[Feature Added] > Added Cloudflare Turnstile captcha for better security and bot disengagement. Also updated features, like file_routes, auth_routes to support Turnstile.

backend/app/api/auth_routes.py

@@ -1,4 +1,4 @@
-from fastapi import APIRouter, Depends, HTTPException, Request, status, BackgroundTasks
+from fastapi import APIRouter, Depends, HTTPException, Request, status, BackgroundTasks, Header
 from sqlalchemy.orm import Session
 from app.schemas.auth_schema import LoginRequest, PasswordResetRequest, PasswordResetConfirm, VerifyEmailConfirm, ResendVerificationRequest
 from app.services.auth_service import login_user, request_password_reset, confirm_password_reset, confirm_email_verification, resend_verification
@@ -6,13 +6,17 @@ from app.db.session import get_db
 from app.auth.oauth import oauth
 from app.services.oauth_service import handle_oauth_login
 from app.services.email_service import send_reset_password_email, send_verification_email
+from app.security.turnstile import verify_turnstile_token
 
 router = APIRouter(prefix="/auth", tags=["Auth"])
 
 @router.post("/login")
-def login(data: LoginRequest, request: Request, db: Session = Depends(get_db)):
+async def login(data: LoginRequest, request: Request, user_data: dict, cf_turnstile_response: str = Header(None, alias="cf-turnstile-response"), db: Session = Depends(get_db)):
     try:
+        client_ip = request.client.host
+        await verify_turnstile_token(cf_turnstile_response, client_ip)
         token = login_user(db, data.email, data.password, request)
+        
         if not token:
             raise HTTPException(status_code=401, detail="Invalid Credentials")
         return {"access_token": token}

backend/app/api/file_routes.py

@@ -1,4 +1,4 @@
-from fastapi import APIRouter, Depends, UploadFile, File as FastAPIFile, Request
+from fastapi import APIRouter, Depends, UploadFile, File as FastAPIFile, Request, Header
 from sqlalchemy.orm import Session
 from app.db.session import get_db
 from app.core.auth_dependancy import get_current_user
@@ -9,6 +9,7 @@ from app.services.file_delete_service import delete_file_service
 from app.models.user_model import User
 from app.worker.tasks import process_file_task
 from app.core.limiter import limiter
+from app.security.turnstile import verify_turnstile_token
 
 router = APIRouter(prefix="/files", tags=["files"])
 
@@ -59,12 +60,16 @@ def get_file(
 
 @router.post("/upload")
 @limiter.limit("5/minute")
-def upload_file(
+async def upload_file(
     request: Request,
     file: UploadFile = FastAPIFile(...),
+    cf_turnstile_response: str = Header(None, alias="cf-turnstile-response"),
     db: Session = Depends(get_db),
     current_user: User = Depends(get_current_user)
 ):
+    client_ip = request.client.host
+    await verify_turnstile_token(cf_turnstile_response, client_ip)
+
     saved_file = upload_file_service(
         db=db,
         file=file,

backend/app/api/user_routes.py

@@ -1,18 +1,24 @@
-from fastapi import APIRouter, Depends, HTTPException, BackgroundTasks
+from fastapi import Header, Request, APIRouter, Depends, HTTPException, BackgroundTasks
 from sqlalchemy.orm import Session
 from app.schemas.user_schema import UserCreate
 from app.services.user_service import create_user
 from app.db.session import get_db
 from app.services.email_service import send_verification_email
+from app.security.turnstile import verify_turnstile_token
 
 router = APIRouter(prefix="/users", tags=["Users"])
 
 @router.post("/register")
-def register(
+async def register(
+    request: Request,
     user: UserCreate,
     background_tasks: BackgroundTasks,
+    cf_turnstile_response: str = Header(None, alias="cf-turnstile-response"),
     db: Session = Depends(get_db)
 ):
+    client_ip = request.client.host
+    await verify_turnstile_token(cf_turnstile_response, client_ip)
+
     new_user, raw_token = create_user(
         db,
         email=user.email,

backend/app/core/config.py

@@ -19,6 +19,7 @@ class Settings(BaseSettings):
     SMTP_PORT: int = 587
     SMTP_SERVER: str | None = None
     FRONTEND_URL: str = "http://localhost:3000"
+    TURNSTILE_SECRET_KEY: str | None = None
 
     model_config = SettingsConfigDict(
         env_file=".env",

backend/app/security/turnstile.py

@@ -0,0 +1,40 @@
+import httpx
+import logging
+from fastapi import HTTPException
+from app.core.config import settings
+
+logger = logging.getLogger(__name__)
+
+async def verify_turnstile_token(token: str, ip_address: str = None) -> bool:
+    if not token:
+        logger.warning("Turnstile Verification Failed: Missing token.")
+        raise HTTPException(status_code=400, detail="CAPTCHA token is missing.")
+
+    verify_url = "https://challenges.cloudflare.com/turnstile/v0/siteverify"
+    payload = {
+        "secret": settings.TURNSTILE_SECRET_KEY,
+        "response": token
+    }
+
+    if ip_address:
+        payload["remoteip"] = ip_address
+
+    try:
+        async with httpx.AsyncClient(timeout=5.0) as client:
+            response = await client.post(verify_url, data=payload)
+            result = response.json()
+        
+        if result.get("success"):
+            return True
+        else:
+            error_codes = result.get("error-codes", [])
+            logger.warning(f"Turnstile Verification Failed. Errors: {error_codes}")
+
+            if "timeout-or-duplicate" in error_codes:
+                raise HTTPException(status_code=400, detail="CAPTCHA expired or already used. Please refresh.")
+            
+            raise HTTPException(status_code=403, detail="CAPTCHA verification failed.")
+        
+    except httpx.RequestError as e:
+        logger.error(f"Turnstile API connection error: {str(e)}")
+        raise HTTPException(status_code=503, detail="Security validation service unavailable.")

frontend/components/ui/TurnstileWidget.tsx

@@ -0,0 +1,36 @@
+import { Turnstile } from '@marsidev/react-turnstile';
+import { useState } from 'react';
+
+interface TurnstileProps {
+    onVerify: (token: string) => void;
+    actionName?: string
+}
+
+export default function TurnstileWidget({ onVerify, actionName = "login" }: TurnstileProps) {
+    const [token, setToken] = useState<string | null>(null);
+
+    const handleSuccess = (token: string) => {
+        setToken(token);
+        onVerify(token);
+    };
+
+    const handleError = () => {
+        console.error("Turnstile encountered an error.");
+        setToken(null);
+    }
+
+    return (
+        <div className="my-4">
+            <Turnstile
+                siteKey={process.env.NEXT_PUBLIC_TURNSTILE_SITE_KEY || ""}
+                onSuccess={handleSuccess}
+                onError={handleError}
+                onExpire={() => setToken(null)}
+                options={{
+                    action: actionName,
+                    theme: "auto",
+                }}
+            />
+        </div>
+    )
+}

frontend/package-lock.json

@@ -8,6 +8,7 @@
       "name": "frontend",
       "version": "0.1.0",
       "dependencies": {
+        "@marsidev/react-turnstile": "^1.4.2",
         "class-variance-authority": "^0.7.1",
         "clsx": "^2.1.1",
         "lucide-react": "^0.575.0",
@@ -1595,6 +1596,16 @@
         "@jridgewell/sourcemap-codec": "^1.4.14"
       }
     },
+    "node_modules/@marsidev/react-turnstile": {
+      "version": "1.4.2",
+      "resolved": "https://registry.npmjs.org/@marsidev/react-turnstile/-/react-turnstile-1.4.2.tgz",
+      "integrity": "sha512-xs1qOuyeMOz6t9BXXCXWiukC0/0+48vR08B7uwNdG05wCMnbcNgxiFmdFKDOFbM76qFYFRYlGeRfhfq1U/iZmA==",
+      "license": "MIT",
+      "peerDependencies": {
+        "react": "^17.0.2 || ^18.0.0 || ^19.0",
+        "react-dom": "^17.0.2 || ^18.0.0 || ^19.0"
+      }
+    },
     "node_modules/@modelcontextprotocol/sdk": {
       "version": "1.26.0",
       "resolved": "https://registry.npmjs.org/@modelcontextprotocol/sdk/-/sdk-1.26.0.tgz",

frontend/package.json

@@ -9,6 +9,7 @@
     "lint": "eslint"
   },
   "dependencies": {
+    "@marsidev/react-turnstile": "^1.4.2",
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",
     "lucide-react": "^0.575.0",