Turnstile Addition

public/css/modals.css

@@ -195,3 +195,18 @@
 .limit-icon { font-size: 40px; margin-bottom: 12px; }
 .limit-title { font-size: 20px; font-weight: 600; margin-bottom: 6px; }
 .limit-desc { font-size: 14px; color: var(--text-dim); margin-bottom: 20px; }
+
+/* ── Turnstile verification overlay ─────────────────────────────────────── */
+.turnstile-overlay { display: flex; align-items: center; justify-content: center; }
+.turnstile-box {
+  background: rgba(17,17,19,0.96);
+  border-radius: var(--radius-lg);
+  padding: 20px;
+  width: 100%; max-width: 420px;
+  box-shadow: 0 8px 30px rgba(0,0,0,0.6);
+  text-align: center; color: var(--text);
+}
+.turnstile-message { margin-bottom: 12px; color: var(--text-dim); font-size: 14px; }
+
+/* make the rest of the page dim and inert while overlay visible */
+.page-faded { filter: blur(2px) brightness(0.6); pointer-events: none; user-select: none; }

public/index.html

@@ -14,6 +14,12 @@
   <link rel="stylesheet" href="/css/modals.css" />
   <link rel="stylesheet" href="/css/input.css" />
   <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/katex@0.16.9/dist/katex.min.css" />
+  <script
+  src="https://challenges.cloudflare.com/turnstile/v0/api.js"
+  async
+  defer
+></script>
+<link rel="preconnect" href="https://challenges.cloudflare.com" />
 </head>
 <body>
   <!-- Share import overlay -->
@@ -160,6 +166,16 @@
     <div id="modal-box" class="modal-box"></div>
   </div>
 
+  <!-- Turnstile verification overlay (shows until user verifies) -->
+  <div id="turnstile-overlay" class="modal-overlay turnstile-overlay">
+    <div class="turnstile-box" id="turnstile-box">
+      <div class="turnstile-message">Please verify you are human to continue using the chat.</div>
+      <div id="turnstile-widget">
+        <div class="cf-turnstile" data-sitekey="0x4AAAAAAC1ZXKIhZ9Kdz8j9" data-callback="onTurnstileSuccess"></div>
+      </div>
+    </div>
+  </div>
+
   <!-- Notification area -->
   <div id="notifications" class="notifications"></div>
 
@@ -171,6 +187,8 @@
   <script src="https://cdn.jsdelivr.net/npm/katex@0.16.9/dist/contrib/auto-render.min.js"></script>
   <script src="https://cdn.jsdelivr.net/npm/marked@9.1.6/marked.min.js"></script>
   <script src="https://cdn.jsdelivr.net/npm/dompurify@3.1.6/dist/purify.min.js"></script>
+  <!-- Turnstile widget handler (shows verification overlay) -->
+  <script type="module" src="/js/turnstile.js"></script>
   <script type="module" src="/js/app.js"></script>
   <div 
     style="

public/js/turnstile.js

@@ -0,0 +1,38 @@
+// turnstile.js — show overlay and handle verification
+(function() {
+  function hasTurnstileCookie() {
+    return document.cookie.split(';').some(c => c.trim().startsWith('turnstile='));
+  }
+
+  const overlay = document.getElementById('turnstile-overlay');
+  const pageRoot = document.getElementById('app') || document.body;
+
+  function hideOverlay() {
+    if (overlay) overlay.style.display = 'none';
+    if (pageRoot) pageRoot.classList.remove('page-faded');
+  }
+  function showOverlay() {
+    if (overlay) overlay.style.display = 'flex';
+    if (pageRoot) pageRoot.classList.add('page-faded');
+  }
+
+  // Global callback for Cloudflare Turnstile
+  window.onTurnstileSuccess = async function(token) {
+    try {
+      // Try REST verify first (sets cookie)
+      await fetch('/api/turnstile', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ token }) });
+    } catch (e) {
+      console.error('Turnstile REST verify failed', e);
+    }
+    // Also notify server over websocket (if connected)
+    try {
+      if (window.ws?.send) window.ws.send({ type: 'turnstile:verify', token });
+    } catch (e) { /* ignore */ }
+
+    // Hide overlay
+    hideOverlay();
+  };
+
+  // Initialize visibility
+  if (hasTurnstileCookie()) hideOverlay(); else showOverlay();
+})();

public/oauth-callback.html

@@ -78,5 +78,14 @@
       msgEl.textContent = 'No token received. You can close this window.';
     }
   </script>
+  <!-- Cloudflare Turnstile -->
+  <script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
+  <div id="turnstile-overlay" style="position:fixed;inset:0;display:flex;align-items:center;justify-content:center;background:rgba(0,0,0,0.6);z-index:9999;">
+    <div style="background:#0d0e11;padding:18px;border-radius:10px;text-align:center;max-width:420px;width:90%;">
+      <div style="color:#d7d7d7;margin-bottom:12px;">Please verify you are human to continue.</div>
+      <div class="cf-turnstile" data-sitekey="0x4AAAAAAC1ZXKIhZ9Kdz8j9" data-callback="onTurnstileSuccess"></div>
+    </div>
+  </div>
+  <script type="module" src="/js/turnstile.js"></script>
 </body>
 </html>

server/index.js

@@ -23,6 +23,14 @@ const app  = express();
 
 app.use(express.static(path.join(__dirname, '..', 'public')));
 app.use(express.json({ limit: '10mb' }));
+// Require turnstile cookie for API routes (except the verification endpoint itself)
+app.use('/api', (req, res, next) => {
+  const exempt = ['/turnstile', '/health'];
+  if (exempt.includes(req.path)) return next();
+  const cookieHeader = req.headers.cookie || '';
+  if (cookieHeader.includes('turnstile=1')) return next();
+  return res.status(403).json({ error: 'turnstile:required' });
+});
 app.get('/health', (_req, res) => res.json({ ok: true }));
 
 app.get('/api/share/:token', async (req, res) => {
@@ -40,6 +48,31 @@ app.get('/api/share/:token', async (req, res) => {
   } catch { res.status(500).json({ error: 'Server error' }); }
 });
 
+// Turnstile verification endpoint - accepts token and verifies with Cloudflare
+app.post('/api/turnstile', async (req, res) => {
+  try {
+    const token = req.body?.token;
+    const secret = process.env.TURNSTILE_SECRET_KEY;
+    if (!token || !secret) return res.status(400).json({ error: 'Missing token or server not configured' });
+
+    const params = new URLSearchParams();
+    params.append('secret', secret);
+    params.append('response', token);
+    if (req.ip) params.append('remoteip', req.ip);
+
+    const r = await fetch('https://challenges.cloudflare.com/turnstile/v0/siteverify', {
+      method: 'POST', body: params,
+    });
+    const j = await r.json();
+    if (j?.success) {
+      // Set a short-lived cookie to allow access to other endpoints
+      res.cookie('turnstile', '1', { maxAge: 24 * 3600 * 1000, path: '/', sameSite: 'lax' });
+      return res.json({ success: true });
+    }
+    return res.status(403).json({ error: 'Verification failed' });
+  } catch (e) { console.error('turnstile verify', e); return res.status(500).json({ error: 'Server error' }); }
+});
+
 app.get('*', (req, res) => {
   if (!req.path.startsWith('/api/'))
     res.sendFile(path.join(__dirname, '..', 'public', 'index.html'));
@@ -54,7 +87,11 @@ wss.on('connection', (ws, req) => {
   const ip = (req.headers['x-forwarded-for'] || '').split(',')[0].trim()
     || req.socket.remoteAddress || 'unknown';
   const userAgent = req.headers['user-agent'] || 'unknown';
-  wsClients.set(ws, { tempId: crypto.randomUUID(), ip, userAgent, userId: null, authenticated: false });
+  // Mark verified if request included a turnstile cookie
+  const cookies = (req.headers.cookie || '').split(';').map(s => s.trim()).filter(Boolean);
+  const cookieMap = Object.fromEntries(cookies.map(c => { const i = c.indexOf('='); return [c.slice(0, i), c.slice(i+1)]; }));
+  const verified = cookieMap.turnstile === '1';
+  wsClients.set(ws, { tempId: crypto.randomUUID(), ip, userAgent, userId: null, authenticated: false, verified });
 
   ws.on('message', async raw => {
     try { await handleWsMessage(ws, JSON.parse(raw.toString()), wsClients); }

server/wsHandler.js

@@ -15,6 +15,10 @@ const activeStreams = new Map();
 
 export async function handleWsMessage(ws, msg, wsClients) {
   const client = wsClients.get(ws); if (!client) return;
+  // Require turnstile verification for most message types
+  if (!client.verified && msg.type !== 'ping' && msg.type !== 'turnstile:verify') {
+    return safeSend(ws, { type: 'error', message: 'turnstile:required' });
+  }
   const h = handlers[msg.type];
   if (h) return h(ws, msg, client, wsClients);
   safeSend(ws, { type: 'error', message: `Unknown: ${msg.type}` });
@@ -27,6 +31,21 @@ function bcast(wsClients, userId, data, excludeWs) {
 const handlers = {
   'ping': (ws) => { safeSend(ws, { type: 'pong' }); },
 
+  // Verify turnstile token sent over websocket
+  'turnstile:verify': async (ws, msg, client) => {
+    try {
+      const token = msg?.token;
+      const secret = process.env.TURNSTILE_SECRET_KEY;
+      if (!token || !secret) return safeSend(ws, { type: 'turnstile:error', message: 'Missing token or server not configured' });
+      const params = new URLSearchParams(); params.append('secret', secret); params.append('response', token);
+      if (client.ip) params.append('remoteip', client.ip);
+      const r = await fetch('https://challenges.cloudflare.com/turnstile/v0/siteverify', { method: 'POST', body: params });
+      const j = await r.json();
+      if (j?.success) { client.verified = true; return safeSend(ws, { type: 'turnstile:ok' }); }
+      return safeSend(ws, { type: 'turnstile:error', message: 'Verification failed' });
+    } catch (e) { console.error('ws turnstile verify', e); return safeSend(ws, { type: 'turnstile:error', message: 'Server error' }); }
+  },
+
   'auth:login': async (ws, msg, client, wsClients) => {
     const { accessToken, tempId: clientTempId } = msg;
     if (!accessToken) return safeSend(ws, { type: 'auth:error', message: 'Missing token' });