Cloudflare Developers•2y ago

I would go: 1. User requests form 2. Form is returned with the `idempotency_key` pre-set by the bac

I would go:

User requests form
Form is returned with the
```
idempotency_key
```
idempotency_key
```
idempotency_key
```
idempotency_key
pre-set by the backend
User submits form
Site Verify with
```
idempotency_key
```
idempotency_key
```
idempotency_key
```
idempotency_key
from form returns sucess
Later...
Site Verify same form with changed data, but same Turnstile token and
```
idempotency_key
```
idempotency_key
```
idempotency_key
```
idempotency_key
returns sucess

HHello, I’m Allie!I would go: 1. User requests form 2. Form is returned with the `idempotency_key...

Victor•6/19/24, 3:52 PM

Continuing this train of thought, when would it make sense to have a new

idempotency_key

idempotency_key

? Different form on the same page? Different form on a different page? Or a whole new user session?

VVictor Continuing this train of thought, when would it make sense to have a new `idempo...

Hello, I’m Allie!OP•6/19/24, 8:37 PM

Ok so this is how I understand it. I am not on the #

turnstile, so take what I say with a grain of salt.

The

idempotency_key

idempotency_key

is there for when submission of the form/action can fail, even if the Turnstile check succeeds. For example, say you have a form with the following fields:

Name
Email Address
Profile Picture
Turnstile Check
The Name and Email are saved to a database, but the PfP is uploaded to object storage. You experience that the PUT to object storage fails intermittently, so you want to be able to retry the upload by resubmitting the form.

You have a problem though. By default, you would have to have the user redo the Turnstile check for every retry, which could be a pain if the error is not the users fault. If you add an

idempotency_key

idempotency_key

to the form(in a hidden field), that persists on retry, then once the Turnstile Check is completed once, it can be reused(without failing) when a submission is retried

Hello, I’m Allie!OP•6/19/24, 8:47 PM

Should be done now

Original message was deleted

Hello, I’m Allie!OP•6/19/24, 9:02 PM

Yeah, I was just highlighting why you might want to retry a request

HHello, I’m Allie!Ok so this is how I understand it. I am not on the #🤖turnstile, so take what I ...

Victor•6/19/24, 11:46 PM

The reason I was asking was for a chat situation where people send message, where turnstile (in invisible mode) is inside the <form><form> (that contains text box + content + submit button), each submit is technically a POST form submit, but SPA intercepted and processed (accordingly). Should each message submit contain a new turnstile challenge (as it is currently), or keep it the same challenge with the same

idempotency_key

idempotency_key

(as a sort of per active session key or challenge expires - whichever comes first)?

terrox•6/20/24, 6:36 AM

Is there a way maybe using API to get a list of URLs deleted from a turnstile widget id? Somehow a bunch got deleted when I added another and I don't know what they were. This is for multiple URLs in the one widget

VVictor The reason I was asking was for a chat situation where people send message, wher...

Hello, I’m Allie!OP•6/20/24, 7:05 AM

I would probably do like the WAF instead, present Turnstile once, then on subsequent requests have it completely disabled by serving a cookie

Original message was deleted

terrox•6/20/24, 7:16 AM

Might be a plan. Hopefully it's got some details or maybe I can go backwards to see what was added in the past

Erisa•6/20/24, 10:15 AM

Also please dont crosspost across channels general-discussions

Burak ER•6/20/24, 11:06 AM

I have a problem that I could not overcome. I have a checkout page where people login and register accordingly. I have the script which removes the elements including the turnstile widget from login div by clicking a radio button named "register". The same script reloads login div with the initial content including turnstile widget once the "login" radio button clicked. My problem is that when it inserts the elements turnstile widget is not re-initalized. How can I re-initialize the turnstile in this situation? I know it is better to hide the content of login instead of removing the elements when register radio is pressed but it is not the way how the script works and I could not be able to edit the script since it is minified.

Burak ER•6/20/24, 11:20 AM

thank you. now I recieve Uncaught TurnstileError: [Cloudflare Turnstile] Invalid type for "container", expected "selector" or an implementation of "HTMLElement", got "#cf-turnstile" .error when I tried to render the widget on a div with the id "cf-turnstile"

Burak ER•6/20/24, 11:24 AM

It is already there.

Burak ER•6/20/24, 11:30 AM

with page onload callback it works. but with the turnstile.ready it gives the error.

Burak ER•6/20/24, 11:31 AM

sorry window.onloadTurnstileCallback works

similardisaster•6/21/24, 1:03 PM

are there additional logs and/or analytics for Turnstile besides the one analytics dashboard showing Solve Rate, Widget Traffic, and Top Actions?

similardisaster•6/21/24, 1:05 PM

I am seeing a Visitor Solve Rate of 85% and I'm trying to figure out how to triage this. Based on the group we rolled out to I would expect to see 100% solve rate.

similardisaster•6/21/24, 1:08 PM

yea, I'm not convinced anyone is actually failing the challenge in the real sense - but before we move forward I need to at least be able to explain the number

Original message was deleted

similardisaster•6/21/24, 1:09 PM

gotcha, thanks, that's what I figured - there would be no indications on the server-side of a failed challenge right? was hoping I could check some request logs

similardisaster•6/21/24, 1:10 PM

thanks, Leo - really appreciate it. Makes sense to measure errors vs. non-completes seperatley

Akanksha Nichrelay•6/21/24, 8:24 PM

Hi! I am setting up Turnstile for the first time. I am curious how is Turnstile token generated? Are they unique in for an IP / time window or can over time two different requests have the same token?

Original message was deleted

Akanksha Nichrelay•6/21/24, 8:27 PM

Cool! So can I use these tokens to identify each request uniquely? I have an endpoint which is called after Turnstile token verification, can I use the Turnstile token to issue a JWT token?

Akanksha Nichrelay•6/21/24, 8:30 PM

I want to add a JWT token to the said API endpoint which does not have any identifier at the moment. I was hoping I can sign a JWT using the Turnstile token.

Akanksha Nichrelay•6/21/24, 8:31 PM

I guess I am just trying to figure out how to assign some unique identifier to a valid request

Akanksha Nichrelay•6/21/24, 8:38 PM

So on our webapp's landing page, there is a register endpoint which we do not have any way to generate a JWT token for since there is no user associated with the request yet. We want to prevent bots /malicious actors from just calling the register endpoint so we are adding the Turnstile widget on the landing page. Once the Turnstile token is validated successfully, the "Register now" button will be enabled. Now I was thinking that while I am validating the Turnstile token, I could issue a JWT token for the register endpoint so that we can make sure we can prevent any scripts from just directly hitting the register endpoint as it will ask for a JWT token that we signed.

Akanksha Nichrelay•6/21/24, 8:39 PM

The whole point is to not have the register API be unauthenticated which is the case now.

Akanksha Nichrelay•6/21/24, 8:40 PM

Turnstile would help prevent any attack on the landing page but a script might not land on our app UI and just try to hit the Register API directly.

Akanksha Nichrelay•6/21/24, 8:54 PM

I will be calling the siteverify endpoint in the backend to validate the turnstile token

Akanksha Nichrelay•6/21/24, 8:59 PM

do what?

Original message was deleted

Akanksha Nichrelay•6/22/24, 2:24 AM

That would have been ideal but we can't do that as it is calling a graphql endpoint at the backend and the graphql endpoint requires JWT auth for most use-cases except this /register call. Our frontend engineer want a single endpoint to work with the React app so I cannot create two different endpoints, one with auth and other with no-auth. So let's just say this option of using turnstile verifyToken request to generate the JWT token is one of the quickest way to make it work with our current requirements it seems.

Akanksha Nichrelay•6/26/24, 5:46 PM

Hello folks, is widget id tied to a sitekey and secretkey like an identifier for a widget? Or is a new widget id created per session?

Akanksha Nichrelay•6/26/24, 5:53 PM

so one of the error messages from siteverify url is: https://developers.cloudflare.com/turnstile/get-started/server-side-validation/#error-codes

invalid-widget-id The widget ID extracted from the parsed site secret key was invalid or did not exist. invalid-widget-id The widget ID extracted from the parsed site secret key was invalid or did not exist.
this sounds like widget id is unique to individual widget as it can be parsed from secret key itself

Cloudflare Docs

Server-side validation · Cloudflare Turnstile docs

Turnstile needs to be verified using siteverify because it is a front-end widget that creates a token which is cryptographically secured. To ensure …

Akanksha Nichrelay•6/26/24, 5:54 PM

how can siteverify get the widget id from the site secret key if it is randomly generated on turnstile.render?

Akanksha Nichrelay•6/26/24, 6:09 PM

thanks for clarifying!

Akanksha Nichrelay•6/26/24, 9:02 PM

Hi again, how do I set "cf-connecting-ip"?

Akanksha Nichrelay•6/26/24, 9:02 PM

I thought turnstile will return this automatically along with token

Akanksha Nichrelay•6/26/24, 9:03 PM

not sure how reliable is http remote addresshttp remote address or x-forwarded-forx-forwarded-for

Akanksha Nichrelay•6/26/24, 9:27 PM

I don't know what would X be in this situation if my question is Y. The field cf-connecting-ipcf-connecting-ip exists and I am trying to understand how it is set. Maybe X could be my lack of frontend experience here.

Akanksha Nichrelay•6/26/24, 9:36 PM

didn't get your first why. So the response would be "why what?" and then pretending you asked "why" again, I'd say due to lack of context what is it referring to.

Joking aside, I got what you are saying, that answered my question. Thank you. Good night!

Elwyen•6/30/24, 3:22 AM

Hello, as a user I have been trying to log in to nexusmods.com through a CEF(chromium embedded framework) and every time the captcha fails instantly with 600*( turnstile failed). I have tried multiple vpns, mobile data through USB tether, wifi tether, Ethernet, it's enabled through firewall, entire folder allowed through anti-virus, reinstalled multiple times and couldn't pinpoint what could cause it. Logging in on nexusmods.com work in 4 browsers on the same pc, but not in this embedded environment because of the captcha fail.

I would like to ask for some assistance regarding this.
captcha details:
Error Code: 600010
RayId: 89bf8afcd9725d96

App specific log message I got that might be relevant:

[0630/043637.184:ERROR:CefAppUnmanagedWrapper.cpp(329)] Failed to identify BrowserWrapper in OnContextCreated BrowserId:1

[0630/043020.813:ERROR:ssl_client_socket_impl.cc(975)] handshake failed; returned -1, SSL error code 1, net_error -101

Thank you in advance

Bakri•6/30/24, 11:39 AM

i have login page how can I implement invisible captcha

Original message was deleted

Bakri•7/1/24, 6:37 AM

I implemented the invisible captcha but sometimes the user login before the captcha is solved and its causing errors

BBakri I implemented the invisible captcha but sometimes the user login before the capt...

Hello, I’m Allie!OP•7/1/24, 7:39 AM

Maybe disable the login button until it passes?

Hello, I’m Allie!OP•7/1/24, 7:39 AM

Though you might still want a message saying that it is running the verification if it is taking a while

I would go: 1. User requests form 2. Form is returned with the `idempotency_key` pre-set by the bac

Similar Threads

Similar Threads

Similar Threads