From 1f4dbb8a4566d53562a561d6de0466e91a4358f1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arnau=20V=C3=A0zquez=20Palma?= Date: Fri, 23 Sep 2022 15:14:31 +0200 Subject: [PATCH 1/5] First attempt --- frontend/_includes/footer.html | 7 +-- frontend/_includes/friendly_captcha_deps.html | 2 + .../_includes/friendly_captcha_input.html | 1 + frontend/email_invite.html | 7 ++- htdocs/process_email_invite.php | 54 +++++++++++++++---- 5 files changed, 56 insertions(+), 15 deletions(-) create mode 100644 frontend/_includes/friendly_captcha_deps.html create mode 100644 frontend/_includes/friendly_captcha_input.html diff --git a/frontend/_includes/footer.html b/frontend/_includes/footer.html index 6b816e7..a2db5a4 100644 --- a/frontend/_includes/footer.html +++ b/frontend/_includes/footer.html @@ -1,8 +1,9 @@ \ No newline at end of file + +{% include friendly_captcha_deps.html %} diff --git a/frontend/_includes/friendly_captcha_deps.html b/frontend/_includes/friendly_captcha_deps.html new file mode 100644 index 0000000..8edf706 --- /dev/null +++ b/frontend/_includes/friendly_captcha_deps.html @@ -0,0 +1,2 @@ + + diff --git a/frontend/_includes/friendly_captcha_input.html b/frontend/_includes/friendly_captcha_input.html new file mode 100644 index 0000000..295e1b2 --- /dev/null +++ b/frontend/_includes/friendly_captcha_input.html @@ -0,0 +1 @@ +
diff --git a/frontend/email_invite.html b/frontend/email_invite.html index 88d7525..b1830db 100644 --- a/frontend/email_invite.html +++ b/frontend/email_invite.html @@ -67,9 +67,12 @@ flags:
-
+ {% include friendly_captcha_input.html %} + {% comment%} +
Code -
+
+ {% endcomment%}
diff --git a/htdocs/process_email_invite.php b/htdocs/process_email_invite.php index b753233..0f2ea1c 100644 --- a/htdocs/process_email_invite.php +++ b/htdocs/process_email_invite.php 
@@ -192,18 +192,52 @@ function captcha_check($email, $from_easy_installer) respond_with_json($ret); } } else { - $result = new \stdClass(); - $secure = isset($_POST['secure']) ? $_POST['secure'] : ''; - $secure = is_string($secure) ? strtolower($secure) : ''; - $isSessionCodeSet = isset($_SESSION['securecode']); - $isSecureCodeRight = $secure == $_SESSION['securecode']; + $friendlyCaptchaSiteKey = getenv("FRIENDLY_CAPTCHA_SITE_KEY"); + $friendlyCaptchaAPIKey = getenv("FRIENDLY_CAPTCHA_API_KEY"); + $result = new \stdClass(); - if (!($isSessionCodeSet && $isSecureCodeRight)) { - unset($_SESSION['securecode']); - $result->type = "secure_code"; - $result->key = "error_secure_code"; - respond_with_message(400, $result, false, $email); + if (isset($friendlyCaptchaAPIKey) && isset($friendlyCaptchaSiteKey)) { + // FriendlyCaptcha enabled + $solution = $_POST['frc-captcha-solution'] ?? ''; + $friendlyCaptchaResponse = curlPostJSON( + 'https://eu-api.friendlycaptcha.eu/api/v1/puzzle', + array( + 'solution' => $solution, + 'secret' => $friendlyCaptchaAPIKey, + 'sitekey' => $friendlyCaptchaSiteKey + ) + ); + if ($friendlyCaptchaResponse->statusCode === 200) { + if ($friendlyCaptchaResponse->output->success) { + error_log('Friendly Captcha PASSED!'); + } else { + // captcha puzzle was not solved, reason will be + // invalid or timeout/duplicate + error_log('Friendly Captcha check failed ' . print_r($friendlyCaptchaResponse->output)); + $result->type = "secure_code"; + $result->key = "error_secure_code"; + respond_with_message(400, $result, false, $email); + } + } else{ + error_log('WARNING, non-200 response from Friendly Captcha ' . $friendlyCaptchaResponse->statusCode); + // They recommend proceeding but for now we validate the implementation is good + $result->type = "secure_code"; + $result->key = "error_secure_code"; + respond_with_message(400, $result, false, $email); + } + } else { + // Use local captcha solution - selfhost? + $solution = isset($_POST['secure']) ? 
$_POST['secure'] : ''; + $solution = is_string($solution) ? strtolower($solution) : ''; + $isSessionCodeSet = isset($_SESSION['securecode']); + $isSecureCodeRight = ($solution == $_SESSION['securecode']); + if (!($isSessionCodeSet && $isSecureCodeRight)) { + unset($_SESSION['securecode']); + $result->type = "secure_code"; + $result->key = "error_secure_code"; + respond_with_message(400, $result, false, $email); + } } } } -- GitLab From 48f671cca166ac103376e7304a869eacbc529d32 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arnau=20V=C3=A0zquez=20Palma?= Date: Fri, 23 Sep 2022 16:05:45 +0200 Subject: [PATCH 2/5] Woops, wrong URL for verification --- htdocs/process_email_invite.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/process_email_invite.php b/htdocs/process_email_invite.php index 0f2ea1c..07c5197 100644 --- a/htdocs/process_email_invite.php +++ b/htdocs/process_email_invite.php @@ -201,7 +201,7 @@ function captcha_check($email, $from_easy_installer) // FriendlyCaptcha enabled $solution = $_POST['frc-captcha-solution'] ?? ''; $friendlyCaptchaResponse = curlPostJSON( - 'https://eu-api.friendlycaptcha.eu/api/v1/puzzle', + 'https://eu-api.friendlycaptcha.eu/api/v1/siteverify', array( 'solution' => $solution, 'secret' => $friendlyCaptchaAPIKey, -- GitLab From 516c42827fd33e9e021486b29297033e1804d5f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arnau=20V=C3=A0zquez=20Palma?= Date: Fri, 23 Sep 2022 16:15:46 +0200 Subject: [PATCH 3/5] Remove previous captcha input field --- frontend/email_invite.html | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/frontend/email_invite.html b/frontend/email_invite.html index b1830db..53be0b4 100644 --- a/frontend/email_invite.html +++ b/frontend/email_invite.html @@ -55,6 +55,8 @@ flags:
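Review bot: The `isset($friendlyCaptchaAPIKey) && isset($friendlyCaptchaSiteKey)` guard is always true, because `getenv()` returns `false` for an unset variable and `isset()` is true for a variable that holds `false`, so the local-captcha `else` branch can never run and a deployment without those env vars ends up posting `'secret' => false` to the verification API; compare against the failure value instead: `if ($friendlyCaptchaAPIKey !== false && $friendlyCaptchaSiteKey !== false) {`. In the failure branch, `print_r($friendlyCaptchaResponse->output)` is called without its second argument, so the raw API response is printed into the HTTP response body sent to the client and the log line only receives the returned `1`; use `error_log('Friendly Captcha check failed ' . print_r($friendlyCaptchaResponse->output, true));`. `$friendlyCaptchaResponse->output->success` is read without checking that `output` is an object carrying that property, which presumably matters when a 200 reply does not decode as expected — confirm what `curlPostJSON` returns in that case. Treating a non-200 verification response as a failed check is the fail-closed choice, so the comment could say that rather than "for now"; note that captcha_check itself begins before this hunk.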
+ {% include friendly_captcha_input.html %} + {% comment%} + {% endcomment%}
+ {% comment%}
- {% include friendly_captcha_input.html %} - {% comment%}
Code
- {% endcomment%}
+ {% endcomment%} Date: Fri, 23 Sep 2022 16:34:16 +0200 Subject: [PATCH 4/5] Multilang input --- frontend/_includes/friendly_captcha_input.html | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/frontend/_includes/friendly_captcha_input.html b/frontend/_includes/friendly_captcha_input.html index 295e1b2..b210e26 100644 --- a/frontend/_includes/friendly_captcha_input.html +++ b/frontend/_includes/friendly_captcha_input.html @@ -1 +1,4 @@ -
+
+
-- GitLab From 1c8e8af01cdb58e379dcce7ae9f610f66ed383dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arnau=20V=C3=A0zquez?= Date: Fri, 23 Sep 2022 14:52:06 +0000 Subject: [PATCH 5/5] PROD sitekey for tagging --- frontend/_includes/friendly_captcha_input.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/frontend/_includes/friendly_captcha_input.html b/frontend/_includes/friendly_captcha_input.html index b210e26..e2ffa63 100644 --- a/frontend/_includes/friendly_captcha_input.html +++ b/frontend/_includes/friendly_captcha_input.html @@ -1,4 +1,4 @@ -
-- GitLab