CAPTCHA support with Cloudflare Turnstile
Cloudflare Turnstile is a friendly, free CAPTCHA replacement, and it works seamlessly with Supabase Edge Functions to protect your forms. View on GitHub.
Setup#
- Follow these steps to set up a new site: https://developers.cloudflare.com/turnstile/get-started/
- Add the Cloudflare Turnstile widget to your site: https://developers.cloudflare.com/turnstile/get-started/client-side-rendering/
Code#
Create a new function in your project:
1supabase functions new cloudflare-turnstileAnd add the code to the index.ts file:
1import { withSupabase } from 'npm:@supabase/server@^1'23console.log('Hello from Cloudflare Trunstile!')45function ips(req: Request) {6 return req.headers.get('x-forwarded-for')?.split(/\s*,\s*/)7}89// `withSupabase` handles CORS and preflight requests for you.10export default {11 fetch: withSupabase({ auth: 'none' }, async (req) => {12 const { token } = await req.json()13 const clientIps = ips(req) || ['']14 const ip = clientIps[0]1516 // Validate the token by calling the17 // "/siteverify" API endpoint.18 let formData = new FormData()19 formData.append('secret', Deno.env.get('CLOUDFLARE_SECRET_KEY') ?? '')20 formData.append('response', token)21 formData.append('remoteip', ip)2223 const url = 'https://challenges.cloudflare.com/turnstile/v0/siteverify'24 const result = await fetch(url, {25 body: formData,26 method: 'POST',27 })2829 const outcome = await result.json()30 console.log(outcome)31 if (outcome.success) {32 return new Response('success')33 }34 return new Response('failure')35 }),36}Deploy the server-side validation Edge Functions#
1supabase functions deploy cloudflare-turnstile --no-verify-jwt2supabase secrets set CLOUDFLARE_SECRET_KEY=your_secret_keyInvoke the function from your site#
1const { data, error } = await supabase.functions.invoke('cloudflare-turnstile', {2 body: { token },3})