Moved cloudflare turnstile away from add to cart and signup in favour of a single turnstil when the widget is loaded

Author: Herve Tribouilloy

vite_project/src/BookingSystemWidget.tsx

@@ -17,10 +17,10 @@ export function BookingSystemWidget({ host }: Props) {
     }
 
     return (
-        <SystemStateProvider config={booking}>
-            <UserStateProvider config={user}>
-                <BookingSystemWrapper venueId={booking.venueId} />
-            </UserStateProvider>
-        </SystemStateProvider>
+            <SystemStateProvider config={booking}>
+                <UserStateProvider config={user}>
+                    <BookingSystemWrapper venueId={booking.venueId} />
+                </UserStateProvider>
+            </SystemStateProvider>
     );
 }

vite_project/src/components/BookingSystem.tsx

@@ -7,11 +7,18 @@ import {EventDashboard} from "./event/EventDashboard.tsx";
 import {BookingContextSummary} from "./event/Dashboard/BookingContextSummary.tsx";
 import {useMediaQuery} from "../hooks/ui/useMediaQuery.tsx";
 import {HostFilter} from "./event/Filter/HostFilter.tsx";
+import {Spinner} from "./global/Spinner.tsx";
 
-export function BookingSystem() {
+interface Props {
+    canStartBooking: boolean
+}
+
+export function BookingSystem({canStartBooking}: Props) {
     const { visitIntent} = useVisitIntentState();
     const isMobile = useMediaQuery('(max-width: 768px)');
 
+    if (!canStartBooking) return <Spinner />
+
     return (
         <div className="booking-system">
             {(visitIntent.weekIntent !== '' && visitIntent.eventTypeId !== '') && (<>

vite_project/src/components/BookingSystemWrapper.tsx

@@ -8,13 +8,20 @@ import type {ConfigInfoState} from "../state/Config/type.ts";
 import {VisitIntentStateProvider} from "../state/Intent/VisitIntentStateProvider.tsx";
 import {BookingSystem} from "./BookingSystem.tsx";
 import {ConfigStateProvider} from "../state/Config/ConfigStateProvider.tsx";
+import {Turnstile} from "../security/Turnstile.tsx";
+import {useSystemState} from "../state/System/useSystemState.ts";
+import {useHumanVerification} from "../hooks/domain/useHumanVerification.tsx";
 
 interface Props {
     venueId: string
 }
 
 export function BookingSystemWrapper({venueId}: Props) {
     const { venue, venueError: venueError } = useVenue(venueId);
+    const { cloudflareKey, isTurnstileEnabled } = useSystemState()
+    const turnstileEnabled = isTurnstileEnabled();
+    const { onToken, isHumanVerified } = useHumanVerification();
+    const canStartBooking = isHumanVerified;
 
     const {
         eventHosts,
@@ -38,6 +45,12 @@ export function BookingSystemWrapper({venueId}: Props) {
 
     activity('config-load', 'Config Data',{venue, eventHosts, groups});
 
+    if (!turnstileEnabled) {
+        activity('form-ready', 'Turnstile Disabled',{
+            cloudflareKey
+        }, 'warn');
+    }
+
     const config: ConfigInfoState = {
         venue,
         eventHosts,
@@ -47,7 +60,15 @@ export function BookingSystemWrapper({venueId}: Props) {
     return (
         <ConfigStateProvider config={config}>
             <VisitIntentStateProvider eventTypeGroups={config.eventTypeGroups} eventHosts={config.eventHosts}>
-                <BookingSystem />
+                <BookingSystem canStartBooking={canStartBooking} />
+                {/* 2. The security gate */}
+                {turnstileEnabled && (
+                    <Turnstile
+                        siteKey={cloudflareKey}
+                        containerId="booking-turnstile"
+                        onToken={onToken}
+                    />
+                )}
             </VisitIntentStateProvider>
         </ConfigStateProvider>
     );

vite_project/src/components/event/Dashboard/DayEvent/AddToCart.tsx

@@ -1,16 +1,12 @@
-import {useEffect, useState} from "react";
+import {useEffect} from "react";
 import {getEventCartQty} from "../../../../domain/cart/cart.ts";
 import {ErrorState} from "../../../global/ErrorState.tsx";
 import {useUserState} from "../../../../state/User/useUserState.ts";
 import {useEventState} from "../../../../state/Event/useEventState.ts";
 import {useVisitIntentState} from "../../../../state/Intent/useVisitIntentState.ts";
 import {useAddToCart} from "../../../../hooks/domain/useAddToCart.tsx";
 import {useDashboardState} from "../../../../state/Dashboard/useDashboardState.ts";
-import {Turnstile} from "../../../../security/Turnstile.tsx";
-import {useSystemState} from "../../../../state/System/useSystemState.ts";
-import {activity} from "../../../../../activity";
 import {UserState} from "../../../user-authentication/UserState.tsx";
-import {useHumanVerification} from "../../../../hooks/domain/useHumanVerification.tsx";
 
 interface AddToCartProps {
     onRequireAuth: () => void
@@ -22,10 +18,6 @@ export function AddToCart({onRequireAuth}: AddToCartProps) {
     const { visitIntent } = useVisitIntentState();
     const { addToCart, loadingAddToCart, errorAddToCart } = useAddToCart();
     const { increaseVersionNumber, setLastBookedEventId } = useDashboardState();
-    const [awaitingSecurity, setAwaitingSecurity] = useState(false);
-    const { cloudflareKey, isTurnstileEnabled } = useSystemState();
-    const turnstileEnabled = isTurnstileEnabled();
-    const { token, onToken, isHumanVerified, requireVerification } = useHumanVerification();
 
     const refreshDashboard = () => {
         increaseVersionNumber()
@@ -38,44 +30,29 @@ export function AddToCart({onRequireAuth}: AddToCartProps) {
             return;
         }
 
-        if (!isHumanVerified) {
-            requireVerification()
-            return;
-        }
-
         try {
             await addToCart({
                 eventId: eventState.activeEventId,
                 eventTypeId: visitIntent.eventTypeId,
                 shampoo: eventState.shampoo ? 1 : 0,
-                userId: user?.id || '',
-                turnstileToken: token as string,
+                userId: user?.id || ''
             });
 
             refreshDashboard();
-            setAwaitingSecurity(false);
         } catch (err) {
             console.error(err);
-            setAwaitingSecurity(false);
         }
     };
 
     const onAddClick = async () => {
         if (!user) {
-            setAwaitingSecurity(true);
             onRequireAuth();
             return;
         }
 
         await handleAdd();
     };
 
-    useEffect(() => {
-        if (awaitingSecurity && token && user) {
-            handleAdd();
-        }
-    }, [awaitingSecurity, token, user]);
-
     const activeEventId = eventState.activeEventId;
 
     const eventAlreadyInCart =
@@ -86,16 +63,10 @@ export function AddToCart({onRequireAuth}: AddToCartProps) {
     const canAttemptAdd =
         !!activeEventId &&
         !eventAlreadyInCart &&
-        !loadingAddToCart &&
-        (!turnstileEnabled || Boolean(token));
+        !loadingAddToCart;
 
     if (errorAddToCart) return <ErrorState />
 
-    activity('form-ready', 'Can submit',{
-        turnstileEnabled,
-        token
-    });
-
     return (
         <>
             {eventAlreadyInCart && (
@@ -109,13 +80,6 @@ export function AddToCart({onRequireAuth}: AddToCartProps) {
             >
                 Book{loadingAddToCart && 'ing'} appointment+-
             </button>
-            {isTurnstileEnabled() && (
-                <Turnstile
-                    siteKey={cloudflareKey}
-                    containerId="booking-turnstile"
-                    onToken={onToken}
-                />
-            )}
             <UserState />
         </>
     );

vite_project/src/components/user-authentication/SignUp.tsx

@@ -1,10 +1,6 @@
-import {useEffect, useState} from "react";
+import {useState} from "react";
 import {useRegisterUser} from "../../hooks/domain/useRegisterUser.tsx";
 import {Spinner} from "../global/Spinner.tsx";
-import {useSystemState} from "../../state/System/useSystemState.ts";
-import {activity} from "../../../activity";
-import {Turnstile} from "../../security/Turnstile.tsx";
-import {useHumanVerification} from "../../hooks/domain/useHumanVerification.tsx";
 
 interface SignUpProps {
     onSuccess?: () => void;
@@ -19,24 +15,10 @@ export const SignUp: React.FC<SignUpProps> = ({ onSuccess, onCancel }) => {
         confirmPassword: '',
     });
     const { register, loadingRegister } = useRegisterUser();
-    const { cloudflareKey, isTurnstileEnabled } = useSystemState()
-    const [awaitingSecurity, setAwaitingSecurity] = useState(false);
-
     const [error, setError] = useState<string | null>(null);
     const [loading, setLoading] = useState(false);
 
-    const { token, onToken, isHumanVerified, requireVerification } = useHumanVerification();
-
-    const turnstileEnabled = isTurnstileEnabled();
-    const canSubmit =
-        status !== "loading" &&
-        (!turnstileEnabled || Boolean(token));
-
-    useEffect(() => {
-        if (awaitingSecurity && token) {
-            submitSignUp()
-        }
-    }, [awaitingSecurity, token]);
+    const canSubmit = status !== "loading";
 
     function handleChange(e: React.ChangeEvent<HTMLInputElement>) {
         setValues(v => ({ ...v, [e.target.name]: e.target.value }));
@@ -49,12 +31,6 @@ export const SignUp: React.FC<SignUpProps> = ({ onSuccess, onCancel }) => {
 
     async function submitSignUp() {
         setError(null);
-        setAwaitingSecurity(true);
-
-        if (!isHumanVerified) {
-            requireVerification()
-            return;
-        }
 
         if (values.password !== values.confirmPassword) {
             setError('Passwords do not match');
@@ -81,20 +57,12 @@ export const SignUp: React.FC<SignUpProps> = ({ onSuccess, onCancel }) => {
             setError('Signup failed');
         } finally {
             setLoading(false);
-            setAwaitingSecurity(false);
         }
     }
 
-    if (!turnstileEnabled) {
-        activity('form-ready', 'Turnstile Disabled',{
-            cloudflareKey
-        }, 'warn');
-    }
-
     if (loadingRegister) return <Spinner />
 
     return (
-        <>
             <form className="widget-form" onSubmit={handleSubmit}>
                 <h2>Sign Up</h2>
 
@@ -162,14 +130,5 @@ export const SignUp: React.FC<SignUpProps> = ({ onSuccess, onCancel }) => {
                     )}
                 </fieldset>
             </form>
-        {/* 2. The security gate */}
-        {turnstileEnabled && (
-            <Turnstile
-                siteKey={cloudflareKey}
-                containerId="booking-turnstile"
-                onToken={onToken}
-            />
-        )}
-        </>
     );
 };

vite_project/src/domain/user/authentication.ts

@@ -54,4 +54,18 @@ export async function loginWithGoogle(config: UserConfig) {
 
     activity('login', 'Google Login');
     window.location.href = `${config.auth}/auth/google?returnTo=${returnTo}`;
+}
+
+export async function verifyUser(config: UserConfig, token: string) {
+    const res = await fetch(`${config.auth}/security/verify-human`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ token }),
+    });
+
+    activity('verifyUser', 'Verify User', res);
+
+    if (!res.ok) {
+        throw new Error('Logout failed');
+    }
 }

vite_project/src/hooks/domain/useHumanVerification.tsx

@@ -28,13 +28,11 @@ export function useHumanVerification() {
 
     useEffect(() => {
         const onSuccess = (e: CustomEvent) => {
-            setToken(e.detail.token);
-            setVerifiedAt(Date.now());
+            onToken(e.detail.token);
         };
 
         const onExpired = () => {
-            setToken(null);
-            setVerifiedAt(null);
+            onToken(null);
         };
 
         window.addEventListener("booking:security-success", onSuccess as EventListener);

vite_project/src/hooks/domain/useTurnstileVerification.tsx

@@ -3,8 +3,8 @@ import type {KeystoneCartEventParams} from "../../types/infra/keystone";
 import {useSystemState} from "../../state/System/useSystemState.ts";
 
 const MUTATION = `
-    mutation AddToCart($eventId: ID!, $eventTypeId: ID!, $shampoo: Int, $userId: ID!, $turnstileToken: String!) {
-      addToCart(eventId: $eventId, eventTypeId: $eventTypeId, shampoo: $shampoo, userId: $userId, turnstileToken: $turnstileToken)
+    mutation AddToCart($eventId: ID!, $eventTypeId: ID!, $shampoo: Int, $userId: ID!) {
+      addToCart(eventId: $eventId, eventTypeId: $eventTypeId, shampoo: $shampoo, userId: $userId)
     }
 `;
 

vite_project/src/hooks/infra/useKeystoneAddToCart.tsx

@@ -1,7 +1,8 @@
 import { useEffect, useRef } from "react";
-import {ensureTurnstileLoaded} from "./turnstileService.ts";
 import {activity} from "../../activity";
-
+import {ensureTurnstileLoaded} from "./turnstileService.ts";
+import {verifyUser} from "../domain/user/authentication.ts";
+import {useUserState} from "../state/User/useUserState.ts";
 
 type TurnstileProps = {
     siteKey: string;
@@ -11,6 +12,7 @@ type TurnstileProps = {
 
 export function Turnstile({ siteKey, onToken, containerId }: TurnstileProps) {
     const widgetId = useRef<string | null>(null);
+    const { config } = useUserState()
 
     useEffect(() => {
         let cancelled = false;
@@ -30,7 +32,10 @@ export function Turnstile({ siteKey, onToken, containerId }: TurnstileProps) {
 
             widgetId.current = window.turnstile.render(container, {
                 sitekey: siteKey,
-                callback: onToken,
+                callback: (token: string) => {
+                    verifyUser(config, token)
+                    onToken(token)
+                },
                 "expired-callback": () => onToken(null),
             });
         });