feat: verify captcha

src/env.d.ts

@@ -19,6 +19,8 @@ export type Environment = {
   OAUTH_TENANT: string
   EMAIL_OAUTH_AUDIENCE: string
   EMAIL_OAUTH_SCOPE: string
+  HCAPTCHA_SECRET: string
+  HCAPTCHA_SITEKEY: string
 }
 
 type Runtime = import("@astrojs/cloudflare").Runtime<Environment>

src/pages/message.ts

@@ -3,12 +3,33 @@ import { json } from "@utils"
 
 export async function POST(context: APIContext) {
   const data = await context.request.json<any>()
-  if (!data["h-captcha-response"]) return json({
+  const token = data["h-captcha-response"]
+  if (!token) return json({
     ok: false,
-    message: "No robots allowed!"
+    message: "You skipped the captcha..."
   })
 
-  // Do h-captcha verification
+  const response = await fetch("https://api.hcaptcha.com/siteverify", {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+    },
+    body: new URLSearchParams({
+      response: token,
+      secret: context.locals.runtime.env.HCAPTCHA_SECRET,
+      sitekey: context.locals.runtime.env.HCAPTCHA_SITEKEY,
+    })
+  })
+  const body = await response.json<{
+    success: boolean
+    challenge_ts: string
+    hostname: string
+    "error-codes": string[]
+  }>()
+  if (!body.success) return json({
+    ok: false,
+    message: "No robots allowed!"
+  })
 
   return json({
     ok: true,

terraform/main.tf

@@ -46,6 +46,7 @@ module "page" {
   production_secrets = {
     RSA_PRIVATE_KEY     = var.RSA_PRIVATE_KEY
     OAUTH_CLIENT_SECRET = module.client.client_secret
+    HCAPTCHA_SECRET     = var.HCAPTCHA_SECRET
   }
 
   production_buckets = {

terraform/variables.tf

@@ -6,6 +6,9 @@ variable "pages_hostname" {}
 
 # Environment Variables
 variable "HCAPTCHA_SITEKEY" {}
+variable "HCAPTCHA_SECRET" {
+  sensitive = true
+}
 variable "RSA_PUBLIC_KEY" {}
 variable "RSA_PRIVATE_KEY" {
   sensitive = true