only validate Turnstile captcha on Vercel environments (#6314)

jnsdls · jnsdls · commit 43638e5d967a · 2025-02-22T00:16:34.000Z
diff --git a/apps/dashboard/src/app/login/auth-actions.ts b/apps/dashboard/src/app/login/auth-actions.ts
@@ -11,6 +11,7 @@ import type {
   LoginPayload,
   VerifyLoginPayloadParams,
 } from "thirdweb/auth";
+import { isVercel } from "../../lib/vercel-utils";
 
 export async function getLoginPayload(
   params: GenerateLoginPayloadParams,
@@ -45,80 +46,83 @@ export async function doLogin(
     throw new Error("API_SERVER_SECRET is not set");
   }
 
-  if (!turnstileToken) {
-    return {
-      error: "Missing Turnstile token.",
-    };
-  }
+  // only validate the turnstile token if we are in a vercel environment
+  if (isVercel()) {
+    if (!turnstileToken) {
+      return {
+        error: "Missing Turnstile token.",
+      };
+    }
 
-  // get the request headers
-  const requestHeaders = await headers();
-  if (!requestHeaders) {
-    return {
-      error: "Failed to get request headers. Please try again.",
-    };
-  }
-  // CF header, fallback to req.ip, then X-Forwarded-For
-  const [ip, errors] = (() => {
-    let ip: string | null = null;
-    const errors: string[] = [];
-    try {
-      ip = requestHeaders.get("CF-Connecting-IP") || null;
-    } catch (err) {
-      console.error("failed to get IP address from CF-Connecting-IP", err);
-      errors.push("failed to get IP address from CF-Connecting-IP");
+    // get the request headers
+    const requestHeaders = await headers();
+    if (!requestHeaders) {
+      return {
+        error: "Failed to get request headers. Please try again.",
+      };
     }
-    if (!ip) {
+    // CF header, fallback to req.ip, then X-Forwarded-For
+    const [ip, errors] = (() => {
+      let ip: string | null = null;
+      const errors: string[] = [];
       try {
-        ip = ipAddress(requestHeaders) || null;
+        ip = requestHeaders.get("CF-Connecting-IP") || null;
       } catch (err) {
-        console.error(
-          "failed to get IP address from ipAddress() function",
-          err,
-        );
-        errors.push("failed to get IP address from ipAddress() function");
+        console.error("failed to get IP address from CF-Connecting-IP", err);
+        errors.push("failed to get IP address from CF-Connecting-IP");
       }
-    }
-    if (!ip) {
-      try {
-        ip = requestHeaders.get("X-Forwarded-For");
-      } catch (err) {
-        console.error("failed to get IP address from X-Forwarded-For", err);
-        errors.push("failed to get IP address from X-Forwarded-For");
+      if (!ip) {
+        try {
+          ip = ipAddress(requestHeaders) || null;
+        } catch (err) {
+          console.error(
+            "failed to get IP address from ipAddress() function",
+            err,
+          );
+          errors.push("failed to get IP address from ipAddress() function");
+        }
       }
-    }
-    return [ip, errors];
-  })();
+      if (!ip) {
+        try {
+          ip = requestHeaders.get("X-Forwarded-For");
+        } catch (err) {
+          console.error("failed to get IP address from X-Forwarded-For", err);
+          errors.push("failed to get IP address from X-Forwarded-For");
+        }
+      }
+      return [ip, errors];
+    })();
 
-  if (!ip) {
-    return {
-      error: "Could not get IP address. Please try again.",
-      context: errors,
-    };
-  }
+    if (!ip) {
+      return {
+        error: "Could not get IP address. Please try again.",
+        context: errors,
+      };
+    }
 
-  // https://developers.cloudflare.com/turnstile/get-started/server-side-validation/
-  // Validate the token by calling the "/siteverify" API endpoint.
-  const result = await fetch(
-    "https://challenges.cloudflare.com/turnstile/v0/siteverify",
-    {
-      body: JSON.stringify({
-        secret: process.env.TURNSTILE_SECRET_KEY,
-        response: turnstileToken,
-        remoteip: ip,
-      }),
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
+    // https://developers.cloudflare.com/turnstile/get-started/server-side-validation/
+    // Validate the token by calling the "/siteverify" API endpoint.
+    const result = await fetch(
+      "https://challenges.cloudflare.com/turnstile/v0/siteverify",
+      {
+        body: JSON.stringify({
+          secret: process.env.TURNSTILE_SECRET_KEY,
+          response: turnstileToken,
+          remoteip: ip,
+        }),
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+        },
       },
-    },
-  );
+    );
 
-  const outcome = await result.json();
-  if (!outcome.success) {
-    return {
-      error: "Could not validate captcha.",
-    };
+    const outcome = await result.json();
+    if (!outcome.success) {
+      return {
+        error: "Could not validate captcha.",
+      };
+    }
   }
 
   const cookieStore = await cookies();
diff --git a/apps/dashboard/src/lib/vercel-utils.ts b/apps/dashboard/src/lib/vercel-utils.ts
@@ -1,8 +1,11 @@
 import { isBrowser } from "utils/isBrowser";
 
+export function isVercel() {
+  return !!(process.env.vercel || process.env.NEXT_PUBLIC_VERCEL_ENV);
+}
+
 export function getVercelEnv() {
-  const onVercel = process.env.vercel || process.env.NEXT_PUBLIC_VERCEL_ENV;
-  if (!onVercel) {
+  if (!isVercel()) {
     return "development";
   }
   return (process.env.VERCEL_ENV ||
