enhance: form builder field Cloudflare Turnstile #1496
Conversation
WalkthroughThe pull request introduces several enhancements to the settings API and form builder components, particularly focusing on the integration of Cloudflare's Turnstile feature. Key changes include the addition of a toggle field method and conditional display logic for settings fields. A new Vue component for the Turnstile feature is created, along with associated templates and mixins. CSS styles are updated to support new UI elements, while the login process is fortified with Turnstile verification. Overall, these changes enhance user interaction and security within the form management system. Changes
Assessment against linked issues
Possibly related PRs
Suggested labels
Poem
Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media? 🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
CodeRabbit Configuration File (
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 18
🧹 Outside diff range and nitpick comments (16)
admin/form-builder/assets/js/components/form-cloudflare_turnstile/template.php (1)
1-1: Add ARIA role for better accessibility.The root container should have an appropriate ARIA role to improve accessibility.
-<div class="wpuf-fields"> +<div class="wpuf-fields" role="group" aria-label="Cloudflare Turnstile verification">admin/form-builder/assets/js/components/form-cloudflare_turnstile/index.js (1)
1-36: Consider adding documentation for component configurationThe component would benefit from JSDoc documentation explaining its purpose, required props, and configuration options.
Add comprehensive documentation:
/** * Field template: Cloudflare Turnstile + * + * @component form-cloudflare_turnstile + * @description Implements Cloudflare Turnstile integration for form validation + * + * @requires wpuf_form_builder - Global configuration object + * @requires wpuf_mixins.form_field_mixin - Form field mixin + * + * @property {Object} field - Field configuration + * @property {string} field.turnstile_theme - Theme ('light' or 'dark') + * @property {string} field.turnstile_size - Size ('normal' or 'compact') */admin/form-builder/assets/js/mixins/global.js (1)
47-49: Add JSDoc documentation for better maintainability.The implementation looks good and follows the pattern of
has_recaptcha_api_keys. Consider adding JSDoc documentation to describe the method's purpose and return value.+/** + * Checks if Cloudflare Turnstile API keys are configured. + * + * @returns {boolean} True if both site and secret keys are present, false otherwise. + */ has_turnstile_api_keys: function () { return wpuf_form_builder.turnstile_site && wpuf_form_builder.turnstile_secret; },templates/login-form.php (2)
Line range hint
1-1: Consider addressing the WooCommerce Multivendor Marketplace conflict.While the Turnstile integration looks good, the changes don't address the menu visibility issue mentioned in #646. Consider:
- Adding compatibility checks for the WooCommerce Multivendor Marketplace plugin
- Implementing proper menu priority handling
- Adding documentation about plugin compatibility
Would you like assistance in implementing these compatibility improvements?
SSL handling for reCAPTCHA is properly implemented but has room for improvement
The code correctly handles SSL through:
- Proper use of
is_ssl()in the template to determine SSL status- The
recaptcha_get_html()function switches between secure/non-secure endpoints based on the SSL flag- HTTPS endpoint is defined as
RECAPTCHA_API_SECURE_SERVERHowever, there are two minor concerns:
- Non-HTTPS endpoint is still defined in
recaptchalib.phpand used as fallback- Mailhide API link in error message uses HTTP
Recommendation:
- Consider enforcing HTTPS-only communication by always using
RECAPTCHA_API_SECURE_SERVER- Update documentation links to use HTTPS
🔗 Analysis chain
Line range hint
39-75: Verify SSL enforcement for reCAPTCHA.While the code properly escapes HTML output, let's verify the SSL configuration to ensure secure communication with reCAPTCHA servers.
Let me gather more information about the reCAPTCHA implementation to verify SSL handling.
Let me check how the API server selection is implemented in the reCAPTCHA library.
🏁 Scripts executed
The following scripts were executed for the analysis:
Script:
#!/bin/bash # Check if SSL is properly enforced for reCAPTCHA echo "Checking for SSL enforcement in configuration..." rg -A 2 "FORCE_SSL|force_ssl|require_ssl" # Check if there are any non-HTTPS reCAPTCHA implementations echo "Checking for potential non-HTTPS reCAPTCHA usage..." rg -A 2 "recaptcha.*http://"Length of output: 499
Script:
#!/bin/bash # Check the recaptchalib.php implementation for SSL handling echo "Checking recaptchalib.php implementation..." rg -A 10 "is_ssl|HTTPS|secure" Lib/recaptchalib.php # Check if there are any reCAPTCHA API endpoint definitions echo "Checking reCAPTCHA API endpoints..." rg -A 2 "api-server|api_server|RECAPTCHA_API_SERVER" Lib/recaptchalib.php # Check for any reCAPTCHA configuration settings echo "Checking reCAPTCHA configuration..." ast-grep --pattern 'wpuf_get_option($_, "wpuf_general")'Length of output: 712
Script:
#!/bin/bash # Check how secure server is selected echo "Checking server selection logic..." rg -B 5 -A 10 "\$server = RECAPTCHA_API_SERVER" Lib/recaptchalib.php # Check recaptcha_get_html function implementation echo "Checking recaptcha_get_html function..." rg -B 2 -A 15 "function recaptcha_get_html" Lib/recaptchalib.phpLength of output: 934
includes/Fields/Form_Field_Cloudflare_Turnstile.php (4)
5-8: Add comprehensive class documentation.The class documentation should include:
- Purpose of the class
- Requirements (Cloudflare Turnstile setup)
- Usage example
- @SInCE tag with version number
68-80: Improve validation configuration.The implementation looks good, but consider these improvements:
- Document the
has_turnstile_api_keyscallback function- Escape URLs properly
return [ 'callback' => 'has_turnstile_api_keys', 'button_class' => 'button-faded', 'msg_title' => __( 'Site key and Secret key', 'wp-user-frontend' ), 'msg' => sprintf( // translators: %s: settings url __( 'You need to set Site key and Secret key in <a href="%1$s" target="_blank">Settings</a> in order to use "Cloudflare Turnstile" field. <a href="%2$s" target="_blank">Click here to get the these key</a>.', 'wp-user-frontend' ), - admin_url( 'admin.php?page=wpuf-settings' ), - 'https://developers.cloudflare.com/turnstile/' + esc_url( admin_url( 'admin.php?page=wpuf-settings' ) ), + esc_url( 'https://developers.cloudflare.com/turnstile/' ) ), ];
89-143: Add missing translations and validation.Consider these improvements:
- Add missing translations for field titles
- Add validation for radio options to ensure only valid values are accepted
[ 'name' => 'turnstile_theme', - 'title' => 'Turnstile Theme', + 'title' => __( 'Turnstile Theme', 'wp-user-frontend' ), 'type' => 'radio', 'options' => [ 'light' => __( 'Light', 'wp-user-frontend' ), 'dark' => __( 'Dark', 'wp-user-frontend' ), ], + 'sanitize_callback' => function( $value ) { + return in_array( $value, ['light', 'dark'] ) ? $value : 'light'; + }, 'default' => 'light', // ... ],
152-167: Document return values and fix inconsistency.
- Add documentation for return values
- Fix inconsistent input_type value (turnstile vs cloudflare_turnstile)
+ /** + * Get the field properties + * + * @return array { + * Field properties + * + * @type string $input_type Type of input field + * @type string $template Template name + * @type string $label Field label + * @type string $turnstile_type Turnstile widget type + * @type string $turnstile_theme Turnstile theme + * @type string $turnstile_size Turnstile size + * @type string $is_meta Whether field is meta + * @type int $id Field ID + * @type mixed $wpuf_cond Conditional logic + * } + */ public function get_field_props() { $props = [ - 'input_type' => 'turnstile', + 'input_type' => 'cloudflare_turnstile', 'template' => $this->get_type(), // ... ]; return $props; }assets/js/wpuf-form-builder-mixins.js (1)
154-156: LGTM! Consider adding JSDoc documentation.The implementation is clean and follows the established patterns. For consistency with other methods, consider adding JSDoc documentation.
+ /** + * Check if Turnstile API keys are configured + * + * @return {boolean} True if both site and secret keys are present + */ has_turnstile_api_keys: function () { return wpuf_form_builder.turnstile_site && wpuf_form_builder.turnstile_secret; },includes/Admin/Forms/Field_Manager.php (2)
175-175: Consider UX implications of multiple CAPTCHA options.The field is correctly added to the Others section. However, since both reCAPTCHA and Cloudflare Turnstile serve similar purposes, consider:
- Adding validation to prevent both from being used simultaneously
- Adding UI hints to help users choose between the two options
- Documenting the differences and use cases for each
Would you like me to help implement these UX improvements or create an issue to track them?
87-106: Consider adding documentation for the Turnstile integration.While the implementation is solid, it would be helpful to add:
- PHPDoc comments explaining the Turnstile field's purpose and configuration requirements
- Code examples in the class documentation showing how to properly configure and use the Turnstile field
Example documentation to add above the
register_field_types()method:/** * Register the field types * * Available fields: * - Post fields (title, content, tags) * - Custom fields (text, textarea, etc.) * - Security fields: * - reCAPTCHA: Google's CAPTCHA solution * - Cloudflare Turnstile: Alternative to reCAPTCHA with better privacy * * @since x.x.x Added Cloudflare Turnstile field * @return void */assets/less/admin.less (1)
1172-1223: LGTM! Well-implemented toggle switch component.The toggle switch implementation follows best practices with:
- Proper accessibility support via focus states
- Smooth transitions for better UX
- Consistent WordPress admin theme colors
- Clean and maintainable LESS structure
Consider adding these minor enhancements:
.wpuf-toggle-switch { // Add disabled state styling + &.disabled { + opacity: 0.5; + cursor: not-allowed; + + .slider { + cursor: not-allowed; + } + } // Add RTL support + [dir="rtl"] & { + .slider::before { + left: auto; + right: 3px; + } + + input:checked + .slider:before { + transform: translateX(-26px); + } + } }includes/functions/settings-options.php (1)
Line range hint
162-467: Consider adding validation for API keys.While the implementation is solid, consider adding validation for the Turnstile API keys to ensure they are properly formatted before saving.
// Add this to the beginning of the file after the function declaration function validate_turnstile_keys($input) { if (!empty($input['turnstile_site_key']) && !preg_match('/^[0-9A-Za-z_-]+$/', $input['turnstile_site_key'])) { add_settings_error('wpuf_settings', 'invalid_site_key', __('Invalid Turnstile Site Key format', 'wp-user-frontend')); } if (!empty($input['turnstile_secret_key']) && !preg_match('/^[0-9A-Za-z_-]+$/', $input['turnstile_secret_key'])) { add_settings_error('wpuf_settings', 'invalid_secret_key', __('Invalid Turnstile Secret Key format', 'wp-user-frontend')); } return $input; }assets/js-templates/form-components.php (1)
441-454: The Cloudflare Turnstile template implementation looks good, but needs accessibility improvements.The template structure and conditional rendering are well implemented. However, consider the following improvements:
Apply these changes to enhance accessibility and error handling:
<template v-else> <img class="wpuf-turnstile-placeholder" :src="turnstile_image" - alt=""> + :alt="<?php esc_attr_e('Cloudflare Turnstile verification', 'wp-user-frontend'); ?>" + @error="handleImageError" + role="img" + aria-label="<?php esc_attr_e('Cloudflare Turnstile verification widget', 'wp-user-frontend'); ?>"> </template>assets/css/frontend-forms.css (1)
Line range hint
87-93: Consider enhancing error message accessibility and consistency.The error message styling could be improved for better accessibility and user experience:
- Increase color contrast for better readability
- Add support for error icons
- Ensure consistent spacing across all message types (error, success, info)
Consider applying these improvements:
body .wpuf-error { background-color: #f2dede; color: #a94442; border: 1px solid #ebccd1; margin: 10px 0 20px 0; padding: 10px; + /* Improve contrast ratio */ + background-color: #fde8e8; + color: #842029; + /* Add icon support */ + padding-left: 35px; + background-image: url('../images/error-icon.svg'); + background-repeat: no-repeat; + background-position: 10px center; + background-size: 16px; -webkit-border-radius: 3px; -moz-border-radius: 3px; border-radius: 3px; font-size: 13px; }
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
⛔ Files ignored due to path filters (4)
assets/images/cloudflare-placeholder-dark-compact.pngis excluded by!**/*.pngassets/images/cloudflare-placeholder-dark.pngis excluded by!**/*.pngassets/images/cloudflare-placeholder-light-compact.pngis excluded by!**/*.pngassets/images/cloudflare-placeholder-light.pngis excluded by!**/*.png
📒 Files selected for processing (20)
Lib/WeDevs_Settings_API.php(4 hunks)admin/form-builder/assets/js/components/form-cloudflare_turnstile/index.js(1 hunks)admin/form-builder/assets/js/components/form-cloudflare_turnstile/template.php(1 hunks)admin/form-builder/assets/js/mixins/global.js(1 hunks)assets/css/admin.css(1 hunks)assets/css/admin/wpuf-module.css(0 hunks)assets/css/frontend-forms.css(1 hunks)assets/js-templates/form-components.php(1 hunks)assets/js/wpuf-form-builder-components.js(1 hunks)assets/js/wpuf-form-builder-mixins.js(1 hunks)assets/less/admin.less(1 hunks)assets/less/frontend-forms.less(1 hunks)includes/Admin/Forms/Admin_Form_Builder.php(2 hunks)includes/Admin/Forms/Field_Manager.php(3 hunks)includes/Admin/Plugin_Upgrade_Notice.php(1 hunks)includes/Assets.php(2 hunks)includes/Fields/Form_Field_Cloudflare_Turnstile.php(1 hunks)includes/Free/Simple_Login.php(5 hunks)includes/functions/settings-options.php(2 hunks)templates/login-form.php(2 hunks)
💤 Files with no reviewable changes (1)
- assets/css/admin/wpuf-module.css
✅ Files skipped from review due to trivial changes (1)
- includes/Admin/Plugin_Upgrade_Notice.php
🔇 Additional comments (19)
admin/form-builder/assets/js/components/form-cloudflare_turnstile/template.php (2)
1-12: Verify Turnstile integration security measures.
The template appears to be part of a security feature implementation. We should ensure proper integration with Cloudflare Turnstile.
Run this script to verify the security implementation:
#!/bin/bash
# Description: Verify the Turnstile security implementation
# Expected: Proper validation and error handling should be in place
# Check for AJAX endpoints handling Turnstile verification
rg -l "turnstile.*verify"
# Check for nonce implementation
rg -l "wp_nonce.*turnstile"
# Check for error handling
rg -l "turnstile.*error"Architecture recommendations:
- Ensure server-side validation is implemented for Turnstile responses
- Implement rate limiting for verification attempts
- Add proper error handling for network failures or invalid responses
- Consider implementing a fallback mechanism when Turnstile is unavailable
2-4: Verify error message content and styling.
The template uses v-html which could potentially expose XSS vulnerabilities if the message contains user input. Additionally, the error message should be styled appropriately to catch user attention.
Run this script to check the message content and any associated styles:
✅ Verification successful
Based on the search results, I can now provide a final response:
The use of v-html is safe in this context since the error message comes from a trusted source
The error message content (no_api_keys_msg) is sourced from wpuf_form_builder.field_settings.turnstile.validator.msg, which is a server-side defined message and not user input. This is a trusted source controlled by the application, eliminating XSS risk.
The error styling is handled through the application's CSS framework, with proper error/alert styling classes available in the CSS files.
🏁 Scripts executed
The following scripts were executed for the analysis:
Script:
#!/bin/bash
# Description: Verify the error message content and styling
# Expected: The message should be a hardcoded string without user input
# and have appropriate error styling
# Check for message definition
rg -A 5 "no_api_keys_msg"
# Check for any associated CSS styles
rg -t css "wpuf-fields.*error"
Length of output: 115
Script:
#!/bin/bash
# Let's try different search patterns and check the component definition
# Search for the component file containing turnstile
fd -e js -e vue turnstile
# Search for the component definition and data properties
rg -A 10 "no_api_keys_msg" --type js --type vue --type php
# Search specifically in the form-builder directory
fd . admin/form-builder -t f -e js -e vue -e php | xargs cat
# Check for any error styling in CSS files within form-builder
fd . admin/form-builder -t f -e css | xargs cat
Length of output: 141627
Script:
#!/bin/bash
# Let's search for the component definition and error message content
rg -A 5 "no_api_keys_msg" admin/form-builder/assets/js/components/form-cloudflare_turnstile/
# Search for any error styling in the main CSS files
fd -e css . | xargs rg "error|alert|warning"
# Search for turnstile validator message definition
rg -A 5 "turnstile.*validator" admin/form-builder/assets/js/
Length of output: 124362
admin/form-builder/assets/js/components/form-cloudflare_turnstile/index.js (1)
4-9: Verify template existence and mixin compatibility
The component setup looks good, following Vue.js best practices.
Let's verify the template existence and mixin compatibility:
✅ Verification successful
Let me verify the template content to ensure it's properly defined.
Component setup is properly configured and integrated
The verification confirms:
- Template exists in
assets/js-templates/form-components.phpwith correct structure and conditional rendering - Component correctly uses
form_field_mixinwhich is well-defined with expected props and computed properties - The implementation follows Vue.js best practices for component architecture
🏁 Scripts executed
The following scripts were executed for the analysis:
Script:
#!/bin/bash
# Description: Verify template existence and mixin compatibility
# Test 1: Check if template exists in PHP files
echo "Checking for template definition..."
rg -l "tmpl-wpuf-form-cloudflare_turnstile" --type php
# Test 2: Verify form_field_mixin properties usage
echo "Checking mixin property usage..."
rg "form_field_mixin" --type js
Length of output: 4282
Script:
#!/bin/bash
# Check the template content in the PHP file
echo "Checking template content..."
rg -A 10 "tmpl-wpuf-form-cloudflare_turnstile" assets/js-templates/form-components.php
# Check form_field_mixin definition
echo "Checking form_field_mixin definition..."
rg -A 10 "form_field_mixin = {" admin/form-builder/assets/js/mixins/form-field.js
Length of output: 770
Script:
#!/bin/bash
# Check form_field_mixin definition with fixed regex
echo "Checking form_field_mixin definition..."
rg -A 10 "wpuf_mixins.form_field_mixin =" admin/form-builder/assets/js/mixins/form-field.js
# Get more template context
echo "Getting more template context..."
rg -B 2 -A 15 'tmpl-wpuf-form-cloudflare_turnstile' assets/js-templates/form-components.php
Length of output: 1023
templates/login-form.php (1)
33-38: LGTM! Clean and consistent option retrieval.
The code follows a consistent pattern for retrieving both reCAPTCHA and Turnstile configuration options.
includes/Fields/Form_Field_Cloudflare_Turnstile.php (1)
1-168: Verify integration with WooCommerce Multivendor Marketplace plugin.
The code doesn't show direct handling of the mentioned conflict with WooCommerce Multivendor Marketplace plugin where the User Frontend menu disappears.
includes/Admin/Forms/Field_Manager.php (2)
8-8: LGTM! Import statement is properly placed.
The import for the new Cloudflare Turnstile field class follows the existing code style and maintains alphabetical ordering.
105-105: Verify the Cloudflare Turnstile field class implementation.
The field registration looks good, but let's ensure the class exists and implements the required contract.
✅ Verification successful
Let me verify the field contract implementation further to ensure all required methods are present.
Let me check the parent contract class to verify the required methods.
Let me verify if the remaining required method is implemented.
Field class implementation verified successfully
The Form_Field_Cloudflare_Turnstile class properly extends Field_Contract and implements all required abstract methods:
render()get_field_props()get_options_settings()
🏁 Scripts executed
The following scripts were executed for the analysis:
Script:
#!/bin/bash
# Description: Verify the Cloudflare Turnstile field class implementation
# Test 1: Check if the class file exists
echo "Checking for field class file..."
fd "Form_Field_Cloudflare_Turnstile.php" --type f
# Test 2: Verify class extends Field_Contract
echo "Verifying class implementation..."
rg -A 2 "class Form_Field_Cloudflare_Turnstile" --type php
Length of output: 647
Script:
#!/bin/bash
# Check for required contract methods implementation
echo "Checking required contract methods..."
rg "function (get_field|render|get_js_settings|sanitize|validate)" includes/Fields/Form_Field_Cloudflare_Turnstile.php
Length of output: 336
Script:
#!/bin/bash
# Check the Field_Contract class for required methods
echo "Checking Field_Contract class..."
fd "Field_Contract.php" --type f
echo "Checking abstract methods in Field_Contract..."
rg "abstract.*function" --type php $(fd "Field_Contract.php" --type f)
Length of output: 551
Script:
#!/bin/bash
# Check for get_options_settings implementation
echo "Checking get_options_settings implementation..."
rg -A 5 "function get_options_settings" includes/Fields/Form_Field_Cloudflare_Turnstile.php
Length of output: 436
includes/Admin/Forms/Admin_Form_Builder.php (1)
127-127: LGTM: Turnstile field type registration
The addition of 'cloudflare_turnstile' to the single objects array follows the established pattern for registering new form field types.
includes/Assets.php (1)
377-379: 🛠️ Refactor suggestion
Consider improving the Turnstile script integration.
While adding Cloudflare Turnstile support is good, there are several improvements to consider:
- The script references
onloadTurnstilecallback but this callback needs to be defined before the script loads. - Consider conditionally loading the script only when needed (e.g., when a form with Turnstile is present).
- Add version parameter and error handling for better maintenance and reliability.
Let's verify the callback implementation:
Consider implementing the script registration like this:
'turnstile' => [
- 'src' => 'https://challenges.cloudflare.com/turnstile/v0/api.js?onload=onloadTurnstileCallback',
+ 'src' => 'https://challenges.cloudflare.com/turnstile/v0/api.js',
+ 'version' => WPUF_VERSION,
+ 'in_footer' => true,
+ 'deps' => ['jquery'],
],Then handle the initialization in your form field JavaScript:
// Example initialization code
window.onloadTurnstileCallback = function () {
// Initialize Turnstile widgets
};✅ Verification successful
The Turnstile integration appears to be properly implemented
The verification shows that:
- The
onloadTurnstileCallbackis correctly defined in bothtemplates/login-form.phpandincludes/Fields/Form_Field_Cloudflare_Turnstile.php - The script is conditionally loaded based on settings (
enable_turnstileoption) - Proper error handling and verification are implemented in
Simple_Login.php - The integration includes configuration options for theme, size, and type
- The callback is properly implemented to initialize Turnstile widgets with site-specific configuration
🏁 Scripts executed
The following scripts were executed for the analysis:
Script:
#!/bin/bash
# Search for the onloadTurnstileCallback definition
echo "Searching for callback definition..."
rg "onloadTurnstileCallback"
# Search for Turnstile-related code
echo "Searching for Turnstile-related code..."
rg -i "turnstile" --type php
Length of output: 9722
includes/functions/settings-options.php (3)
162-184: LGTM! Well-structured Turnstile configuration.
The implementation follows WordPress settings API best practices:
- Toggle field for enabling/disabling the feature
- Proper dependency management for API keys
- Clear documentation link to Cloudflare Turnstile
457-467: LGTM! Well-implemented login form integration.
The Turnstile login form toggle is properly:
- Dependent on the main Turnstile enable setting
- Using consistent naming convention
- Including clear description for configuration requirements
Line range hint 162-467: Verify Turnstile integration in templates.
Let's verify that the corresponding template files have been updated to include the Turnstile widget when enabled.
✅ Verification successful
Let me check the actual implementation of Turnstile in the login form template.
Let me verify the Turnstile script loading implementation.
Let me check the Simple_Login class to verify the Turnstile validation implementation.
Based on the code analysis, I can now provide a final response:
Turnstile integration is properly implemented in the login template and validation logic.
- Login form template (
templates/login-form.php) correctly includes the Turnstile widget with proper site key and callback - Assets class (
includes/Assets.php) registers the required Turnstile script - Simple_Login class (
includes/Free/Simple_Login.php) implements proper server-side validation with error handling
🏁 Scripts executed
The following scripts were executed for the analysis:
Script:
#!/bin/bash
# Search for Turnstile widget integration in template files
rg -l "turnstile" --type php
Length of output: 398
Script:
#!/bin/bash
# Check login form template for Turnstile implementation
cat templates/login-form.php
Length of output: 4290
Script:
#!/bin/bash
# Check Assets.php for Turnstile script loading
cat includes/Assets.php
Length of output: 15231
Script:
#!/bin/bash
# Check Simple_Login class for Turnstile validation
cat includes/Free/Simple_Login.php
Length of output: 42243
assets/css/admin.css (1)
947-990: LGTM! Well-implemented toggle switch component.
The toggle switch implementation follows best practices with:
- Clean structure and proper positioning
- Smooth transitions and animations
- Accessible focus states
- Proper state management
assets/js-templates/form-components.php (1)
441-454: Verify Turnstile integration and potential conflicts.
Let's ensure the component is properly integrated and doesn't conflict with existing security measures.
✅ Verification successful
Let me gather more specific information about the implementation to ensure there are no conflicts in the security components.
Let me check one more aspect to verify how the Turnstile and reCAPTCHA fields are handled in the form builder and validation logic.
Based on the gathered information, I can now provide a final response about the Turnstile integration.
Turnstile integration appears properly implemented with separate concerns
The component is correctly integrated with proper separation from other security components:
- Vue component is properly registered in the form builder
- Turnstile field is implemented as a separate class with its own asset loading
- Template implementation follows the same pattern as other form components
- No direct conflicts found with reCAPTCHA implementation as they are handled as separate field types
The only suggestion would be to ensure proper documentation of the API keys setup since the template includes a conditional for has_turnstile_api_keys.
🏁 Scripts executed
The following scripts were executed for the analysis:
Script:
#!/bin/bash
# Description: Check Turnstile integration and potential conflicts
# Check if the component is registered
echo "Checking component registration..."
rg -l "Vue\.component.*form-cloudflare_turnstile"
# Check for potential conflicts with other security components
echo "Checking for potential conflicts..."
rg -l "recaptcha|hcaptcha|turnstile" --type php
# Check if required assets are properly enqueued
echo "Checking asset loading..."
rg -l "wp_enqueue.*turnstile" --type php
Length of output: 1464
Script:
#!/bin/bash
# Check the actual implementation of Turnstile and reCAPTCHA to verify they don't interfere
# Check Turnstile field implementation
echo "=== Turnstile Field Implementation ==="
rg -A 10 "class Form_Field_Cloudflare_Turnstile" includes/Fields/Form_Field_Cloudflare_Turnstile.php
# Check if there's any conditional loading or mutual exclusion
echo -e "\n=== Checking for conditional loading ==="
rg "turnstile.*recaptcha|recaptcha.*turnstile" -A 5
# Check component registration to verify proper initialization
echo -e "\n=== Component Registration Details ==="
rg "Vue\.component.*form-cloudflare_turnstile" -A 5 assets/js/wpuf-form-builder-components.js
# Check form rendering logic
echo -e "\n=== Form Rendering Logic ==="
rg "render.*turnstile" includes/class-frontend-render-form.php
Length of output: 1190
Script:
#!/bin/bash
# Check form validation and field handling
# Check field registration and validation
echo "=== Field Registration ==="
rg -A 10 "register_field_type.*cloudflare_turnstile|register_field_type.*recaptcha" includes/
# Check template handling
echo -e "\n=== Template Handling ==="
cat admin/form-builder/assets/js/components/form-cloudflare_turnstile/template.php
# Check if there are any validation conflicts
echo -e "\n=== Validation Logic ==="
rg "validate.*turnstile|validate.*recaptcha" includes/
# Check asset dependencies
echo -e "\n=== Asset Dependencies ==="
rg "wp_enqueue_script.*turnstile" -A 3 includes/
Length of output: 1376
assets/less/frontend-forms.less (1)
119-119: LGTM! Margin adjustment improves consistency.
The change from margin: 10px 10px 20px; to margin: 10px 0 20px 0; standardizes the vertical spacing while removing horizontal margins, which improves the alignment consistency of error messages.
assets/js/wpuf-form-builder-components.js (1)
768-803: Implementation looks good with some security considerations.
The Cloudflare Turnstile component is well-structured and follows Vue.js best practices. A few observations:
- The component correctly validates API keys before rendering
- The image URL generation is properly handled with theme/size variations
- The error messaging for missing API keys is user-friendly
Let's verify the Turnstile API key configuration:
Consider implementing the following enhancements:
- Add error handling for API key validation failures
- Consider caching the validation result to avoid repeated checks
- Add loading states for when the Turnstile widget is initializing
✅ Verification successful
Turnstile configuration is properly implemented and secure
The verification confirms that the Cloudflare Turnstile integration is well-implemented:
- Site and secret keys are properly managed through WordPress options system (
wpuf_get_option) - Keys are correctly passed to the form builder via
wpuf_form_builderobject - Implementation includes proper escaping (
esc_attr,esc_js) when outputting keys - Keys are validated both server-side and client-side before rendering
- The component's computed property correctly checks for both keys
The initial review suggestions for enhancements, while good practices, are not critical as the core implementation is secure and follows best practices.
🏁 Scripts executed
The following scripts were executed for the analysis:
Script:
#!/bin/bash
# Description: Check if Turnstile configuration is properly defined in settings
# Test: Search for Turnstile configuration. Expect: Configuration in settings files
rg -A 2 "turnstile_site|turnstile_secret"
Length of output: 3502
assets/css/frontend-forms.css (1)
87-87: LGTM: Error message margin adjustment improves alignment.
The change to remove horizontal margins while maintaining vertical spacing creates better alignment with other form elements.
includes/Free/Simple_Login.php (2)
22-28: Addition of $cf_messages property is appropriate
The new private property $cf_messages is properly declared and documented, which will help store Cloudflare Turnstile messages effectively.
404-408: Conditionally enqueue Turnstile script based on settings
The Turnstile script is correctly enqueued when the enable_turnstile option is set to 'on', ensuring that the script is only loaded when necessary.
| <img | ||
| class="wpuf-turnstile-placeholder" | ||
| :src="turnstile_image" | ||
| alt=""> | ||
| </template> |
There was a problem hiding this comment.
🛠️ Refactor suggestion
Enhance image accessibility and loading behavior.
The image element could be improved for better accessibility and user experience.
<img
class="wpuf-turnstile-placeholder"
:src="turnstile_image"
- alt="">
+ :alt="'Cloudflare Turnstile verification widget'"
+ loading="lazy"
+ @error="handleImageLoadError">Consider adding:
- A meaningful alt text for screen readers
- Lazy loading for better performance
- Error handling for failed image loads
Committable suggestion was skipped due to low confidence.
| no_api_keys_msg: function () { | ||
| return wpuf_form_builder.field_settings.turnstile.validator.msg; | ||
| }, |
There was a problem hiding this comment.
Add null check for field settings access
Similar to the previous issue, add defensive checks for accessing nested properties.
Apply this diff to prevent potential undefined errors:
no_api_keys_msg: function () {
- return wpuf_form_builder.field_settings.turnstile.validator.msg;
+ return wpuf_form_builder?.field_settings?.turnstile?.validator?.msg || 'API keys are required';
}📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| no_api_keys_msg: function () { | |
| return wpuf_form_builder.field_settings.turnstile.validator.msg; | |
| }, | |
| no_api_keys_msg: function () { | |
| return wpuf_form_builder?.field_settings?.turnstile?.validator?.msg || 'API keys are required'; | |
| }, |
| has_turnstile_api_keys: function () { | ||
| return wpuf_form_builder.turnstile_site && wpuf_form_builder.turnstile_secret; | ||
| }, |
There was a problem hiding this comment.
Add defensive checks for global object access
The code assumes wpuf_form_builder is always defined. Consider adding defensive checks to prevent runtime errors.
Apply this diff to add defensive checks:
has_turnstile_api_keys: function () {
- return wpuf_form_builder.turnstile_site && wpuf_form_builder.turnstile_secret;
+ return typeof wpuf_form_builder !== 'undefined'
+ && wpuf_form_builder.turnstile_site
+ && wpuf_form_builder.turnstile_secret;
}📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| has_turnstile_api_keys: function () { | |
| return wpuf_form_builder.turnstile_site && wpuf_form_builder.turnstile_secret; | |
| }, | |
| has_turnstile_api_keys: function () { | |
| return typeof wpuf_form_builder !== 'undefined' | |
| && wpuf_form_builder.turnstile_site | |
| && wpuf_form_builder.turnstile_secret; | |
| }, |
| turnstile_image: function () { | ||
| var base_url = wpuf_form_builder.asset_url + '/images/cloudflare-placeholder-'; | ||
|
|
||
| if (this.field.turnstile_theme === 'dark') { | ||
| base_url += 'dark'; | ||
| } else { | ||
| base_url += 'light'; | ||
| } | ||
|
|
||
| if (this.field.turnstile_size === 'compact') { | ||
| base_url += '-compact'; | ||
| } | ||
|
|
||
| return base_url + '.png'; | ||
| } |
There was a problem hiding this comment.
Enhance input validation for theme and size properties
The function should validate the theme and size values before using them in URL construction. Also, consider using a constant for the base URL.
Apply this diff to improve the implementation:
+ const VALID_THEMES = ['dark', 'light'];
+ const VALID_SIZES = ['normal', 'compact'];
+ const BASE_PLACEHOLDER_PATH = '/images/cloudflare-placeholder-';
turnstile_image: function () {
- var base_url = wpuf_form_builder.asset_url + '/images/cloudflare-placeholder-';
+ if (typeof wpuf_form_builder === 'undefined' || !wpuf_form_builder.asset_url) {
+ console.error('Asset URL is not defined');
+ return '';
+ }
+
+ const theme = VALID_THEMES.includes(this.field.turnstile_theme)
+ ? this.field.turnstile_theme
+ : 'light';
+
+ const size = VALID_SIZES.includes(this.field.turnstile_size)
+ ? this.field.turnstile_size
+ : 'normal';
+
+ let imagePath = BASE_PLACEHOLDER_PATH + theme;
+ if (size === 'compact') {
+ imagePath += '-compact';
+ }
+
+ return wpuf_form_builder.asset_url + imagePath + '.png';
}📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| turnstile_image: function () { | |
| var base_url = wpuf_form_builder.asset_url + '/images/cloudflare-placeholder-'; | |
| if (this.field.turnstile_theme === 'dark') { | |
| base_url += 'dark'; | |
| } else { | |
| base_url += 'light'; | |
| } | |
| if (this.field.turnstile_size === 'compact') { | |
| base_url += '-compact'; | |
| } | |
| return base_url + '.png'; | |
| } | |
| const VALID_THEMES = ['dark', 'light']; | |
| const VALID_SIZES = ['normal', 'compact']; | |
| const BASE_PLACEHOLDER_PATH = '/images/cloudflare-placeholder-'; | |
| turnstile_image: function () { | |
| if (typeof wpuf_form_builder === 'undefined' || !wpuf_form_builder.asset_url) { | |
| console.error('Asset URL is not defined'); | |
| return ''; | |
| } | |
| const theme = VALID_THEMES.includes(this.field.turnstile_theme) | |
| ? this.field.turnstile_theme | |
| : 'light'; | |
| const size = VALID_SIZES.includes(this.field.turnstile_size) | |
| ? this.field.turnstile_size | |
| : 'normal'; | |
| let imagePath = BASE_PLACEHOLDER_PATH + theme; | |
| if (size === 'compact') { | |
| imagePath += '-compact'; | |
| } | |
| return wpuf_form_builder.asset_url + imagePath + '.png'; | |
| } |
| has_turnstile_api_keys: function () { | ||
| return wpuf_form_builder.turnstile_site && wpuf_form_builder.turnstile_secret; | ||
| }, |
There was a problem hiding this comment.
🛠️ Refactor suggestion
Add defensive programming for global object access.
Consider adding a safety check for the wpuf_form_builder global object to prevent potential runtime errors.
has_turnstile_api_keys: function () {
- return wpuf_form_builder.turnstile_site && wpuf_form_builder.turnstile_secret;
+ return typeof wpuf_form_builder !== 'undefined'
+ && wpuf_form_builder.turnstile_site
+ && wpuf_form_builder.turnstile_secret;
},📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| has_turnstile_api_keys: function () { | |
| return wpuf_form_builder.turnstile_site && wpuf_form_builder.turnstile_secret; | |
| }, | |
| has_turnstile_api_keys: function () { | |
| return typeof wpuf_form_builder !== 'undefined' | |
| && wpuf_form_builder.turnstile_site | |
| && wpuf_form_builder.turnstile_secret; | |
| }, |
| $depends_on.on('keyup change', function() { | ||
| if ($(this).val() === $this.data('depends-on-value')) { | ||
| $this.closest('tr').show(); | ||
| } else { | ||
| $this.closest('tr').hide(); | ||
| } | ||
| }); | ||
| } |
There was a problem hiding this comment.
💡 Codebase verification
The data-depends-on-value attribute is missing from the HTML generation
The code shows that while data-depends-on is properly set in the HTML generation (data-depends-on="%8$s"), there is no corresponding code that sets the data-depends-on-value attribute which is being read by the JavaScript code. This will cause the dependency check to fail.
- In
Lib/WeDevs_Settings_API.php, add thedata-depends-on-valueattribute to the input HTML generation:
sprintf(
'<input type="%1$s" class="%2$s-text" id="%3$s[%4$s]" name="%3$s[%4$s]" value="%5$s"%6$s %7$s data-depends-on="%8$s" data-depends-on-value="%9$s" />',
$type, $size, $args['section'], $args['id'], $value, $placeholder, $disabled, $depends_on, $depends_on_value
)🔗 Analysis chain
Verify the existence of 'data-depends-on-value' attribute in HTML
The JavaScript code references $this.data('depends-on-value'), but it's unclear if the data-depends-on-value attribute is set in the corresponding HTML elements. Please ensure that this attribute is properly defined where necessary to avoid unexpected behavior.
Run the following script to search for the usage of data-depends-on-value in the codebase:
🏁 Scripts executed
The following scripts were executed for the analysis:
Script:
#!/bin/bash
# Description: Search the codebase for occurrences of 'data-depends-on-value'
# Test: Expect to find all HTML elements that use 'data-depends-on-value' attribute.
rg 'data-depends-on-value'
Length of output: 26
Script:
#!/bin/bash
# Let's search for where this data attribute might be set in PHP code
# Search for variations of setting data-depends-on-value
rg -i "data.*depends.*value" -A 3
# Also search for the method that might be setting up these dependencies
ast-grep --pattern 'function $_ ($$$) {
$$$
depends
$$$
}'
Length of output: 21224
Script:
#!/bin/bash
# Let's search for where this dependency functionality is set up
rg -i "depends.*on" -B 3 -A 3 Lib/WeDevs_Settings_API.php
# Also search for any data attribute setting in the PHP code
ast-grep --pattern 'data($$$)' Lib/WeDevs_Settings_API.php
Length of output: 2970
| $remote_addr = ! empty( $_SERVER['REMOTE_ADDR'] ) ? sanitize_url( | ||
| wp_unslash( $_SERVER['REMOTE_ADDR'] ) | ||
| ) : ''; | ||
|
|
There was a problem hiding this comment.
Use appropriate sanitization for IP addresses
The function sanitize_url() is being used to sanitize the IP address from $_SERVER['REMOTE_ADDR']. This function is intended for URLs and may not correctly handle IP addresses. Consider using sanitize_text_field() or a dedicated IP address validation function instead.
Apply this diff to use sanitize_text_field():
- $remote_addr = ! empty( $_SERVER['REMOTE_ADDR'] ) ? sanitize_url(
+ $remote_addr = ! empty( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field(
wp_unslash( $_SERVER['REMOTE_ADDR'] )
) : '';Alternatively, for stricter validation, you could use filter_var with FILTER_VALIDATE_IP:
$remote_addr = ! empty( $_SERVER['REMOTE_ADDR'] ) ? filter_var( wp_unslash( $_SERVER['REMOTE_ADDR'] ), FILTER_VALIDATE_IP ) : '';| $log = isset( $_POST['log'] ) ? sanitize_text_field( wp_unslash( $_POST['log'] ) ) : ''; | ||
| $pwd = isset( $_POST['pwd'] ) ? sanitize_text_field( ( wp_unslash( $_POST['pwd'] ) ) ) : ''; |
There was a problem hiding this comment.
Avoid sanitizing passwords with sanitize_text_field()
Using sanitize_text_field() on passwords can strip out certain characters, potentially causing login failures for users with special characters in their passwords. It's safer to only wp_unslash() the password without additional sanitization.
Apply this diff to remove unnecessary sanitization:
$log = isset( $_POST['log'] ) ? sanitize_text_field( wp_unslash( $_POST['log'] ) ) : '';
- $pwd = isset( $_POST['pwd'] ) ? sanitize_text_field( ( wp_unslash( $_POST['pwd'] ) ) ) : '';
+ $pwd = isset( $_POST['pwd'] ) ? wp_unslash( $_POST['pwd'] ) : '';Ensure that you handle the password securely elsewhere without altering its contents.
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| $log = isset( $_POST['log'] ) ? sanitize_text_field( wp_unslash( $_POST['log'] ) ) : ''; | |
| $pwd = isset( $_POST['pwd'] ) ? sanitize_text_field( ( wp_unslash( $_POST['pwd'] ) ) ) : ''; | |
| $log = isset( $_POST['log'] ) ? sanitize_text_field( wp_unslash( $_POST['log'] ) ) : ''; | |
| $pwd = isset( $_POST['pwd'] ) ? wp_unslash( $_POST['pwd'] ) : ''; |
| if ( ! $this->verify_cloudflare_turnstile_on_login() ) { | ||
| $errors = ! empty( $this->cf_messages[0] ) ? $this->cf_messages[0] : ''; | ||
| $errors = implode( ', ', $errors ); | ||
| $this->login_errors[] = | ||
| sprintf( | ||
| // translators: %1$s and %2$s are strong tags, %3$s is the error message | ||
| __( '%1$sError%2$s: Cloudflare Turnstile verification failed. Reasons: [%3$s]', 'wp-user-frontend' ), | ||
| '<strong>', | ||
| '</strong>', | ||
| $errors | ||
| ); | ||
| '<strong>' . __( 'Error', 'wp-user-frontend' ) . ':</strong> ' . __( 'Cloudflare Turnstile verification failed. Reasons: [', 'wp-user-frontend' ); | ||
| } | ||
|
|
There was a problem hiding this comment.
Remove redundant code and correct error message formatting
There is a redundant line at 523 that seems to be left over from a previous implementation. Additionally, the error message formatting can be improved for clarity.
Apply this diff to remove the redundant line and ensure the error message is correctly constructed:
$this->login_errors[] =
sprintf(
// translators: %1$s and %2$s are strong tags, %3$s is the error message
__( '%1$sError%2$s: Cloudflare Turnstile verification failed. Reasons: [%3$s]', 'wp-user-frontend' ),
'<strong>',
'</strong>',
$errors
);
- '<strong>' . __( 'Error', 'wp-user-frontend' ) . ':</strong> ' . __( 'Cloudflare Turnstile verification failed. Reasons: [', 'wp-user-frontend' );Make sure the error message is displayed correctly to the user without any extraneous text.
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| if ( ! $this->verify_cloudflare_turnstile_on_login() ) { | |
| $errors = ! empty( $this->cf_messages[0] ) ? $this->cf_messages[0] : ''; | |
| $errors = implode( ', ', $errors ); | |
| $this->login_errors[] = | |
| sprintf( | |
| // translators: %1$s and %2$s are strong tags, %3$s is the error message | |
| __( '%1$sError%2$s: Cloudflare Turnstile verification failed. Reasons: [%3$s]', 'wp-user-frontend' ), | |
| '<strong>', | |
| '</strong>', | |
| $errors | |
| ); | |
| '<strong>' . __( 'Error', 'wp-user-frontend' ) . ':</strong> ' . __( 'Cloudflare Turnstile verification failed. Reasons: [', 'wp-user-frontend' ); | |
| } | |
| if ( ! $this->verify_cloudflare_turnstile_on_login() ) { | |
| $errors = ! empty( $this->cf_messages[0] ) ? $this->cf_messages[0] : ''; | |
| $errors = implode( ', ', $errors ); | |
| $this->login_errors[] = | |
| sprintf( | |
| // translators: %1$s and %2$s are strong tags, %3$s is the error message | |
| __( '%1$sError%2$s: Cloudflare Turnstile verification failed. Reasons: [%3$s]', 'wp-user-frontend' ), | |
| '<strong>', | |
| '</strong>', | |
| $errors | |
| ); | |
| } |
| /** | ||
| * Verify if cloudflare turnstile request is successful | ||
| * | ||
| * @since WPUF_SINCE | ||
| * | ||
| * @return bool | ||
| */ | ||
| private function verify_cloudflare_turnstile_on_login() { | ||
| $nonce = isset( $_POST['wpuf-login-nonce'] ) ? sanitize_key( wp_unslash( $_POST['wpuf-login-nonce'] ) ) : ''; | ||
|
|
||
| if ( isset( $nonce ) && ! wp_verify_nonce( $nonce, 'wpuf_login_action' ) ) { | ||
| return false; | ||
| } | ||
|
|
||
| $secret = wpuf_get_option( 'turnstile_secret_key', 'wpuf_general', '' ); | ||
|
|
||
| if ( empty( $secret ) ) { | ||
| return false; | ||
| } | ||
|
|
||
| $remote_addr = ! empty( $_SERVER['REMOTE_ADDR'] ) ? sanitize_url( | ||
| wp_unslash( $_SERVER['REMOTE_ADDR'] ) | ||
| ) : ''; | ||
|
|
||
| $cf_url = 'https://challenges.cloudflare.com/turnstile/v0/siteverify'; | ||
| $token = ! empty( $_POST['cf-turnstile-response'] ) ? sanitize_text_field( wp_unslash( $_POST['cf-turnstile-response'] ) ) : ''; | ||
|
|
||
| // Request data | ||
| $data = [ | ||
| 'secret' => $secret, | ||
| 'response' => $token, | ||
| 'remoteip' => $remote_addr, | ||
| ]; | ||
|
|
||
| $response = wp_remote_post( $cf_url, [ 'body' => $data ] ); | ||
| $body = json_decode( wp_remote_retrieve_body( $response ), true ); | ||
|
|
||
| if ( ! empty( $body['success'] ) ) { | ||
| return true; | ||
| } else { | ||
| $this->cf_messages[] = ! empty( $body['error-codes'] ) ? $body['error-codes'] : ''; | ||
|
|
||
| return false; | ||
| } | ||
| } |
There was a problem hiding this comment.
Handle errors from wp_remote_post() and json_decode() functions
The verify_cloudflare_turnstile_on_login() function does not handle potential errors from wp_remote_post() or json_decode(). If wp_remote_post() returns a WP_Error, or if json_decode() fails (e.g., due to a malformed response), the code may produce unexpected results or PHP notices. It's important to handle these cases to ensure reliability.
Apply this diff to add error handling:
$response = wp_remote_post( $cf_url, [ 'body' => $data ] );
+ if ( is_wp_error( $response ) ) {
+ $this->cf_messages[] = $response->get_error_message();
+ return false;
+ }
$body = json_decode( wp_remote_retrieve_body( $response ), true );
+ if ( null === $body ) {
+ $this->cf_messages[] = 'Invalid JSON response from Cloudflare Turnstile API.';
+ return false;
+ }
if ( ! empty( $body['success'] ) ) {
return true;
} else {
$this->cf_messages[] = ! empty( $body['error-codes'] ) ? $body['error-codes'] : '';
return false;
}📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| /** | |
| * Verify if cloudflare turnstile request is successful | |
| * | |
| * @since WPUF_SINCE | |
| * | |
| * @return bool | |
| */ | |
| private function verify_cloudflare_turnstile_on_login() { | |
| $nonce = isset( $_POST['wpuf-login-nonce'] ) ? sanitize_key( wp_unslash( $_POST['wpuf-login-nonce'] ) ) : ''; | |
| if ( isset( $nonce ) && ! wp_verify_nonce( $nonce, 'wpuf_login_action' ) ) { | |
| return false; | |
| } | |
| $secret = wpuf_get_option( 'turnstile_secret_key', 'wpuf_general', '' ); | |
| if ( empty( $secret ) ) { | |
| return false; | |
| } | |
| $remote_addr = ! empty( $_SERVER['REMOTE_ADDR'] ) ? sanitize_url( | |
| wp_unslash( $_SERVER['REMOTE_ADDR'] ) | |
| ) : ''; | |
| $cf_url = 'https://challenges.cloudflare.com/turnstile/v0/siteverify'; | |
| $token = ! empty( $_POST['cf-turnstile-response'] ) ? sanitize_text_field( wp_unslash( $_POST['cf-turnstile-response'] ) ) : ''; | |
| // Request data | |
| $data = [ | |
| 'secret' => $secret, | |
| 'response' => $token, | |
| 'remoteip' => $remote_addr, | |
| ]; | |
| $response = wp_remote_post( $cf_url, [ 'body' => $data ] ); | |
| $body = json_decode( wp_remote_retrieve_body( $response ), true ); | |
| if ( ! empty( $body['success'] ) ) { | |
| return true; | |
| } else { | |
| $this->cf_messages[] = ! empty( $body['error-codes'] ) ? $body['error-codes'] : ''; | |
| return false; | |
| } | |
| } | |
| /** | |
| * Verify if cloudflare turnstile request is successful | |
| * | |
| * @since WPUF_SINCE | |
| * | |
| * @return bool | |
| */ | |
| private function verify_cloudflare_turnstile_on_login() { | |
| $nonce = isset( $_POST['wpuf-login-nonce'] ) ? sanitize_key( wp_unslash( $_POST['wpuf-login-nonce'] ) ) : ''; | |
| if ( isset( $nonce ) && ! wp_verify_nonce( $nonce, 'wpuf_login_action' ) ) { | |
| return false; | |
| } | |
| $secret = wpuf_get_option( 'turnstile_secret_key', 'wpuf_general', '' ); | |
| if ( empty( $secret ) ) { | |
| return false; | |
| } | |
| $remote_addr = ! empty( $_SERVER['REMOTE_ADDR'] ) ? sanitize_url( | |
| wp_unslash( $_SERVER['REMOTE_ADDR'] ) | |
| ) : ''; | |
| $cf_url = 'https://challenges.cloudflare.com/turnstile/v0/siteverify'; | |
| $token = ! empty( $_POST['cf-turnstile-response'] ) ? sanitize_text_field( wp_unslash( $_POST['cf-turnstile-response'] ) ) : ''; | |
| // Request data | |
| $data = [ | |
| 'secret' => $secret, | |
| 'response' => $token, | |
| 'remoteip' => $remote_addr, | |
| ]; | |
| $response = wp_remote_post( $cf_url, [ 'body' => $data ] ); | |
| if ( is_wp_error( $response ) ) { | |
| $this->cf_messages[] = $response->get_error_message(); | |
| return false; | |
| } | |
| $body = json_decode( wp_remote_retrieve_body( $response ), true ); | |
| if ( null === $body ) { | |
| $this->cf_messages[] = 'Invalid JSON response from Cloudflare Turnstile API.'; | |
| return false; | |
| } | |
| if ( ! empty( $body['success'] ) ) { | |
| return true; | |
| } else { | |
| $this->cf_messages[] = ! empty( $body['error-codes'] ) ? $body['error-codes'] : ''; | |
| return false; | |
| } | |
| } |
Rubaiyat-E-Mohammad
added
QA In Progress
QA Approved
fixes #646
form field in form builder part for Cloudflare Turnstile integration.
images for preview:
Summary by CodeRabbit
Release Notes
New Features
Improvements
Bug Fixes
Documentation