From 7177b0b0a4af86fe8a49f82c00f9186bb4d87e6e Mon Sep 17 00:00:00 2001
From: Jason Maurer <jsonmaur@fastmail.com>
Date: Mon, 24 Apr 2023 20:50:30 -0600
Subject: [PATCH] v1 release

---
 .github/workflows/test.yml                    |   2 +-
 CHANGELOG.md                                  |   3 +
 README.md                                     | 204 ++++++++++++++++++
 lib/phoenix_turnstile.ex                      |   3 -
 lib/turnstile.ex                              | 165 ++++++++++++++
 lib/turnstile/behaviour.ex                    |  13 ++
 mix.exs                                       |  10 +-
 mix.lock                                      |  19 ++
 package.json                                  |   3 +
 priv/static/phoenix_turnstile.js              |  25 +++
 .../custom_cassettes/turnstile_error.json     |  15 ++
 .../custom_cassettes/turnstile_failure.json   |  15 ++
 .../custom_cassettes/turnstile_success.json   |  15 ++
 test/test_helper.exs                          |   2 +-
 test/turnstile_test.exs                       | 131 +++++++++++
 15 files changed, 617 insertions(+), 8 deletions(-)
 create mode 100644 CHANGELOG.md
 delete mode 100644 lib/phoenix_turnstile.ex
 create mode 100644 lib/turnstile.ex
 create mode 100644 lib/turnstile/behaviour.ex
 create mode 100644 package.json
 create mode 100644 priv/static/phoenix_turnstile.js
 create mode 100644 test/fixtures/custom_cassettes/turnstile_error.json
 create mode 100644 test/fixtures/custom_cassettes/turnstile_failure.json
 create mode 100644 test/fixtures/custom_cassettes/turnstile_success.json
 create mode 100644 test/turnstile_test.exs

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index d1222b7..d1f5a75 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -39,4 +39,4 @@ jobs:
           mix-build-${{ runner.os }}-
 
     - run: mix deps.get
-    - run: mix test
+    - run: mix test --include external
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..acd2eef
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,3 @@
+## v1.0.0
+
+- Initial release 🎉
diff --git a/README.md b/README.md
index fb4e692..6a4c0b2 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,7 @@
 <a href="https://github.com/jsonmaur/phoenix-turnstile/actions/workflows/test.yml"><img alt="Test Status" src="https://img.shields.io/github/actions/workflow/status/jsonmaur/phoenix-turnstile/test.yml?label=&style=for-the-badge&logo=github"></a> <a href="https://hexdocs.pm/phoenix_turnstile/"><img alt="Hex Version" src="https://img.shields.io/hexpm/v/phoenix_turnstile?style=for-the-badge&label=&logo=elixir" /></a>
 
+Components and helpers for using [Cloudflare Turnstile CAPTCHAs](https://www.cloudflare.com/products/turnstile/) in Phoenix apps. To get started, log into the Cloudflare dashboard and visit the Turnstile tab. Add a new site with your domain name (no need to add `localhost` if using the default test keys), and take note of your site key and secret key. You'll need these values later.
+
 ## Getting Started
 
 ```elixir
@@ -9,3 +11,205 @@ def deps do
   ]
 end
 ```
+
+Now add the site key and secret key to your environment variables, and configure them in `config/runtime.exs`:
+
+```elixir
+config :phoenix_turnstile,
+  site_key: System.fetch_env!("TURNSTILE_SITE_KEY"),
+  secret_key: System.fetch_env!("TURNSTILE_SECRET_KEY")
+```
+
+You don't need to add a site key or secret key for dev/test environments. This library will use the Turnstile test keys by default.
+
+## With Live View
+
+To use CAPTCHAs in a Live View app, start out by adding the script component in your root layout:
+
+```heex
+<head>
+  <!-- ... -->
+
+  <Turnstile.script />
+</head>
+```
+
+Next, install the hook in `app.js` or wherever your live socket is being defined (make sure you're setting `NODE_PATH` in your [esbuild config](https://github.com/phoenixframework/esbuild#adding-to-phoenix) and including the `deps` folder):
+
+```javascript
+import { TurnstileHook } from "phoenix_turnstile"
+
+const liveSocket = new LiveSocket("/live", Socket, {
+  /* ... */
+  hooks: {
+    Turnstile: TurnstileHook
+  }
+})
+```
+
+Now you can use the Turnstile widget component in any of your forms. For example:
+
+```heex
+<.form for={@form} phx-submit="submit">
+  <Turnstile.widget theme="light" />
+
+  <button type="submit">Submit</button>
+</.form>
+```
+
+To customize the widget, pass any of the render parameters [specificed here](https://developers.cloudflare.com/turnstile/get-started/client-side-rendering/#configurations) (without the `data-` prefix).
+
+### Verification
+
+The widget by itself won't actually complete the verification. It works by generating a token which gets injected into your form as a hidden input named `cf-turnstile-response`. The token needs to be sent to the Cloudflare API for final verification before continuing with the form submission. This should be done in your submit event using `Turnstile.verify/2`:
+
+```elixir
+def handle_event("submit", values, socket) do
+  case Turnstile.verify(values) do
+    {:ok, _} ->
+      # Verification passed!
+
+      {:noreply, socket}
+
+    {:error, _} ->
+      socket =
+        socket
+        |> put_flash(:error, "Please try submitting again")
+        |> Turnstile.refresh()
+
+      {:noreply, socket}
+  end
+end
+```
+
+To be extra sure the user is not a robot, you also have the option of passing their IP address to the verification API. **This step is optional.** To get the user's IP address in Live View, add `:peer_data` to the connect info for your socket in `endpoint.ex`:
+
+```elixir
+socket "/live", Phoenix.LiveView.Socket,
+  websocket: [
+    connect_info: [:peer_data, ...]
+  ]
+```
+
+and pass it as the second argument to `Turnstile.verify/2`:
+
+```elixir
+def mount(_params, session, socket) do
+  remote_ip = get_connect_info(socket, :peer_data).address
+
+  {:ok, assign(socket, :remote_ip, remote_ip)}
+end
+
+def handle_event("submit", values, socket) do
+  case Turnstile.verify(values, socket.assigns.remote_ip) do
+    # ...
+  end
+end
+```
+
+### Multiple Widgets
+
+If you want to have multiple widgets on the same page, pass a unique ID to `Turnstile.widget/1`, `Turnstile.refresh/1`, and `Turnstile.remove/1`.
+
+## Without Live View
+
+`Turnstile.script/1` and `Turnstile.widget/1` both rely on [client hooks](https://hexdocs.pm/phoenix_live_view/js-interop.html#client-hooks-via-phx-hook), and should work in non-Live View pages as long as `app.js` is opening a live socket (which it should by default). Simply call `Turnstile.verify/2` in the controller:
+
+```elixir
+def create(conn, params) do
+  case Turnstile.verify(params, conn.remote_ip) do
+    {:ok, _} ->
+      # Verification passed!
+
+      redirect(conn, to: ~p"/success")
+
+    {:error, _} ->
+      conn
+      |> put_flash(:error, "Please try submitting again")
+      |> redirect(to: ~p"/new")
+  end
+end
+```
+
+If your page doesn't open a live socket or your're not using HEEx, you can still run Turnstile verifications by building your own client-side widget following the [documentation](https://developers.cloudflare.com/turnstile/get-started/client-side-rendering/) and using `Turnstile.site_key/0` to get your site key in the template:
+
+```elixir
+def new(conn, _params) do
+  conn
+  |> assign(:site_key, Turnstile.site_key())
+  |> render("new.html")
+end
+```
+
+```html
+<form action="/create" method="POST">
+  <!-- ... -->
+
+  <div class="cf-turnstile" data-sitekey="<%= @site_key %>"></div>
+  <button type="submit">Submit</button>
+</form>
+```
+
+## Content Security Policies
+
+If your site uses a content security policy, you'll need to add `https://challenges.cloudflare.com` to your `script-src` and `frame-src` directives. You can also add attributes to the script component such as `nonce`, and they will be passed through to the script tag:
+
+```heex
+<head>
+  <!-- ... -->
+
+  <Turnstile.script nonce={@script_src_nonce} />
+</head>
+```
+
+## Writing Tests
+
+When testing forms that use Turnstile verification, you may or may not want to call the live API.
+
+Although we use the test keys by default, you should consider using mocks during testing. An excellent library to consider is [mox](https://github.com/dashbitco/mox). Phoenix Turnstile exposes a behaviour that you can use to make writing your tests much easier.
+
+To start using Mox with Phoenix Turnstile, add this to your `test/test_helper.ex`:
+
+```elixir
+Mox.defmock(TurnstileMock, for: Turnstile.Behaviour)
+```
+
+Then in your `config/test.exs`:
+
+```elixir
+config :phoenix_turnstile, adapter: TurnstileMock
+```
+
+To make sure you're using `TurnstileMock` during testing, use the adapter from the config rather than using `Turnstile` directly:
+
+```elixir
+@turnstile Application.compile_env(:phoenix_turnstile, :adapter, Turnstile)
+
+def handle_event("submit", values, socket) do
+  case @turnstile.verify(values) do
+    {:ok, _} ->
+      # Verification passed!
+
+      {:noreply, socket}
+
+    {:error, _} ->
+      socket =
+        socket
+        |> put_flash(:error, "Please try submitting again")
+        |> @turnstile.refresh()
+
+      {:noreply, socket}
+  end
+end
+```
+
+Now you can easily mock or stub any Turnstile function in your tests and they won't make any real API calls:
+
+```elixir
+import Mox
+
+setup do
+  stub(TurnstileMock, :refresh, fn socket -> socket end)
+  stub(TurnstileMock, :verify, fn _values, _remoteip -> {:ok, %{}} end)
+end
+```
diff --git a/lib/phoenix_turnstile.ex b/lib/phoenix_turnstile.ex
deleted file mode 100644
index afd2769..0000000
--- a/lib/phoenix_turnstile.ex
+++ /dev/null
@@ -1,3 +0,0 @@
-defmodule PhoenixTurnstile do
-  @moduledoc false
-end
diff --git a/lib/turnstile.ex b/lib/turnstile.ex
new file mode 100644
index 0000000..9ef7511
--- /dev/null
+++ b/lib/turnstile.ex
@@ -0,0 +1,165 @@
+defmodule Turnstile do
+  @behaviour Turnstile.Behaviour
+  @moduledoc """
+  Use Cloudflare Turnstile in Phoenix apps
+  """
+
+  import Phoenix.Component
+
+  alias Phoenix.LiveView
+
+  @script_url "https://challenges.cloudflare.com/turnstile/v0/api.js"
+  @verify_url "https://challenges.cloudflare.com/turnstile/v0/siteverify"
+
+  @impl true
+  @doc """
+  Returns the configured site key.
+  """
+  def site_key, do: Application.get_env(:phoenix_turnstile, :site_key, "1x00000000000000000000AA")
+
+  @impl true
+  @doc """
+  Returns the configured secret key.
+  """
+  def secret_key, do: Application.get_env(:phoenix_turnstile, :secret_key, "1x0000000000000000000000000000000AA")
+
+  @doc """
+  Renders the Turnstile script tag.
+
+  Uses explicit rendering so it works with hooks. Additional attributes will be passed through to
+  the script tag.
+  """
+  def script(assigns) do
+    assigns =
+      assigns
+      |> assign(:url, @script_url)
+      |> assign(:rest, assigns_to_attributes(assigns, [:noHook]))
+
+    ~H"""
+    <script defer src={"#{@url}?render=explicit"} {@rest} />
+    """
+  end
+
+  @doc """
+  Renders the Turnstile widget.
+
+  ## Attributes
+
+    * `:id` - The ID of the element. Defaults to `"cf-turnstile"`.
+    * `:class` - The class name passed to the element. Defaults to `nil`.
+    * `:hook` - The phx-hook used. Defaults to `"Turnstile"`.
+    * `:sitekey` - The Turnstile site key. Defaults to the `:site_key` config value.
+
+  All other attributes will be passed through to the element as `data-*` attributes so the widget
+  can be customized. See the [Turnstile docs](https://developers.cloudflare.com/turnstile/get-started/client-side-rendering/#configurations)
+  for a list of available attributes.
+  """
+  def widget(assigns) do
+    rest =
+      assigns
+      |> assigns_to_attributes([:id, :class, :hook, :sitekey])
+      |> Enum.map(fn {k, v} -> {"data-#{k}", v} end)
+      |> Keyword.put(:class, assigns[:class])
+
+    assigns =
+      assigns
+      |> assign_new(:id, fn -> "cf-turnstile" end)
+      |> assign_new(:hook, fn -> "Turnstile" end)
+      |> assign_new(:sitekey, &site_key/0)
+      |> assign(:rest, rest)
+
+    ~H"""
+    <div
+      id={@id}
+      phx-hook={@hook}
+      phx-update="ignore"
+      data-sitekey={@sitekey}
+      {@rest}
+    />
+    """
+  end
+
+  @impl true
+  @doc """
+  Refreshes the Turnstile widget in a LiveView.
+
+  Since the widget uses `phx-update="ignore"`, this function can be used if the widget needs to be
+  re-mounted in the DOM, such as when the verification fails. If there are multiple Turnstile
+  widgets on the page and you only want to refresh one of them, pass a DOM ID as the second
+  argument. Otherwise they will all be refreshed.
+  """
+  def refresh(%LiveView.Socket{} = socket, id \\ nil) do
+    LiveView.push_event(socket, "turnstile:refresh", %{id: id})
+  end
+
+  @impl true
+  @doc """
+  Removes the Turnstile widget from a LiveView.
+
+  Since the widget uses `phx-update="ignore"`, this function can be used if the widget needs to be
+  removed from the DOM. If there are multiple Turnstile widgets on the page and you only want to
+  refresh one of them, pass a DOM ID as the second argument. Otherwise they will all be removed.
+  """
+  def remove(%LiveView.Socket{} = socket, id \\ nil) do
+    LiveView.push_event(socket, "turnstile:remove", %{id: id})
+  end
+
+  @impl true
+  @doc """
+  Calls the Turnstile verify endpoint with a response token.
+
+  Expects a map with string keys that contains a value for `"cf-response-token"` (see
+  [verification](readme.html#verification) for more info). The remote IP can be passed for extra
+  security when running the verification, but is optional. Returns `{:ok, response}` if the
+  verification succeeded, or `{:error, reason}` if the verification failed.
+  """
+  def verify(%{"cf-turnstile-response" => turnstile_response}, remoteip \\ nil) do
+    body = encode_body!(turnstile_response, remoteip)
+    headers = [{to_charlist("accept"), to_charlist("application/json")}]
+    request = {to_charlist(@verify_url), headers, to_charlist("application/json"), body}
+
+    case :httpc.request(:post, request, [ssl: ssl_opts()], []) do
+      {:ok, {{_, 200, _}, _, body}} ->
+        body = Jason.decode!(body)
+
+        if body["success"] do
+          {:ok, body}
+        else
+          {:error, body}
+        end
+
+      {:ok, {_, _, body}} ->
+        {:error, body}
+
+      {:error, error} ->
+        {:error, error}
+    end
+  end
+
+  defp encode_body!(response, remoteip) when is_tuple(remoteip) do
+    encode_body!(response, :inet_parse.ntoa(remoteip) |> to_string())
+  end
+
+  defp encode_body!(response, remoteip) when is_list(remoteip) do
+    encode_body!(response, to_string(remoteip))
+  end
+
+  defp encode_body!(response, remoteip) do
+    %{response: response, remoteip: remoteip, secret: secret_key()}
+    |> Enum.reject(fn {_, v} -> is_nil(v) end)
+    |> Enum.into(%{})
+    |> Jason.encode!()
+    |> to_charlist()
+  end
+
+  defp ssl_opts do
+    [
+      depth: 99,
+      verify: :verify_peer,
+      cacerts: :certifi.cacerts(),
+      customize_hostname_check: [
+        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
+      ]
+    ]
+  end
+end
diff --git a/lib/turnstile/behaviour.ex b/lib/turnstile/behaviour.ex
new file mode 100644
index 0000000..eb3380f
--- /dev/null
+++ b/lib/turnstile/behaviour.ex
@@ -0,0 +1,13 @@
+defmodule Turnstile.Behaviour do
+  @callback site_key :: binary()
+  @callback secret_key :: binary()
+
+  @callback refresh(map()) :: map()
+  @callback refresh(map(), binary()) :: map()
+
+  @callback remove(map()) :: map()
+  @callback remove(map(), binary()) :: map()
+
+  @callback verify(%{binary() => binary()}) :: {:ok, term()} | {:error, term()}
+  @callback verify(%{binary() => binary()}, tuple() | binary()) :: {:ok, term()} | {:error, term()}
+end
diff --git a/mix.exs b/mix.exs
index 40d9037..9092ccc 100644
--- a/mix.exs
+++ b/mix.exs
@@ -14,7 +14,7 @@ defmodule PhoenixTurnstile.MixProject do
       aliases: aliases(),
       source_url: @url,
       homepage_url: "#{@url}#readme",
-      description: "",
+      description: "Use Cloudflare Turnstile in Phoenix apps",
       authors: ["Jason Maurer"],
       package: [
         licenses: ["MIT"],
@@ -29,13 +29,17 @@ defmodule PhoenixTurnstile.MixProject do
 
   def application do
     [
-      extra_applications: [:logger]
+      extra_applications: [:logger, :inets, :ssl]
     ]
   end
 
   defp deps do
     [
-      {:ex_doc, "~> 0.27", only: :dev, runtime: false}
+      {:certifi, "~> 2.0"},
+      {:ex_doc, "~> 0.27", only: :dev, runtime: false},
+      {:exvcr, "~> 0.11", only: :test, runtime: false},
+      {:jason, "~> 1.0"},
+      {:phoenix_live_view, "~> 0.17", optional: true}
     ]
   end
 
diff --git a/mix.lock b/mix.lock
index 1de09fc..2c8c6ae 100644
--- a/mix.lock
+++ b/mix.lock
@@ -1,8 +1,27 @@
 %{
+  "castore": {:hex, :castore, "1.0.1", "240b9edb4e9e94f8f56ab39d8d2d0a57f49e46c56aced8f873892df8ff64ff5a", [:mix], [], "hexpm", "b4951de93c224d44fac71614beabd88b71932d0b1dea80d2f80fb9044e01bbb3"},
+  "certifi": {:hex, :certifi, "2.11.0", "5adfe37ceb8569d019f836944aeaf27f8ac391dacaf3707f570c155b7e03aaa8", [:rebar3], [], "hexpm", "9e37e0542ec3fabaa19a0734b3900dc095797fac48c40a2a9741d8ad5e3c9bb7"},
   "earmark_parser": {:hex, :earmark_parser, "1.4.31", "a93921cdc6b9b869f519213d5bc79d9e218ba768d7270d46fdcf1c01bacff9e2", [:mix], [], "hexpm", "317d367ee0335ef037a87e46c91a2269fef6306413f731e8ec11fc45a7efd059"},
   "ex_doc": {:hex, :ex_doc, "0.29.4", "6257ecbb20c7396b1fe5accd55b7b0d23f44b6aa18017b415cb4c2b91d997729", [:mix], [{:earmark_parser, "~> 1.4.31", [hex: :earmark_parser, repo: "hexpm", optional: false]}, {:makeup_elixir, "~> 0.14", [hex: :makeup_elixir, repo: "hexpm", optional: false]}, {:makeup_erlang, "~> 0.1", [hex: :makeup_erlang, repo: "hexpm", optional: false]}], "hexpm", "2c6699a737ae46cb61e4ed012af931b57b699643b24dabe2400a8168414bc4f5"},
+  "exactor": {:hex, :exactor, "2.2.4", "5efb4ddeb2c48d9a1d7c9b465a6fffdd82300eb9618ece5d34c3334d5d7245b1", [:mix], [], "hexpm", "1222419f706e01bfa1095aec9acf6421367dcfab798a6f67c54cf784733cd6b5"},
+  "exjsx": {:hex, :exjsx, "4.0.0", "60548841e0212df401e38e63c0078ec57b33e7ea49b032c796ccad8cde794b5c", [:mix], [{:jsx, "~> 2.8.0", [hex: :jsx, repo: "hexpm", optional: false]}], "hexpm", "32e95820a97cffea67830e91514a2ad53b888850442d6d395f53a1ac60c82e07"},
+  "exvcr": {:hex, :exvcr, "0.13.5", "3cb058c3a360bd0ff45d5e9f061723fad25e3a56157b76c0bbf20e8990470b14", [:mix], [{:exactor, "~> 2.2", [hex: :exactor, repo: "hexpm", optional: false]}, {:exjsx, "~> 4.0", [hex: :exjsx, repo: "hexpm", optional: false]}, {:finch, "~> 0.8", [hex: :finch, repo: "hexpm", optional: true]}, {:httpoison, "~> 1.0 or ~> 2.0", [hex: :httpoison, repo: "hexpm", optional: true]}, {:httpotion, "~> 3.1", [hex: :httpotion, repo: "hexpm", optional: true]}, {:ibrowse, "4.4.0", [hex: :ibrowse, repo: "hexpm", optional: true]}, {:meck, "~> 0.8", [hex: :meck, repo: "hexpm", optional: false]}], "hexpm", "89a7b951dd93ef735fbf2c83a552c962f2bdc9e1954fe355ac95c3128f285e8c"},
+  "jason": {:hex, :jason, "1.4.0", "e855647bc964a44e2f67df589ccf49105ae039d4179db7f6271dfd3843dc27e6", [:mix], [{:decimal, "~> 1.0 or ~> 2.0", [hex: :decimal, repo: "hexpm", optional: true]}], "hexpm", "79a3791085b2a0f743ca04cec0f7be26443738779d09302e01318f97bdb82121"},
+  "jsx": {:hex, :jsx, "2.8.3", "a05252d381885240744d955fbe3cf810504eb2567164824e19303ea59eef62cf", [:mix, :rebar3], [], "hexpm", "fc3499fed7a726995aa659143a248534adc754ebd16ccd437cd93b649a95091f"},
   "makeup": {:hex, :makeup, "1.1.0", "6b67c8bc2882a6b6a445859952a602afc1a41c2e08379ca057c0f525366fc3ca", [:mix], [{:nimble_parsec, "~> 1.2.2 or ~> 1.3", [hex: :nimble_parsec, repo: "hexpm", optional: false]}], "hexpm", "0a45ed501f4a8897f580eabf99a2e5234ea3e75a4373c8a52824f6e873be57a6"},
   "makeup_elixir": {:hex, :makeup_elixir, "0.16.1", "cc9e3ca312f1cfeccc572b37a09980287e243648108384b97ff2b76e505c3555", [:mix], [{:makeup, "~> 1.0", [hex: :makeup, repo: "hexpm", optional: false]}, {:nimble_parsec, "~> 1.2.3 or ~> 1.3", [hex: :nimble_parsec, repo: "hexpm", optional: false]}], "hexpm", "e127a341ad1b209bd80f7bd1620a15693a9908ed780c3b763bccf7d200c767c6"},
   "makeup_erlang": {:hex, :makeup_erlang, "0.1.1", "3fcb7f09eb9d98dc4d208f49cc955a34218fc41ff6b84df7c75b3e6e533cc65f", [:mix], [{:makeup, "~> 1.0", [hex: :makeup, repo: "hexpm", optional: false]}], "hexpm", "174d0809e98a4ef0b3309256cbf97101c6ec01c4ab0b23e926a9e17df2077cbb"},
+  "meck": {:hex, :meck, "0.9.2", "85ccbab053f1db86c7ca240e9fc718170ee5bda03810a6292b5306bf31bae5f5", [:rebar3], [], "hexpm", "81344f561357dc40a8344afa53767c32669153355b626ea9fcbc8da6b3045826"},
+  "mime": {:hex, :mime, "2.0.3", "3676436d3d1f7b81b5a2d2bd8405f412c677558c81b1c92be58c00562bb59095", [:mix], [], "hexpm", "27a30bf0db44d25eecba73755acf4068cbfe26a4372f9eb3e4ea3a45956bff6b"},
   "nimble_parsec": {:hex, :nimble_parsec, "1.3.0", "9e18a119d9efc3370a3ef2a937bf0b24c088d9c4bf0ba9d7c3751d49d347d035", [:mix], [], "hexpm", "7977f183127a7cbe9346981e2f480dc04c55ffddaef746bd58debd566070eef8"},
+  "phoenix": {:hex, :phoenix, "1.7.2", "c375ffb482beb4e3d20894f84dd7920442884f5f5b70b9f4528cbe0cedefec63", [:mix], [{:castore, ">= 0.0.0", [hex: :castore, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: true]}, {:phoenix_pubsub, "~> 2.1", [hex: :phoenix_pubsub, repo: "hexpm", optional: false]}, {:phoenix_template, "~> 1.0", [hex: :phoenix_template, repo: "hexpm", optional: false]}, {:phoenix_view, "~> 2.0", [hex: :phoenix_view, repo: "hexpm", optional: true]}, {:plug, "~> 1.14", [hex: :plug, repo: "hexpm", optional: false]}, {:plug_cowboy, "~> 2.6", [hex: :plug_cowboy, repo: "hexpm", optional: true]}, {:plug_crypto, "~> 1.2", [hex: :plug_crypto, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}, {:websock_adapter, "~> 0.4", [hex: :websock_adapter, repo: "hexpm", optional: false]}], "hexpm", "1ebca94b32b4d0e097ab2444a9742ed8ff3361acad17365e4e6b2e79b4792159"},
+  "phoenix_html": {:hex, :phoenix_html, "3.3.1", "4788757e804a30baac6b3fc9695bf5562465dd3f1da8eb8460ad5b404d9a2178", [:mix], [{:plug, "~> 1.5", [hex: :plug, repo: "hexpm", optional: true]}], "hexpm", "bed1906edd4906a15fd7b412b85b05e521e1f67c9a85418c55999277e553d0d3"},
+  "phoenix_live_view": {:hex, :phoenix_live_view, "0.18.18", "1f38fbd7c363723f19aad1a04b5490ff3a178e37daaf6999594d5f34796c47fc", [:mix], [{:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: true]}, {:phoenix, "~> 1.6.15 or ~> 1.7.0", [hex: :phoenix, repo: "hexpm", optional: false]}, {:phoenix_html, "~> 3.3", [hex: :phoenix_html, repo: "hexpm", optional: false]}, {:phoenix_template, "~> 1.0", [hex: :phoenix_template, repo: "hexpm", optional: false]}, {:phoenix_view, "~> 2.0", [hex: :phoenix_view, repo: "hexpm", optional: true]}, {:telemetry, "~> 0.4.2 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "a5810d0472f3189ede6d2a95bda7f31c6113156b91784a3426cb0ab6a6d85214"},
+  "phoenix_pubsub": {:hex, :phoenix_pubsub, "2.1.1", "ba04e489ef03763bf28a17eb2eaddc2c20c6d217e2150a61e3298b0f4c2012b5", [:mix], [], "hexpm", "81367c6d1eea5878ad726be80808eb5a787a23dee699f96e72b1109c57cdd8d9"},
+  "phoenix_template": {:hex, :phoenix_template, "1.0.1", "85f79e3ad1b0180abb43f9725973e3b8c2c3354a87245f91431eec60553ed3ef", [:mix], [{:phoenix_html, "~> 2.14.2 or ~> 3.0", [hex: :phoenix_html, repo: "hexpm", optional: true]}], "hexpm", "157dc078f6226334c91cb32c1865bf3911686f8bcd6bcff86736f6253e6993ee"},
+  "plug": {:hex, :plug, "1.14.2", "cff7d4ec45b4ae176a227acd94a7ab536d9b37b942c8e8fa6dfc0fff98ff4d80", [:mix], [{:mime, "~> 1.0 or ~> 2.0", [hex: :mime, repo: "hexpm", optional: false]}, {:plug_crypto, "~> 1.1.1 or ~> 1.2", [hex: :plug_crypto, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4.3 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "842fc50187e13cf4ac3b253d47d9474ed6c296a8732752835ce4a86acdf68d13"},
+  "plug_crypto": {:hex, :plug_crypto, "1.2.5", "918772575e48e81e455818229bf719d4ab4181fcbf7f85b68a35620f78d89ced", [:mix], [], "hexpm", "26549a1d6345e2172eb1c233866756ae44a9609bd33ee6f99147ab3fd87fd842"},
+  "telemetry": {:hex, :telemetry, "1.2.1", "68fdfe8d8f05a8428483a97d7aab2f268aaff24b49e0f599faa091f1d4e7f61c", [:rebar3], [], "hexpm", "dad9ce9d8effc621708f99eac538ef1cbe05d6a874dd741de2e689c47feafed5"},
+  "websock": {:hex, :websock, "0.5.1", "c496036ce95bc26d08ba086b2a827b212c67e7cabaa1c06473cd26b40ed8cf10", [:mix], [], "hexpm", "b9f785108b81cd457b06e5f5dabe5f65453d86a99118b2c0a515e1e296dc2d2c"},
+  "websock_adapter": {:hex, :websock_adapter, "0.5.1", "292e6c56724e3457e808e525af0e9bcfa088cc7b9c798218e78658c7f9b85066", [:mix], [{:bandit, ">= 0.6.0", [hex: :bandit, repo: "hexpm", optional: true]}, {:plug, "~> 1.14", [hex: :plug, repo: "hexpm", optional: false]}, {:plug_cowboy, "~> 2.6", [hex: :plug_cowboy, repo: "hexpm", optional: true]}, {:websock, "~> 0.5", [hex: :websock, repo: "hexpm", optional: false]}], "hexpm", "8e2e1544bfde5f9d0442f9cec2f5235398b224f75c9e06b60557debf64248ec1"},
 }
diff --git a/package.json b/package.json
new file mode 100644
index 0000000..1ceac04
--- /dev/null
+++ b/package.json
@@ -0,0 +1,3 @@
+{
+  "main": "priv/static/phoenix_turnstile.js"
+}
diff --git a/priv/static/phoenix_turnstile.js b/priv/static/phoenix_turnstile.js
new file mode 100644
index 0000000..7c1a4ab
--- /dev/null
+++ b/priv/static/phoenix_turnstile.js
@@ -0,0 +1,25 @@
+export const TurnstileHook = {
+  mounted() {
+    turnstile.render(this.el)
+
+    this.handleEvent("turnstile:refresh", (event) => {
+      if (!event.id || event.id === this.el.id) {
+        this.updated()
+      }
+    })
+
+    this.handleEvent("turnstile:remove", (event) => {
+      if (!event.id || event.id === this.el.id) {
+        this.destroyed()
+      }
+    })
+  },
+
+  updated() {
+    turnstile.reset(this.el)
+  },
+
+  destroyed() {
+    turnstile.remove(this.el)
+  }
+}
diff --git a/test/fixtures/custom_cassettes/turnstile_error.json b/test/fixtures/custom_cassettes/turnstile_error.json
new file mode 100644
index 0000000..bbe1d0e
--- /dev/null
+++ b/test/fixtures/custom_cassettes/turnstile_error.json
@@ -0,0 +1,15 @@
+[
+  {
+    "request": {
+      "method": "post",
+      "url": "https://challenges.cloudflare.com/turnstile/v0/siteverify"
+    },
+    "response": {
+      "status_code": ["HTTP/1.1", 500, "Bad Request"],
+      "headers": {
+        "content-type": "text/plain"
+      },
+      "body": "everything broke"
+    }
+  }
+]
diff --git a/test/fixtures/custom_cassettes/turnstile_failure.json b/test/fixtures/custom_cassettes/turnstile_failure.json
new file mode 100644
index 0000000..2d16e6b
--- /dev/null
+++ b/test/fixtures/custom_cassettes/turnstile_failure.json
@@ -0,0 +1,15 @@
+[
+  {
+    "request": {
+      "method": "post",
+      "url": "https://challenges.cloudflare.com/turnstile/v0/siteverify"
+    },
+    "response": {
+      "status_code": ["HTTP/1.1", 200, "OK"],
+      "headers": {
+        "content-type": "application/json"
+      },
+      "body": "{\"success\": false}"
+    }
+  }
+]
diff --git a/test/fixtures/custom_cassettes/turnstile_success.json b/test/fixtures/custom_cassettes/turnstile_success.json
new file mode 100644
index 0000000..6e1753c
--- /dev/null
+++ b/test/fixtures/custom_cassettes/turnstile_success.json
@@ -0,0 +1,15 @@
+[
+  {
+    "request": {
+      "method": "post",
+      "url": "https://challenges.cloudflare.com/turnstile/v0/siteverify"
+    },
+    "response": {
+      "status_code": ["HTTP/1.1", 200, "OK"],
+      "headers": {
+        "content-type": "application/json"
+      },
+      "body": "{\"success\": true}"
+    }
+  }
+]
diff --git a/test/test_helper.exs b/test/test_helper.exs
index 869559e..ec9036f 100644
--- a/test/test_helper.exs
+++ b/test/test_helper.exs
@@ -1 +1 @@
-ExUnit.start()
+ExUnit.start(exclude: [:external])
diff --git a/test/turnstile_test.exs b/test/turnstile_test.exs
new file mode 100644
index 0000000..9c5d0c5
--- /dev/null
+++ b/test/turnstile_test.exs
@@ -0,0 +1,131 @@
+defmodule TurnstileTest do
+  use ExUnit.Case, async: true
+  use ExVCR.Mock, adapter: ExVCR.Adapter.Httpc
+
+  import Phoenix.LiveViewTest
+
+  alias Phoenix.LiveView
+  alias Turnstile
+
+  setup do
+    ExVCR.Config.cassette_library_dir("test/fixtures/vcr_cassettes", "test/fixtures/custom_cassettes")
+    :ok
+  end
+
+  test "site_key/0" do
+    assert Turnstile.site_key() == "1x00000000000000000000AA"
+  end
+
+  test "secret_key/0" do
+    assert Turnstile.secret_key() == "1x0000000000000000000000000000000AA"
+  end
+
+  describe "script/1" do
+    test "should render component with defaults" do
+      assert render_component(&Turnstile.script/1) ==
+               "<script defer src=\"https://challenges.cloudflare.com/turnstile/v0/api.js?render=explicit\"></script>"
+    end
+
+    test "should render component with custom attributes" do
+      assert render_component(&Turnstile.script/1, foo: "bar") ==
+               "<script defer src=\"https://challenges.cloudflare.com/turnstile/v0/api.js?render=explicit\" foo=\"bar\"></script>"
+    end
+  end
+
+  describe "widget/1" do
+    test "should render component with defaults" do
+      assert render_component(&Turnstile.widget/1) ==
+               "<div id=\"cf-turnstile\" phx-hook=\"Turnstile\" phx-update=\"ignore\" data-sitekey=\"1x00000000000000000000AA\"></div>"
+    end
+
+    test "should render component with a class" do
+      assert render_component(&Turnstile.widget/1, class: "foo") ==
+               "<div id=\"cf-turnstile\" phx-hook=\"Turnstile\" phx-update=\"ignore\" data-sitekey=\"1x00000000000000000000AA\" class=\"foo\"></div>"
+    end
+
+    test "should render component with a custom id and hook" do
+      assert render_component(&Turnstile.widget/1, id: "1", hook: "Foo") ==
+               "<div id=\"1\" phx-hook=\"Foo\" phx-update=\"ignore\" data-sitekey=\"1x00000000000000000000AA\"></div>"
+    end
+
+    test "should render component with a custom site key" do
+      assert render_component(&Turnstile.widget/1, sitekey: "123") ==
+               "<div id=\"cf-turnstile\" phx-hook=\"Turnstile\" phx-update=\"ignore\" data-sitekey=\"123\"></div>"
+    end
+
+    test "should render component with custom data attribute" do
+      assert render_component(&Turnstile.widget/1, theme: "dark") ==
+               "<div id=\"cf-turnstile\" phx-hook=\"Turnstile\" phx-update=\"ignore\" data-sitekey=\"1x00000000000000000000AA\" data-theme=\"dark\"></div>"
+    end
+  end
+
+  test "refresh/2" do
+    assert %LiveView.Socket{} = Turnstile.refresh(%LiveView.Socket{})
+  end
+
+  test "remove/2" do
+    assert %LiveView.Socket{} = Turnstile.remove(%LiveView.Socket{})
+  end
+
+  describe "verify/2" do
+    test "should return successful status" do
+      use_cassette "turnstile_success", custom: true do
+        assert Turnstile.verify(%{"cf-turnstile-response" => "foo"}) == {:ok, %{"success" => true}}
+      end
+    end
+
+    test "should return successful status with ip" do
+      use_cassette "turnstile_success", custom: true do
+        assert Turnstile.verify(%{"cf-turnstile-response" => "foo"}, "127.0.0.1") == {:ok, %{"success" => true}}
+      end
+    end
+
+    test "should return successful status with charlist ip" do
+      use_cassette "turnstile_success", custom: true do
+        assert Turnstile.verify(%{"cf-turnstile-response" => "foo"}, '127.0.0.1') == {:ok, %{"success" => true}}
+      end
+    end
+
+    test "should return successful status with tuple ip" do
+      use_cassette "turnstile_success", custom: true do
+        assert Turnstile.verify(%{"cf-turnstile-response" => "foo"}, {127, 0, 0, 1}) == {:ok, %{"success" => true}}
+      end
+    end
+
+    test "should return unsuccessful status" do
+      use_cassette "turnstile_failure", custom: true do
+        assert Turnstile.verify(%{"cf-turnstile-response" => "foo"}) == {:error, %{"success" => false}}
+      end
+    end
+
+    test "should return any other errors" do
+      use_cassette "turnstile_error", custom: true do
+        assert Turnstile.verify(%{"cf-turnstile-response" => "foo"}) == {:error, "everything broke"}
+      end
+    end
+
+    @tag :external
+    test "should return a successful response" do
+      assert {:ok, res} = Turnstile.verify(%{"cf-turnstile-response" => "abc123"})
+      assert res["success"] == true
+      assert res["error-codes"] == []
+    end
+
+    @tag :external
+    test "should return a successful response with ip address" do
+      assert {:ok, res} = Turnstile.verify(%{"cf-turnstile-response" => "abc123"}, "127.0.0.1")
+      assert res["success"] == true
+      assert res["error-codes"] == []
+    end
+
+    @tag :external
+    test "should return an error response" do
+      Application.put_env(:phoenix_turnstile, :secret_key, "2x0000000000000000000000000000000AA")
+      on_exit(fn -> Application.put_env(:phoenix_turnstile, :secret_key, "1x0000000000000000000000000000000AA") end)
+
+      assert {:error, res} = Turnstile.verify(%{"cf-turnstile-response" => "abc123"}, "127.0.0.1")
+      assert res["success"] == false
+      assert res["error-codes"] == ["invalid-input-response"]
+    end
+  end
+end