feat: CAPTCHA, hidden tracking field, preview fix, tests + CI#70
Conversation
- fix(admin): Preview modal scrolls internally instead of overflowing on tall forms (flex: 1 / minHeight: 0 / alignItems: flex-start). - feat(captcha): per-form CAPTCHA (Cloudflare Turnstile or Google reCAPTCHA v2). Server-side verify (fail-closed), secret key never exposed to the browser, CSP relaxed for the provider on the public page, client guard blocks submit without a token. Saving is blocked when a provider is chosen without keys; keys reset on provider change. - feat(fields): hidden tracking field — captures a URL query param (e.g. utm_source) or a default value, stored with the submission and included in CSV export. Never rendered visibly. - feat(admin): "Test & learn regex" help link on pattern validation. - refactor(admin): drop the redundant Actions column in the submissions inbox (the whole row already opens the detail drawer). - test: Vitest + seed tests for verifyCaptcha (fail-closed), public schema secret-key stripping, and field validation. - ci: run the test suite in CI. devDeps: vitest; zod pinned to align the transitive ai/zod-v4 resolution for local symlinked plugin dev (not shipped — files: ["dist"]).
|
Warning Review limit reached
Next review available in: 10 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Repository UI Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (8)
📝 WalkthroughWalkthroughThe form builder adds hidden tracking fields and CAPTCHA settings. Public embeds render and validate CAPTCHA challenges, server submissions verify tokens and redact them, and Vitest coverage runs in CI. ChangesForm configuration and admin UI
Estimated code review effort: 4 (Complex) | ~45 minutes Sequence Diagram(s)sequenceDiagram
participant Admin as FormBuilderPage
participant Embed as embedScript
participant Provider as CAPTCHA provider
participant Server as submissionService
Admin->>Embed: Publish CAPTCHA configuration
Embed->>Provider: Load widget and obtain token
Embed->>Server: Submit form with _fc_captcha
Server->>Provider: Verify secret and token
Provider-->>Server: Return verification result
Server-->>Embed: Accept or reject submission
Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@admin/src/components/FieldSettingsPanel.tsx`:
- Around line 155-169: Hidden fields are still honoring the previous tab
selection, so the Validation panel can remain active even though the General
panel is hidden. In FieldSettingsPanel, update the tab rendering logic around
the tab === 'validation' branch and the isHidden checks so validation content
only renders for non-hidden fields, or reset the local tab state to 'general'
whenever the selected field changes to a hidden one.
In `@server/src/controllers/form.ts`:
- Around line 512-527: The CSP in the form controller’s provider-specific branch
is too permissive because `script-src` includes `'unsafe-inline'` even though
the public CAPTCHA page only needs external scripts. Update the
`Content-Security-Policy` header built in the `provider` block to remove
`'unsafe-inline'` from `script-src` while leaving it in `style-src` if needed,
and keep the existing external CAPTCHA domains intact.
In `@server/src/services/submission.ts`:
- Around line 11-28: verifyCaptcha currently has two issues: it can wait
indefinitely on fetch and it returns true for unrecognized captcha providers.
Update verifyCaptcha in submission.ts to enforce a request timeout around the
siteverify fetch, and change the unknown-provider branch so CAPTCHA verification
fails closed by returning false instead of bypassing checks. Use the existing
CAPTCHA_ENDPOINTS lookup and the verifyCaptcha function as the main place to
apply both fixes.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
Run ID: 5b12739c-9afb-4f32-992c-57e469ef327d
⛔ Files ignored due to path filters (1)
package-lock.jsonis excluded by!**/package-lock.json
📒 Files selected for processing (17)
.github/workflows/ci.ymladmin/src/components/FieldSettingsPanel.tsxadmin/src/components/FormPreview.tsxadmin/src/pages/FormBuilderPage.tsxadmin/src/pages/SubmissionsPage.tsxadmin/src/types.tsadmin/src/ui.tspackage.jsonserver/src/content-types/form/schema.jsonserver/src/controllers/form.tsserver/src/controllers/submission.tsserver/src/services/form.tsserver/src/services/submission.tstests/public-schema.test.tstests/validation.test.tstests/verify-captcha.test.tsvitest.config.ts
💤 Files with no reviewable changes (1)
- admin/src/pages/SubmissionsPage.tsx
Summary
A batch of anti-spam, tracking, UX and quality work.
Features
utm_source) or a default value, stored with each submission and included in the CSV export. Never rendered visibly. Lives in the Basic field palette.Fixes / cleanup
flex: 1/minHeight: 0/alignItems: flex-start).Tests + CI
verifyCaptcha(fail-closed), public-schema secret-key stripping, and field validation. 13/13 passing.npm testbetween type-check and build.Verification
?utm_source=…is captured into the hidden input.Notes
dist/is gitignored (build output not committed).vitest;zodpinned to align the transitiveai/zod/v4resolution for local symlinked plugin dev — not shipped (files: ["dist"]).🤖 Generated with Claude Code
Summary by CodeRabbit
New Features
Bug Fixes
Tests