From 33e7cf09aac4ec6af9bb57c9c8aab7e1805ffd3f Mon Sep 17 00:00:00 2001
From: multipleof4 <planetrenox@protonmail.com>
Date: Thu, 2 Oct 2025 14:41:07 -0700
Subject: [PATCH] Feat: Add Turnstile verification to forms

---
 functions/api/comments.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/functions/api/comments.js b/functions/api/comments.js
index 7a63453..6cde2b6 100644
--- a/functions/api/comments.js
+++ b/functions/api/comments.js
@@ -24,7 +24,12 @@ export async function onRequestPost({request,env}){
     const user=await auth(request,env.D1_SPCHCAP);
     if(!user)return json({error:'Unauthorized'},{status:401},request);
     
-    const{post_id,parent_id,content}=await request.json();
+    const body=await request.json();
+    const fd=new FormData();fd.append('secret',env.SEC_TURNSTILE);fd.append('response',body['cf-turnstile-response']);fd.append('remoteip',request.headers.get('CF-Connecting-IP'));
+    const ts=await fetch('https://challenges.cloudflare.com/turnstile/v0/siteverify',{body:fd,method:'POST'});
+    if(!(await ts.json()).success)return json({error:'Invalid CAPTCHA'},{status:403},request);
+    
+    const{post_id,parent_id,content}=body;
     if(!post_id||!content)return json({error:'Missing fields'},{status:400},request);
     
     const{meta}=await env.D1_SPCHCAP.prepare('INSERT INTO comments(post_id,user_id,parent_id,content)VALUES(?,?,?,?)').bind(post_id,user.id,parent_id||null,content).run();