CAPTCHA support with Cloudflare Turnstile

Cloudflare Turnstile is a friendly, free CAPTCHA replacement, and it works seamlessly with Supabase Edge Functions to protect your forms. View on GitHub.

Setup

Follow these steps to set up a new site: https://developers.cloudflare.com/turnstile/get-started/
Add the Cloudflare Turnstile widget to your site: https://developers.cloudflare.com/turnstile/get-started/client-side-rendering/

Code

Create a new function in your project:


_10supabase functions new cloudflare-turnstile

And add the code to the index.ts file:

index.ts


_38import { corsHeaders } from '../_shared/cors.ts'
_38
_38console.log('Hello from Cloudflare Trunstile!')
_38
_38function ips(req: Request) {
_38  return req.headers.get('x-forwarded-for')?.split(/\s*,\s*/)
_38}
_38
_38Deno.serve(async (req) => {
_38  // This is needed if you're planning to invoke your function from a browser.
_38  if (req.method === 'OPTIONS') {
_38    return new Response('ok', { headers: corsHeaders })
_38  }
_38
_38  const { token } = await req.json()
_38  const clientIps = ips(req) || ['']
_38  const ip = clientIps[0]
_38
_38  // Validate the token by calling the
_38  // "/siteverify" API endpoint.
_38  let formData = new FormData()
_38  formData.append('secret', Deno.env.get('CLOUDFLARE_SECRET_KEY') ?? '')
_38  formData.append('response', token)
_38  formData.append('remoteip', ip)
_38
_38  const url = 'https://challenges.cloudflare.com/turnstile/v0/siteverify'
_38  const result = await fetch(url, {
_38    body: formData,
_38    method: 'POST',
_38  })
_38
_38  const outcome = await result.json()
_38  console.log(outcome)
_38  if (outcome.success) {
_38    return new Response('success', { headers: corsHeaders })
_38  }
_38  return new Response('failure', { headers: corsHeaders })
_38})

Deploy the server-side validation Edge Functions

https://developers.cloudflare.com/turnstile/get-started/server-side-validation/


_10supabase functions deploy cloudflare-turnstile
_10supabase secrets set CLOUDFLARE_SECRET_KEY=your_secret_key

Invoke the function from your site


_10const { data, error } = await supabase.functions.invoke('cloudflare-turnstile', {
_10  body: { token },
_10})

CAPTCHA support with Cloudflare Turnstile

Setup#

Code#

Deploy the server-side validation Edge Functions#

Invoke the function from your site#

Setup

Code

Deploy the server-side validation Edge Functions

Invoke the function from your site