Skip to content

Commit 3c87df7

Browse files
cocomarineCopilot
andcommitted
Config turnstile screte and add test
Co-authored-by: Copilot <copilot@github.com>
1 parent c32e7c4 commit 3c87df7

3 files changed

Lines changed: 57 additions & 2 deletions

File tree

.env.example

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -67,4 +67,7 @@ SCRATCH_ASSET_CONFIG_BASE_URL=https://example.com/config/
6767
SCRATCH_ASSET_IMPORT_BASE_URL=https://example.com/assets/
6868

6969
# Pardot Form Handler endpoint for subscription forwarding
70-
PARDOT_SUBSCRIPTION_URL=
70+
PARDOT_SUBSCRIPTION_URL=
71+
72+
# Cloudflare Turnstile bot protection for the subscription form
73+
CLOUDFLARE_TURNSTILE_SECRET_KEY=

config/application.rb

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -70,5 +70,8 @@ class Application < Rails::Application
7070
config.active_record.encryption.key_derivation_salt = ENV.fetch('ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT')
7171

7272
config.x.subscriptions.pardot_form_handler_url = ENV.fetch('PARDOT_SUBSCRIPTION_URL', '')
73+
74+
config.x.cloudflare_turnstile.secret_key = ENV.fetch('CLOUDFLARE_TURNSTILE_SECRET_KEY', nil)
75+
config.x.cloudflare_turnstile.enabled = ENV['CLOUDFLARE_TURNSTILE_SECRET_KEY'].present?
7376
end
7477
end

spec/requests/api/subscriptions_spec.rb

Lines changed: 50 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,8 @@
1010
subscription: {
1111
email: 'teacher@example.com',
1212
test_opt_in: true,
13-
privacy_policy: true
13+
privacy_policy: true,
14+
turnstile_token: 'test-token'
1415
}
1516
}
1617
end
@@ -110,5 +111,53 @@
110111
'message' => 'Subscription provider rejected the request.'
111112
)
112113
end
114+
115+
describe 'Cloudflare Turnstile integration' do
116+
let(:request_url) { 'https://challenges.cloudflare.com/turnstile/v0/siteverify' }
117+
118+
before do
119+
allow(Rails.configuration.x.cloudflare_turnstile).to receive(:enabled).and_return(true)
120+
allow(Rails.configuration.x.cloudflare_turnstile).to receive(:secret_key).and_return('test-secret')
121+
end
122+
123+
it 'returns 422 when turnstile token is missing' do
124+
post(path, params: payload.deep_merge(subscription: { turnstile_token: '' }), as: :json)
125+
126+
expect(response).to have_http_status(:unprocessable_content)
127+
expect(response.parsed_body['error_code']).to eq('turnstile_verification_failed')
128+
end
129+
130+
it 'returns 422 when turnstile verification fails' do
131+
stub_request(:post, request_url)
132+
.with(
133+
body: hash_including(
134+
secret: 'test-secret',
135+
response: 'test-token'
136+
)
137+
)
138+
.to_return(status: 200, body: { success: false }.to_json)
139+
140+
post(path, params: payload, as: :json)
141+
142+
expect(response).to have_http_status(:unprocessable_content)
143+
expect(response.parsed_body['error_code']).to eq('turnstile_verification_failed')
144+
end
145+
146+
it 'allows request through if turnstile verification is unavailable' do
147+
stub_request(:post, request_url)
148+
.with(
149+
body: hash_including(
150+
secret: 'test-secret',
151+
response: 'test-token'
152+
)
153+
)
154+
.to_timeout
155+
156+
post(path, params: payload, as: :json)
157+
158+
expect(response).to have_http_status(:ok)
159+
expect(response.parsed_body['ok']).to eq(true)
160+
end
161+
end
113162
end
114163
end

0 commit comments

Comments
 (0)