Changeset 18083 for main/waeup.kofa/branches/uli-recaptcha/src/waeup/kofa/browser/captcha.py

Timestamp:

7 Jun 2025, 02:06:59 (3 days ago)

Author:

uli

Message:

Support Google Recaptcha v3.

File:

• main/waeup.kofa/branches/uli-recaptcha/src/waeup/kofa/browser/captcha.py (modified) (12 diffs)

main/waeup.kofa/branches/uli-recaptcha/src/waeup/kofa/browser/captcha.py

@@ -21 +21 @@
 """
 import grok
+import decimal
 import json
+import logging
 import urllib
 import urllib2
@@ -33 +35 @@
     ICaptchaRequest, ICaptchaResponse, ICaptcha, ICaptchaConfig,
     ICaptchaManager)
-from waeup.kofa.interfaces import IUniversity
+from waeup.kofa.interfaces import IUniversity, IReCaptchaConfig
 
 #
@@ -103 +105 @@
     grok.implements(ICaptcha)
 
-    def verify(self, request):
+    def verify(self, request, action="submit"):
         return CaptchaResponse(True, None)
 
-    def display(self, error_code=None):
+    def display(self, error_code=None, action="submit"):
         return u''
 
@@ -139 +141 @@
     chal_field = 'challenge'
 
-    def verify(self, request):
+    def verify(self, request, action='submit'):
         """Verify that a solution sent equals the challenge.
         """
@@ -149 +151 @@
         return CaptchaResponse(is_valid=False)
 
-    def display(self, error_code=None):
+    def display(self, error_code=None, action='submit'):
         """Display challenge and input field for solution as HTML.
         """
@@ -164 +166 @@
 
 ##
-## ReCaptcha (v2)
+## ReCaptcha (v3)
 ##
 class ReCaptcha(StaticCaptcha):
@@ -170 +172 @@
 
     This is the Kofa implementation to support captchas as provided by
-    http://www.google.com/recaptcha (v2).
+    http://www.google.com/recaptcha (v3).
 
     ReCaptcha is widely used and adopted in web applications. See the
@@ -226 +228 @@
         - Google will track all activity of our clients
     """
-
     grok.implements(ICaptcha)
 
@@ -240 +241 @@
     VERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify'
 
-    def verify(self, request):
+    @property
+    def sitekey(self):
+        return self.get_config()['public_key']
+
+    @property
+    def logger(self):
+        # if there is no site, we are most probably in a testing env
+        return getattr(grok.getSite(), "logger", logging.getLogger("dummy"))
+
+    @property
+    def ob_class(self):
+        return self.__implemented__.__name__.replace('waeup.kofa.', '')
+
+    def get_config(self):
+        if not getattr(self, "config", None):
+            self.config = queryUtility(IReCaptchaConfig, default={
+                'public_key': self.PUBLIC_KEY,
+                'private_key': self.PRIVATE_KEY,
+                'hostname': u'localhost',
+                'min_score': decimal.Decimal("0.5")
+                })
+        self.logger.debug(u'%s : getting ReCaptchaConfig: %s' % (
+            self.ob_class, self.config))
+        return self.config
+
+    def verify(self, request, action='submit'):
         """Grab challenge/solution from HTTP request and verify it.
 
@@ -249 +275 @@
         Returns a :class:`CaptchaResponse` indicating that the
         verification failed or succeeded.
-        """
+
+        Possible error codes (official Google codes):
+            missing-input-secret    The secret parameter is missing.
+            invalid-input-secret    The secret parameter is invalid or malformed.
+            missing-input-response  The response parameter is missing.
+            invalid-input-response  The response parameter is invalid or malformed.
+            bad-request     The request is invalid or malformed.
+            timeout-or-duplicate    The response is no longer valid: either is too old or has been used previously.
+        We also have our own ones:
+            invalid-action          The passed action does not match the one we expected
+            insufficient-score      The returned score is too low; talking to a bot
+            invalid-hostname        The captcha was solved on a different domain.
+        """
+        remote_ip = request.get('HTTP_X_FORWARDED_FOR', '127.0.0.1')
         form = getattr(request, 'form', {})
         token = form.get(self.token_field, None)
+        oc = self.ob_class
+        self.logger.debug(u'%s: get token from form: %s' % (oc, token))
         if not token:
             # on first-time display, we won't get a token
             return CaptchaResponse(is_valid=False)
+        conf = self.get_config()
         params = urllib.urlencode(
             {
-                'secret': self.PRIVATE_KEY,
+                'secret': conf['private_key'],
                 'response': token,
-                'remoteip': '127.0.0.1',
+                'remoteip': remote_ip,
                 })
-        request = urllib2.Request(
+        self.logger.debug(u'%s: send validation request to Google' % oc)
+        v_request = urllib2.Request(
             url = self.VERIFY_URL,
             data = params,
@@ -269 +312 @@
                 }
             )
-        conn = urllib2.urlopen(request)
-        ret_vals = json.loads(conn.read())
-        conn.close()
+        try:
+            conn = urllib2.urlopen(v_request)
+            ret_vals = json.loads(conn.read())
+        except:
+            conn.close()
+            return CaptchaResponse(is_valid=False, error_code="could-not-reach-verification-server")
+        self.logger.debug(u'%s: got answer from Google: %s' % (oc, ret_vals))
+        err_codes = ret_vals.get('error-codes', [])
         if ret_vals.get('success', False) is True:
-            return CaptchaResponse(is_valid=True)
+            r_action = ret_vals.get('action', None)
+            score = ret_vals.get('score', decimal.Decimal("0.0"))
+            hostname = ret_vals.get('hostname', '')
+            if r_action != action:
+                err_codes.append('invalid-action')
+                self.logger.warn(
+                    u'%s: invalid action code: %s (expected: %s)' %
+                    (oc, r_action, action))
+            elif score < conf['min_score']:
+                err_codes.append('insufficent-score')
+                self.logger.debug(u'%s: insufficient score: %s' % (oc, score))
+            elif not hostname.endswith(conf['hostname']):
+                err_codes.append('invalid-hostname')
+                self.logger.warn(
+                    u'%s: cought captcha from illegal hostname: %s' % (
+                        oc, hostname))
+            else:
+                self.logger.debug(u'%s: captcha accepted' % oc)
+                return CaptchaResponse(is_valid=True)
+        self.logger.info(u'%s: captcha invalid/refused, form-data: %s' % (
+            oc, form))
         return CaptchaResponse(
-            is_valid=False, error_code="%s" % ret_vals['error-codes'])
-
-    def display(self, error_code=None):
+            is_valid=False, error_code="%s" % err_codes)
+
+    def display(self, error_code=None, action='submit'):
         """Display captcha widget snippet.
 
@@ -290 +358 @@
         form).
         """
-        error_param = ''
+        html = u''
+        # TODO: display errors as warnings
         if error_code:
-            error_param = '&error=%s' % error_code
-
-        html = (
-            u'<script type="text/javascript" '
-            u'src="%(ApiServer)s" async defer>'
+            html = u"<p class='warning'>Captcha-Error: Are you a bot?</p><!-- %s -->" % error_code
+        html += (
+            # Main event handler, triggered when a submit button is clicked.
+            # Requests the captcha token for the form and also copies name and
+            # value of the clicked button to a hidden field `fakebtn` defined
+            # below.
+            u'<script class="kofa-script-recaptcha-v3" '
+            u' src="https://www.google.com/recaptcha/api.js?render=%(sitekey)s">'
+            u'</script>\n'
+            u'<script class="kofa-script-recaptcha-v3"> '
+            u'  function onClickRecaptcha(e) {'
+            u'    e.preventDefault();'
+            u'    grecaptcha.ready(function() {'
+            u'      grecaptcha.execute("%(sitekey)s", {action: "%(action)s"}).then('
+            u'        function(token) {'
+            u'          document.getElementById("g-recaptcha-token").value = token;'
+            u'          var fakebtn = document.getElementById("g-recaptcha-fakebtn");'
+            u'          fakebtn.name = e.target.name;'
+            u'          fakebtn.value = e.target.value;'
+            u'          document.querySelector("form").submit();});});}'
+            u'</script>\n'
+        ) % {
+            'sitekey': self.sitekey,
+            'action': action,
+        }
+        html += (
+            # Form fields we use to (1) embed the captcha token and (2) a field
+            # to embed the name and value of the submit button/input clicked.
+            u'<input id="g-recaptcha-token" type="hidden" name="%(token_field)s"/>\n'
+            u'<input id="g-recaptcha-fakebtn" type="hidden"/>\n'
+            ) % {'token_field': self.token_field}
+        html += (
+            # install event handler `onClickRecaptcha` defined above, but only
+            # after document (HTML) loaded.
+            u'<script> window.addEventListener("load", function () {'
+            u'  if (typeof onClickRecaptcha === "function") {'
+            u'document.querySelector("*[type=\'submit\']").addEventListener('
+            u'"click", onClickRecaptcha);}})'
             u'</script>'
-            u'<div class="g-recaptcha" data-sitekey="%(SiteKey)s"></div>' % {
-                'ApiServer': "https://www.google.com/recaptcha/api.js",
-                'SiteKey': self.PUBLIC_KEY,
-                }
-        )
+            )
         return html