website/pkg/spam/captcha.go

package spam

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
	"time"

	"code.nonshy.com/nonshy/website/pkg/config"
	"code.nonshy.com/nonshy/website/pkg/log"
)

// ValidateTurnstileCAPTCHA tests a Cloudflare Turnstile CAPTCHA token.
func ValidateTurnstileCAPTCHA(token, actionName string) error {
	if !config.Current.Turnstile.Enabled {
		return errors.New("Cloudflare Turnstile CAPTCHA is not enabled in the server settings")
	}

	// Prepare the request.
	form := url.Values{}
	form.Add("secret", config.Current.Turnstile.SecretKey)
	form.Add("response", token)
	url := "https://challenges.cloudflare.com/turnstile/v0/siteverify"
	req, err := http.NewRequest("POST", url, strings.NewReader(form.Encode()))
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

	// Make the request.
	client := &http.Client{
		Timeout: 10 * time.Second,
	}
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()

	// Read the response.
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return fmt.Errorf("Reading response body from Cloudflare: %s", err)
	}

	if resp.StatusCode != http.StatusOK {
		log.Error("Turnstile CAPTCHA error (status %d): %s", resp.StatusCode, string(body))
		return fmt.Errorf("CAPTCHA validation error: status code %d", resp.StatusCode)
	}

	// Parse the response JSON.
	type response struct {
		Success     bool      `json:"success"`
		ErrorCodes  []string  `json:"error-codes"`
		ChallengeTS time.Time `json:"challenge_ts"`
		Hostname    string    `json:"hostname"`
	}
	var result response
	if err := json.Unmarshal(body, &result); err != nil {
		return fmt.Errorf("parsing result json from Cloudflare: %s", err)
	}

	if !result.Success {
		log.Error("Turnstile CAPTCHA error (status %d): %s", resp.StatusCode, string(body))
		return errors.New("verification failed")
	}

	return nil
}