Turnstile: require token before joining a multiplayer game (#2572)

When user tries to join either a public or private multiplayer game, the turnstile callback is triggered, and the turnstile token is passed to the server when joining a game. ## Please complete the following: - [x] I have added screenshots for all UI updates - [x] I process any text displayed to the user through translateText() and I've added it to the en.json file - [x] I have added relevant tests to the test directory - [x] I confirm I have thoroughly tested these changes and take full responsibility for any bugs introduced ## Please put your Discord username so you can be contacted if a bug or regression is found: evan
2026-06-21 07:40:43 +00:00 · 2025-12-08 16:16:31 -08:00
parent 075c232d8a
commit 3314ca16ce
16 changed files with 219 additions and 29 deletions
@@ -120,6 +120,7 @@ jobs:
          R2_ACCESS_KEY: ${{ secrets.R2_ACCESS_KEY }}
          R2_BUCKET: ${{ secrets.R2_BUCKET }}
          R2_SECRET_KEY: ${{ secrets.R2_SECRET_KEY }}
+          TURNSTILE_SECRET_KEY: ${{ secrets.TURNSTILE_SECRET_KEY }}
          API_KEY: ${{ secrets.API_KEY }}
          SERVER_HOST_MASTERS: ${{ secrets.SERVER_HOST_MASTERS }}
          SERVER_HOST_FALK1: ${{ secrets.SERVER_HOST_FALK1 }}
@@ -78,6 +78,7 @@ jobs:
          R2_ACCESS_KEY: ${{ secrets.R2_ACCESS_KEY }}
          R2_BUCKET: ${{ secrets.R2_BUCKET }}
          R2_SECRET_KEY: ${{ secrets.R2_SECRET_KEY }}
+          TURNSTILE_SECRET_KEY: ${{ secrets.TURNSTILE_SECRET_KEY }}
          API_KEY: ${{ secrets.API_KEY }}
          SERVER_HOST_STAGING: ${{ secrets.SERVER_HOST_STAGING }}
          SSH_KEY: ~/.ssh/id_rsa
@@ -135,6 +136,7 @@ jobs:
          R2_ACCESS_KEY: ${{ secrets.R2_ACCESS_KEY }}
          R2_BUCKET: ${{ secrets.R2_BUCKET }}
          R2_SECRET_KEY: ${{ secrets.R2_SECRET_KEY }}
+          TURNSTILE_SECRET_KEY: ${{ secrets.TURNSTILE_SECRET_KEY }}
          API_KEY: ${{ secrets.API_KEY }}
          SERVER_HOST_FALK1: ${{ secrets.SERVER_HOST_FALK1 }}
          SSH_KEY: ~/.ssh/id_rsa
@@ -192,6 +194,7 @@ jobs:
          R2_ACCESS_KEY: ${{ secrets.R2_ACCESS_KEY }}
          R2_BUCKET: ${{ secrets.R2_BUCKET }}
          R2_SECRET_KEY: ${{ secrets.R2_SECRET_KEY }}
+          TURNSTILE_SECRET_KEY: ${{ secrets.TURNSTILE_SECRET_KEY }}
          API_KEY: ${{ secrets.API_KEY }}
          SERVER_HOST_FALK1: ${{ secrets.SERVER_HOST_FALK1 }}
          SSH_KEY: ~/.ssh/id_rsa
@@ -249,6 +252,7 @@ jobs:
          R2_ACCESS_KEY: ${{ secrets.R2_ACCESS_KEY }}
          R2_BUCKET: ${{ secrets.R2_BUCKET }}
          R2_SECRET_KEY: ${{ secrets.R2_SECRET_KEY }}
+          TURNSTILE_SECRET_KEY: ${{ secrets.TURNSTILE_SECRET_KEY }}
          API_KEY: ${{ secrets.API_KEY }}
          SERVER_HOST_FALK1: ${{ secrets.SERVER_HOST_FALK1 }}
          SSH_KEY: ~/.ssh/id_rsa
@@ -176,6 +176,7 @@ R2_ACCESS_KEY=$R2_ACCESS_KEY
 R2_SECRET_KEY=$R2_SECRET_KEY
 R2_BUCKET=$R2_BUCKET
 CF_API_TOKEN=$CF_API_TOKEN
+TURNSTILE_SECRET_KEY=$TURNSTILE_SECRET_KEY
 API_KEY=$API_KEY
 DOMAIN=$DOMAIN
 SUBDOMAIN=$SUBDOMAIN
@@ -58,6 +58,7 @@ export interface LobbyConfig {
  clientID: ClientID;
  gameID: GameID;
  token: string;
+  turnstileToken: string | null;
  // GameStartInfo only exists when playing a singleplayer game.
  gameStartInfo?: GameStartInfo;
  // GameRecord exists when replaying an archived game.
@@ -2,7 +2,9 @@ import version from "../../resources/version.txt";
 import { UserMeResponse } from "../core/ApiSchemas";
 import { EventBus } from "../core/EventBus";
 import { GameRecord, GameStartInfo, ID } from "../core/Schemas";
+import { GameEnv } from "../core/configuration/Config";
 import { getServerConfigFromClient } from "../core/configuration/ConfigLoader";
+import { GameType } from "../core/game/Game";
 import { UserSettings } from "../core/game/UserSettings";
 import "./AccountModal";
 import { joinLobby } from "./ClientGameRunner";
@@ -46,6 +48,7 @@ import "./styles.css";

 declare global {
  interface Window {
+    turnstile: any;
    enableAds: boolean;
    PageOS: {
      session: {
@@ -105,9 +108,16 @@ class Client {

  private gutterAds: GutterAds;

+  private turnstileTokenPromise: Promise<{
+    token: string;
+    createdAt: number;
+  }> | null = null;
+
  constructor() {}

  initialize(): void {
+    this.turnstileTokenPromise = getTurnstileToken();
+
    const gameVersion = document.getElementById(
      "game-version",
    ) as HTMLDivElement;
@@ -484,6 +494,7 @@ class Client {
              ? ""
              : this.flagInput.getCurrentFlag(),
        },
+        turnstileToken: await this.getTurnstileToken(lobby),
        playerName: this.usernameInput?.getCurrentUsername() ?? "",
        token: getPlayToken(),
        clientID: lobby.clientID,
@@ -596,6 +607,40 @@ class Client {
      }
    }, 100);
  }
+
+  private async getTurnstileToken(
+    lobby: JoinLobbyEvent,
+  ): Promise<string | null> {
+    const config = await getServerConfigFromClient();
+    if (
+      config.env() === GameEnv.Dev ||
+      lobby.gameStartInfo?.config.gameType === GameType.Singleplayer
+    ) {
+      return null;
+    }
+
+    const token = await this.turnstileTokenPromise;
+    if (token === null) {
+      return null;
+    }
+
+    const tokenTTL = 3 * 60 * 1000;
+    // If token is still valid, use it and kick off new one for next time
+    if (Date.now() < token.createdAt + tokenTTL) {
+      this.turnstileTokenPromise = getTurnstileToken(); // Prefetch for next join
+      return token.token;
+    }
+
+    // Token expired, get new one immediately
+    console.log("Turnstile token expired, getting new token");
+    const newToken = await getTurnstileToken();
+    this.turnstileTokenPromise = getTurnstileToken(); // Prefetch for next time
+
+    if (newToken === null) {
+      return null;
+    }
+    return newToken.token;
+  }
 }

 // Initialize the client when the DOM is loaded
@@ -642,3 +687,31 @@ function getPersistentIDFromCookie(): string {

  return newID;
 }
+
+async function getTurnstileToken(): Promise<{
+  token: string;
+  createdAt: number;
+}> {
+  const config = await getServerConfigFromClient();
+  const widgetId = window.turnstile.render("#turnstile-container", {
+    sitekey: config.turnstileSiteKey(),
+    size: "normal",
+    appearance: "interaction-only",
+    theme: "light",
+  });
+
+  return new Promise((resolve, reject) => {
+    window.turnstile.execute(widgetId, {
+      callback: (token: string) => {
+        window.turnstile.remove(widgetId);
+        console.log(`Turnstile token received: ${token}`);
+        resolve({ token, createdAt: Date.now() });
+      },
+      "error-callback": () => {
+        window.turnstile.remove(widgetId);
+        alert("Something went wrong, please refresh the page and try again.");
+        reject(new Error("Turnstile failed"));
+      },
+    });
+  });
+}
@@ -393,6 +393,7 @@ export class Transport {
      token: this.lobbyConfig.token,
      username: this.lobbyConfig.playerName,
      cosmetics: this.lobbyConfig.cosmetics,
+      turnstileToken: this.lobbyConfig.turnstileToken,
    } satisfies ClientJoinMessage);
  }

@@ -90,6 +90,13 @@
      document.documentElement.className = "preload";
    </script>

+    <!-- Cloudflare Turnstile -->
+    <script
+      src="https://challenges.cloudflare.com/turnstile/v0/api.js"
+      async
+      defer
+    ></script>
+
    <!-- Publift/Fuse ads -->
    <script
      async
@@ -201,7 +208,10 @@
      </div>
    </header>
    <div class="bg-image"></div>
-
+    <div
+      id="turnstile-container"
+      class="fixed top-1/2 left-1/2 -translate-x-1/2 -translate-y-1/2 z-[99999]"
+    ></div>
    <gutter-ads></gutter-ads>

    <!-- Main container with responsive padding -->
@@ -534,6 +534,7 @@ export const ClientJoinMessageSchema = z.object({
  username: UsernameSchema,
  // Server replaces the refs with the actual cosmetic data.
  cosmetics: PlayerCosmeticRefsSchema.optional(),
+  turnstileToken: z.string().nullable(),
 });

 export const ClientRejoinMessageSchema = z.object({
@@ -27,6 +27,8 @@ export enum GameEnv {
 }

 export interface ServerConfig {
+  turnstileSiteKey(): string;
+  turnstileSecretKey(): string;
  turnIntervalMs(): number;
  gameCreationRate(): number;
  lobbyMaxPlayers(
@@ -80,6 +80,10 @@ const numPlayersConfig = {
 } as const satisfies Record<GameMapType, [number, number, number]>;

 export abstract class DefaultServerConfig implements ServerConfig {
+  turnstileSecretKey(): string {
+    return process.env.TURNSTILE_SECRET_KEY ?? "";
+  }
+  abstract turnstileSiteKey(): string;
  allowedFlares(): string[] | undefined {
    return;
  }
@@ -1,10 +1,17 @@
-import { UnitInfo, UnitType } from "../game/Game";
 import { UserSettings } from "../game/UserSettings";
 import { GameConfig } from "../Schemas";
 import { GameEnv, ServerConfig } from "./Config";
 import { DefaultConfig, DefaultServerConfig } from "./DefaultConfig";

 export class DevServerConfig extends DefaultServerConfig {
+  turnstileSiteKey(): string {
+    return "1x00000000000000000000AA";
+  }
+
+  turnstileSecretKey(): string {
+    return "1x0000000000000000000000000000000AA";
+  }
+
  adminToken(): string {
    return "WARNING_DEV_ADMIN_KEY_DO_NOT_USE_IN_PRODUCTION";
  }
@@ -57,31 +64,4 @@ export class DevConfig extends DefaultConfig {
  ) {
    super(sc, gc, us, isReplay);
  }
-
-  unitInfo(type: UnitType): UnitInfo {
-    const info = super.unitInfo(type);
-    // eslint-disable-next-line @typescript-eslint/no-unused-vars
-    const oldCost = info.cost;
-    // info.cost = (p: Player) => oldCost(p) / 1000000000;
-    return info;
-  }
-
-  // tradeShipSpawnRate(): number {
-  //   return 10;
-  // }
-
-  // percentageTilesOwnedToWin(): number {
-  //     return 1
-  // }
-
-  // boatMaxDistance(): number {
-  //     return 5000
-  // }
-
-  //   numBots(): number {
-  //     return 0;
-  //   }
-  //   spawnNPCs(): boolean {
-  //     return false;
-  //   }
 }
@@ -8,6 +8,9 @@ export const preprodConfig = new (class extends DefaultServerConfig {
  numWorkers(): number {
    return 2;
  }
+  turnstileSiteKey(): string {
+    return "0x4AAAAAAB7QetxHwRCKw-aP";
+  }
  jwtAudience(): string {
    return "openfront.dev";
  }
@@ -11,4 +11,7 @@ export const prodConfig = new (class extends DefaultServerConfig {
  jwtAudience(): string {
    return "openfront.io";
  }
+  turnstileSiteKey(): string {
+    return "0x4AAAAAACFLkaecN39lS8sk";
+  }
 })();
@@ -0,0 +1,73 @@
+export async function verifyTurnstileToken(
+  ip: string,
+  turnstileToken: string | null,
+  turnstileSecret: string,
+): Promise<
+  | { status: "approved" }
+  | { status: "rejected"; reason: string }
+  | { status: "error"; reason: string }
+> {
+  if (!turnstileToken) {
+    return { status: "rejected", reason: "No turnstile token provided" };
+  }
+
+  try {
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), 3000);
+
+    const response = await fetch(
+      "https://challenges.cloudflare.com/turnstile/v0/siteverify",
+      {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+        },
+        body: JSON.stringify({
+          secret: turnstileSecret,
+          response: turnstileToken,
+          remoteip: ip,
+        }),
+        signal: controller.signal,
+      },
+    );
+
+    clearTimeout(timeoutId);
+
+    if (!response.ok) {
+      return {
+        status: "error",
+        reason: `Turnstile API returned ${response.status}`,
+      };
+    }
+
+    const result = (await response.json()) as {
+      success: boolean;
+      challenge_ts?: string;
+      hostname?: string;
+      "error-codes"?: string[];
+      action?: string;
+      cdata?: string;
+    };
+
+    if (!result.success) {
+      const codes = result["error-codes"]?.join(", ") ?? "unknown";
+      return {
+        status: "rejected",
+        reason: `Turnstile token validation failed: ${codes}`,
+      };
+    }
+
+    return { status: "approved" };
+  } catch (e) {
+    if (e instanceof Error && e.name === "AbortError") {
+      return {
+        status: "error",
+        reason: "Turnstile token validation timed out after 3 seconds",
+      };
+    }
+    return {
+      status: "error",
+      reason: `Turnstile token validation failed, ${e}`,
+    };
+  }
+}
@@ -24,8 +24,10 @@ import { GameManager } from "./GameManager";
 import { getUserMe, verifyClientToken } from "./jwt";
 import { logger } from "./Logger";

+import { GameEnv } from "../core/configuration/Config";
 import { MapPlaylist } from "./MapPlaylist";
 import { PrivilegeRefresher } from "./PrivilegeRefresher";
+import { verifyTurnstileToken } from "./Turnstile";
 import { initWorkerMetrics } from "./WorkerMetrics";

 const config = getServerConfigFromServer();
@@ -406,6 +408,31 @@ export async function startWorker() {
          return;
        }

+        if (config.env() !== GameEnv.Dev) {
+          const turnstileResult = await verifyTurnstileToken(
+            ip,
+            clientMsg.turnstileToken,
+            config.turnstileSecretKey(),
+          );
+          switch (turnstileResult.status) {
+            case "approved":
+              break;
+            case "rejected":
+              log.warn("Unauthorized: Turnstile token rejected", {
+                clientID: clientMsg.clientID,
+                reason: turnstileResult.reason,
+              });
+              ws.close(1002, "Unauthorized");
+              return;
+            case "error":
+              // Fail open, allow the client to join.
+              log.error("Turnstile token error", {
+                clientID: clientMsg.clientID,
+                reason: turnstileResult.reason,
+              });
+          }
+        }
+
        // Create client and add to game
        const client = new Client(
          clientMsg.clientID,
@@ -4,6 +4,12 @@ import { GameMapType } from "../../src/core/game/Game";
 import { GameID } from "../../src/core/Schemas";

 export class TestServerConfig implements ServerConfig {
+  turnstileSiteKey(): string {
+    throw new Error("Method not implemented.");
+  }
+  turnstileSecretKey(): string {
+    throw new Error("Method not implemented.");
+  }
  enableMatchmaking(): boolean {
    throw new Error("Method not implemented.");
  }