Add invisible ReCAPTCHA to login and password reset

2017-03-31 12:19:44 +02:00 · 2017-03-31 12:19:44 +02:00 · 142cbb0641
commit 142cbb0641
parent f2f834af49
8 changed files with 184 additions and 4 deletions
--- a/app/Events/Auth/FailedCaptcha.php
+++ b/app/Events/Auth/FailedCaptcha.php
@ -0,0 +1,59 @@
+<?php
+/**
+* Pterodactyl - Panel
+* Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>.
+*
+* Permission is hereby granted, free of charge, to any person obtaining a copy
+* of this software and associated documentation files (the "Software"), to deal
+* in the Software without restriction, including without limitation the rights
+* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+* copies of the Software, and to permit persons to whom the Software is
+* furnished to do so, subject to the following conditions:
+*
+* The above copyright notice and this permission notice shall be included in all
+* copies or substantial portions of the Software.
+*
+* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+* SOFTWARE.
+*/
+
+namespace Pterodactyl\Events\Auth;
+
+use Illuminate\Queue\SerializesModels;
+
+class FailedCaptcha
+{
+    use SerializesModels;
+    
+    /**
+    * The IP that the request originated from.
+    *
+    * @var string
+    */
+    public $ip;
+
+    /**
+     * The domain that was used to try to verify the request with recaptcha api.
+     * 
+     * @var string
+     */
+    public $domain;
+    
+    /**
+    * Create a new event instance.
+    *
+    * @param  string  $ip
+    * @param  string  $domain
+    * @return void
+    */
+    public function __construct($ip, $domain)
+    {
+        $this->ip = $ip;
+        $this->domain = $domain;
+    }
+}
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@ -58,5 +58,6 @@ class Kernel extends HttpKernel
        'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
        'can' => \Illuminate\Auth\Middleware\Authorize::class,
        'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class,
+        'recaptcha' => \Pterodactyl\Http\Middleware\VerifyReCaptcha::class,
    ];
 }
--- a/app/Http/Middleware/VerifyReCaptcha.php
+++ b/app/Http/Middleware/VerifyReCaptcha.php
@ -0,0 +1,59 @@
+<?php
+
+namespace Pterodactyl\Http\Middleware;
+
+use Closure;
+use Alert;
+use \Pterodactyl\Events\Auth\FailedCaptcha;
+
+class VerifyReCaptcha
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @return mixed
+     */
+    public function handle($request, Closure $next)
+    {
+        if (!config('recaptcha.enabled')) return next($request);
+        
+        $response_domain = null;
+
+        if ($request->has('g-recaptcha-response')) {
+            $response = $request->get('g-recaptcha-response');
+
+            $client = new \GuzzleHttp\Client();
+            $res = $client->post('https://www.google.com/recaptcha/api/siteverify', [
+                'form_params' => [
+                    'secret' => config('recaptcha.secret_key'),
+                    'response' => $response,
+                ],
+            ]);
+
+            if ($res->getStatusCode() === 200) {
+                $result = json_decode($res->getBody());
+
+                $response_domain = $result->hostname;
+
+                // Compare the domain received by google with the app url
+                $domain_verified = false;
+                if (config('recaptcha.verify_domain')) {
+                   $matches;
+                   preg_match('/^(?:https?:\/\/)?((?:www\.)?[^:\/\n]+)/', config('app.url'), $matches);
+                   $domain = $matches[1];
+                   $domain_verified = $response_domain === $domain;
+                }
+
+                if ($result->success && (!config('recaptcha.verify_domain') || $domain_verified)) {
+                    return $next($request);
+                }
+            }
+        }
+        
+        // Emit an event and return to the previous view with an error (only the captcha error will be shown!)
+        event(new FailedCaptcha($request->ip(), $response_domain));
+        return back()->withErrors(['g-recaptcha-response' => trans('strings.captcha_invalid')])->withInput();
+    }
+}
--- a/app/Http/Routes/AuthRoutes.php
+++ b/app/Http/Routes/AuthRoutes.php
@ -55,6 +55,7 @@ class AuthRoutes
            // Handle Login
            $router->post('login', [
                'uses' => 'Auth\LoginController@login',
+                'middleware' => 'recaptcha',
            ]);

            $router->get('login/totp', [
@ -75,6 +76,7 @@ class AuthRoutes
            // Handle Password Reset
            $router->post('password', [
                'uses' => 'Auth\ForgotPasswordController@sendResetLinkEmail',
+                'middleware' => 'recaptcha',
            ]);

            // Show Verification Checkpoint
@ -87,6 +89,7 @@ class AuthRoutes
            $router->post('password/reset', [
                'as' => 'auth.reset.post',
                'uses' => 'Auth\ResetPasswordController@reset',
+                'middleware' => 'recaptcha',
            ]);
        });