feat: add captcha support for sign in/up (#4582)

2026-02-11 20:08:37 +00:00 · 2023-10-18 03:06:07 -05:00
parent 524e48c8e6
commit 63ca9671be
42 changed files with 1275 additions and 302 deletions
--- a/.github/actions/deploy/deploy.mjs
+++ b/.github/actions/deploy/deploy.mjs
@@ -13,6 +13,8 @@ const {
  R2_ACCESS_KEY_ID,
  R2_SECRET_ACCESS_KEY,
  R2_BUCKET,
+  ENABLE_CAPTCHA,
+  CAPTCHA_TURNSTILE_SECRET,
  OAUTH_EMAIL_SENDER,
  OAUTH_EMAIL_LOGIN,
  OAUTH_EMAIL_PASSWORD,
@@ -81,6 +83,8 @@ const createHelmCommand = ({ isDryRun }) => {
    `--set        graphql.replicaCount=${graphqlReplicaCount}`,
    `--set-string graphql.image.tag="${imageTag}"`,
    `--set        graphql.app.host=${host}`,
+    `--set        graphql.app.captcha.enabled=${ENABLE_CAPTCHA}`,
+    `--set-string graphql.app.captcha.turnstile.secret="${CAPTCHA_TURNSTILE_SECRET}"`,
    `--set        graphql.app.objectStorage.r2.enabled=true`,
    `--set-string graphql.app.objectStorage.r2.accountId="${R2_ACCOUNT_ID}"`,
    `--set-string graphql.app.objectStorage.r2.accessKeyId="${R2_ACCESS_KEY_ID}"`,
--- a/.github/helm/affine/charts/graphql/templates/captcha-secret.yaml
+++ b/.github/helm/affine/charts/graphql/templates/captcha-secret.yaml
@@ -0,0 +1,9 @@
+{{- if .Values.app.captcha.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ .Values.app.captcha.secretName }}"
+type: Opaque
+data:
+  turnstileSecret: {{ .Values.app.captcha.turnstile.secret | b64enc }}
+{{- end }}
--- a/.github/helm/affine/charts/graphql/templates/deployment.yaml
+++ b/.github/helm/affine/charts/graphql/templates/deployment.yaml
@@ -73,6 +73,8 @@ spec:
            value: "{{ .Values.app.host }}"
          - name: ENABLE_R2_OBJECT_STORAGE
            value: "{{ .Values.app.objectStorage.r2.enabled }}"
+          - name: ENABLE_CAPTCHA
+            value: "{{ .Values.app.captcha.enabled }}"
          - name: OAUTH_EMAIL_SENDER
            valueFrom:
              secretKeyRef:
@@ -126,6 +128,13 @@ spec:
                name: "{{ .Values.app.objectStorage.r2.secretName }}"
                key: bucket
          {{ end }}
+          {{ if .Values.app.captcha.enabled }}
+          - name: CAPTCHA_TURNSTILE_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.app.captcha.secretName }}"
+                key: turnstileSecret
+          {{ end }}
          {{ if .Values.app.oauth.google.enabled }}
          - name: OAUTH_GOOGLE_CLIENT_ID
            valueFrom:
--- a/.github/helm/affine/charts/graphql/values.yaml
+++ b/.github/helm/affine/charts/graphql/values.yaml
@@ -22,6 +22,11 @@ app:
    secretName: jwt-private-key
    # base64 encoded ecdsa private key
    privateKey: ''
+  captcha:
+    enable: false
+    secretName: captcha
+    turnstile:
+      secret: ''
  objectStorage:
    r2:
      enabled: false
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -57,6 +57,7 @@ jobs:
          BUILD_TYPE_OVERRIDE: ${{ github.event.inputs.flavor }}
          SHOULD_REPORT_TRACE: true
          TRACE_REPORT_ENDPOINT: ${{ secrets.TRACE_REPORT_ENDPOINT }}
+          CAPTCHA_SITE_KEY: ${{ secrets.CAPTCHA_SITE_KEY }}
      - name: Upload core artifact
        uses: actions/upload-artifact@v3
        with:
@@ -197,6 +198,8 @@ jobs:
          R2_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
          R2_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
          R2_BUCKET: ${{ secrets.R2_BUCKET }}
+          ENABLE_CAPTCHA: true
+          CAPTCHA_TURNSTILE_SECRET: ${{ secrets.CAPTCHA_TURNSTILE_SECRET }}
          OAUTH_EMAIL_SENDER: ${{ secrets.OAUTH_EMAIL_SENDER }}
          OAUTH_EMAIL_LOGIN: ${{ secrets.OAUTH_EMAIL_LOGIN }}
          OAUTH_EMAIL_PASSWORD: ${{ secrets.OAUTH_EMAIL_PASSWORD }}