chore: Add PR's requested changes

matiasperrone-exo · matiasperrone-exo · commit 14abc2f2aace · 2026-05-13T17:45:52.000Z
diff --git a/app/Providers/AppServiceProvider.php b/app/Providers/AppServiceProvider.php
@@ -13,13 +13,15 @@
  **/
 
 use App\libs\Utils\TextUtils;
+use App\Services\TurnstileClient;
 use Illuminate\Support\Facades\App;
 use Illuminate\Support\Facades\Config;
 use Illuminate\Support\Facades\Event;
 use Illuminate\Support\Facades\Log;
 use Illuminate\Support\ServiceProvider;
 use Illuminate\Support\Facades\Validator;
 use models\exceptions\ValidationException;
+use RyanChandler\LaravelCloudflareTurnstile\Contracts\ClientInterface;
 use Sokil\IsoCodes\IsoCodesFactory;
 use Validators\CustomValidator;
 use App\Http\Utils\Log\LaravelMailerHandler;
@@ -142,6 +144,9 @@ public function boot()
      */
     public function register()
     {
-        //
+        // Override vendor Client v3.0.3 whose siteverify() has inverted logic.
+        $this->app->scoped(ClientInterface::class, function ($app) {
+            return new TurnstileClient($app['config']->get('services.turnstile.secret'));
+        });
     }
 }
diff --git a/app/Services/TurnstileClient.php b/app/Services/TurnstileClient.php
@@ -0,0 +1,53 @@
+<?php namespace App\Services;
+/**
+ * Copyright 2026 OpenStack Foundation
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+
+use Illuminate\Support\Facades\Http;
+use RyanChandler\LaravelCloudflareTurnstile\Contracts\ClientInterface;
+use RyanChandler\LaravelCloudflareTurnstile\Responses\SiteverifyResponse;
+
+/**
+ * Replaces the vendor Client (v3.0.3) whose siteverify() has inverted
+ * success/failure logic: it returns success() on HTTP non-2xx and failure()
+ * on HTTP 2xx, causing a TypeError when Cloudflare returns {success:true}.
+ */
+final class TurnstileClient implements ClientInterface
+{
+    public function __construct(private string $secret) {}
+
+    public function siteverify(string $token): SiteverifyResponse
+    {
+        $response = Http::retry(3, 100)
+            ->asForm()
+            ->acceptJson()
+            ->post('https://challenges.cloudflare.com/turnstile/v0/siteverify', [
+                'secret'   => $this->secret,
+                'response' => $token,
+            ]);
+
+        if (! $response->ok()) {
+            return SiteverifyResponse::failure(['http-error']);
+        }
+
+        if ($response->json('success') === true) {
+            return SiteverifyResponse::success();
+        }
+
+        return SiteverifyResponse::failure($response->json('error-codes') ?? []);
+    }
+
+    public function dummy(): string
+    {
+        return self::RESPONSE_DUMMY_TOKEN;
+    }
+}
diff --git a/resources/js/email_verification/email_verification.js b/resources/js/email_verification/email_verification.js
@@ -127,6 +127,8 @@ const EmailVerificationPage = ({
                     siteKey={captchaPublicKey}
                     options={{ responseFieldName: "cf-turnstile-response" }}
                     onSuccess={onChangeCaptchaProvider}
+                    onExpire={() => { captcha.current?.reset(); }}
+                    onError={() => setCaptchaConfirmation('The security check encountered an error. Please refresh the page and try again.')}
                   />
                   {captchaConfirmation && (
                     <div className={styles.error_label}>
diff --git a/resources/js/forgot_password/forgot_password.js b/resources/js/forgot_password/forgot_password.js
@@ -143,6 +143,8 @@ const ForgotPasswordPage = ({
                     siteKey={captchaPublicKey}
                     options={{ responseFieldName: "cf-turnstile-response" }}
                     onSuccess={onChangeCaptchaProvider}
+                    onExpire={() => { captcha.current?.reset(); }}
+                    onError={() => setCaptchaConfirmation('The security check encountered an error. Please refresh the page and try again.')}
                   />
                   {captchaConfirmation && (
                     <div className={styles.error_label}>
diff --git a/resources/js/login/login.js b/resources/js/login/login.js
@@ -85,6 +85,8 @@ const PasswordInputForm = ({
                                shouldShowCaptcha,
                                captchaPublicKey,
                                onChangeCaptchaProvider,
+                               onExpireCaptchaProvider,
+                               onErrorCaptchaProvider,
                                handleEmitOtpAction,
                                forgotPasswordAction,
                                loginAttempts,
@@ -183,12 +185,15 @@ const PasswordInputForm = ({
             <input type="hidden" value={userNameValue} id="username" name="username"/>
             <input type="hidden" value={csrfToken} id="_token" name="_token"/>
             <input type="hidden" value="password" id="flow" name="flow"/>
+            <input type="hidden" value={loginAttempts} id="login_attempts" name="login_attempts"/>
             {shouldShowCaptcha() && captchaPublicKey &&
                 <Turnstile
                     className={styles.turnstile}
                     siteKey={captchaPublicKey}
                     options={{ responseFieldName: "cf-turnstile-response" }}
                     onSuccess={onChangeCaptchaProvider}
+                    onExpire={onExpireCaptchaProvider}
+                    onError={onErrorCaptchaProvider}
                 />
             }
             <ExistingAccountActions
@@ -214,6 +219,8 @@ const OTPInputForm = ({
                           shouldShowCaptcha,
                           captchaPublicKey,
                           onChangeCaptchaProvider,
+                          onExpireCaptchaProvider,
+                          onErrorCaptchaProvider,
                           onReset,
                           loginAttempts
                       }) => {
@@ -264,12 +271,15 @@ const OTPInputForm = ({
                 <input type="hidden" value="otp" id="flow" name="flow"/>
                 <input type="hidden" value={otpCode} id="password" name="password"/>
                 <input type="hidden" value="email" id="connection" name="connection"/>
+                <input type="hidden" value={loginAttempts} id="login_attempts" name="login_attempts"/>
                 {shouldShowCaptcha() && captchaPublicKey &&
                     <Turnstile
                         className={styles.turnstile}
                         siteKey={captchaPublicKey}
                         options={{ responseFieldName: "cf-turnstile-response" }}
                         onSuccess={onChangeCaptchaProvider}
+                        onExpire={onExpireCaptchaProvider}
+                        onError={onErrorCaptchaProvider}
                     />
                 }
             </form>
@@ -474,6 +484,8 @@ class LoginPage extends React.Component {
         this.handleDelete = this.handleDelete.bind(this);
         this.onAuthenticate = this.onAuthenticate.bind(this);
         this.onChangeCaptchaProvider = this.onChangeCaptchaProvider.bind(this);
+        this.onExpireCaptchaProvider = this.onExpireCaptchaProvider.bind(this);
+        this.onErrorCaptchaProvider = this.onErrorCaptchaProvider.bind(this);
         this.onUserPasswordChange = this.onUserPasswordChange.bind(this);
         this.onOTPCodeChange = this.onOTPCodeChange.bind(this);
         this.shouldShowCaptcha = this.shouldShowCaptcha.bind(this);
@@ -562,6 +574,14 @@ class LoginPage extends React.Component {
         this.setState({ ...this.state, captcha_value: value });
     }
 
+    onExpireCaptchaProvider() {
+        this.setState({ ...this.state, captcha_value: '' });
+    }
+
+    onErrorCaptchaProvider() {
+        this.setState({ ...this.state, captcha_value: '' });
+    }
+
     onHandleUserNameChange(ev) {
         let { value, id } = ev.target;
         this.setState({ ...this.state, user_name: value });
@@ -833,6 +853,8 @@ class LoginPage extends React.Component {
                                     shouldShowCaptcha={this.shouldShowCaptcha}
                                     captchaPublicKey={this.props.captchaPublicKey}
                                     onChangeCaptchaProvider={this.onChangeCaptchaProvider}
+                                    onExpireCaptchaProvider={this.onExpireCaptchaProvider}
+                                    onErrorCaptchaProvider={this.onErrorCaptchaProvider}
                                     handleEmitOtpAction={this.handleEmitOtpAction}
                                     forgotPasswordAction={this.props.forgotPasswordAction}
                                     loginAttempts={this.props?.loginAttempts}
@@ -870,6 +892,8 @@ class LoginPage extends React.Component {
                                     shouldShowCaptcha={this.shouldShowCaptcha}
                                     captchaPublicKey={this.props.captchaPublicKey}
                                     onChangeCaptchaProvider={this.onChangeCaptchaProvider}
+                                    onExpireCaptchaProvider={this.onExpireCaptchaProvider}
+                                    onErrorCaptchaProvider={this.onErrorCaptchaProvider}
                                     onReset={this.handleDelete}
                                     loginAttempts={this.props?.loginAttempts}
                                 />
diff --git a/resources/js/reset_password/reset_password.js b/resources/js/reset_password/reset_password.js
@@ -178,6 +178,8 @@ const ResetPasswordPage = ({
                     siteKey={captchaPublicKey}
                     options={{ responseFieldName: "cf-turnstile-response" }}
                     onSuccess={onChangeCaptchaProvider}
+                    onExpire={() => { captcha.current?.reset(); }}
+                    onError={() => setCaptchaConfirmation('The security check encountered an error. Please refresh the page and try again.')}
                   />
                   {captchaConfirmation && (
                       <div className={styles.error_label}>
diff --git a/resources/js/set_password/set_password.js b/resources/js/set_password/set_password.js
@@ -287,6 +287,8 @@ const SetPasswordPage = ({
                     siteKey={captchaPublicKey}
                     options={{ responseFieldName: "cf-turnstile-response" }}
                     onSuccess={onChangeCaptchaProvider}
+                    onExpire={() => { captcha.current?.reset(); }}
+                    onError={() => setCaptchaConfirmation('The security check encountered an error. Please refresh the page and try again.')}
                   />
                   {captchaConfirmation && (
                     <div className={styles.error_label}>
diff --git a/resources/js/signup/signup.js b/resources/js/signup/signup.js
@@ -281,6 +281,8 @@ const SignUpPage = ({
                     siteKey={captchaPublicKey}
                     options={{ responseFieldName: "cf-turnstile-response" }}
                     onSuccess={onChangeCaptchaProvider}
+                    onExpire={() => { captcha.current?.reset(); }}
+                    onError={() => setCaptchaConfirmation('The security check encountered an error. Please refresh the page and try again.')}
                   />
                   {captchaConfirmation && (
                     <div className={styles.error_label}>
diff --git a/resources/views/auth/email_verification_success.blade.php b/resources/views/auth/email_verification_success.blade.php
@@ -3,7 +3,6 @@
     <title>Welcome to {{ Config::get("app.app_name") }} - Email Verification Complete !!!</title>
 @append
 @section('scripts')
-    {!! script_to('assets/js/auth/email-verification-complete.js') !!}
     <script type="application/javascript">
     </script>
 @append
diff --git a/tests/TurnstileProtectedControllersTest.php b/tests/TurnstileProtectedControllersTest.php
@@ -0,0 +1,140 @@
+<?php namespace Tests;
+/**
+ * Copyright 2026 OpenStack Foundation
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+
+use Illuminate\Support\Facades\Session;
+
+/**
+ * Class TurnstileProtectedControllersTest
+ *
+ * Smoke tests verifying that cf-turnstile-response is always required on the
+ * five auth endpoints that gate every submission behind Turnstile (unlike
+ * UserController::postLogin, which only activates the rule above a threshold).
+ */
+final class TurnstileProtectedControllersTest extends BrowserKitTestCase
+{
+    protected function prepareForTests(): void
+    {
+        parent::prepareForTests();
+        Session::start();
+    }
+
+    private function sessionHasValidationError(string $field): bool
+    {
+        $errors = $this->app['session']->driver()->get('errors');
+        return $errors !== null && $errors->has($field);
+    }
+
+    private function postWithSession(string $url, array $data = []): void
+    {
+        $this->call('GET', $url);
+        $this->call('POST', $url, array_merge(['_token' => Session::token()], $data));
+    }
+
+    // -------------------------------------------------------------------------
+    // RegisterController
+    // -------------------------------------------------------------------------
+
+    public function testRegisterRequiresTurnstileToken(): void
+    {
+        $this->postWithSession('/auth/register', [
+            'first_name'      => 'Test',
+            'last_name'       => 'User',
+            'email'           => 'turnstile-test@example.com',
+            'country_iso_code'=> 'US',
+            'password'        => 'Abcd1234!',
+            'password_confirmation' => 'Abcd1234!',
+            // cf-turnstile-response intentionally omitted
+        ]);
+
+        $this->assertTrue(
+            $this->sessionHasValidationError('cf-turnstile-response'),
+            'RegisterController must require cf-turnstile-response'
+        );
+    }
+
+    // -------------------------------------------------------------------------
+    // ForgotPasswordController
+    // -------------------------------------------------------------------------
+
+    public function testForgotPasswordRequiresTurnstileToken(): void
+    {
+        $this->postWithSession('/auth/password/email', [
+            'email' => 'anyone@example.com',
+            // cf-turnstile-response intentionally omitted
+        ]);
+
+        $this->assertTrue(
+            $this->sessionHasValidationError('cf-turnstile-response'),
+            'ForgotPasswordController must require cf-turnstile-response'
+        );
+    }
+
+    // -------------------------------------------------------------------------
+    // ResetPasswordController
+    // -------------------------------------------------------------------------
+
+    public function testResetPasswordRequiresTurnstileToken(): void
+    {
+        $this->postWithSession('/auth/password/reset', [
+            'token'                 => 'any-reset-token',
+            'password'              => 'Abcd1234!',
+            'password_confirmation' => 'Abcd1234!',
+            // cf-turnstile-response intentionally omitted
+        ]);
+
+        $this->assertTrue(
+            $this->sessionHasValidationError('cf-turnstile-response'),
+            'ResetPasswordController must require cf-turnstile-response'
+        );
+    }
+
+    // -------------------------------------------------------------------------
+    // PasswordSetController
+    // -------------------------------------------------------------------------
+
+    public function testPasswordSetRequiresTurnstileToken(): void
+    {
+        $this->postWithSession('/auth/password/set', [
+            'token'                 => 'any-set-token',
+            'first_name'            => 'Test',
+            'last_name'             => 'User',
+            'country_iso_code'      => 'US',
+            'password'              => 'Abcd1234!',
+            'password_confirmation' => 'Abcd1234!',
+            // cf-turnstile-response intentionally omitted
+        ]);
+
+        $this->assertTrue(
+            $this->sessionHasValidationError('cf-turnstile-response'),
+            'PasswordSetController must require cf-turnstile-response'
+        );
+    }
+
+    // -------------------------------------------------------------------------
+    // EmailVerificationController
+    // -------------------------------------------------------------------------
+
+    public function testEmailVerificationResendRequiresTurnstileToken(): void
+    {
+        $this->postWithSession('/auth/verification', [
+            'email' => 'anyone@example.com',
+            // cf-turnstile-response intentionally omitted
+        ]);
+
+        $this->assertTrue(
+            $this->sessionHasValidationError('cf-turnstile-response'),
+            'EmailVerificationController must require cf-turnstile-response'
+        );
+    }
+}
diff --git a/tests/UserLoginTurnstileTest.php b/tests/UserLoginTurnstileTest.php
diff --git a/webpack.common.js b/webpack.common.js
