Add invisible ReCAPTCHA to login and password reset

This commit is contained in:
Jakob Schrettenbrunner 2017-03-31 12:19:44 +02:00
parent f2f834af49
commit 142cbb0641
8 changed files with 184 additions and 4 deletions

View file

@ -0,0 +1,59 @@
<?php
/**
* Pterodactyl - Panel
* Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>.
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
namespace Pterodactyl\Events\Auth;
use Illuminate\Queue\SerializesModels;
class FailedCaptcha
{
use SerializesModels;
/**
* The IP that the request originated from.
*
* @var string
*/
public $ip;
/**
* The domain that was used to try to verify the request with recaptcha api.
*
* @var string
*/
public $domain;
/**
* Create a new event instance.
*
* @param string $ip
* @param string $domain
* @return void
*/
public function __construct($ip, $domain)
{
$this->ip = $ip;
$this->domain = $domain;
}
}

View file

@ -58,5 +58,6 @@ class Kernel extends HttpKernel
'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class, 'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
'can' => \Illuminate\Auth\Middleware\Authorize::class, 'can' => \Illuminate\Auth\Middleware\Authorize::class,
'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class, 'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class,
'recaptcha' => \Pterodactyl\Http\Middleware\VerifyReCaptcha::class,
]; ];
} }

View file

@ -0,0 +1,59 @@
<?php
namespace Pterodactyl\Http\Middleware;
use Closure;
use Alert;
use \Pterodactyl\Events\Auth\FailedCaptcha;
class VerifyReCaptcha
{
/**
* Handle an incoming request.
*
* @param \Illuminate\Http\Request $request
* @param \Closure $next
* @return mixed
*/
public function handle($request, Closure $next)
{
if (!config('recaptcha.enabled')) return next($request);
$response_domain = null;
if ($request->has('g-recaptcha-response')) {
$response = $request->get('g-recaptcha-response');
$client = new \GuzzleHttp\Client();
$res = $client->post('https://www.google.com/recaptcha/api/siteverify', [
'form_params' => [
'secret' => config('recaptcha.secret_key'),
'response' => $response,
],
]);
if ($res->getStatusCode() === 200) {
$result = json_decode($res->getBody());
$response_domain = $result->hostname;
// Compare the domain received by google with the app url
$domain_verified = false;
if (config('recaptcha.verify_domain')) {
$matches;
preg_match('/^(?:https?:\/\/)?((?:www\.)?[^:\/\n]+)/', config('app.url'), $matches);
$domain = $matches[1];
$domain_verified = $response_domain === $domain;
}
if ($result->success && (!config('recaptcha.verify_domain') || $domain_verified)) {
return $next($request);
}
}
}
// Emit an event and return to the previous view with an error (only the captcha error will be shown!)
event(new FailedCaptcha($request->ip(), $response_domain));
return back()->withErrors(['g-recaptcha-response' => trans('strings.captcha_invalid')])->withInput();
}
}

View file

@ -55,6 +55,7 @@ class AuthRoutes
// Handle Login // Handle Login
$router->post('login', [ $router->post('login', [
'uses' => 'Auth\LoginController@login', 'uses' => 'Auth\LoginController@login',
'middleware' => 'recaptcha',
]); ]);
$router->get('login/totp', [ $router->get('login/totp', [
@ -75,6 +76,7 @@ class AuthRoutes
// Handle Password Reset // Handle Password Reset
$router->post('password', [ $router->post('password', [
'uses' => 'Auth\ForgotPasswordController@sendResetLinkEmail', 'uses' => 'Auth\ForgotPasswordController@sendResetLinkEmail',
'middleware' => 'recaptcha',
]); ]);
// Show Verification Checkpoint // Show Verification Checkpoint
@ -87,6 +89,7 @@ class AuthRoutes
$router->post('password/reset', [ $router->post('password/reset', [
'as' => 'auth.reset.post', 'as' => 'auth.reset.post',
'uses' => 'Auth\ResetPasswordController@reset', 'uses' => 'Auth\ResetPasswordController@reset',
'middleware' => 'recaptcha',
]); ]);
}); });

26
config/recaptcha.php Normal file
View file

@ -0,0 +1,26 @@
<?php
return [
/**
* Enable or disable captchas
*/
'enabled' => env('RECAPTCHA_ENABLED', true),
/**
* Use a custom secret key, we use our public one by default
*/
'secret_key' => env('RECAPTCHA_SECRET_KEY', '6LekAxoUAAAAAPW-PxNWaCLH76WkClMLSa2jImwD'),
/**
* Use a custom website key, we use our public one by default
*/
'website_key' => env('RECAPTCHA_WEBSITE_KEY' ,'6LekAxoUAAAAADjWZJ4ufcDRZBBiH9vfHawqRbup'),
/**
* Domain verification is enabled by default and compares the domain used when solving the captcha
* as public keys can't have domain verification on google's side enabled (obviously).
*/
'verify_domain' => true,
];

View file

@ -69,4 +69,5 @@ return [
'owner' => 'Owner', 'owner' => 'Owner',
'admin' => 'Admin', 'admin' => 'Admin',
'subuser' => 'Subuser', 'subuser' => 'Subuser',
'captcha_invalid' => 'The provided captcha is invalid.',
]; ];

View file

@ -45,7 +45,7 @@
@endforeach @endforeach
@endforeach @endforeach
<p class="login-box-msg">@lang('auth.authentication_required')</p> <p class="login-box-msg">@lang('auth.authentication_required')</p>
<form action="{{ route('auth.login') }}" method="POST"> <form id="loginForm" action="{{ route('auth.login') }}" method="POST">
<div class="form-group has-feedback"> <div class="form-group has-feedback">
<input name="user" class="form-control" value="{{ old('user') }}" placeholder="@lang('strings.user_identifier')"> <input name="user" class="form-control" value="{{ old('user') }}" placeholder="@lang('strings.user_identifier')">
<span class="fa fa-envelope form-control-feedback"></span> <span class="fa fa-envelope form-control-feedback"></span>
@ -62,10 +62,20 @@
</div> </div>
<div class="col-xs-4"> <div class="col-xs-4">
{!! csrf_field() !!} {!! csrf_field() !!}
<button type="submit" class="btn btn-primary btn-block btn-flat">@lang('auth.sign_in')</button> <button type="submit" class="btn btn-primary btn-block btn-flat g-recaptcha" data-sitekey="{{ config('recaptcha.website_key') }}" data-callback='onSubmit'>@lang('auth.sign_in')</button>
</div> </div>
</div> </div>
</form> </form>
<a href="{{ route('auth.password') }}">@lang('auth.forgot_password')</a><br> <a href="{{ route('auth.password') }}">@lang('auth.forgot_password')</a><br>
</div> </div>
@endsection @endsection
@section('scripts')
@parent
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
<script>
function onSubmit(token) {
document.getElementById("loginForm").submit();
}
</script>
@endsection

View file

@ -25,13 +25,24 @@
@section('content') @section('content')
<div class="login-box-body"> <div class="login-box-body">
@if (count($errors) > 0)
<div class="callout callout-danger">
<button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button>
@lang('auth.auth_error')<br><br>
<ul>
@foreach ($errors->all() as $error)
<li>{{ $error }}</li>
@endforeach
</ul>
</div>
@endif
@if (session('status')) @if (session('status'))
<div class="callout callout-success"> <div class="callout callout-success">
@lang('auth.email_sent') @lang('auth.email_sent')
</div> </div>
@endif @endif
<p class="login-box-msg">@lang('auth.request_reset_text')</p> <p class="login-box-msg">@lang('auth.request_reset_text')</p>
<form action="{{ route('auth.password') }}" method="POST"> <form id="resetForm" action="{{ route('auth.password') }}" method="POST">
<div class="form-group has-feedback"> <div class="form-group has-feedback">
<input type="email" name="email" class="form-control" value="{{ old('email') }}" autofocus placeholder="@lang('strings.email')"> <input type="email" name="email" class="form-control" value="{{ old('email') }}" autofocus placeholder="@lang('strings.email')">
<span class="fa fa-envelope form-control-feedback"></span> <span class="fa fa-envelope form-control-feedback"></span>
@ -47,9 +58,19 @@
</div> </div>
<div class="col-xs-8"> <div class="col-xs-8">
{!! csrf_field() !!} {!! csrf_field() !!}
<button type="submit" class="btn btn-primary btn-block btn-flat">@lang('auth.request_reset')</button> <button type="submit" class="btn btn-primary btn-block btn-flat g-recaptcha" data-sitekey="{{ config('recaptcha.website_key') }}" data-callback='onSubmit'>@lang('auth.request_reset')</button>
</div> </div>
</div> </div>
</form> </form>
</div> </div>
@endsection @endsection
@section('scripts')
@parent
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
<script>
function onSubmit(token) {
document.getElementById("resetForm").submit();
}
</script>
@endsection