add hCaptcha check

2020-07-23 12:43:55 +02:00 · 2020-07-23 12:43:55 +02:00 · efe1ab641f
parent 307e3c93c6
commit efe1ab641f
2 changed files with 38 additions and 2 deletions
--- a/app/auth/templates/auth/register.html
+++ b/app/auth/templates/auth/register.html
@ -31,6 +31,11 @@
      </div>
      -->

+      {% if HCAPTCHA_SITEKEY %}
+        <div class="h-captcha" data-sitekey="{{ HCAPTCHA_SITEKEY }}"></div>
+        <script src="https://hcaptcha.com/1/api.js" async defer></script>
+      {% endif %}
+
      <small class="text-center mt-3">
        By clicking Create Account, you agree to abide by
        <a href="https://simplelogin.io/terms">SimpleLogin's Terms and Conditions.</a>
--- a/app/auth/views/register.py
+++ b/app/auth/views/register.py
@ -1,3 +1,4 @@
+import requests
 from flask import request, flash, render_template, redirect, url_for
 from flask_login import current_user
 from flask_wtf import FlaskForm
@ -6,7 +7,7 @@ from wtforms import StringField, validators
 from app import email_utils, config
 from app.auth.base import auth_bp
 from app.auth.views.login_utils import get_referral
-from app.config import URL
+from app.config import URL, HCAPTCHA_SECRET, HCAPTCHA_SITEKEY
 from app.email_utils import (
    email_domain_can_be_used_as_mailbox,
    personal_email_already_used,
@ -39,9 +40,34 @@ def register():
    next_url = request.args.get("next")

    if form.validate_on_submit():
+        # only check if hcaptcha is enabled
+        if HCAPTCHA_SECRET:
+            # check with hCaptcha
+            token = request.form.get("h-captcha-response")
+            params = {"secret": HCAPTCHA_SECRET, "response": token}
+            hcaptcha_res = requests.post(
+                "https://hcaptcha.com/siteverify", data=params
+            ).json()
+            # return something like
+            # {'success': True,
+            #  'challenge_ts': '2020-07-23T10:03:25',
+            #  'hostname': '127.0.0.1'}
+            if not hcaptcha_res["success"]:
+                LOG.warning(
+                    "User put wrong captcha %s %s", form.email.data, hcaptcha_res,
+                )
+                flash("Wrong Captcha", "error")
+                return render_template(
+                    "auth/register.html",
+                    form=form,
+                    next_url=next_url,
+                    HCAPTCHA_SITEKEY=HCAPTCHA_SITEKEY,
+                )
+
        email = form.email.data.strip().lower()
        if not email_domain_can_be_used_as_mailbox(email):
            flash("You cannot use this email address as your personal inbox.", "error")
+
        else:
            if personal_email_already_used(email):
                flash(f"Email {email} already used", "error")
@ -63,7 +89,12 @@ def register():

                return render_template("auth/register_waiting_activation.html")

-    return render_template("auth/register.html", form=form, next_url=next_url)
+    return render_template(
+        "auth/register.html",
+        form=form,
+        next_url=next_url,
+        HCAPTCHA_SITEKEY=HCAPTCHA_SITEKEY,
+    )


 def send_activation_email(user, next_url):