Better Turnstile response handling

Author: hhvrc

API/Controller/Account/LoginV2.cs

@@ -38,7 +38,14 @@ public async Task<IActionResult> LoginV2(
         var remoteIP = HttpContext.GetRemoteIP();
 
         var turnStile = await turnstileService.VerifyUserResponseToken(body.TurnstileResponse, remoteIP, cancellationToken);
-        if (!turnStile.IsT0) return Problem(TurnstileError.InvalidTurnstile);
+        if (!turnStile.IsT0)
+        {
+            var cfErrors = turnStile.AsT1.Value!;
+            if (cfErrors.All(err => err == CloduflareTurnstileError.InvalidResponse))
+                return Problem(TurnstileError.InvalidTurnstile);
+
+            return Problem(new OpenShockProblem("InternalServerError", "Internal Server Error", HttpStatusCode.InternalServerError));
+        }
 
         var loginAction = await _accountService.Login(body.UsernameOrEmail, body.Password, new LoginContext
         {

Common/Services/Turnstile/CloduflareTurnstileError.cs

@@ -0,0 +1,12 @@
+namespace OpenShock.Common.Services.Turnstile;
+
+public enum CloduflareTurnstileError
+{
+    MissingSecret,
+    InvalidSecret,
+    MissingResponse,
+    InvalidResponse,
+    BadRequest,
+    TimeoutOrDuplicate,
+    InternalServerError,
+}

Common/Services/Turnstile/CloudflareTurnstileService.cs

@@ -23,11 +23,31 @@ public CloudflareTurnstileService(HttpClient httpClient, IOptions<CloudflareTurn
         _logger = logger;
     }
 
+    private static Error<CloduflareTurnstileError[]> CreateError(params ReadOnlySpan<CloduflareTurnstileError> errors)
+    {
+        return new Error<CloduflareTurnstileError[]>(errors.ToArray());
+    }
+
+    private static CloduflareTurnstileError MapCfError(string error)
+    {
+        return error switch
+        {
+            "missing-input-secret" => CloduflareTurnstileError.MissingSecret,
+            "invalid-input-secret" => CloduflareTurnstileError.InvalidSecret,
+            "missing-input-response" => CloduflareTurnstileError.MissingResponse,
+            "invalid-input-response" => CloduflareTurnstileError.InvalidResponse,
+            "bad-request" => CloduflareTurnstileError.BadRequest,
+            "timeout-or-duplicate" => CloduflareTurnstileError.TimeoutOrDuplicate,
+            "internal-error" => CloduflareTurnstileError.InternalServerError,
+            _ => throw new ArgumentOutOfRangeException(nameof(error), error, null)
+        };
+    }
+
     /// <inheritdoc />
-    public async Task<OneOf<Success, MissingInput, Error, Error<IReadOnlyList<string>>>> VerifyUserResponseToken(
+    public async Task<OneOf<Success, Error<CloduflareTurnstileError[]>>> VerifyUserResponseToken(
         string responseToken, IPAddress? remoteIpAddress, CancellationToken cancellationToken = default)
     {
-        if (string.IsNullOrEmpty(responseToken)) return new MissingInput();
+        if (string.IsNullOrEmpty(responseToken)) return CreateError(CloduflareTurnstileError.MissingResponse);
 
 #if DEBUG
         if (responseToken == "dev-bypass") return new Success();
@@ -46,18 +66,23 @@ public async Task<OneOf<Success, MissingInput, Error, Error<IReadOnlyList<string
         using var httpResponse = await _httpClient.PostAsync(SiteVerifyEndpoint, httpContent, cancellationToken);
         if (!httpResponse.IsSuccessStatusCode)
         {
-            _logger.LogWarning("Turnstile error: {StatusCode} {ReasonPhrase}", httpResponse.StatusCode,
-                httpResponse.ReasonPhrase);
-            return new Error();
+            _logger.LogError("Turnstile error: {StatusCode} {ReasonPhrase}", httpResponse.StatusCode, httpResponse.ReasonPhrase);
+            
+            return CreateError(httpResponse.StatusCode == HttpStatusCode.BadRequest ? CloduflareTurnstileError.BadRequest : CloduflareTurnstileError.InternalServerError);
         }
 
-        var response =
-            await httpResponse.Content.ReadFromJsonAsync<CloudflareTurnstileVerifyResponseDto>(
-                cancellationToken: cancellationToken);
+        var response =  await httpResponse.Content.ReadFromJsonAsync<CloudflareTurnstileVerifyResponseDto>(cancellationToken);
 
         if (response.Success) return new Success();
+        
+        var errors = response.ErrorCodes.Select(MapCfError).ToArray();
+
+        if (errors.All(err => err != CloduflareTurnstileError.InvalidResponse))
+        {
+            _logger.LogError("Turnstile error: {StatusCode} {ReasonPhrase}", httpResponse.StatusCode, string.Join(" ", errors.Select(err => err.ToString())));
+        }
 
-        return new Error<IReadOnlyList<string>>(response.ErrorCodes);
+        return CreateError(errors);
     }
 }
 

Common/Services/Turnstile/ICloudflareTurnstileService.cs

@@ -12,6 +12,6 @@ public interface ICloudflareTurnstileService
     /// <param name="remoteIpAddress"></param>
     /// <param name="cancellationToken"></param>
     /// <returns>Success, No response token was supplied, internal error in cloudflare turnstile, business logic error on turnstile validation</returns>
-    public Task<OneOf.OneOf<Success, MissingInput, Error, Error<IReadOnlyList<string>>>> VerifyUserResponseToken(
+    public Task<OneOf.OneOf<Success, Error<CloduflareTurnstileError[]>>> VerifyUserResponseToken(
         string responseToken, IPAddress? remoteIpAddress, CancellationToken cancellationToken = default);
 }