From 4634e4bac35cedba5b68e8cc49e42a22f48f42af Mon Sep 17 00:00:00 2001
From: Max Mclaughlin
Date: Fri, 25 Oct 2024 16:10:40 +0200
Subject: [PATCH] .
---
 .github/workflows/build_docker.yml | 2 ++
 canarytokens/models.py | 1 +
 canarytokens/settings.py | 1 +
 frontend/app.py | 17 +++++++++++++++++
 .../tokens/credit_card_v2/GenerateTokenForm.vue | 8 ++++++--
 frontend_vue/src/utils/formValidators.ts | 6 ++++++
 6 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build_docker.yml b/.github/workflows/build_docker.yml
index 4beea9b91..5984e15e3 100644
--- a/.github/workflows/build_docker.yml
+++ b/.github/workflows/build_docker.yml
@@ -57,6 +57,7 @@ jobs:
 touch .env
 echo VITE_GITHUB_SHA=${GITHUB_SHA} >> .env
 echo VITE_GOOGLE_MAPS_API_KEY="${{ secrets.GOOGLE_MAPS_API_KEY_DEV }}" >> .env
+ echo VITE_CLOUDFLARE_TURNSTILE_SITE_KEY="${{ secrets.CLOUDFLARE_TURNSTILE_SITE_KEY_DEV }}" >> .env
 cat .env
 - name: Include git Google Maps Key for Frontend Production release
@@ -65,6 +66,7 @@ jobs:
 run: |
 touch .env
 echo VITE_GOOGLE_MAPS_API_KEY="${{ secrets.GOOGLE_MAPS_API_KEY_PROD }}" >> .env
+ echo VITE_CLOUDFLARE_TURNSTILE_SITE_KEY="${{ secrets.CLOUDFLARE_TURNSTILE_SITE_KEY_PROD }}" >> .env
 cat .env
 - name: Build Frontend Dist
diff --git a/canarytokens/models.py b/canarytokens/models.py
index 0379e28be..c0219f46a 100644
--- a/canarytokens/models.py
+++ b/canarytokens/models.py
@@ -779,6 +779,7 @@ class WindowsDirectoryTokenRequest(TokenRequest):
 class CreditCardV2TokenRequest(TokenRequest):
 token_type: Literal[TokenTypes.CREDIT_CARD_V2] = TokenTypes.CREDIT_CARD_V2
+ cf_turnstile_response: Optional[str]
 AnyTokenRequest = Annotated[
diff --git a/canarytokens/settings.py b/canarytokens/settings.py
index 2b6bbe97a..986cadf23 100644
--- a/canarytokens/settings.py
+++ b/canarytokens/settings.py
@@ -127,6 +127,7 @@ class FrontendSettings(BaseSettings):
 CREDIT_CARD_INFRA_ACCOUNT_ID: Optional[str]
 CREDIT_CARD_INFRA_REGION: Optional[str]
 CREDIT_CARD_INFRA_ACCESS_ROLE: Optional[str]
+ CLOUDFLARE_TURNSTILE_SECRET: Optional[str]
 class Config:
 allow_mutation = False
diff --git a/frontend/app.py b/frontend/app.py
index 8d102b3b0..a189a3782 100644
--- a/frontend/app.py
+++ b/frontend/app.py
@@ -738,6 +738,23 @@ async def api_generate( # noqa: C901 # gen is large
 6,
 "Blocked email supplied. Please see our Acceptable Use Policy at https://canarytokens.org/legal",
 )
+
+ if token_request_details.token_type == TokenTypes.CREDIT_CARD_V2:
+ token = token_request_details.cf_turnstile_response
+ if token is None:
+ return JSONResponse({"message": "failure"}, status_code=401)
+
+ data = {
+ "secret": frontend_settings.CLOUDFLARE_TURNSTILE_SECRET,
+ "response": token,
+ }
+ result = requests.post(
+ "https://challenges.cloudflare.com/turnstile/v0/siteverify", data=data
+ ).json()
+
+ if not result.get("success", False):
+ return JSONResponse({"message": "failure"}, status_code=401)
+
 # TODO: refactor this. KUBECONFIG token creates it's own token
 # value and cannot follow same path as before.
 if token_request_details.token_type == TokenTypes.KUBECONFIG:
diff --git a/frontend_vue/src/components/tokens/credit_card_v2/GenerateTokenForm.vue b/frontend_vue/src/components/tokens/credit_card_v2/GenerateTokenForm.vue
index 6af533767..9b8910487 100644
--- a/frontend_vue/src/components/tokens/credit_card_v2/GenerateTokenForm.vue
+++ b/frontend_vue/src/components/tokens/credit_card_v2/GenerateTokenForm.vue
@@ -1,14 +1,18 @@
diff --git a/frontend_vue/src/utils/formValidators.ts b/frontend_vue/src/utils/formValidators.ts
index a3256d046..15bb8aff0 100644
--- a/frontend_vue/src/utils/formValidators.ts
+++ b/frontend_vue/src/utils/formValidators.ts
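Review bot: In frontend/app.py the new `requests.post(...)` to the Turnstile siteverify endpoint has no `timeout`, no status check and no exception handling, and it is a blocking call inside `async def api_generate`. A slow or failing Cloudflare endpoint can therefore stall the event loop or surface as an unhandled 500 instead of the intended 401. `CLOUDFLARE_TURNSTILE_SECRET` is declared `Optional[str]` in canarytokens/settings.py, so an unset secret is passed straight into the request rather than rejected up front, and an empty-string token also passes the `is None` check. I would fail closed before the call when either value is missing, bound the request with a timeout and treat transport or decode errors as a failed verification, as sketched below; moving the call off the event loop (a thread pool or an async client) is worth considering separately. The body of api_generate starts and ends outside the hunk.

```python
if token_request_details.token_type == TokenTypes.CREDIT_CARD_V2:
    token = token_request_details.cf_turnstile_response
    secret = frontend_settings.CLOUDFLARE_TURNSTILE_SECRET
    # Fail closed without an outbound call when either input is missing;
    # a missing secret is a deployment error and should also be logged.
    if not token or not secret:
        return JSONResponse({"message": "failure"}, status_code=401)

    try:
        verify = requests.post(
            "https://challenges.cloudflare.com/turnstile/v0/siteverify",
            data={"secret": secret, "response": token},
            timeout=5,  # bound the wait; a hung verifier must not hang token creation
        )
        verify.raise_for_status()
        verified = verify.json().get("success") is True
    except (requests.RequestException, ValueError):
        # Transport failure or a non-JSON body counts as "not verified".
        verified = False

    if not verified:
        return JSONResponse({"message": "failure"}, status_code=401)
# … unchanged: KUBECONFIG branch and the rest of api_generate …
```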
@@ -202,4 +202,10 @@ export const formValidators: ValidateSchemaType = {
 ),
 }),
 },
+ [TOKENS_TYPE.CREDIT_CARD_V2]: {
+ schema: Yup.object().shape({
+ ...validationNotificationSettings,
+ 'cf-turnstile-response': Yup.string().required('Cloudflare turnstile response required.'),
+ }),
+ },
 };
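Review bot: The schema validates the key `'cf-turnstile-response'` (hyphens), while the request model added in canarytokens/models.py declares `cf_turnstile_response` (underscores) with no alias visible in this patch. If the form submits the hyphenated key unchanged, the server-side field would presumably stay `None` and every CREDIT_CARD_V2 request would take the 401 branch in frontend/app.py. The GenerateTokenForm.vue hunk is empty on this page, so confirm the component renames the field before submit, or declare the alias on the model, e.g. `cf_turnstile_response: Optional[str] = Field(None, alias="cf-turnstile-response")`. This client-side `required` check is only a usability aid; enforcement has to stay in the server-side verification.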