27 lines
1.4 KiB
YAML
27 lines
1.4 KiB
YAML
id: SEC-001
|
|
title: Turnstile CAPTCHA for Public Workspace Bootstrap
|
|
status: backlog
|
|
priority: P0
|
|
effort: M
|
|
depends_on:
|
|
- PORT-004
|
|
tags:
|
|
- security
|
|
- public-exposure
|
|
- workspace
|
|
summary: >
|
|
Require Cloudflare Turnstile verification before creating a workspace from the
|
|
public welcome page on lombard.uncloud.tech.
|
|
acceptance_criteria:
|
|
- Welcome/bootstrap flow at / and /workspaces/bootstrap requires valid Turnstile verification before creating a workspace.
|
|
- Workspace creation fails closed when the Turnstile token is missing, invalid, expired, or verification cannot be completed.
|
|
- Existing users with a valid workspace cookie visiting / are redirected to their workspace without solving CAPTCHA again.
|
|
- UI shows a clear user-facing retry path when CAPTCHA verification fails.
|
|
- Server-side verification uses TURNSTILE_SECRET_KEY and does not trust client-side success alone.
|
|
- Browser test covers protected bootstrap flow using Cloudflare Turnstile test keys in local/dev mode.
|
|
technical_notes:
|
|
- Use Cloudflare Turnstile only on the welcome/bootstrap flow, not on normal workspace navigation.
|
|
- Keep verification in a focused server-side seam such as app/services/turnstile.py.
|
|
- Use Cloudflare's published Turnstile test keys for deterministic local/browser coverage.
|
|
- This story exists because the app is now publicly reachable at https://lombard.uncloud.tech.
|