versaorigin / cloudflare-turnstile
A Cloudflare Turnstile Validator for Laravel
Fund package maintenance!
versaorigin
Requires
- php: ^8.2
- illuminate/contracts: ^10.0||^11.0||^12.0
- spatie/laravel-package-tools: ^1.16
Requires (Dev)
- larastan/larastan: ^2.9
- laravel/pint: ^1.14
- nunomaduro/collision: ^8.1.1||^7.10.0
- orchestra/testbench: ^9.0.0||^8.22.0
- pestphp/pest: ^2.34
- pestphp/pest-plugin-arch: ^2.7
- pestphp/pest-plugin-laravel: ^2.3
- phpstan/extension-installer: ^1.3
- phpstan/phpstan-deprecation-rules: ^1.1
- phpstan/phpstan-phpunit: ^1.3
README
This package provides a validator for Laravel to validate Cloudflare Turnstile responses. It is useful when you want to validate a reCAPTCHA response from a form.
Requirements
- PHP 8.3 or higher
- Laravel 11.0 or higher
- Cloudflare Turnstile API key and secret
Installation
You can install the package via composer:
composer require versaorigin/cloudflare-turnstile
You can publish the config file with:
php artisan vendor:publish --tag="cloudflare-turnstile-config"
or, you can publish the config file with:
php artisan cloudflare-turnstile:install
This is the contents of the published config file:
return [ 'enabled' => env('CLOUDFLARE_TURNSTILE_ENABLED', true), 'key' => env('CLOUDFLARE_TURNSTILE_KEY', ''), 'secret' => env('CLOUDFLARE_TURNSTILE_SECRET', ''), 'timeout' => env('CLOUDFLARE_TURNSTILE_TIMEOUT', 30), 'connect_timeout' => env('CLOUDFLARE_TURNSTILE_CONNECT_TIMEOUT', 10), 'retry' => [ 'times' => env('CLOUDFLARE_TURNSTILE_RETRY_TIMES', 3), 'sleep' => env('CLOUDFLARE_TURNSTILE_RETRY_SLEEP', 1000), ], 'cache' => [ 'enabled' => env('CLOUDFLARE_TURNSTILE_CACHE_ENABLED', true), 'ttl' => env('CLOUDFLARE_TURNSTILE_CACHE_TTL', 300), ], ];
Usage
Basic Validation
$request->validate([ "cf-turnstile-response" => ["required", "string", "cloudflare_turnstile"], ]);
Using the Validation Rule Class
use VersaOrigin\CloudflareTurnstile\Rules\CloudflareTurnstileRule; $request->validate([ "cf-turnstile-response" => ["required", "string", new CloudflareTurnstileRule], ]);
Blade Directive
Add the Turnstile widget to your forms easily:
<form method="POST" action="/submit"> @csrf <!-- Your form fields --> @turnstile <button type="submit">Submit</button> </form>
Middleware Protection
Protect entire routes with the Turnstile middleware:
use VersaOrigin\CloudflareTurnstile\Middleware\CloudflareTurnstileMiddleware; Route::post('/api/protected', function () { // Your protected logic })->middleware(CloudflareTurnstileMiddleware::class);
Programmatic Validation
use VersaOrigin\CloudflareTurnstile\Facades\CloudflareTurnstile; $token = $request->input('cf-turnstile-response'); $ip = $request->ip(); if (CloudflareTurnstile::validate($token, $ip)) { // Valid response } else { // Invalid response $errorMessage = CloudflareTurnstile::getErrorMessage(); }
Configuration Options
- Retry Logic: Automatically retries failed requests with configurable attempts and delays
- Caching: Prevents token replay attacks by caching successful validations
- Logging: Failed validations are logged for debugging
- Timeout Control: Configure connection and request timeouts
Testing
composer test
Changelog
Please see CHANGELOG for more information on what has changed recently.
Contributing
Please see CONTRIBUTING for details.
Security Vulnerabilities
Please review our security policy on how to report security vulnerabilities.
Credits
License
The MIT License (MIT). Please see License File for more information.