Add ability to set hCaptcha either on registration form or on e-mail validation

Upshot of CAPTCHA on e-mail validation is it does not need to break the in-band
registration API.
This commit is contained in:
Claire 2022-01-25 22:37:12 +01:00
parent a9269f8786
commit 0fb907441c
9 changed files with 91 additions and 10 deletions

View file

@ -1,12 +1,18 @@
# frozen_string_literal: true
class Auth::ConfirmationsController < Devise::ConfirmationsController
include CaptchaConcern
layout 'auth'
before_action :set_body_classes
before_action :set_pack
before_action :set_confirmation_user!, only: [:show, :confirm_captcha]
before_action :require_unconfirmed!
before_action :extend_csp_for_captcha!, only: [:show, :confirm_captcha]
before_action :require_captcha_if_needed!, only: [:show]
skip_before_action :require_functional!
def new
@ -15,8 +21,52 @@ class Auth::ConfirmationsController < Devise::ConfirmationsController
resource.email = current_user.unconfirmed_email || current_user.email if user_signed_in?
end
def show
clear_captcha!
old_session_values = session.to_hash
reset_session
session.update old_session_values.except('session_id')
super
end
def confirm_captcha
check_captcha! do |message|
flash.now[:alert] = message
render :captcha
return
end
show
end
private
def require_captcha_if_needed!
render :captcha if captcha_required?
end
def set_confirmation_user!
# We need to reimplement looking up the user because
# Devise::ConfirmationsController#show looks up and confirms in one
# step.
confirmation_token = params[:confirmation_token]
return if confirmation_token.nil?
@confirmation_user = User.find_first_by_auth_conditions(confirmation_token: confirmation_token)
end
def captcha_user_bypass?
return true if @confirmation_user.nil? || @confirmation_user.confirmed?
invite = Invite.find(@confirmation_user.invite_id) if @confirmation_user.invite_id.present?
invite.present? && !invite.max_uses.nil?
end
def captcha_context
'email-confirmation'
end
def set_pack
use_pack 'auth'
end

View file

@ -15,17 +15,21 @@ module CaptchaConcern
end
def captcha_enabled?
captcha_available? && Setting.captcha_enabled
captcha_available? && Setting.captcha_mode == captcha_context
end
def captcha_recently_passed?
session[:captcha_passed_at].present? && session[:captcha_passed_at] >= CAPTCHA_TIMEOUT.ago
end
def captcha_user_bypass?
current_user.present? || (@invite.present? && @invite.valid_for_use? && !@invite.max_uses.nil?)
end
def captcha_required?
return false if ENV['OMNIAUTH_ONLY'] == 'true'
return false unless Setting.registrations_mode != 'none' || @invite&.valid_for_use?
captcha_enabled? && !current_user && !(@invite.present? && @invite.valid_for_use? && !@invite.max_uses.nil?) && !captcha_recently_passed?
captcha_enabled? && !captcha_user_bypass? && !captcha_recently_passed?
end
def clear_captcha!
@ -65,4 +69,8 @@ module CaptchaConcern
hcaptcha_tags
end
def captcha_context
'registration-form'
end
end

View file

@ -40,7 +40,7 @@ class Form::AdminSettings
noindex
outgoing_spoilers
require_invite_text
captcha_enabled
captcha_mode
).freeze
BOOLEAN_KEYS = %i(
@ -59,7 +59,6 @@ class Form::AdminSettings
trendable_by_default
noindex
require_invite_text
captcha_enabled
).freeze
UPLOAD_KEYS = %i(
@ -83,6 +82,7 @@ class Form::AdminSettings
validates :bootstrap_timeline_accounts, existing_username: { multiple: true }
validates :show_domain_blocks, inclusion: { in: %w(disabled users all) }
validates :show_domain_blocks_rationale, inclusion: { in: %w(disabled users all) }
validates :captcha_mode, inclusion: { in: %w(disabled registration-form email-confirmation) }
def initialize(_attributes = {})
super

View file

@ -116,6 +116,6 @@ class REST::InstanceSerializer < ActiveModel::Serializer
end
def captcha_enabled?
ENV['HCAPTCHA_SECRET_KEY'].present? && ENV['HCAPTCHA_SITE_KEY'].present? && Setting.captcha_enabled
ENV['HCAPTCHA_SECRET_KEY'].present? && ENV['HCAPTCHA_SITE_KEY'].present? && Setting.captcha_mode == 'registration-form'
end
end

View file

@ -45,7 +45,7 @@
- if captcha_available?
.fields-group
= f.input :captcha_enabled, as: :boolean, wrapper: :with_label, label: t('admin.settings.captcha_enabled.title'), hint: t('admin.settings.captcha_enabled.desc_html')
= f.input :captcha_mode, as: :radio_buttons, collection: %w(disabled registration-form email-confirmation), include_blank: false, wrapper: :with_block_label, label_method: ->(type) { safe_join([t("admin.settings.captcha.#{type}.title"), content_tag(:span, t("admin.settings.captcha.#{type}.desc_html"), class: 'hint')])}, label: t('admin.settings.captcha.title'), hint: t('admin.settings.captcha.desc_html')
%hr.spacer/

View file

@ -0,0 +1,11 @@
- content_for :page_title do
= t('auth.confirm_captcha')
= form_tag auth_captcha_confirmation_url, method: 'POST', class: 'simple_form' do
= hidden_field_tag :confirmation_token, params[:confirmation_token]
.field-group
= render_captcha_if_needed
.actions
%button.button= t('challenge.continue')

View file

@ -2,9 +2,18 @@
en:
admin:
settings:
captcha_enabled:
desc_html: Enable hCaptcha integration, requiring new users to solve a challenge when signing up. Note that this disables app-based registration, may prevent your instance from being listed as having open registrations, and requires third-party scripts from hCaptcha to be embedded in the registration pages. This may have security and privacy concerns.
title: Require new users to go through a CAPTCHA to sign up
captcha:
desc_html: Configure hCaptcha integration, relying on third-party scripts. This may have security and privacy implications.
email-confirmation:
desc_html: Require new users to go through hCaptcha at the e-mail validation step. Bots will not be deterred from creating accounts, but they may be prevented from confirming them, leaving them to be automatically cleaned up after a couple days. This does not interfere with app-based registrations.
title: CAPTCHA on email validation
disabled:
desc_html: Do not require a CAPTCHA
title: Disabled
registration-form:
desc_html: Require new users to go through hCaptcha on the registration form, so that CAPTCHA requirement is immediately apparent to them. This disables app-based registrations and may prevent your instance from being listed as having open registrations.
title: CAPTCHA on registration forms
title: CAPTCHA configuration
enable_keybase:
desc_html: Allow your users to prove their identity via keybase
title: Enable keybase integration
@ -20,6 +29,8 @@ en:
show_replies_in_public_timelines:
desc_html: In addition to public self-replies (threads), show public replies in local and public timelines.
title: Show replies in public timelines
auth:
confirm_captcha: User verification
generic:
use_this: Use this
settings:

View file

@ -44,6 +44,7 @@ Rails.application.routes.draw do
resource :setup, only: [:show, :update], controller: :setup
resource :challenge, only: [:create], controller: :challenges
get 'sessions/security_key_options', to: 'sessions#webauthn_options'
post 'captcha_confirmation', to: 'confirmations#confirm_captcha', as: :captcha_confirmation
end
end

View file

@ -77,7 +77,7 @@ defaults: &defaults
show_domain_blocks_rationale: 'disabled'
outgoing_spoilers: ''
require_invite_text: false
captcha_enabled: false
captcha_mode: 'disabled'
development:
<<: *defaults