Skip to content

feat: CAPTCHA, hidden tracking field, preview fix, tests + CI#70

Merged
devCluna merged 5 commits into
mainfrom
feat/captcha-hidden-preview-tests
Jul 9, 2026
Merged

feat: CAPTCHA, hidden tracking field, preview fix, tests + CI#70
devCluna merged 5 commits into
mainfrom
feat/captcha-hidden-preview-tests

Conversation

@devCluna

@devCluna devCluna commented Jul 9, 2026

Copy link
Copy Markdown
Owner

Summary

A batch of anti-spam, tracking, UX and quality work.

Features

  • CAPTCHA (per-form) — choose Cloudflare Turnstile or Google reCAPTCHA v2 per form. Server-side verification is fail-closed, the secret key is never sent to the browser (stripped from the public schema), the public page relaxes its CSP only for the chosen provider, and a client-side guard blocks submit without a token. Saving is blocked when a provider is selected without keys; keys reset when the provider changes.
  • Hidden tracking field — captures a URL query param (e.g. utm_source) or a default value, stored with each submission and included in the CSV export. Never rendered visibly. Lives in the Basic field palette.
  • Regex help link — "Test & learn regex ↗" next to the pattern validation input.

Fixes / cleanup

  • Preview modal now scrolls internally instead of overflowing on tall forms (flex: 1 / minHeight: 0 / alignItems: flex-start).
  • Submissions inbox — removed the redundant Actions column (the whole row already opens the detail drawer).

Tests + CI

  • Vitest added with seed tests on the security/validation paths: verifyCaptcha (fail-closed), public-schema secret-key stripping, and field validation. 13/13 passing.
  • CI now runs npm test between type-check and build.

Verification

  • 13/13 tests, server + admin type-check clean, build OK.
  • CAPTCHA server matrix checked live: fail token → 400, valid → 200, missing token → 400, secret never in the public schema.
  • Hidden field verified end-to-end on the public page via headless Chrome: ?utm_source=… is captured into the hidden input.

Notes

  • dist/ is gitignored (build output not committed).
  • devDeps: vitest; zod pinned to align the transitive ai/zod/v4 resolution for local symlinked plugin dev — not shipped (files: ["dist"]).

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • Added CAPTCHA support for forms, including Turnstile and reCAPTCHA configuration in the admin UI.
    • Added hidden tracking fields that can be prefilled from URL parameters.
    • Added form validation test coverage and CAPTCHA verification test coverage.
  • Bug Fixes

    • Improved submission handling to block invalid CAPTCHA submissions and reset widgets after failures.
    • Streamlined submissions table row interaction.
  • Tests

    • Added automated test runs to CI and new Vitest scripts for local testing.

- fix(admin): Preview modal scrolls internally instead of overflowing
  on tall forms (flex: 1 / minHeight: 0 / alignItems: flex-start).
- feat(captcha): per-form CAPTCHA (Cloudflare Turnstile or Google
  reCAPTCHA v2). Server-side verify (fail-closed), secret key never
  exposed to the browser, CSP relaxed for the provider on the public
  page, client guard blocks submit without a token. Saving is blocked
  when a provider is chosen without keys; keys reset on provider change.
- feat(fields): hidden tracking field — captures a URL query param
  (e.g. utm_source) or a default value, stored with the submission and
  included in CSV export. Never rendered visibly.
- feat(admin): "Test & learn regex" help link on pattern validation.
- refactor(admin): drop the redundant Actions column in the submissions
  inbox (the whole row already opens the detail drawer).
- test: Vitest + seed tests for verifyCaptcha (fail-closed), public
  schema secret-key stripping, and field validation.
- ci: run the test suite in CI.

devDeps: vitest; zod pinned to align the transitive ai/zod-v4
resolution for local symlinked plugin dev (not shipped — files: ["dist"]).
@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

@devCluna, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 10 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 4a457bdb-19fd-4ad3-8c7c-5284fa566781

📥 Commits

Reviewing files that changed from the base of the PR and between 4eae4a8 and c5bd29a.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (8)
  • admin/src/api.ts
  • admin/src/components/FieldSettingsPanel.tsx
  • admin/src/pages/FormBuilderPage.tsx
  • server/src/controllers/form.ts
  • server/src/controllers/submission.ts
  • server/src/routes/admin/index.ts
  • server/src/services/submission.ts
  • tests/verify-captcha.test.ts
📝 Walkthrough

Walkthrough

The form builder adds hidden tracking fields and CAPTCHA settings. Public embeds render and validate CAPTCHA challenges, server submissions verify tokens and redact them, and Vitest coverage runs in CI.

Changes

Form configuration and admin UI

Layer / File(s) Summary
Field and CAPTCHA configuration
admin/src/types.ts, admin/src/ui.ts, admin/src/components/FieldSettingsPanel.tsx, admin/src/pages/FormBuilderPage.tsx, server/src/content-types/form/schema.json
Adds hidden fields, URL parameter configuration, CAPTCHA settings, hidden-field controls, and CAPTCHA validation UI.
Public embed flow
server/src/controllers/form.ts
Renders hidden tracking inputs, loads CAPTCHA widgets, normalizes tokens, blocks missing tokens, resets failed widgets, and updates CSP sources.
Server verification and sanitization
server/src/services/form.ts, server/src/services/submission.ts, server/src/controllers/submission.ts
Redacts CAPTCHA secrets from public schemas, verifies provider responses, removes security tokens from stored submissions, and returns CAPTCHA errors as HTTP 400 responses.
Admin presentation
admin/src/components/FormPreview.tsx, admin/src/pages/SubmissionsPage.tsx
Adjusts preview scrolling and removes the submissions table’s separate Actions column.
Tests and CI
package.json, vitest.config.ts, tests/*, .github/workflows/ci.yml
Adds Vitest scripts and coverage for schema, validation, and CAPTCHA behavior, then runs tests in CI.

Estimated code review effort: 4 (Complex) | ~45 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Admin as FormBuilderPage
  participant Embed as embedScript
  participant Provider as CAPTCHA provider
  participant Server as submissionService
  Admin->>Embed: Publish CAPTCHA configuration
  Embed->>Provider: Load widget and obtain token
  Embed->>Server: Submit form with _fc_captcha
  Server->>Provider: Verify secret and token
  Provider-->>Server: Return verification result
  Server-->>Embed: Accept or reject submission
Loading

Poem

I’m a bunny with fields tucked out of sight,
CAPTCHA guards the form through the night.
Tokens hop cleanly, secrets stay shy,
Tests run promptly as builds flutter by.
The preview scrolls softly—what a delight!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly reflects the main changes: CAPTCHA support, hidden tracking fields, preview fix, tests, and CI updates.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/captcha-hidden-preview-tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@admin/src/components/FieldSettingsPanel.tsx`:
- Around line 155-169: Hidden fields are still honoring the previous tab
selection, so the Validation panel can remain active even though the General
panel is hidden. In FieldSettingsPanel, update the tab rendering logic around
the tab === 'validation' branch and the isHidden checks so validation content
only renders for non-hidden fields, or reset the local tab state to 'general'
whenever the selected field changes to a hidden one.

In `@server/src/controllers/form.ts`:
- Around line 512-527: The CSP in the form controller’s provider-specific branch
is too permissive because `script-src` includes `'unsafe-inline'` even though
the public CAPTCHA page only needs external scripts. Update the
`Content-Security-Policy` header built in the `provider` block to remove
`'unsafe-inline'` from `script-src` while leaving it in `style-src` if needed,
and keep the existing external CAPTCHA domains intact.

In `@server/src/services/submission.ts`:
- Around line 11-28: verifyCaptcha currently has two issues: it can wait
indefinitely on fetch and it returns true for unrecognized captcha providers.
Update verifyCaptcha in submission.ts to enforce a request timeout around the
siteverify fetch, and change the unknown-provider branch so CAPTCHA verification
fails closed by returning false instead of bypassing checks. Use the existing
CAPTCHA_ENDPOINTS lookup and the verifyCaptcha function as the main place to
apply both fixes.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 5b12739c-9afb-4f32-992c-57e469ef327d

📥 Commits

Reviewing files that changed from the base of the PR and between 2347e64 and 4eae4a8.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (17)
  • .github/workflows/ci.yml
  • admin/src/components/FieldSettingsPanel.tsx
  • admin/src/components/FormPreview.tsx
  • admin/src/pages/FormBuilderPage.tsx
  • admin/src/pages/SubmissionsPage.tsx
  • admin/src/types.ts
  • admin/src/ui.ts
  • package.json
  • server/src/content-types/form/schema.json
  • server/src/controllers/form.ts
  • server/src/controllers/submission.ts
  • server/src/services/form.ts
  • server/src/services/submission.ts
  • tests/public-schema.test.ts
  • tests/validation.test.ts
  • tests/verify-captcha.test.ts
  • vitest.config.ts
💤 Files with no reviewable changes (1)
  • admin/src/pages/SubmissionsPage.tsx

Comment thread admin/src/components/FieldSettingsPanel.tsx
Comment thread server/src/controllers/form.ts
Comment thread server/src/services/submission.ts
@devCluna devCluna self-assigned this Jul 9, 2026
@devCluna devCluna added the enhancement New feature or request label Jul 9, 2026
@devCluna devCluna merged commit 49cd501 into main Jul 9, 2026
3 checks passed
@devCluna devCluna deleted the feat/captcha-hidden-preview-tests branch July 9, 2026 21:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant