Merge pull request #243 from simple-login/hcaptcha

Ask for Hcaptcha on sign up page if enabled

app/auth/templates/auth/register.html

@@ -31,6 +31,11 @@
       </div>
       -->
 
+      {% if HCAPTCHA_SITEKEY %}
+        <div class="h-captcha" data-sitekey="{{ HCAPTCHA_SITEKEY }}"></div>
+        <script src="https://hcaptcha.com/1/api.js" async defer></script>
+      {% endif %}
+
       <small class="text-center mt-3">
         By clicking Create Account, you agree to abide by
         <a href="https://simplelogin.io/terms">SimpleLogin's Terms and Conditions.</a>

app/auth/views/register.py

@@ -1,3 +1,4 @@
+import requests
 from flask import request, flash, render_template, redirect, url_for
 from flask_login import current_user
 from flask_wtf import FlaskForm
@@ -6,7 +7,7 @@ from wtforms import StringField, validators
 from app import email_utils, config
 from app.auth.base import auth_bp
 from app.auth.views.login_utils import get_referral
-from app.config import URL
+from app.config import URL, HCAPTCHA_SECRET, HCAPTCHA_SITEKEY
 from app.email_utils import (
     email_domain_can_be_used_as_mailbox,
     personal_email_already_used,
@@ -39,9 +40,34 @@ def register():
     next_url = request.args.get("next")
 
     if form.validate_on_submit():
+        # only check if hcaptcha is enabled
+        if HCAPTCHA_SECRET:
+            # check with hCaptcha
+            token = request.form.get("h-captcha-response")
+            params = {"secret": HCAPTCHA_SECRET, "response": token}
+            hcaptcha_res = requests.post(
+                "https://hcaptcha.com/siteverify", data=params
+            ).json()
+            # return something like
+            # {'success': True,
+            #  'challenge_ts': '2020-07-23T10:03:25',
+            #  'hostname': '127.0.0.1'}
+            if not hcaptcha_res["success"]:
+                LOG.warning(
+                    "User put wrong captcha %s %s", form.email.data, hcaptcha_res,
+                )
+                flash("Wrong Captcha", "error")
+                return render_template(
+                    "auth/register.html",
+                    form=form,
+                    next_url=next_url,
+                    HCAPTCHA_SITEKEY=HCAPTCHA_SITEKEY,
+                )
+
         email = form.email.data.strip().lower()
         if not email_domain_can_be_used_as_mailbox(email):
             flash("You cannot use this email address as your personal inbox.", "error")
+
         else:
             if personal_email_already_used(email):
                 flash(f"Email {email} already used", "error")
@@ -63,7 +89,12 @@ def register():
 
                 return render_template("auth/register_waiting_activation.html")
 
-    return render_template("auth/register.html", form=form, next_url=next_url)
+    return render_template(
+        "auth/register.html",
+        form=form,
+        next_url=next_url,
+        HCAPTCHA_SITEKEY=HCAPTCHA_SITEKEY,
+    )
 
 
 def send_activation_email(user, next_url):

app/config.py

@@ -292,3 +292,6 @@ ALERT_SPF = "spf"
 
 # Disable onboarding emails
 DISABLE_ONBOARDING = "DISABLE_ONBOARDING" in os.environ
+
+HCAPTCHA_SECRET = os.environ.get("HCAPTCHA_SECRET")
+HCAPTCHA_SITEKEY = os.environ.get("HCAPTCHA_SITEKEY")

example.env

@@ -145,4 +145,8 @@ DISABLE_ONBOARDING=true
 
 # By default use postfix port 25. This param is used to override the Postfix port,
 # useful when using another SMTP server when developing locally
-# POSTFIX_PORT=1025
+# POSTFIX_PORT=1025
+
+# set the 2 below variables to enable hCaptcha
+# HCAPTCHA_SECRET=very_long_string
+# HCAPTCHA_SITEKEY=00000000-0000-0000-0000-000000000000