From 307e3c93c644a01f5c1eeeb77e1f91ef6526b570 Mon Sep 17 00:00:00 2001 From: Son NK <> Date: Thu, 23 Jul 2020 12:40:50 +0200 Subject: [PATCH 1/2] Add HCAPTCHA_SECRET, HCAPTCHA_SITEKEY param --- app/config.py | 3 +++ example.env | 6 +++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/app/config.py b/app/config.py index 2ceac359..7ba40f00 100644 --- a/app/config.py +++ b/app/config.py @@ -292,3 +292,6 @@ ALERT_SPF = "spf" # Disable onboarding emails DISABLE_ONBOARDING = "DISABLE_ONBOARDING" in os.environ + +HCAPTCHA_SECRET = os.environ.get("HCAPTCHA_SECRET") +HCAPTCHA_SITEKEY = os.environ.get("HCAPTCHA_SITEKEY") diff --git a/example.env b/example.env index ca5c4c19..79d70470 100644 --- a/example.env +++ b/example.env @@ -145,4 +145,8 @@ DISABLE_ONBOARDING=true # By default use postfix port 25. This param is used to override the Postfix port, # useful when using another SMTP server when developing locally -# POSTFIX_PORT=1025 \ No newline at end of file +# POSTFIX_PORT=1025 + +# set the 2 below variables to enable hCaptcha +# HCAPTCHA_SECRET=very_long_string +# HCAPTCHA_SITEKEY=00000000-0000-0000-0000-000000000000 \ No newline at end of file From efe1ab641f5c1f3ce8ab3c53589c11a700368294 Mon Sep 17 00:00:00 2001 From: Son NK <> Date: Thu, 23 Jul 2020 12:43:55 +0200 Subject: [PATCH 2/2] add hCaptcha check --- app/auth/templates/auth/register.html | 5 ++++ app/auth/views/register.py | 35 +++++++++++++++++++++++++-- 2 files changed, 38 insertions(+), 2 deletions(-) diff --git a/app/auth/templates/auth/register.html b/app/auth/templates/auth/register.html index 46a26fd1..54bc8dbc 100644 --- a/app/auth/templates/auth/register.html +++ b/app/auth/templates/auth/register.html @@ -31,6 +31,11 @@ --> + {% if HCAPTCHA_SITEKEY %} +
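Review bot: The two settings are read independently at the end of this hunk, but the feature only works when both are present: the template gates the widget on `HCAPTCHA_SITEKEY` while `register()` gates verification on `HCAPTCHA_SECRET`, so a deployment that sets only the secret rejects every sign-up with "Wrong Captcha", and one that sets only the sitekey renders a widget whose token is never checked. I'd fail fast at import time rather than discover this in production, e.g. `if bool(HCAPTCHA_SECRET) != bool(HCAPTCHA_SITEKEY): raise Exception("HCAPTCHA_SECRET and HCAPTCHA_SITEKEY must be set together")`. A one-line comment above the pair, `# hCaptcha is enabled only when both are set; see auth/views/register.py`, would also help the next reader of example.env.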
+ + {% endif %} + By clicking Create Account, you agree to abide by SimpleLogin's Terms and Conditions. diff --git a/app/auth/views/register.py b/app/auth/views/register.py index 0fa89276..b1f65c4b 100644 --- a/app/auth/views/register.py +++ b/app/auth/views/register.py @@ -1,3 +1,4 @@ +import requests from flask import request, flash, render_template, redirect, url_for from flask_login import current_user from flask_wtf import FlaskForm @@ -6,7 +7,7 @@ from wtforms import StringField, validators from app import email_utils, config from app.auth.base import auth_bp from app.auth.views.login_utils import get_referral -from app.config import URL +from app.config import URL, HCAPTCHA_SECRET, HCAPTCHA_SITEKEY from app.email_utils import ( email_domain_can_be_used_as_mailbox, personal_email_already_used, @@ -39,9 +40,34 @@ def register(): next_url = request.args.get("next") if form.validate_on_submit(): + # only check if hcaptcha is enabled + if HCAPTCHA_SECRET: + # check with hCaptcha + token = request.form.get("h-captcha-response") + params = {"secret": HCAPTCHA_SECRET, "response": token} + hcaptcha_res = requests.post( + "https://hcaptcha.com/siteverify", data=params + ).json() + # return something like + # {'success': True, + # 'challenge_ts': '2020-07-23T10:03:25', + # 'hostname': '127.0.0.1'} + if not hcaptcha_res["success"]: + LOG.warning( + "User put wrong captcha %s %s", form.email.data, hcaptcha_res, + ) + flash("Wrong Captcha", "error") + return render_template( + "auth/register.html", + form=form, + next_url=next_url, + HCAPTCHA_SITEKEY=HCAPTCHA_SITEKEY, + ) + email = form.email.data.strip().lower() if not email_domain_can_be_used_as_mailbox(email): flash("You cannot use this email address as your personal inbox.", "error") + else: if personal_email_already_used(email): flash(f"Email {email} already used", "error") 
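Review bot: The `requests.post` to siteverify has no `timeout`, so a slow or unreachable hcaptcha.com pins the request worker indefinitely, and a connection error or non-JSON body raises out of the view as a 500 instead of a handled failure. The request also omits `sitekey`, which siteverify accepts as an optional field so that tokens solved against a different site key are rejected, and `hcaptcha_res["success"]` will KeyError on an error-shaped response where `.get("success")` is safer. I'd bound the call, catch `requests.RequestException` and `ValueError`, and treat a verification outage as a failed captcha (fail closed on a registration endpoint); if availability matters more, fail open deliberately with a log line rather than by crashing. `register()` continues beyond this hunk.
```python
        if HCAPTCHA_SECRET:
            token = request.form.get("h-captcha-response")
            params = {
                "secret": HCAPTCHA_SECRET,
                "response": token,
                # bind the token to our site key so one issued for another site is rejected
                "sitekey": HCAPTCHA_SITEKEY,
            }
            try:
                hcaptcha_res = requests.post(
                    "https://hcaptcha.com/siteverify", data=params, timeout=10
                ).json()
            except (requests.RequestException, ValueError) as e:
                # fail closed: an unreachable verifier must not let sign-ups through
                LOG.warning("hCaptcha verification unavailable: %s", e)
                hcaptcha_res = {"success": False}
            if not hcaptcha_res.get("success"):
                # … unchanged: warning log, flash("Wrong Captcha"), re-render …
```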
@@ -63,7 +89,12 @@ def register(): return render_template("auth/register_waiting_activation.html") - return render_template("auth/register.html", form=form, next_url=next_url) + return render_template( + "auth/register.html", + form=form, + next_url=next_url, + HCAPTCHA_SITEKEY=HCAPTCHA_SITEKEY, + ) def send_activation_email(user, next_url):
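Review bot: The rewritten `render_template("auth/register.html", …)` call now repeats exactly the keyword set used in the captcha-failure branch earlier in `register()`, so the two will drift the next time the template gains a variable. A small `_render_register(form, next_url)` helper, or injecting `HCAPTCHA_SITEKEY` once through a blueprint `context_processor`, would keep the GET path and the failure path in sync. Style only; the behaviour of the hunk is fine.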