From eb262189cf3650d773a4dea75321e3b705273bf9 Mon Sep 17 00:00:00 2001
From: Bu5hm4nn <bu5hm4nn@users.noreply.github.com>
Date: Wed, 8 Apr 2026 16:47:37 +0200
Subject: [PATCH] test: force Turnstile test mode in CI

---
 .gitea/workflows/ci.yaml  |  2 ++
 app/services/turnstile.py | 15 +++++++++++++--
 tests/test_turnstile.py   | 15 +++++++++++++++
 3 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml
index 342c962..ccea4fb 100644
--- a/.gitea/workflows/ci.yaml
+++ b/.gitea/workflows/ci.yaml
@@ -56,6 +56,8 @@ jobs:
     runs-on: [linux, docker]
     container:
       image: mcr.microsoft.com/playwright:v1.58.0-noble
+    env:
+      APP_ENV: test
     steps:
       - uses: actions/checkout@v4
       - name: Set up Python
diff --git a/app/services/turnstile.py b/app/services/turnstile.py
index b3b486f..1745f8a 100644
--- a/app/services/turnstile.py
+++ b/app/services/turnstile.py
@@ -33,8 +33,19 @@ def load_turnstile_settings() -> TurnstileSettings:
     enabled = os.getenv("TURNSTILE_ENABLED", "true").lower() not in {"0", "false", "no"}
     env = _environment()
 
-    if not site_key or not secret_key:
-        if env in {"development", "test"}:
+    known_test_pairs = {
+        (DEFAULT_TURNSTILE_TEST_SITE_KEY, DEFAULT_TURNSTILE_TEST_SECRET_KEY),
+        (ALWAYS_FAIL_TURNSTILE_TEST_SITE_KEY, ALWAYS_FAIL_TURNSTILE_TEST_SECRET_KEY),
+    }
+
+    if env == "test":
+        if (site_key, secret_key) not in known_test_pairs:
+            if site_key or secret_key:
+                logger.info("Ignoring configured Turnstile credentials in test environment and using test keys")
+            site_key = DEFAULT_TURNSTILE_TEST_SITE_KEY
+            secret_key = DEFAULT_TURNSTILE_TEST_SECRET_KEY
+    elif not site_key or not secret_key:
+        if env == "development":
             site_key = site_key or DEFAULT_TURNSTILE_TEST_SITE_KEY
             secret_key = secret_key or DEFAULT_TURNSTILE_TEST_SECRET_KEY
         else:
diff --git a/tests/test_turnstile.py b/tests/test_turnstile.py
index 9d2b903..f5d47ad 100644
--- a/tests/test_turnstile.py
+++ b/tests/test_turnstile.py
@@ -114,6 +114,21 @@ def test_turnstile_verification_returns_false_on_transport_error(monkeypatch) ->
     assert turnstile_module.verify_turnstile_token("token") is False
 
 
+def test_turnstile_settings_ignore_real_credentials_in_test_environment(monkeypatch) -> None:
+    from app.services import turnstile as turnstile_module
+
+    monkeypatch.setenv("APP_ENV", "test")
+    monkeypatch.setenv("TURNSTILE_SITE_KEY", "real-site-key")
+    monkeypatch.setenv("TURNSTILE_SECRET_KEY", "real-secret-key")
+
+    settings = turnstile_module.load_turnstile_settings()
+
+    assert settings.site_key == turnstile_module.DEFAULT_TURNSTILE_TEST_SITE_KEY
+    assert settings.secret_key == turnstile_module.DEFAULT_TURNSTILE_TEST_SECRET_KEY
+    assert settings.enabled is True
+    assert settings.uses_test_keys is True
+
+
 def test_turnstile_settings_support_always_fail_test_keys(monkeypatch) -> None:
     from app.services import turnstile as turnstile_module