AGGRESSIVE TOKEN FILTERING: Remove all hidden fields, enhance filtering, add debugging

athNdev · athNdev · commit fe780c7b16d6 · 2025-07-15T03:29:30.000+10:00
diff --git a/index.html b/index.html
@@ -649,8 +649,6 @@ <h3>Contact Me</h3>
       <span class="close">&times;</span>
     </div>
     <form id="contact-form" action="https://athn.netlify.app/.netlify/functions/turnstile" method="POST">
-      <input type="hidden" name="_next" value="https://athn.dev#contact-sent">
-      <input type="hidden" name="_subject" value="New contact form submission">
       <div class="form-group">
         <label for="name">Name</label>
         <input type="text" id="name" name="name" required placeholder="Your name">
diff --git a/netlify/functions/turnstile.mjs b/netlify/functions/turnstile.mjs
@@ -57,22 +57,30 @@ export default async (req, context) => {
 
     // If verification successful, forward the form data to Web3Forms
     console.log('Forwarding to Web3Forms...');
+    console.log('All received form data:', Array.from(formData.entries()).map(([key, value]) => `${key}: ${value.substring(0, 50)}${value.length > 50 ? '...' : ''}`));
     
     // Create clean form data for Web3Forms (only include form fields, not tokens)
     const cleanFormData = new URLSearchParams();
     
     // Add Web3Forms access key
     cleanFormData.append('access_key', process.env.WEB3FORMS_ACCESS_KEY);
     
-    // Add only the form fields we want (exclude Turnstile and other hidden tokens)
-    const allowedFields = ['name', 'email', 'message', '_next', '_subject'];
+    // Add custom subject line
+    cleanFormData.append('subject', 'New contact form submission from athn.dev');
+    
+    // Add only the core form fields (exclude ALL Turnstile and token-related fields)
+    const allowedFields = ['name', 'email', 'message'];
     for (const [key, value] of formData.entries()) {
-      if (allowedFields.includes(key)) {
+      // Only allow specific form fields, reject anything that looks like a token
+      if (allowedFields.includes(key) && !key.includes('turnstile') && !key.includes('token') && !key.includes('response')) {
         cleanFormData.append(key, value);
+        console.log(`Including field: ${key} = ${value}`);
+      } else {
+        console.log(`Filtering out field: ${key} (${value.length} chars)`);
       }
     }
     
-    console.log('Clean form data keys:', Array.from(cleanFormData.keys()));
+    console.log('Final clean form data keys:', Array.from(cleanFormData.keys()));
     
     const web3formsResponse = await fetch('https://api.web3forms.com/submit', {
       method: 'POST',
