Merge pull request #1665 from ClearlyClaire/glitch-soc/features/hcaptcha

Add optional hCaptcha support
This commit is contained in:
Claire 2022-01-26 00:13:24 +01:00 committed by GitHub
commit 129bc42979
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
13 changed files with 144 additions and 1 deletions

View file

@ -285,3 +285,7 @@ MAX_POLL_OPTION_CHARS=100
# Units are in bytes # Units are in bytes
MAX_EMOJI_SIZE=51200 MAX_EMOJI_SIZE=51200
MAX_REMOTE_EMOJI_SIZE=204800 MAX_REMOTE_EMOJI_SIZE=204800
# Optional hCaptcha support
# HCAPTCHA_SECRET_KEY=
# HCAPTCHA_SITE_KEY=

View file

@ -156,3 +156,5 @@ gem 'concurrent-ruby', require: false
gem 'connection_pool', require: false gem 'connection_pool', require: false
gem 'xorcist', '~> 1.1' gem 'xorcist', '~> 1.1'
gem 'hcaptcha', '~> 7.1'

View file

@ -271,6 +271,8 @@ GEM
railties (>= 4.0.1) railties (>= 4.0.1)
hashdiff (1.0.1) hashdiff (1.0.1)
hashie (4.1.0) hashie (4.1.0)
hcaptcha (7.1.0)
json
highline (2.0.3) highline (2.0.3)
hiredis (0.6.3) hiredis (0.6.3)
hkdf (0.3.0) hkdf (0.3.0)
@ -719,6 +721,7 @@ DEPENDENCIES
fog-openstack (~> 0.3) fog-openstack (~> 0.3)
fuubar (~> 2.5) fuubar (~> 2.5)
hamlit-rails (~> 0.2) hamlit-rails (~> 0.2)
hcaptcha (~> 7.1)
hiredis (~> 0.6) hiredis (~> 0.6)
htmlentities (~> 4.3) htmlentities (~> 4.3)
http (~> 5.0) http (~> 5.0)

View file

@ -1,12 +1,18 @@
# frozen_string_literal: true # frozen_string_literal: true
class Auth::ConfirmationsController < Devise::ConfirmationsController class Auth::ConfirmationsController < Devise::ConfirmationsController
include CaptchaConcern
layout 'auth' layout 'auth'
before_action :set_body_classes before_action :set_body_classes
before_action :set_pack before_action :set_pack
before_action :set_confirmation_user!, only: [:show, :confirm_captcha]
before_action :require_unconfirmed! before_action :require_unconfirmed!
before_action :extend_csp_for_captcha!, only: [:show, :confirm_captcha]
before_action :require_captcha_if_needed!, only: [:show]
skip_before_action :require_functional! skip_before_action :require_functional!
def new def new
@ -15,8 +21,46 @@ class Auth::ConfirmationsController < Devise::ConfirmationsController
resource.email = current_user.unconfirmed_email || current_user.email if user_signed_in? resource.email = current_user.unconfirmed_email || current_user.email if user_signed_in?
end end
def show
old_session_values = session.to_hash
reset_session
session.update old_session_values.except('session_id')
super
end
def confirm_captcha
check_captcha! do |message|
flash.now[:alert] = message
render :captcha
return
end
show
end
private private
def require_captcha_if_needed!
render :captcha if captcha_required?
end
def set_confirmation_user!
# We need to reimplement looking up the user because
# Devise::ConfirmationsController#show looks up and confirms in one
# step.
confirmation_token = params[:confirmation_token]
return if confirmation_token.nil?
@confirmation_user = User.find_first_by_auth_conditions(confirmation_token: confirmation_token)
end
def captcha_user_bypass?
return true if @confirmation_user.nil? || @confirmation_user.confirmed?
invite = Invite.find(@confirmation_user.invite_id) if @confirmation_user.invite_id.present?
invite.present? && !invite.max_uses.nil?
end
def set_pack def set_pack
use_pack 'auth' use_pack 'auth'
end end

View file

@ -0,0 +1,59 @@
# frozen_string_literal: true
module CaptchaConcern
extend ActiveSupport::Concern
include Hcaptcha::Adapters::ViewMethods
included do
helper_method :render_captcha
end
def captcha_available?
ENV['HCAPTCHA_SECRET_KEY'].present? && ENV['HCAPTCHA_SITE_KEY'].present?
end
def captcha_enabled?
captcha_available? && Setting.captcha_enabled
end
def captcha_user_bypass?
false
end
def captcha_required?
captcha_enabled? && !captcha_user_bypass?
end
def check_captcha!
return true unless captcha_required?
if verify_hcaptcha
true
else
if block_given?
message = flash[:hcaptcha_error]
flash.delete(:hcaptcha_error)
yield message
end
false
end
end
def extend_csp_for_captcha!
policy = request.content_security_policy
return unless captcha_required? && policy.present?
%w(script_src frame_src style_src connect_src).each do |directive|
values = policy.send(directive)
values << 'https://hcaptcha.com' unless values.include?('https://hcaptcha.com') || values.include?('https:')
values << 'https://*.hcaptcha.com' unless values.include?('https://*.hcaptcha.com') || values.include?('https:')
policy.send(directive, *values)
end
end
def render_captcha
return unless captcha_required?
hcaptcha_tags
end
end

View file

@ -8,4 +8,8 @@ module Admin::SettingsHelper
link = link_to t('admin.site_uploads.delete'), admin_site_upload_path(upload), data: { method: :delete } link = link_to t('admin.site_uploads.delete'), admin_site_upload_path(upload), data: { method: :delete }
safe_join([hint, link], '<br/>'.html_safe) safe_join([hint, link], '<br/>'.html_safe)
end end
def captcha_available?
ENV['HCAPTCHA_SECRET_KEY'].present? && ENV['HCAPTCHA_SITE_KEY'].present?
end
end end

View file

@ -1058,3 +1058,7 @@ code {
display: none; display: none;
} }
} }
.simple_form .h-captcha {
text-align: center;
}

View file

@ -40,6 +40,7 @@ class Form::AdminSettings
noindex noindex
outgoing_spoilers outgoing_spoilers
require_invite_text require_invite_text
captcha_enabled
).freeze ).freeze
BOOLEAN_KEYS = %i( BOOLEAN_KEYS = %i(
@ -58,6 +59,7 @@ class Form::AdminSettings
trendable_by_default trendable_by_default
noindex noindex
require_invite_text require_invite_text
captcha_enabled
).freeze ).freeze
UPLOAD_KEYS = %i( UPLOAD_KEYS = %i(

View file

@ -42,7 +42,10 @@
.fields-group .fields-group
= f.input :require_invite_text, as: :boolean, wrapper: :with_label, label: t('admin.settings.registrations.require_invite_text.title'), hint: t('admin.settings.registrations.require_invite_text.desc_html'), disabled: !approved_registrations? = f.input :require_invite_text, as: :boolean, wrapper: :with_label, label: t('admin.settings.registrations.require_invite_text.title'), hint: t('admin.settings.registrations.require_invite_text.desc_html'), disabled: !approved_registrations?
- if captcha_available?
.fields-group .fields-group
= f.input :captcha_enabled, as: :boolean, wrapper: :with_label, label: t('admin.settings.captcha_enabled.title'), hint: t('admin.settings.captcha_enabled.desc_html')
%hr.spacer/ %hr.spacer/

View file

@ -0,0 +1,11 @@
- content_for :page_title do
= t('auth.confirm_captcha')
= form_tag auth_captcha_confirmation_url, method: 'POST', class: 'simple_form' do
= hidden_field_tag :confirmation_token, params[:confirmation_token]
.field-group
= render_captcha
.actions
%button.button= t('challenge.continue')

View file

@ -2,6 +2,9 @@
en: en:
admin: admin:
settings: settings:
captcha_enabled:
desc_html: Enable hCaptcha integration, requiring new users to solve a challenge when confirming their email address. This requires third-party scripts from hCaptcha to be embedded in the email verification page, which may have security and privacy concerns. Users that have been invited through a limited-use invite will not need to solve a CAPTCHA challenge.
title: Require new users to go through a CAPTCHA to confirm their account
enable_keybase: enable_keybase:
desc_html: Allow your users to prove their identity via keybase desc_html: Allow your users to prove their identity via keybase
title: Enable keybase integration title: Enable keybase integration
@ -17,6 +20,8 @@ en:
show_replies_in_public_timelines: show_replies_in_public_timelines:
desc_html: In addition to public self-replies (threads), show public replies in local and public timelines. desc_html: In addition to public self-replies (threads), show public replies in local and public timelines.
title: Show replies in public timelines title: Show replies in public timelines
auth:
confirm_captcha: User verification
generic: generic:
use_this: Use this use_this: Use this
settings: settings:

View file

@ -44,6 +44,7 @@ Rails.application.routes.draw do
resource :setup, only: [:show, :update], controller: :setup resource :setup, only: [:show, :update], controller: :setup
resource :challenge, only: [:create], controller: :challenges resource :challenge, only: [:create], controller: :challenges
get 'sessions/security_key_options', to: 'sessions#webauthn_options' get 'sessions/security_key_options', to: 'sessions#webauthn_options'
post 'captcha_confirmation', to: 'confirmations#confirm_captcha', as: :captcha_confirmation
end end
end end

View file

@ -77,6 +77,7 @@ defaults: &defaults
show_domain_blocks_rationale: 'disabled' show_domain_blocks_rationale: 'disabled'
outgoing_spoilers: '' outgoing_spoilers: ''
require_invite_text: false require_invite_text: false
captcha_enabled: false
development: development:
<<: *defaults <<: *defaults