Merge pull request #1665 from ClearlyClaire/glitch-soc/features/hcaptcha
Add optional hCaptcha supportremotes/1727458204337373841/tmp_refs/heads/signup-info-prompt
commit
129bc42979
|
@ -285,3 +285,7 @@ MAX_POLL_OPTION_CHARS=100
|
||||||
# Units are in bytes
|
# Units are in bytes
|
||||||
MAX_EMOJI_SIZE=51200
|
MAX_EMOJI_SIZE=51200
|
||||||
MAX_REMOTE_EMOJI_SIZE=204800
|
MAX_REMOTE_EMOJI_SIZE=204800
|
||||||
|
|
||||||
|
# Optional hCaptcha support
|
||||||
|
# HCAPTCHA_SECRET_KEY=
|
||||||
|
# HCAPTCHA_SITE_KEY=
|
||||||
|
|
2
Gemfile
2
Gemfile
|
@ -156,3 +156,5 @@ gem 'concurrent-ruby', require: false
|
||||||
gem 'connection_pool', require: false
|
gem 'connection_pool', require: false
|
||||||
|
|
||||||
gem 'xorcist', '~> 1.1'
|
gem 'xorcist', '~> 1.1'
|
||||||
|
|
||||||
|
gem 'hcaptcha', '~> 7.1'
|
||||||
|
|
|
@ -271,6 +271,8 @@ GEM
|
||||||
railties (>= 4.0.1)
|
railties (>= 4.0.1)
|
||||||
hashdiff (1.0.1)
|
hashdiff (1.0.1)
|
||||||
hashie (4.1.0)
|
hashie (4.1.0)
|
||||||
|
hcaptcha (7.1.0)
|
||||||
|
json
|
||||||
highline (2.0.3)
|
highline (2.0.3)
|
||||||
hiredis (0.6.3)
|
hiredis (0.6.3)
|
||||||
hkdf (0.3.0)
|
hkdf (0.3.0)
|
||||||
|
@ -719,6 +721,7 @@ DEPENDENCIES
|
||||||
fog-openstack (~> 0.3)
|
fog-openstack (~> 0.3)
|
||||||
fuubar (~> 2.5)
|
fuubar (~> 2.5)
|
||||||
hamlit-rails (~> 0.2)
|
hamlit-rails (~> 0.2)
|
||||||
|
hcaptcha (~> 7.1)
|
||||||
hiredis (~> 0.6)
|
hiredis (~> 0.6)
|
||||||
htmlentities (~> 4.3)
|
htmlentities (~> 4.3)
|
||||||
http (~> 5.0)
|
http (~> 5.0)
|
||||||
|
|
|
@ -1,12 +1,18 @@
|
||||||
# frozen_string_literal: true
|
# frozen_string_literal: true
|
||||||
|
|
||||||
class Auth::ConfirmationsController < Devise::ConfirmationsController
|
class Auth::ConfirmationsController < Devise::ConfirmationsController
|
||||||
|
include CaptchaConcern
|
||||||
|
|
||||||
layout 'auth'
|
layout 'auth'
|
||||||
|
|
||||||
before_action :set_body_classes
|
before_action :set_body_classes
|
||||||
before_action :set_pack
|
before_action :set_pack
|
||||||
|
before_action :set_confirmation_user!, only: [:show, :confirm_captcha]
|
||||||
before_action :require_unconfirmed!
|
before_action :require_unconfirmed!
|
||||||
|
|
||||||
|
before_action :extend_csp_for_captcha!, only: [:show, :confirm_captcha]
|
||||||
|
before_action :require_captcha_if_needed!, only: [:show]
|
||||||
|
|
||||||
skip_before_action :require_functional!
|
skip_before_action :require_functional!
|
||||||
|
|
||||||
def new
|
def new
|
||||||
|
@ -15,8 +21,46 @@ class Auth::ConfirmationsController < Devise::ConfirmationsController
|
||||||
resource.email = current_user.unconfirmed_email || current_user.email if user_signed_in?
|
resource.email = current_user.unconfirmed_email || current_user.email if user_signed_in?
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def show
|
||||||
|
old_session_values = session.to_hash
|
||||||
|
reset_session
|
||||||
|
session.update old_session_values.except('session_id')
|
||||||
|
|
||||||
|
super
|
||||||
|
end
|
||||||
|
|
||||||
|
def confirm_captcha
|
||||||
|
check_captcha! do |message|
|
||||||
|
flash.now[:alert] = message
|
||||||
|
render :captcha
|
||||||
|
return
|
||||||
|
end
|
||||||
|
|
||||||
|
show
|
||||||
|
end
|
||||||
|
|
||||||
private
|
private
|
||||||
|
|
||||||
|
def require_captcha_if_needed!
|
||||||
|
render :captcha if captcha_required?
|
||||||
|
end
|
||||||
|
|
||||||
|
def set_confirmation_user!
|
||||||
|
# We need to reimplement looking up the user because
|
||||||
|
# Devise::ConfirmationsController#show looks up and confirms in one
|
||||||
|
# step.
|
||||||
|
confirmation_token = params[:confirmation_token]
|
||||||
|
return if confirmation_token.nil?
|
||||||
|
@confirmation_user = User.find_first_by_auth_conditions(confirmation_token: confirmation_token)
|
||||||
|
end
|
||||||
|
|
||||||
|
def captcha_user_bypass?
|
||||||
|
return true if @confirmation_user.nil? || @confirmation_user.confirmed?
|
||||||
|
|
||||||
|
invite = Invite.find(@confirmation_user.invite_id) if @confirmation_user.invite_id.present?
|
||||||
|
invite.present? && !invite.max_uses.nil?
|
||||||
|
end
|
||||||
|
|
||||||
def set_pack
|
def set_pack
|
||||||
use_pack 'auth'
|
use_pack 'auth'
|
||||||
end
|
end
|
||||||
|
|
|
@ -0,0 +1,59 @@
|
||||||
|
# frozen_string_literal: true
|
||||||
|
|
||||||
|
module CaptchaConcern
|
||||||
|
extend ActiveSupport::Concern
|
||||||
|
include Hcaptcha::Adapters::ViewMethods
|
||||||
|
|
||||||
|
included do
|
||||||
|
helper_method :render_captcha
|
||||||
|
end
|
||||||
|
|
||||||
|
def captcha_available?
|
||||||
|
ENV['HCAPTCHA_SECRET_KEY'].present? && ENV['HCAPTCHA_SITE_KEY'].present?
|
||||||
|
end
|
||||||
|
|
||||||
|
def captcha_enabled?
|
||||||
|
captcha_available? && Setting.captcha_enabled
|
||||||
|
end
|
||||||
|
|
||||||
|
def captcha_user_bypass?
|
||||||
|
false
|
||||||
|
end
|
||||||
|
|
||||||
|
def captcha_required?
|
||||||
|
captcha_enabled? && !captcha_user_bypass?
|
||||||
|
end
|
||||||
|
|
||||||
|
def check_captcha!
|
||||||
|
return true unless captcha_required?
|
||||||
|
|
||||||
|
if verify_hcaptcha
|
||||||
|
true
|
||||||
|
else
|
||||||
|
if block_given?
|
||||||
|
message = flash[:hcaptcha_error]
|
||||||
|
flash.delete(:hcaptcha_error)
|
||||||
|
yield message
|
||||||
|
end
|
||||||
|
false
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def extend_csp_for_captcha!
|
||||||
|
policy = request.content_security_policy
|
||||||
|
return unless captcha_required? && policy.present?
|
||||||
|
|
||||||
|
%w(script_src frame_src style_src connect_src).each do |directive|
|
||||||
|
values = policy.send(directive)
|
||||||
|
values << 'https://hcaptcha.com' unless values.include?('https://hcaptcha.com') || values.include?('https:')
|
||||||
|
values << 'https://*.hcaptcha.com' unless values.include?('https://*.hcaptcha.com') || values.include?('https:')
|
||||||
|
policy.send(directive, *values)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def render_captcha
|
||||||
|
return unless captcha_required?
|
||||||
|
|
||||||
|
hcaptcha_tags
|
||||||
|
end
|
||||||
|
end
|
|
@ -8,4 +8,8 @@ module Admin::SettingsHelper
|
||||||
link = link_to t('admin.site_uploads.delete'), admin_site_upload_path(upload), data: { method: :delete }
|
link = link_to t('admin.site_uploads.delete'), admin_site_upload_path(upload), data: { method: :delete }
|
||||||
safe_join([hint, link], '<br/>'.html_safe)
|
safe_join([hint, link], '<br/>'.html_safe)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def captcha_available?
|
||||||
|
ENV['HCAPTCHA_SECRET_KEY'].present? && ENV['HCAPTCHA_SITE_KEY'].present?
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -1058,3 +1058,7 @@ code {
|
||||||
display: none;
|
display: none;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
.simple_form .h-captcha {
|
||||||
|
text-align: center;
|
||||||
|
}
|
||||||
|
|
|
@ -40,6 +40,7 @@ class Form::AdminSettings
|
||||||
noindex
|
noindex
|
||||||
outgoing_spoilers
|
outgoing_spoilers
|
||||||
require_invite_text
|
require_invite_text
|
||||||
|
captcha_enabled
|
||||||
).freeze
|
).freeze
|
||||||
|
|
||||||
BOOLEAN_KEYS = %i(
|
BOOLEAN_KEYS = %i(
|
||||||
|
@ -58,6 +59,7 @@ class Form::AdminSettings
|
||||||
trendable_by_default
|
trendable_by_default
|
||||||
noindex
|
noindex
|
||||||
require_invite_text
|
require_invite_text
|
||||||
|
captcha_enabled
|
||||||
).freeze
|
).freeze
|
||||||
|
|
||||||
UPLOAD_KEYS = %i(
|
UPLOAD_KEYS = %i(
|
||||||
|
|
|
@ -42,7 +42,10 @@
|
||||||
|
|
||||||
.fields-group
|
.fields-group
|
||||||
= f.input :require_invite_text, as: :boolean, wrapper: :with_label, label: t('admin.settings.registrations.require_invite_text.title'), hint: t('admin.settings.registrations.require_invite_text.desc_html'), disabled: !approved_registrations?
|
= f.input :require_invite_text, as: :boolean, wrapper: :with_label, label: t('admin.settings.registrations.require_invite_text.title'), hint: t('admin.settings.registrations.require_invite_text.desc_html'), disabled: !approved_registrations?
|
||||||
|
|
||||||
|
- if captcha_available?
|
||||||
.fields-group
|
.fields-group
|
||||||
|
= f.input :captcha_enabled, as: :boolean, wrapper: :with_label, label: t('admin.settings.captcha_enabled.title'), hint: t('admin.settings.captcha_enabled.desc_html')
|
||||||
|
|
||||||
%hr.spacer/
|
%hr.spacer/
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,11 @@
|
||||||
|
- content_for :page_title do
|
||||||
|
= t('auth.confirm_captcha')
|
||||||
|
|
||||||
|
= form_tag auth_captcha_confirmation_url, method: 'POST', class: 'simple_form' do
|
||||||
|
= hidden_field_tag :confirmation_token, params[:confirmation_token]
|
||||||
|
|
||||||
|
.field-group
|
||||||
|
= render_captcha
|
||||||
|
|
||||||
|
.actions
|
||||||
|
%button.button= t('challenge.continue')
|
|
@ -2,6 +2,9 @@
|
||||||
en:
|
en:
|
||||||
admin:
|
admin:
|
||||||
settings:
|
settings:
|
||||||
|
captcha_enabled:
|
||||||
|
desc_html: Enable hCaptcha integration, requiring new users to solve a challenge when confirming their email address. This requires third-party scripts from hCaptcha to be embedded in the email verification page, which may have security and privacy concerns. Users that have been invited through a limited-use invite will not need to solve a CAPTCHA challenge.
|
||||||
|
title: Require new users to go through a CAPTCHA to confirm their account
|
||||||
enable_keybase:
|
enable_keybase:
|
||||||
desc_html: Allow your users to prove their identity via keybase
|
desc_html: Allow your users to prove their identity via keybase
|
||||||
title: Enable keybase integration
|
title: Enable keybase integration
|
||||||
|
@ -17,6 +20,8 @@ en:
|
||||||
show_replies_in_public_timelines:
|
show_replies_in_public_timelines:
|
||||||
desc_html: In addition to public self-replies (threads), show public replies in local and public timelines.
|
desc_html: In addition to public self-replies (threads), show public replies in local and public timelines.
|
||||||
title: Show replies in public timelines
|
title: Show replies in public timelines
|
||||||
|
auth:
|
||||||
|
confirm_captcha: User verification
|
||||||
generic:
|
generic:
|
||||||
use_this: Use this
|
use_this: Use this
|
||||||
settings:
|
settings:
|
||||||
|
|
|
@ -44,6 +44,7 @@ Rails.application.routes.draw do
|
||||||
resource :setup, only: [:show, :update], controller: :setup
|
resource :setup, only: [:show, :update], controller: :setup
|
||||||
resource :challenge, only: [:create], controller: :challenges
|
resource :challenge, only: [:create], controller: :challenges
|
||||||
get 'sessions/security_key_options', to: 'sessions#webauthn_options'
|
get 'sessions/security_key_options', to: 'sessions#webauthn_options'
|
||||||
|
post 'captcha_confirmation', to: 'confirmations#confirm_captcha', as: :captcha_confirmation
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -77,6 +77,7 @@ defaults: &defaults
|
||||||
show_domain_blocks_rationale: 'disabled'
|
show_domain_blocks_rationale: 'disabled'
|
||||||
outgoing_spoilers: ''
|
outgoing_spoilers: ''
|
||||||
require_invite_text: false
|
require_invite_text: false
|
||||||
|
captcha_enabled: false
|
||||||
|
|
||||||
development:
|
development:
|
||||||
<<: *defaults
|
<<: *defaults
|
||||||
|
|
Loading…
Reference in New Issue