update params and add timeouts to faraday

Author: cocomarine

.env.example

@@ -69,7 +69,7 @@ SCRATCH_ASSET_IMPORT_BASE_URL=https://example.com/assets/
 # Pardot Form Handler endpoint for subscription forwarding
 PARDOT_SUBSCRIPTION_URL=
 
-# Cloudflare Turnstile bot protection.This is a test key that always passes. 
+# Cloudflare Turnstile bot protection. This is a test key that always passes.
 # Others are available for testing purposes at
 # https://developers.cloudflare.com/turnstile/troubleshooting/testing/.
 CLOUDFLARE_TURNSTILE_SECRET_KEY=1x0000000000000000000000000000000AA

app/controllers/api/subscriptions_controller.rb

@@ -7,7 +7,8 @@ class SubscriptionsController < ApiController
     API_URL = 'https://challenges.cloudflare.com/turnstile/v0/siteverify'
 
     def create
-      payload = subscription_params.to_h
+      # turnstile token is only used for bot check so strip it out before validation and submission
+      payload = subscription_params.except(:turnstile_token).to_h
       errors = validation_errors_for(payload)
 
       if errors.empty?
@@ -45,6 +46,7 @@ def create
 
     def check_cloudflare_turnstile
       return unless Rails.configuration.x.cloudflare_turnstile.enabled
+      return if params[:subscription].blank?
       return if valid_turnstile_token?
 
       Rails.logger.warn('[subscriptions#create] outcome=failure error_code=turnstile_verification_failed')
@@ -65,6 +67,9 @@ def valid_turnstile_token?
           secret: Rails.configuration.x.cloudflare_turnstile.secret_key,
           response: token,
           remoteip: request.remote_ip
+        },
+        {
+          request: { timeout: 5, open_timeout: 2 }
         }
       )
       unless response.success?
@@ -82,7 +87,7 @@ def valid_turnstile_token?
     end
 
     def subscription_params
-      params.require(:subscription).permit(:email, :test_opt_in, :privacy_policy)
+      params.require(:subscription).permit(:email, :test_opt_in, :privacy_policy, :turnstile_token)
     end
 
     def subscriptions_submitter