feat(captcha): add Cloudflare Turnstile verification for protected endpoints #2892
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…dpoints - Add CaptchaModule with Turnstile token verification service - Add CaptchaGuard to protect sensitive endpoints (e.g., owners controller) - Add Turnstile configuration (secret key) to application config - Update .env.sample with Turnstile environment variables
PooyaRaki
reviewed
Feb 2, 2026
| throw new UnauthorizedException('CAPTCHA token is required'); | ||
| } | ||
|
|
||
| const remoteip = |
Contributor
There was a problem hiding this comment.
Nit(recommendation): We could extract this to a separate helper for reusability as we are fetching the client IP in different places.
| } from '@/datasources/network/network.service.interface'; | ||
| import { ILoggingService, LoggingService } from '@/logging/logging.interface'; | ||
|
|
||
| interface TurnstileVerifyResponse { |
Contributor
There was a problem hiding this comment.
We should extract it to a separate interface/entity file.
| }); | ||
|
|
||
| // response.data is Raw<TurnstileVerifyResponse>, cast to actual type | ||
| const verifyResponse = |
Contributor
There was a problem hiding this comment.
We usually validate the responses coming from the networkService using our validator i.e. Zod which also gives you the actual type. e.g.:
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Adds Cloudflare Turnstile CAPTCHA verification to protect sensitive API endpoints from bot abuse.
CaptchaModulewithCaptchaServicefor server-side token verification via Turnstile APICaptchaGuardthat validatesX-Captcha-Tokenheader on protected routesGET /v2/owners/:ownerAddress/safes)Changes
src/routes/captcha/captcha.module.tssrc/routes/captcha/captcha.service.tssrc/routes/captcha/guards/captcha.guard.tssrc/modules/owners/routes/owners.controller.v2.tssrc/modules/owners/owners.module.tssrc/config/entities/configuration.ts.env.sampleConfiguration
CAPTCHA_ENABLEDfalseCAPTCHA_SECRET_KEYHow it works
X-Captcha-Tokenheader with Turnstile tokenCaptchaGuardintercepts the request and validates the tokenTest plan
CAPTCHA_ENABLED=false) - requests should pass without token