Add reCAPTCHA and Cloudflare Turnstile verification to proxy backend

[Copilot]

Implements bot protection via reCAPTCHA v3 and Cloudflare Turnstile for all proxy routing modes and transports.

Changes

Core Integration

• Added verification config types (VerificationType, VerificationConfig) to support none/reCAPTCHA/Turnstile modes
• Extended SW class with verification methods: getVerificationConfig(), setVerificationConfig(), getVerificationHeaders(), refreshVerificationToken()
• Modified setTransport() to inject verification headers into Wisp/Bare routing and Epoxy/Libcurl transports

Settings UI

• Added verification type dropdown and site key input to proxy settings page
• Implemented validation and state management for verification configuration
• Persists settings to localStorage alongside existing proxy configuration

Backend

• Added verifyRequest() middleware to log verification attempts
• Passes X-Recaptcha-Token/X-Turnstile-Token headers through to proxy backend for server-side validation

Example Usage

// In proxy.ts - verification headers automatically attached
await this.#baremuxConn!.setTransport("/epoxy/index.mjs", [
    { 
        wisp: wispServer(),
        ...this.getVerificationHeaders(verificationConfig)  // Adds X-Recaptcha-Token or X-Turnstile-Token
    }
]);

Backend services can validate tokens via provider APIs:

# reCAPTCHA validation
curl -X POST "https://www.google.com/recaptcha/api/siteverify" \
  -d "secret=SECRET_KEY&response=${X-Recaptcha-Token}"

# Turnstile validation  
curl -X POST "https://challenges.cloudflare.com/turnstile/v0/siteverify" \
  -d "secret=SECRET_KEY&response=${X-Turnstile-Token}"

Documentation added to VERIFICATION.md with setup instructions for both providers.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• telemetry.astro.build
  • Triggering command: node /home/REDACTED/work/Radius/Radius/node_modules/.bin/astro build (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

add recapa and cloudflare varifacation support to the proxy backend for all configuration options. potentialy in updated routeing and backend fetching

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[codesandbox]

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders

Open Preview

• Start Development Server
• Start Production Server