feat(turnstile): integrate Cloudflare Turnstile for enhanced security in login and registration processes

2026-06-02 06:00:40 +08:00 · 2025-10-22 23:31:48 +08:00
parent 1ffe920d47
commit e431c1fe5b
22 changed files with 480 additions and 56 deletions
--- a/app/api/config/route.ts
+++ b/app/api/config/route.ts
@@ -7,18 +7,36 @@ export const runtime = "edge"

 export async function GET() {
  const env = getRequestContext().env
-  const [defaultRole, emailDomains, adminContact, maxEmails] = await Promise.all([
+  const canManageConfig = await checkPermission(PERMISSIONS.MANAGE_CONFIG)
+
+  const [
+    defaultRole,
+    emailDomains,
+    adminContact,
+    maxEmails,
+    turnstileEnabled,
+    turnstileSiteKey,
+    turnstileSecretKey
+  ] = await Promise.all([
    env.SITE_CONFIG.get("DEFAULT_ROLE"),
    env.SITE_CONFIG.get("EMAIL_DOMAINS"),
    env.SITE_CONFIG.get("ADMIN_CONTACT"),
-    env.SITE_CONFIG.get("MAX_EMAILS")
+    env.SITE_CONFIG.get("MAX_EMAILS"),
+    env.SITE_CONFIG.get("TURNSTILE_ENABLED"),
+    env.SITE_CONFIG.get("TURNSTILE_SITE_KEY"),
+    env.SITE_CONFIG.get("TURNSTILE_SECRET_KEY")
  ])

  return Response.json({
    defaultRole: defaultRole || ROLES.CIVILIAN,
    emailDomains: emailDomains || "moemail.app",
    adminContact: adminContact || "",
-    maxEmails: maxEmails || EMAIL_CONFIG.MAX_ACTIVE_EMAILS.toString()
+    maxEmails: maxEmails || EMAIL_CONFIG.MAX_ACTIVE_EMAILS.toString(),
+    turnstile: {
+      enabled: turnstileEnabled === "true",
+      siteKey: turnstileSiteKey || "",
+      ...(canManageConfig ? { secretKey: turnstileSecretKey || "" } : {})
+    }
  })
 }

@@ -31,24 +49,48 @@ export async function POST(request: Request) {
    }, { status: 403 })
  }

-  const { defaultRole, emailDomains, adminContact, maxEmails } = await request.json() as { 
+  const {
+    defaultRole,
+    emailDomains,
+    adminContact,
+    maxEmails,
+    turnstile
+  } = await request.json() as { 
    defaultRole: Exclude<Role, typeof ROLES.EMPEROR>,
    emailDomains: string,
    adminContact: string,
-    maxEmails: string
+    maxEmails: string,
+    turnstile?: {
+      enabled: boolean,
+      siteKey: string,
+      secretKey: string
+    }
  }
  
  if (![ROLES.DUKE, ROLES.KNIGHT, ROLES.CIVILIAN].includes(defaultRole)) {
    return Response.json({ error: "无效的角色" }, { status: 400 })
  }

+  const turnstileConfig = turnstile ?? {
+    enabled: false,
+    siteKey: "",
+    secretKey: ""
+  }
+
+  if (turnstileConfig.enabled && (!turnstileConfig.siteKey || !turnstileConfig.secretKey)) {
+    return Response.json({ error: "Turnstile 启用时需要提供 Site Key 和 Secret Key" }, { status: 400 })
+  }
+
  const env = getRequestContext().env
  await Promise.all([
    env.SITE_CONFIG.put("DEFAULT_ROLE", defaultRole),
    env.SITE_CONFIG.put("EMAIL_DOMAINS", emailDomains),
    env.SITE_CONFIG.put("ADMIN_CONTACT", adminContact),
-    env.SITE_CONFIG.put("MAX_EMAILS", maxEmails)
+    env.SITE_CONFIG.put("MAX_EMAILS", maxEmails),
+    env.SITE_CONFIG.put("TURNSTILE_ENABLED", turnstileConfig.enabled.toString()),
+    env.SITE_CONFIG.put("TURNSTILE_SITE_KEY", turnstileConfig.siteKey),
+    env.SITE_CONFIG.put("TURNSTILE_SECRET_KEY", turnstileConfig.secretKey)
  ])

  return Response.json({ success: true })
-} 
+}