feat(auth/v1.0): add option to only use cf turnstile on certain hosts…

… only

.config/config-schema.json

@@ -7,7 +7,7 @@
 			"properties": {
 				"credentials": {
 					"additionalProperties": false,
-					"description": "Credentials configuration. Leave `undefined` to disable user/password signups.",
+					"description": "Credentials configuration. Leave `undefined` to disable user/password signups, or as `{}` to enable.",
 					"properties": {
 						"signups": {
 							"default": false,
@@ -54,18 +54,8 @@
 					"type": "string"
 				},
 				"turnstile": {
-					"additionalProperties": false,
-					"description": "Cloudflare turnstile configuration. Leave `undefined` to disable turnstile.",
-					"properties": {
-						"secret": {
-							"type": "string"
-						},
-						"siteKey": {
-							"type": "string"
-						}
-					},
-					"required": ["secret", "siteKey"],
-					"type": "object"
+					"$ref": "#/definitions/TurnstileConfig",
+					"description": "Cloudflare turnstile configuration. Leave `undefined` to disable turnstile."
 				}
 			},
 			"required": ["secret"],
@@ -135,6 +125,25 @@
 				}
 			},
 			"type": "object"
+		},
+		"TurnstileConfig": {
+			"additionalProperties": false,
+			"properties": {
+				"hosts": {
+					"items": {
+						"type": "string"
+					},
+					"type": "array"
+				},
+				"secret": {
+					"type": "string"
+				},
+				"siteKey": {
+					"type": "string"
+				}
+			},
+			"required": ["secret", "siteKey"],
+			"type": "object"
 		}
 	}
 }

package.json

@@ -53,8 +53,8 @@
 		"next-themes": "^0.3.0",
 		"node-loader": "^2.0.0",
 		"postgres": "^3.4.4",
-		"react": "19.0.0-rc-163365a0-20240717",
-		"react-dom": "19.0.0-rc-163365a0-20240717",
+		"react": "19.0.0-rc-f6cce072-20240723",
+		"react-dom": "19.0.0-rc-f6cce072-20240723",
 		"server-only": "^0.0.1",
 		"sharp": "^0.33.3",
 		"sonner": "^1.4.41",

src/actions/image.ts

@@ -42,7 +42,7 @@ export async function addImage(data: FormData) {
 			await pullImage(fields.dockerImage);
 		} else {
 			await pullImage(fields.dockerImage);
-			await deleteImage(oldImg[0].Id);
+			await deleteImage(oldImg[0].Id, false);
 		}
 	}
 	await db
@@ -59,14 +59,14 @@ export async function addImage(data: FormData) {
 	redirect("/admin/images");
 }
 
-export async function deleteImage(dockerImage: string) {
+export async function deleteImage(dockerImage: string, dbDelete = true) {
 	await Promise.all(
 		(await db.select().from(session).where(eq(session.dockerImage, dockerImage))).map((s) => deleteSession(s.id, true)),
 	);
 	await docker
 		.getImage(dockerImage)
 		.remove()
 		.catch(() => {});
-	await db.delete(image).where(eq(image.dockerImage, dockerImage));
+	if (dbDelete) await db.delete(image).where(eq(image.dockerImage, dockerImage));
 	revalidatePath("/admin/images");
 }

src/components/turnstile.tsx

@@ -1,4 +1,15 @@
+import { getConfig } from "@/lib/config";
 import { Turnstile as BaseTurnstile } from "@marsidev/react-turnstile";
+import { headers } from "next/headers";
 export default function Turnstile() {
-	return process.env.TURNSTILE_SITEKEY ? <BaseTurnstile siteKey={process.env.TURNSTILE_SITEKEY} /> : null;
+	const config = getConfig();
+	const host = headers().get("x-forwarded-host") || headers().get("host");
+	const TurnstileComponent = (props: { siteKey: string }) => <BaseTurnstile {...props} />;
+	if (
+		config?.auth.turnstile?.siteKey &&
+		(!config.auth.turnstile.hosts || config.auth.turnstile.hosts.includes(host as string))
+	) {
+		return <TurnstileComponent siteKey={config.auth.turnstile.siteKey} />;
+	}
+	return null;
 }

src/lib/turnstile.ts

@@ -1,8 +1,14 @@
+import { headers } from "next/headers";
 import { getConfig } from "./config";
 
 export default async function turnstileCheck(data: FormData) {
 	const config = getConfig();
 	if (!config.auth.turnstile) return true;
+	if (
+		config.auth.turnstile.hosts &&
+		!config.auth.turnstile.hosts?.includes(headers().get("x-forwarded-host") || headers().get("host") || "")
+	)
+		return true;
 	const key = data.get("cf-turnstile-response")?.toString();
 	const result = await fetch("https://challenges.cloudflare.com/turnstile/v0/siteverify", {
 		body: JSON.stringify({

src/types/config.d.ts

@@ -45,12 +45,9 @@ export interface AuthConfig {
 	/**
 	 * Cloudflare turnstile configuration. Leave `undefined` to disable turnstile.
 	 **/
-	turnstile?: {
-		secret: string;
-		siteKey: string;
-	};
+	turnstile?: TurnstileConfig;
 	/**
-	 * Credentials configuration. Leave `undefined` to disable user/password signups.
+	 * Credentials configuration. Leave `undefined` to disable user/password signups, or as `{}` to enable.
 	 **/
 	credentials?: {
 		/**
@@ -95,3 +92,18 @@ export interface SessionConfig {
 	 */
 	keepaliveDuration?: number;
 }
+
+export interface TurnstileConfig {
+	/*
+	 * The Turnstile secret key, used by the backend
+	 */
+	secret: string;
+	/*
+	 * The Turnstile site key, used by the frontend
+	 */
+	siteKey: string;
+	/*
+	 * The hosts to enable Turnstile on
+	 */
+	hosts?: string[];
+}