nullcoder
diff --git a/‎.gitignore
Lines changed: 1 addition & 0 deletions b/‎.gitignore
Lines changed: 1 addition & 0 deletions
diff --git a/‎README.md
Lines changed: 1 addition & 0 deletions b/‎README.md
Lines changed: 1 addition & 0 deletions
diff --git a/‎app/api/gists/route.ts
Lines changed: 33 additions & 1 deletion b/‎app/api/gists/route.ts
Lines changed: 33 additions & 1 deletion
diff --git a/‎app/create/page.tsx
Lines changed: 58 additions & 3 deletions b/‎app/create/page.tsx
Lines changed: 58 additions & 3 deletions
diff --git a/‎components/ui/turnstile.test.tsx
Lines changed: 175 additions & 0 deletions b/‎components/ui/turnstile.test.tsx
Lines changed: 175 additions & 0 deletions
@@ -46,3 +46,4 @@ yarn-error.log*
 # typescript
 *.tsbuildinfo
 next-env.d.ts
+.env
@@ -68,6 +68,7 @@ Simply open the shared link - the decryption key is in the URL fragment (#key=..
 - **Client-Side Encryption**: All encryption/decryption happens in your browser using the Web Crypto API
 - **Zero-Knowledge**: Servers only store encrypted blobs - we can't read your content even if we wanted to
 - **No Tracking**: No analytics, no cookies, no user tracking
+- **Bot Protection**: Optional Cloudflare Turnstile integration for spam prevention
 - **Open Source**: Verify our security claims by reviewing the code
 
 ## 🛠️ Technical Stack
 
@@ -9,6 +9,8 @@ import { createLogger } from "@/lib/logger";
 import { createGistMetadataSchema } from "@/lib/api-schemas";
 import type { CreateGistResponse } from "@/types/api";
 import type { GistMetadata } from "@/types/models";
+import { verifyTurnstileToken, isTurnstileEnabled } from "@/lib/turnstile";
+import { getCloudflareContext } from "@opennextjs/cloudflare";
 
 /**
  * Parse multipart form data from request
@@ -17,13 +19,15 @@ async function parseMultipartFormData(request: NextRequest): Promise<{
   metadata: Record<string, unknown>;
   blob: Uint8Array;
   password?: string;
+  turnstileToken?: string;
 }> {
   const formData = await request.formData();
 
   // Get required parts
   const metadataFile = formData.get("metadata") as File | null;
   const blobFile = formData.get("blob") as File | null;
   const passwordValue = formData.get("password") as string | null;
+  const turnstileToken = formData.get("turnstileToken") as string | null;
 
   if (!metadataFile || !blobFile) {
     throw ApiErrors.badRequest(
@@ -48,6 +52,7 @@ async function parseMultipartFormData(request: NextRequest): Promise<{
     metadata,
     blob,
     password: passwordValue || undefined,
+    turnstileToken: turnstileToken || undefined,
   };
 }
 
@@ -59,6 +64,8 @@ const logger = createLogger("api:gists:post");
  */
 export async function POST(request: NextRequest) {
   try {
+    // Get Cloudflare environment
+    const { env } = getCloudflareContext();
     // CSRF Protection
     if (!validateCSRFProtection(request)) {
       logger.warn("CSRF protection failed", {
@@ -81,6 +88,7 @@ export async function POST(request: NextRequest) {
       metadata: Record<string, unknown>;
       blob: Uint8Array;
       password?: string;
+      turnstileToken?: string;
     };
     try {
       formParts = await parseMultipartFormData(request);
@@ -93,7 +101,31 @@ export async function POST(request: NextRequest) {
       );
     }
 
-    const { metadata: rawMetadata, blob, password } = formParts;
+    const { metadata: rawMetadata, blob, password, turnstileToken } = formParts;
+
+    // Verify Turnstile token if enabled
+    if (isTurnstileEnabled(env)) {
+      if (!turnstileToken) {
+        return errorResponse(
+          ApiErrors.badRequest("Verification token is required")
+        );
+      }
+
+      const turnstileResult = await verifyTurnstileToken(
+        turnstileToken,
+        env.TURNSTILE_SECRET_KEY!,
+        request.headers.get("cf-connecting-ip") || undefined
+      );
+
+      if (!turnstileResult.success) {
+        logger.warn("Turnstile verification failed", {
+          errorCodes: turnstileResult["error-codes"],
+        });
+        return errorResponse(
+          ApiErrors.badRequest("Verification failed. Please try again.")
+        );
+      }
+    }
 
     // Validate metadata
     const validationResult = createGistMetadataSchema.safeParse(rawMetadata);
 
@@ -27,8 +27,12 @@ import { Badge } from "@/components/ui/badge";
 import { encryptGist } from "@/lib/crypto-utils";
 import type { FileData } from "@/components/ui/file-editor";
 import { SecurityLoading } from "@/components/security-loading";
+import { Turnstile } from "@/components/ui/turnstile";
 
 export default function CreateGistPage() {
+  // Get Turnstile site key - safe to use on client as it's a public key
+  const turnstileSiteKey = process.env.NEXT_PUBLIC_TURNSTILE_SITE_KEY;
+  console.log("Turnstile Site Key:", turnstileSiteKey);
   const router = useRouter();
   const multiFileEditorRef = useRef<MultiFileEditorHandle>(null);
   const [files, setFiles] = useState<FileData[]>(() => [
@@ -53,10 +57,12 @@ export default function CreateGistPage() {
   const [validationMessage, setValidationMessage] = useState<string | null>(
     null
   );
+  const [turnstileToken, setTurnstileToken] = useState<string | null>(null);
+  const [isTurnstileReady, setIsTurnstileReady] = useState(false);
 
   const handleFilesChange = useCallback((newFiles: FileData[]) => {
     setFiles(newFiles);
-    setError(null);
+    // Don't clear errors on file change - let them persist
 
     // Check for duplicate filenames
     const nameCount = new Map<string, number>();
@@ -103,6 +109,7 @@ export default function CreateGistPage() {
     try {
       setIsCreating(true);
       setError(null);
+      setValidationMessage(null);
 
       // Get current files with their actual content from editors
       const currentFiles = multiFileEditorRef.current?.getFiles() || files;
@@ -131,6 +138,14 @@ export default function CreateGistPage() {
         return;
       }
 
+      // Verify Turnstile token
+      if (!turnstileToken) {
+        setError(
+          "🛡️ Security verification required. Please refresh the page and try again."
+        );
+        return;
+      }
+
       // Encrypt the gist on the client side
       const encryptedGist = await encryptGist(currentFiles, {
         description: description || undefined,
@@ -158,6 +173,9 @@ export default function CreateGistPage() {
         formData.append("password", password);
       }
 
+      // Add Turnstile token
+      formData.append("turnstileToken", turnstileToken);
+
       // Call the API to create the gist
       const response = await fetch("/api/gists", {
         method: "POST",
@@ -304,11 +322,43 @@ export default function CreateGistPage() {
           </CardContent>
         </Card>
 
+        {/* Invisible Turnstile Verification */}
+        {turnstileSiteKey && (
+          <div className="hidden">
+            <Turnstile
+              sitekey={turnstileSiteKey}
+              onVerify={(token) => {
+                setTurnstileToken(token);
+                setIsTurnstileReady(true);
+                // Don't clear errors here - let them persist
+              }}
+              onError={() => {
+                setError(
+                  "🛡️ Security check failed. Please refresh the page and try again."
+                );
+                setIsTurnstileReady(false);
+              }}
+              onExpire={() => {
+                setTurnstileToken(null);
+                setIsTurnstileReady(false);
+                setError(
+                  "⏰ Security verification expired. Please refresh the page to continue."
+                );
+              }}
+              theme="auto"
+              size="invisible"
+            />
+          </div>
+        )}
+
         {/* Error Display */}
         {(error || validationMessage) && (
           <Alert variant="destructive">
             <AlertCircle className="h-4 w-4" />
-            <AlertDescription>{error || validationMessage}</AlertDescription>
+            <AlertDescription>
+              {validationMessage && <div>{validationMessage}</div>}
+              {error && <div>{error}</div>}
+            </AlertDescription>
           </Alert>
         )}
 
@@ -317,7 +367,12 @@ export default function CreateGistPage() {
           <Button
             size="lg"
             onClick={handleCreate}
-            disabled={isCreating || files.length === 0 || hasValidationErrors}
+            disabled={
+              isCreating ||
+              files.length === 0 ||
+              hasValidationErrors ||
+              (!!turnstileSiteKey && !isTurnstileReady)
+            }
           >
             {isCreating ? (
               <LoadingState type="spinner" message="Creating..." />
 
@@ -0,0 +1,175 @@
+import { render, waitFor } from "@testing-library/react";
+import { vi, describe, it, expect, beforeEach, afterEach } from "vitest";
+import { Turnstile } from "./turnstile";
+
+// Mock Next.js Script component
+vi.mock("next/script", () => ({
+  default: ({ onLoad }: { onLoad: () => void }) => {
+    // Simulate script loading
+    setTimeout(() => onLoad(), 0);
+    return null;
+  },
+}));
+
+describe("Turnstile", () => {
+  const mockRender = vi.fn().mockReturnValue("widget-123");
+  const mockReset = vi.fn();
+  const mockRemove = vi.fn();
+  const mockOnVerify = vi.fn();
+  const mockOnError = vi.fn();
+  const mockOnExpire = vi.fn();
+
+  beforeEach(() => {
+    // Mock window.turnstile
+    global.window.turnstile = {
+      render: mockRender,
+      reset: mockReset,
+      remove: mockRemove,
+    };
+
+    vi.clearAllMocks();
+  });
+
+  afterEach(() => {
+    // Clean up
+    delete (global.window as any).turnstile;
+  });
+
+  it("renders turnstile widget when script loads", async () => {
+    const { container } = render(
+      <Turnstile
+        sitekey="test-site-key"
+        onVerify={mockOnVerify}
+        onError={mockOnError}
+        onExpire={mockOnExpire}
+      />
+    );
+
+    // Wait for script to load and widget to render
+    await waitFor(() => {
+      expect(mockRender).toHaveBeenCalledWith(
+        expect.any(HTMLElement),
+        expect.objectContaining({
+          sitekey: "test-site-key",
+          callback: mockOnVerify,
+          "error-callback": mockOnError,
+          "expired-callback": mockOnExpire,
+          theme: "auto",
+          size: "normal",
+        })
+      );
+    });
+
+    // Check container exists
+    const turnstileContainer = container.querySelector(".cf-turnstile");
+    expect(turnstileContainer).toBeInTheDocument();
+  });
+
+  it("applies custom theme and size", async () => {
+    render(
+      <Turnstile
+        sitekey="test-site-key"
+        onVerify={mockOnVerify}
+        theme="dark"
+        size="compact"
+      />
+    );
+
+    await waitFor(() => {
+      expect(mockRender).toHaveBeenCalledWith(
+        expect.any(HTMLElement),
+        expect.objectContaining({
+          theme: "dark",
+          size: "compact",
+        })
+      );
+    });
+  });
+
+  it("cleans up widget on unmount", async () => {
+    const { unmount } = render(
+      <Turnstile sitekey="test-site-key" onVerify={mockOnVerify} />
+    );
+
+    await waitFor(() => {
+      expect(mockRender).toHaveBeenCalled();
+    });
+
+    unmount();
+
+    expect(mockRemove).toHaveBeenCalledWith("widget-123");
+  });
+
+  it("handles render errors gracefully", async () => {
+    mockRender.mockImplementationOnce(() => {
+      throw new Error("Render failed");
+    });
+
+    render(
+      <Turnstile
+        sitekey="test-site-key"
+        onVerify={mockOnVerify}
+        onError={mockOnError}
+      />
+    );
+
+    await waitFor(() => {
+      expect(mockOnError).toHaveBeenCalledWith(
+        "Failed to load verification widget"
+      );
+    });
+  });
+
+  it("applies custom className", () => {
+    const { container } = render(
+      <Turnstile
+        sitekey="test-site-key"
+        onVerify={mockOnVerify}
+        className="custom-class"
+      />
+    );
+
+    const turnstileContainer = container.querySelector(".cf-turnstile");
+    expect(turnstileContainer).toHaveClass("custom-class");
+  });
+
+  it("applies correct height classes based on size", () => {
+    const { container: container1 } = render(
+      <Turnstile
+        sitekey="test-site-key"
+        onVerify={mockOnVerify}
+        size="compact"
+      />
+    );
+    expect(container1.querySelector(".cf-turnstile")).toHaveClass("h-[65px]");
+
+    const { container: container2 } = render(
+      <Turnstile
+        sitekey="test-site-key"
+        onVerify={mockOnVerify}
+        size="normal"
+      />
+    );
+    expect(container2.querySelector(".cf-turnstile")).toHaveClass("h-[65px]");
+
+    const { container: container3 } = render(
+      <Turnstile
+        sitekey="test-site-key"
+        onVerify={mockOnVerify}
+        size="flexible"
+      />
+    );
+    expect(container3.querySelector(".cf-turnstile")).toHaveClass(
+      "min-h-[65px]"
+    );
+
+    const { container: container4 } = render(
+      <Turnstile
+        sitekey="test-site-key"
+        onVerify={mockOnVerify}
+        size="invisible"
+      />
+    );
+    expect(container4.querySelector(".cf-turnstile")).toHaveClass("h-0");
+  });
+});