From 648246c05393b261253b52ae164876f26db2498f Mon Sep 17 00:00:00 2001
From: Oliver Payne <olipayne@users.noreply.github.com>
Date: Fri, 30 May 2025 13:39:46 +0200
Subject: [PATCH] Update login-pages.mdx

only enable submit button after Turnstile has completed
---
 .../docs/turnstile/tutorials/login-pages.mdx  | 55 +++++++++++--------
 1 file changed, 32 insertions(+), 23 deletions(-)

diff --git a/src/content/docs/turnstile/tutorials/login-pages.mdx b/src/content/docs/turnstile/tutorials/login-pages.mdx
index 03b1b4dec39f479..b150ba67579ab34 100644
--- a/src/content/docs/turnstile/tutorials/login-pages.mdx
+++ b/src/content/docs/turnstile/tutorials/login-pages.mdx
@@ -1,7 +1,7 @@
 ---
-title: Protect your login pages
+title: Protect your forms
 pcx_content_type: tutorial
-updated: 2024-07-09
+updated: 2025-05-30
 difficulty: Beginner
 languages:
   - JavaScript
@@ -12,12 +12,12 @@ sidebar:
 
 ---
 
-This tutorial will guide you through integrating Cloudflare Turnstile to protect your login page. Learn how to implement the Turnstile widget on the client side and verify the Turnstile token via the siteverify API on the server side.
+This tutorial will guide you through integrating Cloudflare Turnstile to protect your web forms, such as login, signup, or contact forms. Learn how to implement the Turnstile widget on the client side and verify the Turnstile token via the siteverify API on the server side.
 
 ## Before you begin
 
 - You must have a Cloudflare account.
-- You must have a web application with a login or signup page.
+- You must have a web application with a form you want to protect.
 - You must have basic knowledge of HTML and your server-side language of choice, such as Node.js or Python.
 
 ## Get Your Turnstile sitekey and secret key
@@ -28,26 +28,34 @@ This tutorial will guide you through integrating Cloudflare Turnstile to protect
 
 ## Add the Turnstile widget to your HTML form
 
-1. Add the Turnstile widget to your login form.
+1. Add the Turnstile widget to your form.
 2. Replace `YOUR-SITE-KEY` with the sitekey from Cloudflare.
+3. Add a `data-callback` attribute to the Turnstile widget div. This JavaScript function will be called when the challenge is successful.
+4. Ensure your submit button is initially disabled.
 
-```html title="Example" {13-14}
+```html title="Example" {14-15,17}
 <!DOCTYPE html>
 <html lang="en">
 <head>
     <meta charset="UTF-8">
-    <title>Login Page</title>
+    <title>Contact Form</title>
     <script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
+    <script>
+        function enableSubmit() {
+            document.getElementById("submit-button").disabled = false;
+        }
+    </script>
 </head>
 <body>
-    <form id="login-form" action="/login" method="POST">
-        <input type="text" name="username" placeholder="Username" required>
-        <input type="password" name="password" placeholder="Password" required>
+    <form id="contact-form" action="/submit" method="POST">
+        <input type="text" name="name" placeholder="Name" required>
+        <input type="email" name="email" placeholder="Email" required>
+        <textarea name="message" placeholder="Message" required></textarea>
 
         <!-- Turnstile widget -->
-        <div class="cf-turnstile" data-sitekey="YOUR-SITE-KEY"></div>
+        <div class="cf-turnstile" data-sitekey="YOUR-SITE-KEY" data-callback="enableSubmit"></div>
 
-        <button type="submit">Log in</button>
+        <button type="submit" id="submit-button" disabled>Submit</button>
     </form>
 </body>
 </html>
@@ -65,7 +73,7 @@ const app = express();
 
 app.use(bodyParser.urlencoded({ extended: true }));
 
-app.post('/login', async (req, res) => {
+app.post('/submit', async (req, res) => {
     const turnstileToken = req.body['cf-turnstile-response'];
     const secretKey = 'your-secret-key';
 
@@ -78,11 +86,12 @@ app.post('/login', async (req, res) => {
         });
 
         if (response.data.success) {
-            // Token is valid, proceed with login
-            const username = req.body.username;
-            const password = req.body.password;
-            // Your login logic here
-            res.send('Login successful');
+            // Token is valid, proceed with form submission
+            const name = req.body.name;
+            const email = req.body.email;
+            const message = req.body.message;
+            // Your form processing logic here
+            res.send('Form submission successful');
         } else {
             res.status(400).send('Turnstile verification failed');
         }
@@ -100,13 +109,13 @@ app.listen(3000, () => {
 
 It is crucial to handle the verification of the Turnstile token correctly. This section covers some key points to keep in mind.
 
-### Verify the token after credentials input
+### Verify the token after form input
 
-- Ensure that you verify the Turnstile token after the user has put in their credentials and selected **log in** to your website or application.
-- If you verify the token before the user inputs their credentials, a malicious visitor could bypass the protection by reentering the login credentials.
+- Ensure that you verify the Turnstile token after the user has filled out the form and selected **submit**.
+- If you verify the token before the user inputs their data, a malicious actor could potentially bypass the protection by manipulating the form submission after obtaining a valid token.
 
 ### Proper flow implementation
 
-- When the user submits the login form, send both the login credentials and the Turnstile token to your server.
+- When the user submits the form, send both the form data and the Turnstile token to your server.
 - On the server side, verify the Turnstile token first.
-- Based on the verification response, decide whether to proceed with checking the login credentials.
+- Based on the verification response, decide whether to proceed with processing the form data.