Description
We need to integrate Cloudflare Turnstile (a CAPTCHA alternative) on key pages where non-authenticated users submit information (e.g., login, registration, and password reset) to enhance security and prevent spam.
Tasks
- Set Up Environment Variables
  - Ensure the following environment variables are set:

    ```
    CLOUDFLARE_TURNSTYLE_SITE_KEY=SiteKey
    CLOUDFLARE_TURNSTYLE_SECRET_KEY=SecretKey
    ```
- Update Templates
  - Add the Cloudflare Turnstile widget to the login, registration, and password reset templates.

    ```html
    <div class="cf-turnstile" data-sitekey="{{ site_key }}"></div>
    <script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
    ```
- Verify Turnstile in Routes
  - Implement server-side verification of Turnstile in the corresponding form handling routes.

    ```python
    import os

    import requests
    from flask import request, flash, render_template


    def verify_turnstile(response_token):
        """Validate a Turnstile token against Cloudflare's siteverify endpoint."""
        secret_key = os.getenv('CLOUDFLARE_TURNSTYLE_SECRET_KEY')
        data = {
            'secret': secret_key,
            'response': response_token
        }
        verify_url = "https://challenges.cloudflare.com/turnstile/v0/siteverify"
        try:
            # Bound the call so a slow verification endpoint cannot hang the request.
            response = requests.post(verify_url, data=data, timeout=5)
            return response.json().get('success', False)
        except (requests.RequestException, ValueError):
            # Network error or non-JSON reply: treat the token as unverified.
            return False


    # auth_bp and form come from the existing auth blueprint code.
    @auth_bp.route('/login', methods=['GET', 'POST'])
    def login():
        # Existing code...
        if form.validate_on_submit():
            turnstile_response = request.form.get('cf-turnstile-response')
            if not verify_turnstile(turnstile_response):
                flash('Invalid CAPTCHA. Please try again.', 'danger')
                return render_template('auth/login.html', form=form)
            # Continue with login logic...
    ```
- Test Integration
  - Verify the Turnstile integration to ensure it prevents spam submissions and does not obstruct valid users.
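
A stricter variant of the server-side verification task, added here as an example and not taken from the issue or the project's code: it fails closed on every error path, forwards the client IP, surfaces Cloudflare's `error-codes`, and checks the `hostname` returned by siteverify. The names `check_turnstile`, `expected_hostname` and the injectable `post` transport are assumptions made so the logic can be exercised without network access.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify"
MAX_TOKEN_LEN = 2048  # Cloudflare documents this as the maximum token length


def _post_form(url, fields, timeout=5):
    """Default transport: POST form fields and return the decoded JSON body."""
    body = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=body, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def check_turnstile(token, secret, remote_ip=None, expected_hostname=None,
                    post=_post_form):
    """Return (ok, reason); every error path fails closed."""
    if not secret:
        return False, "secret-not-configured"
    if not token or len(token) > MAX_TOKEN_LEN:
        return False, "missing-or-oversized-token"  # rejected before any network call
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    try:
        result = post(SITEVERIFY_URL, fields)
    except (OSError, ValueError):  # network failure, timeout, or malformed JSON
        return False, "verification-unavailable"
    if not isinstance(result, dict):
        return False, "verification-unavailable"
    if result.get("success") is not True:
        codes = result.get("error-codes") or []
        return False, ",".join(str(c) for c in codes) or "rejected"
    # Check the token was issued for the hostname this form is served from.
    if expected_hostname and result.get("hostname") != expected_hostname:
        return False, "hostname-mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed siteverify replies, served by a fake transport (no network).
    replies = [
        {"success": True, "hostname": "app.example"},
        {"success": False, "error-codes": ["timeout-or-duplicate"]},
    ]
    for reply in replies:
        print(check_turnstile("constructed-token", "constructed-secret",
                              expected_hostname="app.example",
                              post=lambda url, fields, r=reply: r))
```

The same fake-transport pattern covers the Test Integration task: replayed tokens (`timeout-or-duplicate`), missing tokens and verification outages can each be asserted to block the form without calling Cloudflare.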