Skip to content

feat: add Turnstile registration and image fixes#45

Merged
chenyme merged 2 commits into
DEEIX-AI:devfrom
GeorgeXie2333:dev
May 25, 2026
Merged

feat: add Turnstile registration and image fixes#45
chenyme merged 2 commits into
DEEIX-AI:devfrom
GeorgeXie2333:dev

Conversation

@GeorgeXie2333

@GeorgeXie2333 GeorgeXie2333 commented May 24, 2026

Copy link
Copy Markdown
Contributor

Summary

Change type

  • Bug fix
  • Feature
  • Documentation
  • Refactor
  • Configuration / deployment
  • Security hardening
  • Other

Affected areas

  • Frontend / UI
  • Backend / API
  • Authentication / authorization
  • Conversations / streaming
  • Files / RAG / extraction
  • Model routing / providers
  • MCP / tools
  • Billing / payments
  • Admin console
  • Deployment / Docker / configuration
  • Documentation

Verification

  • run successfully

Screenshots, API examples, or logs

Configuration, migration, and compatibility notes

Documentation

  • Documentation is not needed for this change.
  • Documentation was updated.
  • Documentation still needs to be updated.

Security and privacy

  • No secrets, tokens, credentials, local config, or personal data are included.
  • User data access remains scoped by authenticated user context unless an admin-only path explicitly requires broader access.
  • Security-sensitive behavior was reviewed, including authentication, authorization, provider routing, file processing, billing, and admin APIs where relevant.

Checklist

  • I searched existing issues and pull requests.
  • Changes are focused and do not include unrelated refactors.
  • Tests or static verification were run where practical.
  • User-facing behavior, deployment steps, API contracts, or configuration changes are documented.
  • Generated artifacts are included only when this project explicitly requires them.
  • Caches, build output, .pyc files, .env files, and local storage data are not committed.

@GeorgeXie2333 GeorgeXie2333 changed the title feat(auth): add Cloudflare Turnstile email registration verification 邮箱注册Cloudflare Turnstile人机验证支持 feat(auth): add Cloudflare Turnstile email registration verification ; fix: omit default OpenAI image partials May 24, 2026
Comment thread backend/internal/application/auth/turnstile.go Outdated
Comment thread backend/internal/transport/http/auth/dto.go
Comment thread backend/internal/transport/http/auth/dto.go
Comment thread backend/internal/application/settings/service.go
@chenyme

chenyme commented May 25, 2026

Copy link
Copy Markdown
Contributor

合入前需要处理下面几个问题:

  1. P1: Turnstile 出站 HTTP 绕过 SSRF policy

    backend/internal/application/auth/turnstile.go:L58

    这里 fallback 到 http.DefaultClient,会绕过项目的 outbound security policy。go test ./... 当前也会失败:

    TestOutboundHTTPCallSitesAreExplicit:
    unreviewed outbound HTTP call site "http.DefaultClient"
    

    建议把 Turnstile siteverify 客户端作为接口注入,HTTP 实现使用项目统一的 outbound client,例如 security.NewOutboundHTTPClient,并在 wiring 里创建。

  2. P1: API 契约变更没有同步后端 Docs / Swagger

    backend/internal/transport/http/auth/dto.go:L57
    backend/internal/transport/http/auth/dto.go:L193

    PR 新增了 turnstileTokenturnstileRegistrationEnabledturnstileSiteKey,但 backend/docs/* 里没有这些字段,也没有 /auth/register/email/*/auth/login-options 的 Swagger 记录。按后端 Docs 规范,改 routes/DTO/API comments 后需要补 Swagger 注释并跑 make swagger

  3. P2: 新布尔设置没有进入后端校验白名单

    backend/internal/application/settings/service.go:L381

    auth:turnstile_registration_enabled 已加入 seed/runtime,但没有加入 bool 校验 case。这样后端会接受类似 "yes" 的非法值,运行时 ParseBool 失败后可能静默回退。建议加入 bool 校验并补一个 invalid patch 测试。

  4. P2: 用户可见配置缺少 README 说明

    新增 Cloudflare Turnstile 会影响邮箱注册流程,也引入外部 Cloudflare 依赖。建议在 backend/README.md 或根 README 补充启用条件、Site Key/Secret Key、影响范围,以及邮箱验证码开启/关闭时 token 提交到哪个注册阶段。

验证:我跑了 go test ./...,当前失败点是 SSRF 出站策略测试,其余基本通过。

  1. PS: Commit Messages 规范:CONTRIBUTING.md

Reviewed With Codex ❤️

@GeorgeXie2333 GeorgeXie2333 changed the title feat(auth): add Cloudflare Turnstile email registration verification ; fix: omit default OpenAI image partials feat: add Turnstile registration and image fixes May 25, 2026
@chenyme
chenyme self-requested a review May 25, 2026 06:03
chenyme
chenyme previously approved these changes May 25, 2026
@chenyme
chenyme requested a review from Noxiven May 25, 2026 06:08
Comment thread backend/internal/application/auth/registration.go
Comment thread backend/internal/application/auth/service.go
Comment thread backend/internal/application/auth/service.go
Comment thread backend/internal/application/auth/turnstile.go Outdated
Comment thread backend/internal/application/auth/turnstile.go
Comment thread backend/internal/application/auth/turnstile.go Outdated
Comment thread backend/internal/application/auth/turnstile.go Outdated
Comment thread backend/internal/application/auth/turnstile.go Outdated
Comment thread backend/internal/infra/llm/openai_images.go
Comment thread backend/internal/infra/llm/openai_images.go Outdated
@GeorgeXie2333

Copy link
Copy Markdown
Contributor Author

@OrenZhang 已处理本轮 review:

  1. Turnstile siteverify endpoint 已改为静态配置项,默认仍使用 Cloudflare 官方地址,支持 TURNSTILE_SITEVERIFY_URL / security.turnstile_siteverify_url 覆盖。
  2. auth 出站请求已合并复用同一个受 SSRF policy 保护的 outbound client,移除了 turnstileHTTPClient 和 nil fallback。
  3. Turnstile Site Key 为空时现在跳过校验;Secret Key 缺失仍返回配置错误。
  4. 邮箱验证码开启时 Turnstile 在发送验证码阶段校验;验证码关闭时 complete 阶段校验。代码中已补注释和测试说明这个差异。
  5. Turnstile 日志已收敛为 message 文本,不再新增动态 zap 字段。
  6. partial_images 保持“未显式配置不发送”,同时只接受正数,避免额外引入 0 值语义。

验证已通过:go test ./...

@chenyme
chenyme self-requested a review May 25, 2026 12:21
@chenyme
chenyme merged commit f7076ec into DEEIX-AI:dev May 25, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants