uo_toolkit_frontend_login_turnstile_validate_token_value
Filters the Turnstile token value before validation occurs on the frontend login form.
add_filter( 'uo_toolkit_frontend_login_turnstile_validate_token_value', $callback, 10, 1 );
Description
Filters the Turnstile token value before validation. Developers can modify or sanitize the token, for example, to handle specific input formats or to perform custom validation logic before the token is sent to Cloudflare's API for verification. This hook fires just before the token is checked for emptiness or the string 'false'.
Usage
add_filter( 'uo_toolkit_frontend_login_turnstile_validate_token_value', 'your_function_name', 10, 1 );
Parameters
- $token (mixed) - The Turnstile token value that is about to be validated.
Return Value
The filtered token value. If it is empty or equals the string 'false', validation fails with a 400 error; otherwise it is posted unchanged to Cloudflare's siteverify endpoint.
Examples
<?php
/**
 * Example: Sanitize and validate the Turnstile token before it's sent for verification.
 *
 * This filter allows you to intercept the Turnstile token value and perform
 * additional sanitization or validation before it's sent to the Cloudflare API.
 * For instance, you might want to ensure it's a non-empty string or meets
 * certain length requirements.
 *
 * @param mixed $token The raw Turnstile token received from the frontend.
 * @return string|false The sanitized or validated token, or false if it should be considered invalid at this stage.
 */
add_filter( 'uo_toolkit_frontend_login_turnstile_validate_token_value', function( $token ) {
	// Anything other than a plain string (for example an array submitted as token[]) cannot be a token.
	if ( ! is_string( $token ) ) {
		return false; // Treat as invalid.
	}
	// Cloudflare documents Turnstile tokens as up to 2048 characters; anything longer might indicate tampering.
	if ( strlen( $token ) > 2048 ) {
		// Log an error or trigger a warning if needed for debugging.
		// error_log( 'Turnstile token appears to be excessively long: ' . substr( $token, 0, 50 ) . '...' );
		return false; // Treat as invalid.
	}
	// Basic sanitization: remove any character outside the token alphabet.
	// Dots must be kept: real Turnstile tokens contain them (typically a "0." prefix),
	// so stripping them would change the token and make Cloudflare reject it.
	$sanitized_token = preg_replace( '/[^a-zA-Z0-9._-]/', '', $token );
	// Ensure the sanitized token is still a valid length after sanitization.
	if ( empty( $sanitized_token ) || strlen( $sanitized_token ) < 20 ) { // Turnstile tokens are usually longer.
		return false; // Treat as invalid if sanitization removed too much or it's too short.
	}
	// Return the sanitized token for further processing.
	return $sanitized_token;
}, 10, 1 );
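A stricter variant, added here as an illustration rather than taken from the plugin's documentation, rejects malformed tokens instead of rewriting them: a token altered by the filter is no longer the one Turnstile issued and would fail siteverify anyway, and a logged rejection tells an operator more than a silently "repaired" value. The 2048-character bound is Cloudflare's documented maximum; the token alphabet, the helper name and the action name are assumptions.

```php
<?php
/**
 * Reject (rather than rewrite) values that cannot be genuine Turnstile tokens.
 *
 * Returning false makes validate_token() throw its 400 "unchecked" error before
 * any request is made to Cloudflare, so obviously bad input never costs a siteverify call.
 */
add_filter( 'uo_toolkit_frontend_login_turnstile_validate_token_value', function ( $token ) {
	// Only a plain string can be a token; arrays (token[]=...) and objects are rejected outright.
	if ( ! is_string( $token ) ) {
		return uo_example_reject_turnstile_token( 'non-string' );
	}
	// Cloudflare documents a maximum token length of 2048 characters.
	if ( '' === $token || strlen( $token ) > 2048 ) {
		return uo_example_reject_turnstile_token( 'bad-length' );
	}
	// Assumed token alphabet: letters, digits, '.', '_' and '-'. Anything else is rejected,
	// not stripped, because a modified token would never verify against what Turnstile issued.
	if ( ! preg_match( '/^[A-Za-z0-9._-]+$/', $token ) ) {
		return uo_example_reject_turnstile_token( 'bad-charset' );
	}
	return $token; // Unchanged: the plugin forwards it to siteverify as-is.
}, 10, 1 );

/**
 * Record why a token was rejected, then return false so the plugin treats it as unchecked.
 * Hypothetical helper: only the reason and client address are logged, never the token itself.
 *
 * @param string $reason Short machine-readable rejection reason.
 * @return false
 */
function uo_example_reject_turnstile_token( $reason ) {
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';
	error_log( sprintf( 'Turnstile token rejected before siteverify (reason: %s, ip: %s)', $reason, $ip ) );
	// Let monitoring or rate-limiting code react without coupling it to this filter (hypothetical action name).
	do_action( 'uo_example_turnstile_token_rejected', $reason );
	return false;
}
```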
Placement
This code should be placed in the functions.php file of your active theme, a custom plugin, or using a code snippets plugin.
Source Code
src/classes/frontend-login/turnstile-support.php:254
public static function validate_token( $token ) {
	$token = apply_filters( 'uo_toolkit_frontend_login_turnstile_validate_token_value', $token );
	if ( empty( $token ) || 'false' === $token ) { // Token is getting cast as string.
		throw new Exception( self::get_error_message_unchecked(), 400 );
	}
	$url = 'https://challenges.cloudflare.com/turnstile/v0/siteverify';
	// Data to be sent
	$data = array(
		'secret'   => self::get_site_secret(),
		'response' => $token,
	);
	// Send POST request
	$response = wp_remote_post(
		$url,
		array(
			'body' => $data,
		)
	);
	// Check for errors
	if ( is_wp_error( $response ) ) {
		// Throw 422 errors for WordPress specific errors.
		throw new Exception( $response->get_error_message(), 422 );
	}
	// Success.
	$body = wp_remote_retrieve_body( $response );
	$data = json_decode( $body, true );
	if ( $data['success'] ) {
		return true;
	}
	// Throw 400 error message if nothing else.
	throw new Exception( self::get_error_message(), 400 );
}