33 lines
1.8 KiB
YAML
33 lines
1.8 KiB
YAML
id: SEC-001
|
|
title: Turnstile CAPTCHA for Public Workspace Bootstrap
|
|
status: done
|
|
priority: P0
|
|
effort: M
|
|
depends_on:
|
|
- PORT-004
|
|
tags:
|
|
- security
|
|
- public-exposure
|
|
- workspace
|
|
summary: >
|
|
Require Cloudflare Turnstile verification before creating a workspace from the
|
|
public welcome page on lombard.uncloud.tech.
|
|
acceptance_criteria:
|
|
- Welcome/bootstrap flow at / and /workspaces/bootstrap requires valid Turnstile verification before creating a workspace.
|
|
- Workspace creation fails closed when the Turnstile token is missing, invalid, expired, or verification cannot be completed.
|
|
- Existing users with a valid workspace cookie visiting / are redirected to their workspace without solving CAPTCHA again.
|
|
- UI shows a clear user-facing retry path when CAPTCHA verification fails.
|
|
- Server-side verification uses TURNSTILE_SECRET_KEY and does not trust client-side success alone.
|
|
- Browser test covers protected bootstrap flow using Cloudflare Turnstile test keys in local/dev mode.
|
|
technical_notes:
|
|
- Use Cloudflare Turnstile only on the welcome/bootstrap flow, not on normal workspace navigation.
|
|
- Keep verification in a focused server-side seam such as app/services/turnstile.py.
|
|
- Use Cloudflare's published Turnstile test keys for deterministic local/browser coverage.
|
|
- This story exists because the app is now publicly reachable at https://lombard.uncloud.tech.
|
|
completed_notes:
|
|
- Added server-side Turnstile verification seam in app/services/turnstile.py.
|
|
- Changed workspace bootstrap to POST-only and redirected failures to /?captcha_error=1.
|
|
- Added welcome-page Turnstile widget markup and retry UX.
|
|
- Preserved a safe compatibility redirect for legacy GET /workspaces/bootstrap -> /.
|
|
- Added browser and route tests covering protected bootstrap flow and invalid fake workspace paths.
|