.

.github/workflows/build_docker.yml

@@ -57,6 +57,7 @@ jobs:
         touch .env
         echo VITE_GITHUB_SHA=${GITHUB_SHA} >> .env
         echo VITE_GOOGLE_MAPS_API_KEY="${{ secrets.GOOGLE_MAPS_API_KEY_DEV }}" >> .env
+        echo VITE_CLOUDFLARE_TURNSTILE_SITE_KEY="${{ secrets.CLOUDFLARE_TURNSTILE_SITE_KEY_DEV }}" >> .env
         cat .env
 
     - name: Include git Google Maps Key for Frontend Production release
@@ -65,6 +66,7 @@ jobs:
       run: |
         touch .env
         echo VITE_GOOGLE_MAPS_API_KEY="${{ secrets.GOOGLE_MAPS_API_KEY_PROD }}" >> .env
+        echo VITE_CLOUDFLARE_TURNSTILE_SITE_KEY="${{ secrets.CLOUDFLARE_TURNSTILE_SITE_KEY_PROD }}" >> .env
         cat .env
 
     - name: Build Frontend Dist

canarytokens/models.py

@@ -779,6 +779,7 @@ class WindowsDirectoryTokenRequest(TokenRequest):
 
 class CreditCardV2TokenRequest(TokenRequest):
     token_type: Literal[TokenTypes.CREDIT_CARD_V2] = TokenTypes.CREDIT_CARD_V2
+    cf_turnstile_response: Optional[str]
 
 
 AnyTokenRequest = Annotated[

canarytokens/settings.py

@@ -127,6 +127,7 @@ class FrontendSettings(BaseSettings):
     CREDIT_CARD_INFRA_ACCOUNT_ID: Optional[str]
     CREDIT_CARD_INFRA_REGION: Optional[str]
     CREDIT_CARD_INFRA_ACCESS_ROLE: Optional[str]
+    CLOUDFLARE_TURNSTILE_SECRET: Optional[str]
 
     class Config:
         allow_mutation = False

frontend/app.py

@@ -738,6 +738,23 @@ async def api_generate(  # noqa: C901  # gen is large
                 6,
                 "Blocked email supplied. Please see our Acceptable Use Policy at https://canarytokens.org/legal",
             )
+
+    if token_request_details.token_type == TokenTypes.CREDIT_CARD_V2:
+        token = token_request_details.cf_turnstile_response
+        if token is None:
+            return JSONResponse({"message": "failure"}, status_code=401)
+
+        data = {
+            "secret": frontend_settings.CLOUDFLARE_TURNSTILE_SECRET,
+            "response": token,
+        }
+        result = requests.post(
+            "https://challenges.cloudflare.com/turnstile/v0/siteverify", data=data
+        ).json()
+
+        if not result.get("success", False):
+            return JSONResponse({"message": "failure"}, status_code=401)
+
     # TODO: refactor this. KUBECONFIG token creates it's own token
     # value and cannot follow same path as before.
     if token_request_details.token_type == TokenTypes.KUBECONFIG:

frontend_vue/src/components/tokens/credit_card_v2/GenerateTokenForm.vue

@@ -1,14 +1,18 @@
 <template>
 	<GenerateTokenSettingsNotifications
 		memo-helper-example="Credit Card placed in payment card database" />
-	<vue-turnstile site-key="0x4AAAAAAAyZHnv6R_-lfIea" v-model="token" />
-	<div>Token: {{ token }}</div>
+	<vue-turnstile :site-key="cloudflareSiteKey" v-model="cloudflareToken" />
+	{{ cloudflareToken }}
 </template>
 
 <script setup lang="ts">
 import { ref } from 'vue';
+import type { Ref } from 'vue';
 import GenerateTokenSettingsNotifications from '@/components/ui/GenerateTokenSettingsNotifications.vue';
 import VueTurnstile from 'vue-turnstile';
 
+const cloudflareToken: Ref<string> = ref('');
+const cloudflareSiteKey = import.meta.env.VITE_CLOUDFLARE_TURNSTILE_SITE_KEY;
+
 const token = ref();
 </script>

frontend_vue/src/utils/formValidators.ts

@@ -202,4 +202,10 @@ export const formValidators: ValidateSchemaType = {
       ),
     }),
   },
+  [TOKENS_TYPE.CREDIT_CARD_V2]: {
+    schema: Yup.object().shape({
+      ...validationNotificationSettings,
+      'cf-turnstile-response': Yup.string().required('Cloudflare turnstile response required.'),
+    }),
+  },
 };