (t: string) => {
+					token = t
+				},
+				'expired-callback': () => {
+					token = ''
+				},
+				'error-callback': () => {
+					token = ''
+				}
+			})
+		}
+		tryRender()
+	})
+
+	onDestroy(() => {
+		if (widgetId !== undefined && window.turnstile) {
+			window.turnstile.remove(widgetId)
+		}
+	})
+</script>
+
+<div bind:this={container}></div>