fix: ensures turnstile is completely disabled when NEXT_PUBLIC_TURNSTILE_ENABLED is false

[stalniy]

Why

To fix local development flow and fix memory leak

Summary by CodeRabbit

• Bug Fixes

  • Turnstile now returns a disabled token and skips rendering when disabled; event listeners cleaned up reliably to avoid leaks.

• Tests

  • Added coverage for the Turnstile disabled-state scenario.

• Documentation

  • Updated deprecation notices/comments to reference current public/server config names.

• Chores

  • Revised env sample values: replaced demo keys with test placeholders and removed hard-coded defaults.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Turnstile now short-circuits when disabled to return a fixed disabled token, refactors renderAndWaitResponse to use explicit success/error listeners with mutual cleanup, updates the imperative handle dependency, adds a test for the disabled path, and updates non-functional env/config comments and samples.

Changes

Cohort / File(s)	Summary
Turnstile component & tests apps/deploy-web/src/components/turnstile/Turnstile.tsx, apps/deploy-web/src/components/turnstile/Turnstile.spec.tsx	Adds early-return { token: "disabled-turnstile-token" } when enabled is false; replaces per-call listeners with explicit successListener/errorListener that unregister both on invoke; adds enabled to imperative handle deps; adds test asserting disabled behavior.
Environment samples apps/deploy-web/.env.local.sample, apps/deploy-web/env/.env.sample	Replaced dummy Turnstile site key with a test key and added TURNSTILE_SECRET_KEY and E2E_TESTING_CLIENT_TOKEN in .env.local.sample; cleared default Turnstile/testing values in env/.env.sample.
Config deprecation notes apps/deploy-web/src/config/browser-env.config.ts, apps/deploy-web/src/config/server-env.config.ts	Updated deprecation comments to reference publicConfig and services.privateConfig respectively; no API/signature changes.

Sequence Diagram(s)

(omitted — changes are localized to a single component and tests; no multi-component sequence requiring visualization)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• refactor: refactors turnstile and add tests #1421: Modifies Turnstile render/await-response and listener handling; closely related to listener/refactor changes.
• refactor: fetches turnstile sitekey from api #1318: Alters Turnstile enabled/siteKey handling and early-return patterns; relevant to disabled-state control flow.
• chore: adds snyk code test via gha #1544: Touches related API error/response handling that may interact with Turnstile usage paths.

Suggested reviewers

• baktun14
• ygrishajev

Poem

🐇 I hopped through the code with a twitch of my nose,

"Disabled? Return quick!" — so the short-circuit goes.
Listeners all tidy, no leftover crumbs found,
Tests give a nod, and the build hops around. 🥕

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: ensuring Turnstile is completely disabled when NEXT_PUBLIC_TURNSTILE_ENABLED is false, which aligns with the core modifications across the component, test, config files, and environment samples.

✨ Finishing touches

• 📝 Generate docstrings

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 50.98%. Comparing base (d9b213d) to head (e40abab).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2434      +/-   ##
==========================================
- Coverage   51.25%   50.98%   -0.28%     
==========================================
  Files        1072     1062      -10     
  Lines       29398    29055     -343     
  Branches     6476     6416      -60     
==========================================
- Hits        15069    14813     -256     
+ Misses      13934    13847      -87     
  Partials      395      395              

Flag	Coverage Δ		*Carryforward flag
api	80.07% <ø> (ø)		Carriedforward from d9b213d
deploy-web	31.41% <100.00%> (+0.02%)	⬆️
log-collector	?
notifications	87.94% <ø> (ø)		Carriedforward from d9b213d
provider-console	81.48% <ø> (ø)		Carriedforward from d9b213d
provider-proxy	84.35% <ø> (ø)		Carriedforward from d9b213d

*This pull request uses carry forward flags. Click here to find out more.

Files with missing lines	Coverage Δ
.../deploy-web/src/components/turnstile/Turnstile.tsx	92.85% <100.00%> (+0.66%)	⬆️
apps/deploy-web/src/config/browser-env.config.ts	100.00% <ø> (ø)
apps/deploy-web/src/config/server-env.config.ts	0.00% <ø> (ø)

... and 11 files with indirect coverage changes

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

apps/deploy-web/env/.env.sample (1)

49-52: Reorder environment variables alphabetically.

The static analysis tool flagged that E2E_TESTING_CLIENT_TOKEN (line 52) should come before NEXT_PUBLIC_TURNSTILE_ENABLED (line 49) to maintain alphabetical key ordering. While this has no functional impact, sorting them will improve consistency with linter expectations.

🔎 Proposed fix

-NEXT_PUBLIC_TURNSTILE_ENABLED=
-NEXT_PUBLIC_TURNSTILE_SITE_KEY=
-TURNSTILE_SECRET_KEY=
-E2E_TESTING_CLIENT_TOKEN=
+E2E_TESTING_CLIENT_TOKEN=
+NEXT_PUBLIC_TURNSTILE_ENABLED=
+NEXT_PUBLIC_TURNSTILE_SITE_KEY=
+TURNSTILE_SECRET_KEY=

apps/deploy-web/src/components/turnstile/Turnstile.tsx (1)

75-88: Good refactor for memory leak fix.

The explicit listener cleanup pattern correctly removes both listeners when either event fires, addressing the memory leak.

However, the status variable captured in errorListener (line 84) reflects the state when renderAndWaitResponse was called, not when the error occurs. If the status changes between the call and the error event, the rejected object will contain stale state.

🔎 Proposed fix to capture status from the error event context

If the current status at error time is needed, consider dispatching it as part of the event detail from onError/onExpire handlers, rather than relying on the closure:

 const errorListener = (event: Event) => {
   eventBus.current.removeEventListener("success", successListener);
   eventBus.current.removeEventListener("error", errorListener);
   const details = (event as CustomEvent<{ reason: string; error?: string }>).detail;
-  reject({ status, ...details });
+  reject(details);
 };

Alternatively, if status context is valuable, ensure the dispatching handlers include it in the event detail.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1571842 and 82b0abb.

📒 Files selected for processing (6)

• apps/deploy-web/.env.local.sample
• apps/deploy-web/env/.env.sample
• apps/deploy-web/src/components/turnstile/Turnstile.spec.tsx
• apps/deploy-web/src/components/turnstile/Turnstile.tsx
• apps/deploy-web/src/config/browser-env.config.ts
• apps/deploy-web/src/config/server-env.config.ts

🚧 Files skipped from review as they are similar to previous changes (2)

• apps/deploy-web/src/config/server-env.config.ts
• apps/deploy-web/src/components/turnstile/Turnstile.spec.tsx

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/general.mdc)

**/*.{ts,tsx,js}: Never use type any or cast to type any. Always define the proper TypeScript types.
Never use deprecated methods from libraries.
Don't add unnecessary comments to the code.

Files:

• apps/deploy-web/src/components/turnstile/Turnstile.tsx
• apps/deploy-web/src/config/browser-env.config.ts

🧠 Learnings (4)

📚 Learning: 2025-08-12T13:52:38.708Z

Learnt from: stalniy
Repo: akash-network/console PR: 1800
File: apps/deploy-web/next.config.js:163-165
Timestamp: 2025-08-12T13:52:38.708Z
Learning: In the Akash Console project, akashnetwork/env-loader is used at the top of next.config.js files to automatically load environment variables from env/.env files into process.env. SENTRY_ORG and SENTRY_PROJECT are stored as public configuration values in apps/deploy-web/env/.env and are loaded this way, while only SENTRY_AUTH_TOKEN is handled as a GitHub secret in workflows.

Applied to files:

• apps/deploy-web/.env.local.sample
• apps/deploy-web/env/.env.sample

📚 Learning: 2025-08-12T13:52:38.708Z

Learnt from: stalniy
Repo: akash-network/console PR: 1800
File: apps/deploy-web/next.config.js:163-165
Timestamp: 2025-08-12T13:52:38.708Z
Learning: In the Akash Console project, SENTRY_ORG and SENTRY_PROJECT are stored as public configuration values in apps/deploy-web/env/.env file and loaded by akashnetwork/env-loader, not as GitHub secrets. Only SENTRY_AUTH_TOKEN should be handled as a secret.

Applied to files:

• apps/deploy-web/env/.env.sample

📚 Learning: 2025-11-25T17:45:39.561Z

Learnt from: CR
Repo: akash-network/console PR: 0
File: .cursor/rules/general.mdc:0-0
Timestamp: 2025-11-25T17:45:39.561Z
Learning: Applies to **/*.{ts,tsx,js} : Don't add unnecessary comments to the code.

Applied to files:

• apps/deploy-web/src/config/browser-env.config.ts

📚 Learning: 2025-11-25T17:45:39.561Z

Learnt from: CR
Repo: akash-network/console PR: 0
File: .cursor/rules/general.mdc:0-0
Timestamp: 2025-11-25T17:45:39.561Z
Learning: Applies to **/*.{ts,tsx,js} : Never use deprecated methods from libraries.

Applied to files:

• apps/deploy-web/src/config/browser-env.config.ts

🪛 dotenv-linter (4.0.0)

apps/deploy-web/env/.env.sample

[warning] 52-52: [UnorderedKey] The E2E_TESTING_CLIENT_TOKEN key should go before the NEXT_PUBLIC_TURNSTILE_ENABLED key

(UnorderedKey)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: validate / validate-app
• GitHub Check: test-build
• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (6)

apps/deploy-web/env/.env.sample (1)

49-52: Good security practice: empty template values.

Using empty values in the sample file (rather than dummy credentials) is the right approach—it ensures developers must explicitly provide their own values and avoids accidentally committing test credentials.

apps/deploy-web/.env.local.sample (2)

41-43: Excellent use of Cloudflare's documented dummy test keys.

The dummy test keys (1x00000000000000000000AA, 1x0000000000000000000AA) are the official Cloudflare test values, and the documentation link provides helpful context for local development. This is the correct approach for sample configuration files.

---

54-54: E2E testing token added appropriately.

The new E2E_TESTING_CLIENT_TOKEN with a placeholder value aligns with the test infrastructure and mirrors the addition to .env.sample. The placeholder is suitable for local development.

apps/deploy-web/src/config/browser-env.config.ts (1)

3-3: LGTM!

The deprecation notice update aligns with the broader config naming migration from appConfig to publicConfig.

apps/deploy-web/src/components/turnstile/Turnstile.tsx (2)

69-71: LGTM!

The early return correctly bypasses the widget when disabled and returns a consistent disabled token. This satisfies the PR objective.

---

92-97: LGTM!

The dependency array correctly includes enabled since it's now used in the imperative handle. The early return at line 95-97 prevents unnecessary rendering when disabled, completing the fix.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

apps/deploy-web/env/.env.sample (1)

49-52: Consider reordering keys per linter suggestion.

The dotenv-linter suggests E2E_TESTING_CLIENT_TOKEN should come before NEXT_PUBLIC_TURNSTILE_ENABLED for alphabetical consistency. However, the current grouping of Turnstile-related variables is also logical.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 82b0abb and e40abab.

📒 Files selected for processing (6)

• apps/deploy-web/.env.local.sample
• apps/deploy-web/env/.env.sample
• apps/deploy-web/src/components/turnstile/Turnstile.spec.tsx
• apps/deploy-web/src/components/turnstile/Turnstile.tsx
• apps/deploy-web/src/config/browser-env.config.ts
• apps/deploy-web/src/config/server-env.config.ts

🚧 Files skipped from review as they are similar to previous changes (2)

• apps/deploy-web/src/config/browser-env.config.ts
• apps/deploy-web/.env.local.sample

🧰 Additional context used

📓 Path-based instructions (3)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/general.mdc)

**/*.{ts,tsx,js}: Never use type any or cast to type any. Always define the proper TypeScript types.
Never use deprecated methods from libraries.
Don't add unnecessary comments to the code.

Files:

• apps/deploy-web/src/components/turnstile/Turnstile.spec.tsx
• apps/deploy-web/src/config/server-env.config.ts
• apps/deploy-web/src/components/turnstile/Turnstile.tsx

**/*.spec.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/no-jest-mock.mdc)

Don't use jest.mock() in test files. Instead, use jest-mock-extended to create mocks and pass mocks as dependencies to the service under test

Use setup function instead of beforeEach in test files. The setup function must be at the bottom of the root describe block, should create an object under test and return it, accept a single parameter with inline type definition, avoid shared state, and not have a specified return type.

**/*.spec.{ts,tsx}: Use <Subject>.name in the root describe suite description instead of hardcoded class/service name strings to enable automated refactoring tools to find all references
Use either a method name or a condition starting with 'when' for nested suite descriptions in tests
Use present simple, 3rd person singular for test descriptions without prepending 'should'

Files:

• apps/deploy-web/src/components/turnstile/Turnstile.spec.tsx

{apps/deploy-web,apps/provider-console}/**/*.spec.tsx

📄 CodeRabbit inference engine (.cursor/rules/query-by-in-tests.mdc)

Use queryBy methods instead of getBy methods in test expectations

Files:

• apps/deploy-web/src/components/turnstile/Turnstile.spec.tsx

🧠 Learnings (2)

📚 Learning: 2025-08-12T13:52:38.708Z

Learnt from: stalniy
Repo: akash-network/console PR: 1800
File: apps/deploy-web/next.config.js:163-165
Timestamp: 2025-08-12T13:52:38.708Z
Learning: In the Akash Console project, akashnetwork/env-loader is used at the top of next.config.js files to automatically load environment variables from env/.env files into process.env. SENTRY_ORG and SENTRY_PROJECT are stored as public configuration values in apps/deploy-web/env/.env and are loaded this way, while only SENTRY_AUTH_TOKEN is handled as a GitHub secret in workflows.

Applied to files:

• apps/deploy-web/env/.env.sample

📚 Learning: 2025-11-25T17:45:39.561Z

Learnt from: CR
Repo: akash-network/console PR: 0
File: .cursor/rules/general.mdc:0-0
Timestamp: 2025-11-25T17:45:39.561Z
Learning: Applies to **/*.{ts,tsx,js} : Never use deprecated methods from libraries.

Applied to files:

• apps/deploy-web/src/config/server-env.config.ts

🧬 Code graph analysis (1)

apps/deploy-web/src/components/turnstile/Turnstile.spec.tsx (1)

apps/deploy-web/tests/ui/fixture/base-test.ts (1)

• expect (13-13)

🪛 dotenv-linter (4.0.0)

apps/deploy-web/env/.env.sample

[warning] 52-52: [UnorderedKey] The E2E_TESTING_CLIENT_TOKEN key should go before the NEXT_PUBLIC_TURNSTILE_ENABLED key

(UnorderedKey)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: validate / validate-app
• GitHub Check: test-build
• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (6)

apps/deploy-web/src/config/server-env.config.ts (1)

5-5: LGTM!

The deprecation notice update correctly guides developers to the new import path.

apps/deploy-web/src/components/turnstile/Turnstile.tsx (4)

69-71: LGTM! Clean short-circuit for disabled state.

The early return with a fixed disabled token elegantly bypasses widget interaction when Turnstile is disabled, addressing the PR's goal to restore local development flow.

---

75-88: Excellent refactor of event listener pattern.

The explicit successListener and errorListener functions with mutual cleanup prevent memory leaks by ensuring both listeners are removed regardless of which event fires first. This directly addresses the memory leak mentioned in the PR objectives.

---

92-92: Correct dependency array update.

Adding enabled to the dependency array ensures the imperative handle closure captures the current enabled state, which is necessary given the early return behavior at lines 69-71.

---

95-97: No action needed. Version 1.1.0 of @marsidev/react-turnstile is not deprecated and is compatible with current React versions. The methods used in this file (remove, render, execute) are standard ref methods with no deprecations between versions 1.1.0 and the latest stable releases. The lines specified (95-97) contain no library method calls—only a conditional early return.

apps/deploy-web/src/components/turnstile/Turnstile.spec.tsx (1)

154-159: LGTM! Test coverage for disabled path.

The test correctly verifies that renderAndWaitResponse resolves with the disabled token when Turnstile is disabled, providing coverage for the new short-circuit behavior. The test follows all coding guidelines including proper naming conventions and the use of the setup function.