Add turnstile token to subscription #810

Merged
cocomarine merged 10 commits into main from 1353-add-turnstile-token-to-subscription
May 8, 2026

@cocomarine cocomarine commented May 6, 2026

Part of https://github.com/RaspberryPiFoundation/digital-editor-issues/issues/1353
(frontend PR: https://github.com/RaspberryPiFoundation/editor-standalone/pull/859)

Notes

  • Generated turnstile secret keys for staging and prod in Cloudflare and added them as CLOUDFLARE_TURNSTILE_SECRET_KEY to config var using terraform
  • Updated .env.example to reflect this

Co-authored-by: Copilot <copilot@github.com>
@cla-bot cla-bot Bot added the cla-signed label May 6, 2026

github-actions Bot commented May 6, 2026

Test coverage

89.41% line coverage reported by SimpleCov.
Run: https://github.com/RaspberryPiFoundation/editor-api/actions/runs/25550741178

@cocomarine cocomarine temporarily deployed to editor-api-p-1353-add-t-qbuyad May 7, 2026 08:10 Inactive
@cocomarine cocomarine temporarily deployed to editor-api-p-1353-add-t-pmdvip May 7, 2026 10:37 Inactive
Co-authored-by: Copilot <copilot@github.com>
@cocomarine cocomarine temporarily deployed to editor-api-p-1353-add-t-ojj2th May 7, 2026 14:21 Inactive
@cocomarine cocomarine marked this pull request as ready for review May 7, 2026 14:37
Copilot AI review requested due to automatic review settings May 7, 2026 14:37

Copilot AI left a comment

Pull request overview

Adds Cloudflare Turnstile bot-protection to the subscriptions endpoint by accepting a turnstile_token in the request and verifying it server-side (with fail-open behavior on upstream/network errors), supporting issue RaspberryPiFoundation/digital-editor-issues#1353.

Changes:

  • Add turnstile_token to subscription request payloads and add request specs covering success/failure/fail-open scenarios.
  • Add Turnstile verification before_action to Api::SubscriptionsController#create using Cloudflare’s siteverify endpoint.
  • Add application configuration and example env var for the Turnstile secret key and enablement flag.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| spec/requests/api/subscriptions_spec.rb | Extends subscription request payload and adds Turnstile integration request specs (failure + fail-open cases). |
| app/controllers/api/subscriptions_controller.rb | Enforces Turnstile verification (when enabled) before processing subscription creation. |
| config/application.rb | Adds config.x.cloudflare_turnstile secret + enablement derived from env. |
| .env.example | Documents CLOUDFLARE_TURNSTILE_SECRET_KEY for local/testing setup. |

Comment thread app/controllers/api/subscriptions_controller.rb
Comment thread app/controllers/api/subscriptions_controller.rb Outdated
Comment thread app/controllers/api/subscriptions_controller.rb Outdated
Comment thread .env.example Outdated
@cocomarine cocomarine temporarily deployed to editor-api-p-1353-add-t-ld5hgs May 7, 2026 15:12 Inactive
@cocomarine cocomarine temporarily deployed to editor-api-p-1353-add-t-ld5hgs May 7, 2026 15:17 Inactive

@zetter-rpf zetter-rpf left a comment

This is great

My only suggestion is that if the turnstile checking was in its own class rather than a method in the controller it might be easier to test independently of the controller (and then stub in the controller tests). I saw you used shared examples in the spec to help remove some of this duplication which is good, but can make the test files harder to work with. Up to you if you think this change is worth it.
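
The approach discussed in this thread (server-side Turnstile verification that fails open on upstream errors, pulled into its own class so it can be tested without the controller), as an added Ruby example that is not code from this pull request. The class name, the `Result` struct, the timeout and the injectable `http_post` callable are assumptions; the siteverify URL and the `secret`/`response`/`remoteip` fields are Cloudflare's.

```ruby
require "json"
require "net/http"
require "uri"

# Hypothetical service object; names are assumptions, not the PR's code.
class TurnstileVerifier
  SITEVERIFY_URL = URI("https://challenges.cloudflare.com/turnstile/v0/siteverify")
  Result = Struct.new(:allowed, :reason)

  # http_post is injectable so specs can stub Cloudflare without network access.
  def initialize(secret:, http_post: nil, timeout: 3)
    @secret = secret
    @timeout = timeout
    @http_post = http_post || method(:post_form)
  end

  def verify(token, remote_ip: nil)
    # A missing token is a client failure, not an upstream one: fail closed.
    return Result.new(false, :missing_token) if token.to_s.strip.empty?

    params = { "secret" => @secret, "response" => token }
    params["remoteip"] = remote_ip if remote_ip
    status, body = @http_post.call(params)

    # Upstream trouble (5xx) fails open, as the PR overview describes.
    return Result.new(true, :fail_open_upstream) if status >= 500

    parsed = JSON.parse(body)
    verified = parsed.is_a?(Hash) && parsed["success"] == true
    verified ? Result.new(true, :verified) : Result.new(false, :rejected)
  rescue JSON::ParserError, Timeout::Error, SocketError, SystemCallError
    # Network errors and unparseable bodies also fail open. The reason is
    # returned so the caller can log and alert on fail-open events.
    Result.new(true, :fail_open_error)
  end

  private

  def post_form(params)
    http = Net::HTTP.new(SITEVERIFY_URL.host, SITEVERIFY_URL.port)
    http.use_ssl = true
    http.open_timeout = @timeout
    http.read_timeout = @timeout
    request = Net::HTTP::Post.new(SITEVERIFY_URL)
    request.set_form_data(params)
    response = http.request(request)
    [response.code.to_i, response.body]
  end
end
```

Because every fail-open path returns a distinct `reason`, a controller using this can count those results and treat a sustained rise as a signal that bot protection is effectively off.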

@cocomarine cocomarine temporarily deployed to editor-api-p-1353-add-t-f0yfjv May 8, 2026 09:09 Inactive
@cocomarine cocomarine temporarily deployed to editor-api-p-1353-add-t-z1nwlw May 8, 2026 10:31 Inactive
@cocomarine cocomarine merged commit bb54448 into main May 8, 2026
5 checks passed
@cocomarine cocomarine deleted the 1353-add-turnstile-token-to-subscription branch May 8, 2026 10:50