Use cloudflare turnstile.

2025-09-27 12:17:24 +00:00 · 2025-05-15 15:01:39 +08:00
parent 578aab36c3
commit f4e82092eb
11 changed files with 134 additions and 23 deletions
--- a/frontend/package-lock.json
+++ b/frontend/package-lock.json
@@ -8,6 +8,7 @@
      "name": "frontend",
      "version": "0.0.0",
      "dependencies": {
+        "@marsidev/react-turnstile": "^1.1.0",
        "@tailwindcss/vite": "^4.1.5",
        "axios": "^1.9.0",
        "i18next": "^25.1.1",
@@ -1038,6 +1039,16 @@
        "@jridgewell/sourcemap-codec": "^1.4.14"
      }
    },
+    "node_modules/@marsidev/react-turnstile": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/@marsidev/react-turnstile/-/react-turnstile-1.1.0.tgz",
+      "integrity": "sha512-X7bP9ZYutDd+E+klPYF+/BJHqEyyVkN4KKmZcNRr84zs3DcMoftlMAuoKqNSnqg0HE7NQ1844+TLFSJoztCdSA==",
+      "license": "MIT",
+      "peerDependencies": {
+        "react": "^17.0.2 || ^18.0.0 || ^19.0",
+        "react-dom": "^17.0.2 || ^18.0.0 || ^19.0"
+      }
+    },
    "node_modules/@modelcontextprotocol/sdk": {
      "version": "1.11.0",
      "resolved": "https://registry.npmjs.org/@modelcontextprotocol/sdk/-/sdk-1.11.0.tgz",
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -10,6 +10,7 @@
    "preview": "vite preview"
  },
  "dependencies": {
+    "@marsidev/react-turnstile": "^1.1.0",
    "@tailwindcss/vite": "^4.1.5",
    "axios": "^1.9.0",
    "i18next": "^25.1.1",
--- a/frontend/src/network/network.ts
+++ b/frontend/src/network/network.ts
@@ -74,11 +74,12 @@ class Network {
    }
  }

-  async register(username: string, password: string): Promise<Response<UserWithToken>> {
+  async register(username: string, password: string, cfToken: string): Promise<Response<UserWithToken>> {
    try {
      const response = await axios.postForm(`${this.apiBaseUrl}/user/register`, {
        username,
-        password
+        password,
+        cf_token: cfToken
      })
      return response.data
    } catch (e: any) {
@@ -599,8 +600,8 @@ class Network {
    }
  }

-  getFileDownloadLink(fileId: string): string {
-    return `${this.apiBaseUrl}/files/download/${fileId}`;
+  getFileDownloadLink(fileId: string, cfToken: string): string {
+    return `${this.apiBaseUrl}/files/download/${fileId}?cf_token=${cfToken}`;
  }

  async createComment(resourceID: number, content: string): Promise<Response<any>> {
--- a/frontend/src/pages/register_page.tsx
+++ b/frontend/src/pages/register_page.tsx
@@ -3,6 +3,7 @@ import {network} from "../network/network.ts";
 import {app} from "../app.ts";
 import {useNavigate} from "react-router";
 import {useTranslation} from "react-i18next";
+import {Turnstile} from "@marsidev/react-turnstile";

 export default function RegisterPage() {
  const {t} = useTranslation();
@@ -11,11 +12,17 @@ export default function RegisterPage() {
  const [username, setUsername] = useState("");
  const [password, setPassword] = useState("");
  const [confirmPassword, setConfirmPassword] = useState("");
+  const [cfToken, setCfToken] = useState("");

  const navigate = useNavigate();

  const onSubmit = async (e: FormEvent<HTMLFormElement>) => {
    e.preventDefault();
+    setError(null);
+    if (app.cloudflareTurnstileSiteKey && !cfToken) {
+      setError(t("Please complete the captcha"));
+      return;
+    }
    if (!username || !password) {
      setError(t("Username and password cannot be empty"));
      return;
@@ -25,7 +32,7 @@ export default function RegisterPage() {
      return;
    }
    setLoading(true);
-    const res = await network.register(username, password);
+    const res = await network.register(username, password, cfToken);
    if (res.success) {
      app.user = res.data!;
      app.token = res.data!.token;
@@ -37,9 +44,9 @@ export default function RegisterPage() {
    }
  };

-    useEffect(() => {
-      document.title = t("Register");
-    }, [])
+  useEffect(() => {
+    document.title = t("Register");
+  }, [t])

  return <div className={"flex items-center justify-center w-full h-full bg-base-200"} id={"register-page"}>
    <div className={"w-96 card card-border bg-base-100 border-base-300"}>
@@ -60,12 +67,21 @@ export default function RegisterPage() {
          </fieldset>
          <fieldset className="fieldset w-full">
            <legend className="fieldset-legend">{t("Password")}</legend>
-            <input type="password" className="input w-full" value={password} onChange={(e) => setPassword(e.target.value)}/>
+            <input type="password" className="input w-full" value={password}
+                   onChange={(e) => setPassword(e.target.value)}/>
          </fieldset>
          <fieldset className="fieldset w-full">
            <legend className="fieldset-legend">{t("Confirm Password")}</legend>
-            <input type="password" className="input w-full" value={confirmPassword} onChange={(e) => setConfirmPassword(e.target.value)}/>
+            <input type="password" className="input w-full" value={confirmPassword}
+                   onChange={(e) => setConfirmPassword(e.target.value)}/>
          </fieldset>
+          {
+            app.cloudflareTurnstileSiteKey && <Turnstile
+              siteKey={app.cloudflareTurnstileSiteKey}
+              onSuccess={setCfToken}
+              onExpire={() => setCfToken("")}
+            />
+          }
          <button className={"btn my-4 btn-primary"} type={"submit"}>
            {isLoading && <span className="loading loading-spinner"></span>}
            {t("Continue")}
--- a/frontend/src/pages/resource_details_page.tsx
+++ b/frontend/src/pages/resource_details_page.tsx
@@ -1,5 +1,5 @@
 import { useNavigate, useParams } from "react-router";
-import { createContext, useCallback, useContext, useEffect, useRef, useState } from "react";
+import {createContext, createRef, useCallback, useContext, useEffect, useRef, useState} from "react";
 import { ResourceDetails, RFile, Storage, Comment } from "../network/models.ts";
 import { network } from "../network/network.ts";
 import showToast from "../components/toast.ts";
@@ -12,6 +12,8 @@ import { uploadingManager } from "../network/uploading.ts";
 import { ErrorAlert } from "../components/alert.tsx";
 import { useTranslation } from "react-i18next";
 import Pagination from "../components/pagination.tsx";
+import showPopup, {useClosePopup} from "../components/popup.tsx";
+import {Turnstile} from "@marsidev/react-turnstile";

 export default function ResourcePage() {
  const params = useParams()
@@ -39,7 +41,7 @@ export default function ResourcePage() {

  useEffect(() => {
    document.title = t("Resource Details");
-  }, [])
+  }, [t])

  useEffect(() => {
    if (!isNaN(id)) {
@@ -155,6 +157,8 @@ function Article({ article }: { article: string }) {
 }

 function FileTile({ file }: { file: RFile }) {
+  const buttonRef = createRef<HTMLButtonElement>()
+
  return <div className={"card card-border border-base-300 my-2"}>
    <div className={"p-4 flex flex-row items-center"}>
      <div className={"grow"}>
@@ -162,9 +166,13 @@ function FileTile({ file }: { file: RFile }) {
        <p className={"text-sm"}>{file.description}</p>
      </div>
      <div>
-        <button className={"btn btn-primary btn-soft btn-square"} onClick={() => {
-          const link = network.getFileDownloadLink(file.id);
-          window.open(link, "_blank");
+        <button ref={buttonRef} className={"btn btn-primary btn-soft btn-square"} onClick={() => {
+          if (!app.cloudflareTurnstileSiteKey) {
+            const link = network.getFileDownloadLink(file.id, "");
+            window.open(link, "_blank");
+          } else {
+            showPopup(<CloudflarePopup file={file}/>, buttonRef.current!)
+          }
        }}>
          <MdOutlineDownload size={24} />
        </button>
@@ -173,6 +181,18 @@ function FileTile({ file }: { file: RFile }) {
  </div>
 }

+function CloudflarePopup({ file }: { file: RFile }) {
+  const closePopup = useClosePopup()
+
+  return <div className={"menu bg-base-100 rounded-box z-1 w-80 p-2 shadow-sm h-20"}>
+    <Turnstile siteKey={app.cloudflareTurnstileSiteKey!} onSuccess={(token) => {
+      closePopup();
+      const link = network.getFileDownloadLink(file.id, token);
+      window.open(link, "_blank");
+    }}></Turnstile>
+  </div>
+}
+
 function Files({ files, resourceID }: { files: RFile[], resourceID: number }) {
  return <div>
    {
--- a/server/api/file.go
+++ b/server/api/file.go
@@ -190,8 +190,9 @@ func deleteFile(c fiber.Ctx) error {
 }

 func downloadFile(c fiber.Ctx) error {
+	cfToken := c.Query("cf_token")
 	ip := c.IP()
-	s, filename, err := service.DownloadFile(ip, c.Params("id"))
+	s, filename, err := service.DownloadFile(ip, c.Params("id"), cfToken)
 	if err != nil {
 		return err
 	}
--- a/server/api/user.go
+++ b/server/api/user.go
@@ -13,10 +13,11 @@ import (
 func handleUserRegister(c fiber.Ctx) error {
 	username := c.FormValue("username")
 	password := c.FormValue("password")
+	cfToken := c.FormValue("cf_token")
 	if username == "" || password == "" {
 		return model.NewRequestError("Username and password are required")
 	}
-	user, err := service.CreateUser(username, password)
+	user, err := service.CreateUser(username, password, cfToken)
 	if err != nil {
 		return err
 	}
--- a/server/config/config.go
+++ b/server/config/config.go
@@ -29,8 +29,8 @@ type ServerConfig struct {
 }

 func init() {
-	filepath := filepath.Join(utils.GetStoragePath(), "config.json")
-	if _, err := os.Stat(filepath); os.IsNotExist(err) {
+	p := filepath.Join(utils.GetStoragePath(), "config.json")
+	if _, err := os.Stat(p); os.IsNotExist(err) {
 		config = &ServerConfig{
 			MaxUploadingSizeInMB:          20 * 1024, // 20GB
 			MaxFileSizeInMB:               8 * 1024,  // 8GB
@@ -42,7 +42,7 @@ func init() {
 			ServerDescription:             "Nysoure is a file sharing service.",
 		}
 	} else {
-		data, err := os.ReadFile(filepath)
+		data, err := os.ReadFile(p)
 		if err != nil {
 			panic(err)
 		}
@@ -96,3 +96,7 @@ func ServerName() string {
 func ServerDescription() string {
 	return config.ServerDescription
 }
+
+func CloudflareTurnstileSecretKey() string {
+	return config.CloudflareTurnstileSecretKey
+}
--- a/server/service/file.go
+++ b/server/service/file.go
@@ -385,7 +385,16 @@ func GetFile(fid string) (*model.FileView, error) {
 	return file.ToView(), nil
 }

-func DownloadFile(ip string, fid string) (string, string, error) {
+func DownloadFile(ip, fid, cfToken string) (string, string, error) {
+	passed, err := verifyCfToken(cfToken)
+	if err != nil {
+		log.Error("failed to verify cf token: ", err)
+		return "", "", model.NewRequestError("failed to verify cf token")
+	}
+	if !passed {
+		log.Info("cf token verification failed")
+		return "", "", model.NewRequestError("cf token verification failed")
+	}
 	downloads, _ := ipDownloads.Load(ip)
 	if downloads == nil {
 		ipDownloads.Store(ip, 1)
--- a/server/service/user.go
+++ b/server/service/user.go
@@ -3,6 +3,7 @@ package service
 import (
 	"errors"
 	"fmt"
+	"github.com/gofiber/fiber/v3/log"
 	"nysoure/server/config"
 	"nysoure/server/dao"
 	"nysoure/server/model"
@@ -18,7 +19,7 @@ const (
 	embedAvatarCount = 1
 )

-func CreateUser(username, password string) (model.UserViewWithToken, error) {
+func CreateUser(username, password, cfToken string) (model.UserViewWithToken, error) {
 	if !config.AllowRegister() {
 		return model.UserViewWithToken{}, model.NewRequestError("User registration is not allowed")
 	}
@@ -28,6 +29,14 @@ func CreateUser(username, password string) (model.UserViewWithToken, error) {
 	if len(password) < 6 || len(password) > 20 {
 		return model.UserViewWithToken{}, model.NewRequestError("Password must be between 6 and 20 characters")
 	}
+	passed, err := verifyCfToken(cfToken)
+	if err != nil {
+		log.Error("Error verifying Cloudflare token:", err)
+		return model.UserViewWithToken{}, model.NewInternalServerError("Failed to verify Cloudflare token")
+	}
+	if !passed {
+		return model.UserViewWithToken{}, model.NewRequestError("invalid Cloudflare token")
+	}
 	hashedPassword, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
 	if err != nil {
 		return model.UserViewWithToken{}, err
--- a/server/service/utils.go
+++ b/server/service/utils.go
@@ -1,6 +1,12 @@
 package service

-import "nysoure/server/dao"
+import (
+	"bytes"
+	"encoding/json"
+	"net/http"
+	"nysoure/server/config"
+	"nysoure/server/dao"
+)

 func checkUserCanUpload(uid uint) (bool, error) {
 	user, err := dao.GetUserByID(uid)
@@ -17,3 +23,35 @@ func CheckUserIsAdmin(uid uint) (bool, error) {
 	}
 	return user.IsAdmin, nil
 }
+
+func verifyCfToken(cfToken string) (bool, error) {
+	if config.CloudflareTurnstileSecretKey() == "" {
+		return true, nil
+	}
+	client := &http.Client{}
+	data, _ := json.Marshal(map[string]string{
+		"secret":   config.CloudflareTurnstileSecretKey(),
+		"response": cfToken,
+	})
+	reader := bytes.NewReader(data)
+	resp, err := client.Post("https://challenges.cloudflare.com/turnstile/v0/siteverify", "application/json", reader)
+	if err != nil {
+		return false, err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return false, nil
+	}
+	var result map[string]interface{}
+	if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
+		return false, err
+	}
+	if result["success"] == nil {
+		return false, nil
+	}
+	if result["success"].(bool) {
+		return true, nil
+	} else {
+		return false, nil
+	}
+}