fix: reduce Turnstile verification timeouts from 15s to 8s on the client and 10s to 5s on the server, and check userAgent for bot patterns

Author: HMarzban

packages/webapp/Helpers/validateTurnstileAccess.ts

@@ -5,6 +5,58 @@ import { type GetServerSidePropsContext } from 'next'
 export const validateTurnstileAccess = (context: GetServerSidePropsContext): boolean => {
   const cookies = cookie.parse(context.req.headers.cookie || '')
 
+  // Always challenge bots and suspicious traffic
+  const userAgent = context.req.headers['user-agent'] || ''
+  const botPatterns = [
+    // Generic patterns
+    'bot',
+    'crawler',
+    'spider',
+    'scraper',
+    // Tools & scripts
+    'curl',
+    'wget',
+    'python',
+    'java',
+    'ruby',
+    'go-http',
+    'postman',
+    'insomnia',
+    'httpie',
+    // Social media bots
+    'facebookexternalhit',
+    'twitterbot',
+    'linkedinbot',
+    'slackbot',
+    'discordbot',
+    'telegrambot',
+    'whatsapp',
+    // Search engines
+    'googlebot',
+    'bingbot',
+    'duckduckbot',
+    'baiduspider',
+    'yandexbot',
+    'sogou',
+    'msnbot',
+    'applebot',
+    // SEO & monitoring
+    'ahrefsbot',
+    'semrushbot',
+    'mj12bot',
+    'dotbot',
+    'blexbot',
+    'petalbot',
+    'bytedance',
+    'facebot',
+    // Archives & misc
+    'ia_archiver',
+    'wayback'
+  ]
+
+  const isBot = new RegExp(botPatterns.join('|'), 'i').test(userAgent)
+  if (isBot) return false // Always challenge bots
+
   const isTurnstileVerified = Config.app.turnstile.isEnabled
     ? cookies.turnstileVerified === 'true'
     : true

packages/webapp/components/skeleton/SlugPageLoaderWithTurnstile.tsx

@@ -47,7 +47,7 @@ const TurnstileModal = ({ showTurnstile }: Props) => {
           method: 'POST',
           headers: { 'Content-Type': 'application/json' },
           body: JSON.stringify({ token }),
-          signal: AbortSignal.timeout(15000)
+          signal: AbortSignal.timeout(8000) // Reduced from 15s to 8s
         })
 
         const data = await response.json()
@@ -62,20 +62,12 @@ const TurnstileModal = ({ showTurnstile }: Props) => {
           throw new Error(data.message || 'Verification failed')
         }
       } catch (err) {
-        let errorMessage = 'Verification failed. Please try again.'
-
-        if (err instanceof Error) {
-          if (err.name === 'TimeoutError') {
-            errorMessage = 'Verification timed out. Please try again.'
-          } else if (err.message.includes('fetch')) {
-            errorMessage = 'Network error. Please check your connection.'
-          } else {
-            errorMessage = err.message
-          }
-        }
-
         setState('error')
-        setError(errorMessage)
+        setError(
+          err instanceof Error && err.name === 'TimeoutError'
+            ? 'Verification timed out. Please try again.'
+            : 'Verification failed. Please try again.'
+        )
         console.error('Turnstile verification error:', err)
       }
     },

packages/webapp/pages/api/verify-turnstile.ts

@@ -41,8 +41,7 @@ export default async function handler(req: NextApiRequest, res: NextApiResponse)
     const response = await fetch('https://challenges.cloudflare.com/turnstile/v0/siteverify', {
       method: 'POST',
       body: formData,
-      // Add timeout to prevent hanging
-      signal: AbortSignal.timeout(10000)
+      signal: AbortSignal.timeout(5000) // Reduced timeout
     })
 
     if (!response.ok) {