Module: Controllers::TurnstileVerification

Extended by:

ActiveSupport::Concern

Included in:

ApplicationController

Defined in:

app/concerns/controllers/turnstile_verification.rb

Overview

Cloudflare Turnstile CAPTCHA integration

Provides helper methods for rendering and validating Turnstile widgets.

Usage:

In view - render widget

<%= turnstile_widget %>
<%= turnstile_lazy_widget %> # Lazy-loaded version

In controller action - validate

validate_turnstile!

See: https://developers.cloudflare.com/turnstile/

Instance Method Summary

• #load_turnstile_script_tag ⇒ Object

  Load Turnstile script tag into the head (only once).

• #turnstile_lazy_widget(**options) ⇒ Object

  Lazy-loaded Turnstile widget - only loads script when visible in viewport Use this instead of turnstile_widget + load_turnstile_script_tag for better performance.

• #turnstile_script_tag ⇒ Object

  Render the Turnstile script tag.

• #turnstile_widget(**options) ⇒ Object

  Render the Turnstile widget.

• #validate_turnstile! ⇒ Object

  Validate Turnstile response and redirect with error if failed Call this from create/update actions that require CAPTCHA validation.

Instance Method Details

#load_turnstile_script_tag ⇒ Object

Load Turnstile script tag into the head (only once)

# File 'app/concerns/controllers/turnstile_verification.rb', line 32

def load_turnstile_script_tag
  return ''.html_safe unless Turnstile.enabled?
  return ''.html_safe if content_for?(:turnstile_script_loaded)

  content_for :turnstile_script_loaded, true
  content_for :head, turnstile_script_tag
  ''.html_safe
rescue NoMethodError
  # Fallback if content_for is not available (e.g., in tests or console)
  turnstile_script_tag
end

#turnstile_lazy_widget(**options) ⇒ Object

Lazy-loaded Turnstile widget - only loads script when visible in viewport
Use this instead of turnstile_widget + load_turnstile_script_tag for better performance

# File 'app/concerns/controllers/turnstile_verification.rb', line 53

def turnstile_lazy_widget(**options)
  return ''.html_safe unless Turnstile.enabled?

  Turnstile.lazy_widget(options)
end

#turnstile_script_tag ⇒ Object

Render the Turnstile script tag

# File 'app/concerns/controllers/turnstile_verification.rb', line 24

def turnstile_script_tag
  return ''.html_safe unless Turnstile.enabled?

  nonce = request&.content_security_policy_nonce
  Turnstile.script_tag(nonce: nonce)
end

#turnstile_widget(**options) ⇒ Object

Render the Turnstile widget

# File 'app/concerns/controllers/turnstile_verification.rb', line 45

def turnstile_widget(**options)
  return ''.html_safe unless Turnstile.enabled?

  Turnstile.widget(options)
end

#validate_turnstile! ⇒ Object

Validate Turnstile response and redirect with error if failed
Call this from create/update actions that require CAPTCHA validation

# File 'app/concerns/controllers/turnstile_verification.rb', line 61

def validate_turnstile!
  # Skip entirely in development/test - production keys don't work on localhost,
  # and system tests (Playwright) cannot solve a CAPTCHA challenge.
  return true if Rails.env.development? || Rails.env.test?

  return true unless Turnstile.enabled?

  token = params['cf-turnstile-response'] || params['cf_turnstile_response']
  ok = Turnstile.verify(token, remote_ip: request.remote_ip)

  return if ok

  log_turnstile_failure(token)
  store_failed_form_data
  flash[:error] = 'Please complete the security verification to submit the form.'
  redirect_back_or_to(root_path)
end