mirror of
https://github.com/4ev-link/4ev.link.git
synced 2026-01-13 16:18:05 +00:00
Feat: Add reCAPTCHA server-side verification
@@ -1 +1 @@
|
||||
const genSlug=l=>[...Array(l)].map(()=>"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"[Math.random()*62|0]).join("");const R=new Set(['api','dash','admin','login','logout','signin','signup','register','account','settings','profile','password','user','users','link','links','url','urls','robots','sitemap','favicon','well-known','assets','static','img','js','css','public']);export async function onRequestPost({request,env}){try{const{destination_url,slug,username,pass_hash}=await request.json();if(!destination_url||!username||!pass_hash)return new Response("Missing fields",{status:400});const user=await env.D1_EV.prepare("SELECT pass_hash, custom_slugs FROM users WHERE username = ?").bind(username).first();if(user?.pass_hash!==pass_hash)return new Response("Invalid credentials",{status:401});let finalSlug=slug;if(finalSlug){if(R.has(finalSlug.toLowerCase())||!/^[a-zA-Z0-9-]{3,32}$/.test(finalSlug)||await env.KV_EV.get(finalSlug))return new Response("Invalid or taken slug",{status:400})}else{do{finalSlug=genSlug(6)}while(await env.KV_EV.get(finalSlug))}let dest=destination_url.startsWith("http")?destination_url:`https://${destination_url}`;try{new URL(dest)}catch{return new Response("Invalid destination URL",{status:400})}const storedDest=dest.replace(/^https?:\/\//,"");let s;try{s=JSON.parse(user.custom_slugs)}catch(e){}const customSlugs=Array.isArray(s)?s:[];customSlugs.push(finalSlug);await Promise.all([env.KV_EV.put(finalSlug,storedDest),env.D1_EV.prepare("UPDATE users SET custom_slugs = ? WHERE username = ?").bind(JSON.stringify(customSlugs),username).run()]);return Response.json({slug:finalSlug},{status:201})}catch(e){return new Response(e.message,{status:500})}}
|
||||
const genSlug=l=>[...Array(l)].map(()=>"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"[Math.random()*62|0]).join(""),R=new Set(["api","dash","admin","login","logout","signin","signup","register","account","settings","profile","password","user","users","link","links","url","urls","robots","sitemap","favicon","well-known","assets","static","img","js","css","public"]);export async function onRequestPost({request:r,env:e}){try{const{'g-recaptcha-response':t,...b}=await r.json(),v=await fetch("https://www.google.com/recaptcha/api/siteverify",{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded"},body:`secret=${e.RECAPCHA_KEY}&response=${t}`}).then(r=>r.json());if(!v.success)return new Response("CAPTCHA verification failed.",{status:403});const{destination_url:d,slug:s,username:u,pass_hash:h}=b;if(!d||!u||!h)return new Response("Missing fields",{status:400});const a=await e.D1_EV.prepare("SELECT pass_hash, custom_slugs FROM users WHERE username = ?").bind(u).first();if(a?.pass_hash!==h)return new Response("Invalid credentials",{status:401});let i=s;if(i){if(R.has(i.toLowerCase())||!/^[a-zA-Z0-9-]{3,32}$/.test(i)||await e.KV_EV.get(i))return new Response("Invalid or taken slug",{status:400})}else{do{i=genSlug(6)}while(await e.KV_EV.get(i))}let o=d.startsWith("http")?d:`https://${d}`;try{new URL(o)}catch{return new Response("Invalid destination URL",{status:400})}const n=o.replace(/^https?:\/\//,"");let p;try{p=JSON.parse(a.custom_slugs)}catch(r){}const c=Array.isArray(p)?p:[];c.push(i);await Promise.all([e.KV_EV.put(i,n),e.D1_EV.prepare("UPDATE users SET custom_slugs = ? WHERE username = ?").bind(JSON.stringify(c),u).run()]);return Response.json({slug:i},{status:201})}catch(r){return new Response(r.message,{status:500})}}
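Review bot: The siteverify request body is built by string interpolation, `secret=${e.RECAPCHA_KEY}&response=${t}`, so the client-supplied `g-recaptcha-response` value reaches Google's endpoint without URL-encoding, and a value containing `&` or `=` changes which form fields are sent. Build the body with `new URLSearchParams({secret:e.RECAPCHA_KEY,response:t})`, and reject the request with a 400 before the fetch when `t` is not a non-empty string, so a missing token is not sent as the literal text `undefined`. Only `v.success` is checked; comparing `v.hostname` with the site's own host would also reject tokens that were solved on another site, if the key is not already domain-restricted. A failure of the siteverify fetch falls through to the outer `catch`, which returns `r.message` to the caller with status 500; a fixed message there, with the detail logged server-side, avoids exposing internal error text. The binding name `RECAPCHA_KEY` is spelled without the "T"; that is harmless if the configured secret uses the same spelling, which cannot be confirmed from this page.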
|
||||
|
||||