Add invisible ReCAPTCHA to login and password reset

2017-03-31 12:19:44 +02:00 · 2017-03-31 12:19:44 +02:00 · 142cbb0641
commit 142cbb0641
parent f2f834af49
8 changed files with 184 additions and 4 deletions
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@ -58,5 +58,6 @@ class Kernel extends HttpKernel
        'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
        'can' => \Illuminate\Auth\Middleware\Authorize::class,
        'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class,
+        'recaptcha' => \Pterodactyl\Http\Middleware\VerifyReCaptcha::class,
    ];
 }
--- a/app/Http/Middleware/VerifyReCaptcha.php
+++ b/app/Http/Middleware/VerifyReCaptcha.php
@ -0,0 +1,59 @@
+<?php
+
+namespace Pterodactyl\Http\Middleware;
+
+use Closure;
+use Alert;
+use \Pterodactyl\Events\Auth\FailedCaptcha;
+
+class VerifyReCaptcha
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @return mixed
+     */
+    public function handle($request, Closure $next)
+    {
+        if (!config('recaptcha.enabled')) return next($request);
+        
+        $response_domain = null;
+
+        if ($request->has('g-recaptcha-response')) {
+            $response = $request->get('g-recaptcha-response');
+
+            $client = new \GuzzleHttp\Client();
+            $res = $client->post('https://www.google.com/recaptcha/api/siteverify', [
+                'form_params' => [
+                    'secret' => config('recaptcha.secret_key'),
+                    'response' => $response,
+                ],
+            ]);
+
+            if ($res->getStatusCode() === 200) {
+                $result = json_decode($res->getBody());
+
+                $response_domain = $result->hostname;
+
+                // Compare the domain received by google with the app url
+                $domain_verified = false;
+                if (config('recaptcha.verify_domain')) {
+                   $matches;
+                   preg_match('/^(?:https?:\/\/)?((?:www\.)?[^:\/\n]+)/', config('app.url'), $matches);
+                   $domain = $matches[1];
+                   $domain_verified = $response_domain === $domain;
+                }
+
+                if ($result->success && (!config('recaptcha.verify_domain') || $domain_verified)) {
+                    return $next($request);
+                }
+            }
+        }
+        
+        // Emit an event and return to the previous view with an error (only the captcha error will be shown!)
+        event(new FailedCaptcha($request->ip(), $response_domain));
+        return back()->withErrors(['g-recaptcha-response' => trans('strings.captcha_invalid')])->withInput();
+    }
+}
--- a/app/Http/Routes/AuthRoutes.php
+++ b/app/Http/Routes/AuthRoutes.php
@ -55,6 +55,7 @@ class AuthRoutes
            // Handle Login
            $router->post('login', [
                'uses' => 'Auth\LoginController@login',
+                'middleware' => 'recaptcha',
            ]);

            $router->get('login/totp', [
@ -75,6 +76,7 @@ class AuthRoutes
            // Handle Password Reset
            $router->post('password', [
                'uses' => 'Auth\ForgotPasswordController@sendResetLinkEmail',
+                'middleware' => 'recaptcha',
            ]);

            // Show Verification Checkpoint
@ -87,6 +89,7 @@ class AuthRoutes
            $router->post('password/reset', [
                'as' => 'auth.reset.post',
                'uses' => 'Auth\ResetPasswordController@reset',
+                'middleware' => 'recaptcha',
            ]);
        });