Skip to content

feat(auth): add Turnstile captcha + harmony disposable email blocking #3699

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
waleedlatif1 merged 10 commits into from
Mar 21, 2026
Merged

feat(auth): add Turnstile captcha + harmony disposable email blocking #3699

Show file tree
Hide file tree
Changes from 7 commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
d25c9d9
feat(turnstile): conditionally added CF turnstile to signup
waleedlatif1 Mar 21, 2026
3cd1d19
feat(auth): add execute-on-submit Turnstile, conditional harmony, and…
waleedlatif1 Mar 21, 2026
3f64772
refactor(validation): remove dead validateEmail and checkMXRecord
waleedlatif1 Mar 21, 2026
0e4dcec
fix(auth): add 15s timeout to Turnstile captcha promise
waleedlatif1 Mar 21, 2026
33b7b31
chore(helm): add Turnstile and harmony env vars to values.yaml
waleedlatif1 Mar 21, 2026
4256aae
fix(auth): reject captcha promise on token expiry
waleedlatif1 Mar 21, 2026
9ceb30d
refactor(login): replace useEffect keydown listener with form onSubmit
waleedlatif1 Mar 21, 2026
7b8f2d0
fix(auth): clear dangling timeout after captcha promise settles
waleedlatif1 Mar 21, 2026
5ae1d9e
refactor(auth): use getResponsePromise() for Turnstile token retrieval
waleedlatif1 Mar 21, 2026
75cb5c3
fix(auth): show captcha errors as form-level message, not password error
waleedlatif1 Mar 21, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
151 changes: 103 additions & 48 deletions apps/sim/app/(auth)/login/login-form.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
'use client'

import { useEffect, useRef, useState } from 'react'
import { useMemo, useRef, useState } from 'react'
import { Turnstile, type TurnstileInstance } from '@marsidev/react-turnstile'
import { createLogger } from '@sim/logger'
import { Eye, EyeOff } from 'lucide-react'
import Link from 'next/link'
Expand Down Expand Up @@ -86,6 +87,11 @@ export default function LoginPage({
const [password, setPassword] = useState('')
const [passwordErrors, setPasswordErrors] = useState<string[]>([])
const [showValidationError, setShowValidationError] = useState(false)
const [captchaToken, setCaptchaToken] = useState<string | null>(null)
const turnstileRef = useRef<TurnstileInstance>(null)
const captchaResolveRef = useRef<((token: string) => void) | null>(null)
const captchaRejectRef = useRef<((reason: unknown) => void) | null>(null)
const turnstileSiteKey = useMemo(() => getEnv('NEXT_PUBLIC_TURNSTILE_SITE_KEY'), [])
const buttonClass = useBrandedButtonClass()

const callbackUrlParam = searchParams?.get('callbackUrl')
Expand Down Expand Up @@ -115,19 +121,6 @@ export default function LoginPage({
: null
)

useEffect(() => {
const handleKeyDown = (event: KeyboardEvent) => {
if (event.key === 'Enter' && forgotPasswordOpen) {
handleForgotPassword()
}
}

window.addEventListener('keydown', handleKeyDown)
return () => {
window.removeEventListener('keydown', handleKeyDown)
}
}, [forgotPasswordEmail, forgotPasswordOpen])

const handleEmailChange = (e: React.ChangeEvent<HTMLInputElement>) => {
const newEmail = e.target.value
setEmail(newEmail)
Expand Down Expand Up @@ -178,14 +171,44 @@ export default function LoginPage({
const safeCallbackUrl = callbackUrl
let errorHandled = false

// Execute Turnstile challenge on submit and get a fresh token
let token = captchaToken
if (turnstileSiteKey && turnstileRef.current) {
try {
turnstileRef.current.reset()
token = await Promise.race([
new Promise<string>((resolve, reject) => {
captchaResolveRef.current = resolve
captchaRejectRef.current = reject
turnstileRef.current?.execute()
}),
new Promise<string>((_, reject) =>
setTimeout(() => reject(new Error('Captcha timed out')), 15_000)
),
])
Comment thread
waleedlatif1 marked this conversation as resolved.
Outdated
} catch {
setPasswordErrors(['Captcha verification failed. Please try again.'])
setShowValidationError(true)
setIsLoading(false)
Comment thread
waleedlatif1 marked this conversation as resolved.
return
}
}

const result = await client.signIn.email(
{
email,
password,
callbackURL: safeCallbackUrl,
Comment thread
waleedlatif1 marked this conversation as resolved.
},
{
fetchOptions: {
headers: {
...(token ? { 'x-captcha-response': token } : {}),
},
},
onError: (ctx) => {
turnstileRef.current?.reset()
setCaptchaToken(null)
logger.error('Login error:', ctx.error)

if (ctx.error.code?.includes('EMAIL_NOT_VERIFIED')) {
Expand Down Expand Up @@ -460,6 +483,32 @@ export default function LoginPage({
</div>
</div>

{turnstileSiteKey && (
<Turnstile
ref={turnstileRef}
siteKey={turnstileSiteKey}
onSuccess={(token) => {
setCaptchaToken(token)
captchaResolveRef.current?.(token)
captchaResolveRef.current = null
captchaRejectRef.current = null
}}
onError={() => {
setCaptchaToken(null)
captchaRejectRef.current?.(new Error('Captcha failed'))
captchaResolveRef.current = null
captchaRejectRef.current = null
}}
onExpire={() => {
setCaptchaToken(null)
captchaRejectRef.current?.(new Error('Captcha expired'))
captchaResolveRef.current = null
captchaRejectRef.current = null
}}
options={{ size: 'invisible', execution: 'execute' }}
/>
)}

<BrandedButton
type='submit'
disabled={isLoading}
Expand Down Expand Up @@ -540,45 +589,51 @@ export default function LoginPage({
<ModalContent className='dark' size='sm'>
<ModalHeader>Reset Password</ModalHeader>
<ModalBody>
<ModalDescription className='mb-4 text-[var(--text-muted)] text-sm'>
Enter your email address and we'll send you a link to reset your password if your
account exists.
</ModalDescription>
<div className='space-y-4'>
<div className='space-y-2'>
<Label htmlFor='reset-email'>Email</Label>
<Input
id='reset-email'
value={forgotPasswordEmail}
onChange={(e) => setForgotPasswordEmail(e.target.value)}
placeholder='Enter your email'
required
type='email'
className={cn(
resetStatus.type === 'error' && 'border-red-500 focus:border-red-500'
<form
onSubmit={(e) => {
e.preventDefault()
handleForgotPassword()
}}
>
<ModalDescription className='mb-4 text-[var(--text-muted)] text-sm'>
Enter your email address and we'll send you a link to reset your password if your
account exists.
</ModalDescription>
<div className='space-y-4'>
<div className='space-y-2'>
<Label htmlFor='reset-email'>Email</Label>
<Input
id='reset-email'
value={forgotPasswordEmail}
onChange={(e) => setForgotPasswordEmail(e.target.value)}
placeholder='Enter your email'
required
type='email'
className={cn(
resetStatus.type === 'error' && 'border-red-500 focus:border-red-500'
)}
/>
{resetStatus.type === 'error' && (
<div className='mt-1 text-red-400 text-xs'>
<p>{resetStatus.message}</p>
</div>
)}
/>
{resetStatus.type === 'error' && (
<div className='mt-1 text-red-400 text-xs'>
</div>
{resetStatus.type === 'success' && (
<div className='mt-1 text-[#4CAF50] text-xs'>
<p>{resetStatus.message}</p>
</div>
)}
<BrandedButton
type='submit'
disabled={isSubmittingReset}
loading={isSubmittingReset}
loadingText='Sending'
>
Send Reset Link
</BrandedButton>
</div>
{resetStatus.type === 'success' && (
<div className='mt-1 text-[#4CAF50] text-xs'>
<p>{resetStatus.message}</p>
</div>
)}
<BrandedButton
type='button'
onClick={handleForgotPassword}
disabled={isSubmittingReset}
loading={isSubmittingReset}
loadingText='Sending'
>
Send Reset Link
</BrandedButton>
</div>
</form>
</ModalBody>
</ModalContent>
</Modal>
Expand Down
64 changes: 63 additions & 1 deletion apps/sim/app/(auth)/signup/signup-form.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
'use client'

import { Suspense, useMemo, useState } from 'react'
import { Suspense, useMemo, useRef, useState } from 'react'
import { Turnstile, type TurnstileInstance } from '@marsidev/react-turnstile'
import { createLogger } from '@sim/logger'
import { Eye, EyeOff } from 'lucide-react'
import Link from 'next/link'
Expand Down Expand Up @@ -90,6 +91,11 @@ function SignupFormContent({
const [emailError, setEmailError] = useState('')
const [emailErrors, setEmailErrors] = useState<string[]>([])
const [showEmailValidationError, setShowEmailValidationError] = useState(false)
const [captchaToken, setCaptchaToken] = useState<string | null>(null)
const turnstileRef = useRef<TurnstileInstance>(null)
const captchaResolveRef = useRef<((token: string) => void) | null>(null)
const captchaRejectRef = useRef<((reason: unknown) => void) | null>(null)
const turnstileSiteKey = useMemo(() => getEnv('NEXT_PUBLIC_TURNSTILE_SITE_KEY'), [])
const buttonClass = useBrandedButtonClass()

const redirectUrl = useMemo(
Expand Down Expand Up @@ -245,14 +251,44 @@ function SignupFormContent({

const sanitizedName = trimmedName

// Execute Turnstile challenge on submit and get a fresh token
let token = captchaToken
if (turnstileSiteKey && turnstileRef.current) {
try {
turnstileRef.current.reset()
token = await Promise.race([
new Promise<string>((resolve, reject) => {
captchaResolveRef.current = resolve
captchaRejectRef.current = reject
turnstileRef.current?.execute()
}),
new Promise<string>((_, reject) =>
setTimeout(() => reject(new Error('Captcha timed out')), 15_000)
),
])
} catch {
setPasswordErrors(['Captcha verification failed. Please try again.'])
setShowValidationError(true)
setIsLoading(false)
return
}
}

const response = await client.signUp.email(
{
email: emailValue,
password: passwordValue,
name: sanitizedName,
},
{
fetchOptions: {
headers: {
...(token ? { 'x-captcha-response': token } : {}),
},
},
onError: (ctx) => {
turnstileRef.current?.reset()
setCaptchaToken(null)
logger.error('Signup error:', ctx.error)
const errorMessage: string[] = ['Failed to create account']

Expand Down Expand Up @@ -453,6 +489,32 @@ function SignupFormContent({
</div>
</div>

{turnstileSiteKey && (
<Turnstile
ref={turnstileRef}
siteKey={turnstileSiteKey}
onSuccess={(token) => {
setCaptchaToken(token)
captchaResolveRef.current?.(token)
captchaResolveRef.current = null
captchaRejectRef.current = null
}}
onError={() => {
setCaptchaToken(null)
captchaRejectRef.current?.(new Error('Captcha failed'))
captchaResolveRef.current = null
captchaRejectRef.current = null
}}
onExpire={() => {
setCaptchaToken(null)
captchaRejectRef.current?.(new Error('Captcha expired'))
captchaResolveRef.current = null
captchaRejectRef.current = null
}}
options={{ size: 'invisible', execution: 'execute' }}
/>
)}

<BrandedButton
type='submit'
disabled={isLoading}
Expand Down
38 changes: 18 additions & 20 deletions apps/sim/lib/auth/auth.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ import { drizzleAdapter } from 'better-auth/adapters/drizzle'
import { nextCookies } from 'better-auth/next-js'
import {
admin,
captcha,
createAuthMiddleware,
customSession,
emailOTP,
Expand All @@ -17,6 +18,7 @@ import {
oneTimeToken,
organization,
} from 'better-auth/plugins'
import { emailHarmony } from 'better-auth-harmony'
import { and, eq, inArray, sql } from 'drizzle-orm'
import { headers } from 'next/headers'
import Stripe from 'stripe'
Expand Down Expand Up @@ -63,17 +65,14 @@ import {
isHosted,
isOrganizationsEnabled,
isRegistrationDisabled,
isSignupEmailValidationEnabled,
} from '@/lib/core/config/feature-flags'
import { PlatformEvents } from '@/lib/core/telemetry'
import { getBaseUrl } from '@/lib/core/utils/urls'
import { processCredentialDraft } from '@/lib/credentials/draft-processor'
import { sendEmail } from '@/lib/messaging/email/mailer'
import { getFromEmailAddress, getPersonalEmailFrom } from '@/lib/messaging/email/utils'
import {
isDisposableEmailFull,
isDisposableMxBackend,
quickValidateEmail,
} from '@/lib/messaging/email/validation'
import { quickValidateEmail } from '@/lib/messaging/email/validation'
import { syncAllWebhooksForCredentialSet } from '@/lib/webhooks/utils.server'
import { SSO_TRUSTED_PROVIDERS } from '@/ee/sso/constants'
import { createAnonymousSession, ensureAnonymousUserExists } from './anonymous'
Expand Down Expand Up @@ -629,23 +628,12 @@ export const auth = betterAuth({
}
}

if (ctx.path.startsWith('/sign-up')) {
if (ctx.path.startsWith('/sign-up') && blockedSignupDomains) {
const requestEmail = ctx.body?.email?.toLowerCase()
if (requestEmail) {
// Check manually blocked domains
if (blockedSignupDomains) {
const emailDomain = requestEmail.split('@')[1]
if (emailDomain && blockedSignupDomains.has(emailDomain)) {
throw new Error('Sign-ups from this email domain are not allowed.')
}
}

// Check disposable email domains (full list + MX backend check)
if (isDisposableEmailFull(requestEmail)) {
throw new Error('Sign-ups from disposable email addresses are not allowed.')
}
if (await isDisposableMxBackend(requestEmail)) {
throw new Error('Sign-ups from disposable email addresses are not allowed.')
const emailDomain = requestEmail.split('@')[1]
if (emailDomain && blockedSignupDomains.has(emailDomain)) {
throw new Error('Sign-ups from this email domain are not allowed.')
}
}
}
Comment thread
waleedlatif1 marked this conversation as resolved.
Expand Down Expand Up @@ -677,6 +665,16 @@ export const auth = betterAuth({
},
plugins: [
nextCookies(),
...(isSignupEmailValidationEnabled ? [emailHarmony()] : []),
...(env.TURNSTILE_SECRET_KEY
? [
captcha({
provider: 'cloudflare-turnstile',
secretKey: env.TURNSTILE_SECRET_KEY,
endpoints: ['/sign-up/email', '/sign-in/email'],
}),
]
: []),
admin(),
jwt({
jwks: {
Expand Down
Loading
Loading