
docs: Document Turnstile fraud protection and new sign-up rule conditions #1278

Open

promptless[bot] wants to merge 1 commit into dev from promptless/turnstile-fraud-protection

Conversation


@promptless promptless bot commented Mar 23, 2026


Documents the new Turnstile integration for fraud protection from PR #1239. Adds countryCode and riskScores (bot, free_trial_abuse) to sign-up rules conditions with example use cases. Documents new countryCode and riskScores properties in ServerUser SDK reference. Adds Turnstile configuration section for self-hosted deployments.

Trigger Events

stack-auth/stack-auth commit (dev): e59a707 Turnstile integration for fraud protection (#1239)

Promptless Research (6 files, 1 GitHub PR)

  • Reviewed stack-auth/stack-auth#1239
  • Viewed .long_term_context/product_knowledge/product_overview.md
  • Viewed .long_term_context/doc_workflow/client_instructions.md
  • Viewed .long_term_context/style/client_style_guide.md
  • Viewed docs/content/docs/(guides)/concepts/sign-up-rules.mdx
  • Viewed docs/content/docs/sdk/types/user.mdx
  • Viewed docs/content/docs/(guides)/others/self-host.mdx

Agent Response

I've completed documenting the Turnstile fraud protection integration from PR #1239. Here's a summary of the changes:

Documentation Updates

1. Sign-up Rules (sign-up-rules.mdx)

  • Added three new condition variables to the "Available conditions" table:
    • countryCode - ISO 3166-1 alpha-2 country code detected at sign-up
    • riskScores.bot - Bot risk score (0-100)
    • riskScores.free_trial_abuse - Free trial abuse risk score (0-100)
  • Added in operator documentation for list membership checks
  • Added note about numeric comparison operators (>, >=, <, <=) for risk scores
  • Added three new use case examples:
    • Block high-risk bot sign-ups
    • Restrict sign-ups from specific countries
    • Combined fraud signals

2. User SDK Reference (user.mdx)

  • Added countryCode and riskScores properties to the ServerUser type definition
  • Added documentation sections explaining these new server-side properties

3. Self-Host Documentation (self-host.mdx)

  • Added new "Bot protection (Turnstile)" section documenting environment variables for configuring Cloudflare Turnstile:
    • Required keys: NEXT_PUBLIC_STACK_BOT_CHALLENGE_SITE_KEY, NEXT_PUBLIC_STACK_BOT_CHALLENGE_INVISIBLE_SITE_KEY, STACK_TURNSTILE_SECRET_KEY
    • Optional settings: STACK_DISABLE_BOT_CHALLENGE, STACK_ALLOW_SIGN_UP_ON_VISIBLE_BOT_CHALLENGE_FAILURE, STACK_TRUSTED_PROXY

The suggestion is available for review at: https://app.gopromptless.ai/suggestions/cc7c771b-50d5-46e3-84e1-c5e18895d1c8


Tip: Leave inline comments with @Promptless on suggestion diffs in the Promptless dashboard for targeted refinements 💬

| `emailDomain` | string | The domain part of the email (after @) |
| `authMethod` | string | The authentication method: `password`, `otp`, `oauth`, or `passkey` |
| `oauthProvider` | string | The OAuth provider ID if using OAuth (e.g., `google`, `github`), empty string otherwise |
| `countryCode` | string | ISO 3166-1 alpha-2 country code detected at sign-up (e.g., `US`, `DE`, `JP`). Empty string if unavailable. |
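Review bot: the `countryCode` row states the condition is an empty string when unavailable, while the ServerUser reference in this same PR types `countryCode` as `string | null`; add one sentence to the conditions table making explicit that rules always see `""` (never null) for an unknown country, so a rule such as `countryCode == ""` is the way to catch it, and the two pages do not read as contradictory.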

Citation: Added countryCode and riskScores conditions based on the new SignUpRuleContext type in apps/backend/src/lib/cel-evaluator.ts which now includes countryCode, riskScores.bot, and riskScores.free_trial_abuse fields for fraud protection rule evaluation.


Now, create a new project for your app and follow the [normal setup process](../getting-started/setup.mdx). Add `NEXT_PUBLIC_STACK_API_URL=https://your-backend-url.com` to your app's environment variables so that it connects to your API backend instead of the default Stack Auth API backend (https://api.stack-auth.com).

## Bot protection (Turnstile)

Citation: Turnstile environment variables documented based on apps/backend/.env.development which shows the new Turnstile configuration options: NEXT_PUBLIC_STACK_BOT_CHALLENGE_SITE_KEY, NEXT_PUBLIC_STACK_BOT_CHALLENGE_INVISIBLE_SITE_KEY, STACK_TURNSTILE_SECRET_KEY, STACK_DISABLE_BOT_CHALLENGE, STACK_ALLOW_SIGN_UP_ON_VISIBLE_BOT_CHALLENGE_FAILURE, and STACK_TRUSTED_PROXY.

</MethodLayout>
</CollapsibleTypesSection>

<CollapsibleTypesSection type="serverUser" property="countryCode" defaultOpen={false}>

Citation: New countryCode and riskScores properties on ServerUser based on changes to apps/backend/src/app/api/latest/users/crud.tsx which adds country_code and risk_scores to the user CRUD response, derived from the new signUpCountryCode, signUpRiskScoreBot, and signUpRiskScoreFreeTrialAbuse database fields.


vercel bot commented Mar 23, 2026

The latest updates on your projects:

Project                       Deployment   Updated (UTC)
stack-auth-hosted-components  Ready        Mar 23, 2026 3:04pm
stack-backend                 Ready        Mar 23, 2026 3:04pm
stack-dashboard               Ready        Mar 23, 2026 3:04pm
stack-demo                    Ready        Mar 23, 2026 3:04pm
stack-docs                    Ready        Mar 23, 2026 3:04pm


CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.


greptile-apps bot commented Mar 23, 2026

Greptile Summary

This documentation PR covers the Turnstile fraud protection integration shipped in #1239, touching three files: sign-up rules, the ServerUser SDK reference, and the self-host guide.

  • sign-up-rules.mdx: Adds countryCode, riskScores.bot, and riskScores.free_trial_abuse to the available conditions table with accurate types and descriptions. Documents the in list-membership operator and numeric comparison operators. Adds three practical use-case examples (block high-risk bots, restrict by country, combined fraud signals). The condition variable names and CEL syntax are verified against the backend CEL evaluator. However, the tester's "Test inputs" and "Normalized context" subsections were not updated to mention the new countryCode and risk-score fields that the dashboard tester now accepts.
  • user.mdx: Adds countryCode: string | null and riskScores: { signUp: { bot: number; freeTrialAbuse: number } } to the ServerUser type TOC and adds corresponding CollapsibleTypesSection entries. TypeScript types match the SDK implementation exactly.
  • self-host.mdx: Adds a "Bot protection (Turnstile)" section documenting the three required Turnstile env vars plus three optional ones. All names and accepted values are verified against the backend source.

Confidence Score: 5/5

  • Safe to merge; all documented field names, types, and env var values match the implementation. The only gap is the tester subsection not mentioning new inputs, which is a minor follow-up.
  • All three files contain accurate information verified against the backend CEL evaluator, SDK types, and backend env-var handling. The single P2 comment (tester docs not updated for new inputs) is a polish item that doesn't affect correctness of the core documentation.
  • No files require special attention.

Important Files Changed

Filename Overview
docs/content/docs/(guides)/concepts/sign-up-rules.mdx Adds three new condition variables (countryCode, riskScores.bot, riskScores.free_trial_abuse) and the in operator to the conditions table, plus three new use-case examples. Condition field names and CEL syntax are accurate per the implementation, but the "Test inputs" and "Normalized context" sections in the tester documentation are not updated to reflect the new countryCode/riskScores inputs available in the dashboard tester.
docs/content/docs/(guides)/others/self-host.mdx Adds a new "Bot protection (Turnstile)" section with required and optional environment variables. All env var names, accepted values, and descriptions match the implementation in the backend source.
docs/content/docs/sdk/types/user.mdx Adds countryCode and riskScores properties to the ServerUser type definition and CollapsibleTypesSection entries. TypeScript types (string

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Sign-up attempt] --> B[Cloudflare Turnstile challenge]
    B --> C{Challenge result}
    C -->|ok| D[Compute risk scores\nbot, free_trial_abuse]
    C -->|invalid / error| E{STACK_ALLOW_SIGN_UP_ON_\nVISIBLE_BOT_CHALLENGE_FAILURE?}
    E -->|true| D
    E -->|false| REJECT[Reject sign-up]

    D --> F[Detect country code\nvia proxy headers\nSTACK_TRUSTED_PROXY]
    F --> G[Build CEL context\nemail, emailDomain, authMethod,\noauthProvider, countryCode,\nriskScores.bot, riskScores.free_trial_abuse]
    G --> H[Evaluate sign-up rules\nin priority order]
    H --> I{First matching rule}
    I -->|Allow| ALLOW[Allow sign-up\nStore countryCode + riskScores\non ServerUser]
    I -->|Reject| REJECT
    I -->|Restrict| RESTRICT[Allow sign-up\nbut mark as restricted]
    I -->|Log| LOG[Log and continue\nto default action]
    I -->|No match| DEFAULT[Apply default action]

Comments Outside Diff (1)

  1. docs/content/docs/(guides)/concepts/sign-up-rules.mdx, lines 141-157

    P2 Testing section not updated for new inputs

    The "Test inputs" and "Understanding the results" sections still only reference email, emailDomain, authMethod, and oauthProvider. However, the dashboard rule tester now also supports countryCode, bot risk score, and free trial abuse risk score inputs (confirmed in apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/sign-up-rules/page-client.tsx).

    Since this PR adds documentation for the new countryCode and riskScores conditions, the tester description should also be updated to reflect the new inputs users can set when simulating a sign-up, and to mention that the "Normalized context" output now includes countryCode and riskScores.

Reviews (1): Last reviewed commit: "Document Turnstile fraud protection and ..."
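The decision flow in the flowchart above, as an added TypeScript illustration that is not Stack Auth's own code: the Turnstile failure branch, priority-ordered rule evaluation with Log rules falling through to the default action, and a context carrying the condition fields this PR documents. Rule conditions are written as TypeScript predicates standing in for the CEL expressions the real evaluator accepts, and the rule names, thresholds, baseline context and placeholder country list are constructed.

```typescript
// Added illustration of the sign-up rule flow; not Stack Auth code. Conditions are
// TypeScript predicates standing in for CEL strings such as `riskScores.bot > 80`.
type SignUpContext = {
  email: string;
  emailDomain: string;
  authMethod: "password" | "otp" | "oauth" | "passkey";
  oauthProvider: string;          // "" when not an OAuth sign-up
  countryCode: string;            // ISO 3166-1 alpha-2, "" when unavailable
  riskScores: { bot: number; free_trial_abuse: number }; // each 0-100
};
type RuleAction = "Allow" | "Reject" | "Restrict" | "Log";
type Rule = { name: string; priority: number; action: RuleAction; condition: (c: SignUpContext) => boolean };
type Decision = { outcome: "Allow" | "Reject" | "Restrict"; matchedRule: string | null; logged: string[] };

// Turnstile branch: a failed challenge only proceeds to rule evaluation when the operator
// has explicitly allowed sign-up on visible-challenge failure.
function challengePermitsSignUp(challengeOk: boolean, allowOnVisibleFailure: boolean): boolean {
  return challengeOk || allowOnVisibleFailure;
}

// Rules run in priority order; Log rules record a hit and fall through, the first
// Allow/Reject/Restrict match decides, and no match yields the project's default action.
function evaluateSignUpRules(rules: Rule[], ctx: SignUpContext,
                             defaultAction: Decision["outcome"] = "Allow"): Decision {
  const logged: string[] = [];
  for (const rule of [...rules].sort((a, b) => a.priority - b.priority)) {
    let hit = false;
    try { hit = rule.condition(ctx); } catch { hit = false; } // a throwing condition never matches
    if (!hit) continue;
    if (rule.action === "Log") { logged.push(rule.name); continue; }
    return { outcome: rule.action, matchedRule: rule.name, logged };
  }
  return { outcome: defaultAction, matchedRule: null, logged };
}

// Constructed rules following the three documented use cases; thresholds and the
// country list are placeholders, not recommendations.
const BLOCKED_COUNTRIES = ["XX"]; // placeholder code, not an assigned country
const exampleRules: Rule[] = [
  { name: "block-high-risk-bots", priority: 10, action: "Reject", condition: c => c.riskScores.bot > 80 },
  { name: "restrict-countries", priority: 20, action: "Reject", condition: c => BLOCKED_COUNTRIES.includes(c.countryCode) },
  { name: "combined-fraud-signals", priority: 30, action: "Restrict",
    condition: c => c.riskScores.free_trial_abuse >= 60 && c.riskScores.bot >= 40 },
  { name: "log-unknown-country", priority: 40, action: "Log", condition: c => c.countryCode === "" },
];

// Constructed baseline context; override fields to simulate a particular sign-up.
function makeContext(overrides: Partial<SignUpContext> = {}): SignUpContext {
  return { email: "alice@example.com", emailDomain: "example.com", authMethod: "password",
           oauthProvider: "", countryCode: "US", riskScores: { bot: 5, free_trial_abuse: 10 }, ...overrides };
}
```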
