Add invisible ReCAPTCHA to login and password reset
This commit is contained in:
parent
f2f834af49
commit
142cbb0641
8 changed files with 184 additions and 4 deletions
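--- /dev/null
+++ b/app/Events/Auth/FailedCaptcha.php
@@ -0,0 +1,59 @@
+<?php
+/**
+ * Pterodactyl - Panel
+ * Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+namespace Pterodactyl\Events\Auth;
+
+use Illuminate\Queue\SerializesModels;
+
+class FailedCaptcha
+{
+    use SerializesModels;
+
+    /**
+     * The IP that the request originated from.
+     *
+     * @var string
+     */
+    public $ip;
+
+    /**
+     * The domain that was used to try to verify the request with recaptcha api.
+     *
+     * @var string
+     */
+    public $domain;
+
+    /**
+     * Create a new event instance.
+     *
+     * @param string $ip
+     * @param string $domain
+     * @return void
+     */
+    public function __construct($ip, $domain)
+    {
+        $this->ip = $ip;
+        $this->domain = $domain;
+    }
+}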
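Review bot: `$domain` is documented as `@var string` and `@param string $domain`, but the only dispatcher in this commit (VerifyReCaptcha) passes `$response_domain`, which is still `null` whenever the request carries no `g-recaptcha-response` or the siteverify call does not return 200, so the docblocks should read `@var string|null` and `@param string|null $domain`. A listener that logs or type-hints it as a string would otherwise be surprised on exactly the failure path this event exists for. No listener for the event is visible in the commit, so presumably it is wired up elsewhere or left for a later change.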
@ -58,5 +58,6 @@ class Kernel extends HttpKernel
|
||||||
'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
|
'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
|
||||||
'can' => \Illuminate\Auth\Middleware\Authorize::class,
|
'can' => \Illuminate\Auth\Middleware\Authorize::class,
|
||||||
'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class,
|
'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class,
|
||||||
|
'recaptcha' => \Pterodactyl\Http\Middleware\VerifyReCaptcha::class,
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
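--- /dev/null
+++ b/app/Http/Middleware/VerifyReCaptcha.php
@@ -0,0 +1,59 @@
+<?php
+
+namespace Pterodactyl\Http\Middleware;
+
+use Closure;
+use Alert;
+use \Pterodactyl\Events\Auth\FailedCaptcha;
+
+class VerifyReCaptcha
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param \Illuminate\Http\Request $request
+     * @param \Closure $next
+     * @return mixed
+     */
+    public function handle($request, Closure $next)
+    {
+        if (!config('recaptcha.enabled')) return next($request);
+
+        $response_domain = null;
+
+        if ($request->has('g-recaptcha-response')) {
+            $response = $request->get('g-recaptcha-response');
+
+            $client = new \GuzzleHttp\Client();
+            $res = $client->post('https://www.google.com/recaptcha/api/siteverify', [
+                'form_params' => [
+                    'secret' => config('recaptcha.secret_key'),
+                    'response' => $response,
+                ],
+            ]);
+
+            if ($res->getStatusCode() === 200) {
+                $result = json_decode($res->getBody());
+
+                $response_domain = $result->hostname;
+
+                // Compare the domain received by google with the app url
+                $domain_verified = false;
+                if (config('recaptcha.verify_domain')) {
+                    $matches;
+                    preg_match('/^(?:https?:\/\/)?((?:www\.)?[^:\/\n]+)/', config('app.url'), $matches);
+                    $domain = $matches[1];
+                    $domain_verified = $response_domain === $domain;
+                }
+
+                if ($result->success && (!config('recaptcha.verify_domain') || $domain_verified)) {
+                    return $next($request);
+                }
+            }
+        }
+
+        // Emit an event and return to the previous view with an error (only the captcha error will be shown!)
+        event(new FailedCaptcha($request->ip(), $response_domain));
+        return back()->withErrors(['g-recaptcha-response' => trans('strings.captcha_invalid')])->withInput();
+    }
+}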
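Review bot: The disabled path calls PHP's builtin `next()` with a Request instead of invoking the `$next` closure, so setting `RECAPTCHA_ENABLED=false` will break every route this middleware is attached to; it must be `if (!config('recaptcha.enabled')) return $next($request);`. On the failure path `->withInput()` flashes the whole login payload, password included, into the session store, so it should be `->withInput($request->except('password', 'password_confirmation'))`. `$result->hostname` is also read before `$result->success` is checked and before `json_decode` is known to have produced an object, so a non-JSON or error body raises a notice rather than failing cleanly; reading it as `$response_domain = $result->hostname ?? null;` after a `is_object($result)` guard keeps the fail-closed behaviour without the noise. The bare `$matches;` statement is a no-op and can go, and `use Alert;` is unused.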
@ -55,6 +55,7 @@ class AuthRoutes
|
||||||
// Handle Login
|
// Handle Login
|
||||||
$router->post('login', [
|
$router->post('login', [
|
||||||
'uses' => 'Auth\LoginController@login',
|
'uses' => 'Auth\LoginController@login',
|
||||||
|
'middleware' => 'recaptcha',
|
||||||
]);
|
]);
|
||||||
|
|
||||||
$router->get('login/totp', [
|
$router->get('login/totp', [
|
||||||
|
@ -75,6 +76,7 @@ class AuthRoutes
|
||||||
// Handle Password Reset
|
// Handle Password Reset
|
||||||
$router->post('password', [
|
$router->post('password', [
|
||||||
'uses' => 'Auth\ForgotPasswordController@sendResetLinkEmail',
|
'uses' => 'Auth\ForgotPasswordController@sendResetLinkEmail',
|
||||||
|
'middleware' => 'recaptcha',
|
||||||
]);
|
]);
|
||||||
|
|
||||||
// Show Verification Checkpoint
|
// Show Verification Checkpoint
|
||||||
|
@ -87,6 +89,7 @@ class AuthRoutes
|
||||||
$router->post('password/reset', [
|
$router->post('password/reset', [
|
||||||
'as' => 'auth.reset.post',
|
'as' => 'auth.reset.post',
|
||||||
'uses' => 'Auth\ResetPasswordController@reset',
|
'uses' => 'Auth\ResetPasswordController@reset',
|
||||||
|
'middleware' => 'recaptcha',
|
||||||
]);
|
]);
|
||||||
});
|
});
|
||||||
|
|
||||||
|
|
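Review bot: The third hunk attaches `recaptcha` to `POST password/reset` (`ResetPasswordController@reset`), but none of the 8 changed files in this commit is the token-reset view; the `password.blade.php` that gains the widget posts to `route('auth.password')`, i.e. the request-link form. Unless the reset form already renders a `g-recaptcha` button (I cannot see it here), every reset submission will arrive without `g-recaptcha-response` and be bounced with `captcha_invalid`, which fails closed but locks users out of completing a reset. Either add the widget to that view in the same change or drop `'middleware' => 'recaptcha',` from the `password/reset` route until it does. The AuthRoutes class continues outside these hunks.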
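--- /dev/null
+++ b/config/recaptcha.php
@@ -0,0 +1,26 @@
+<?php
+
+return [
+
+    /**
+     * Enable or disable captchas
+     */
+    'enabled' => env('RECAPTCHA_ENABLED', true),
+
+    /**
+     * Use a custom secret key, we use our public one by default
+     */
+    'secret_key' => env('RECAPTCHA_SECRET_KEY', '6LekAxoUAAAAAPW-PxNWaCLH76WkClMLSa2jImwD'),
+
+    /**
+     * Use a custom website key, we use our public one by default
+     */
+    'website_key' => env('RECAPTCHA_WEBSITE_KEY' ,'6LekAxoUAAAAADjWZJ4ufcDRZBBiH9vfHawqRbup'),
+
+    /**
+     * Domain verification is enabled by default and compares the domain used when solving the captcha
+     * as public keys can't have domain verification on google's side enabled (obviously).
+     */
+    'verify_domain' => true,
+
+];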
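Review bot: The default `secret_key` is committed to the repository, so for every install that does not set `RECAPTCHA_SECRET_KEY` the "secret" is public and the `hostname` comparison in VerifyReCaptcha is the only control stopping a token solved on any other site using the same shared site key; the comments should say that plainly rather than "we use our public one by default". I would replace the two key comments with one block along the lines of `* The default keys are shared and published, so the secret provides no secrecy; the verify_domain hostname check is what rejects tokens solved elsewhere. Set RECAPTCHA_SECRET_KEY and RECAPTCHA_WEBSITE_KEY to your own pair for production.` The `verify_domain` comment should also state that the hostname Google reports must equal the host part of `app.url` exactly, since a mismatch (e.g. `www.` vs bare host, or a panel reached by IP) fails every login. Keeping `verify_domain` hard-coded `true` rather than env-driven is the right call while shared keys are the default.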
@ -69,4 +69,5 @@ return [
|
||||||
'owner' => 'Owner',
|
'owner' => 'Owner',
|
||||||
'admin' => 'Admin',
|
'admin' => 'Admin',
|
||||||
'subuser' => 'Subuser',
|
'subuser' => 'Subuser',
|
||||||
|
'captcha_invalid' => 'The provided captcha is invalid.',
|
||||||
];
|
];
|
||||||
|
|
|
@ -45,7 +45,7 @@
|
||||||
@endforeach
|
@endforeach
|
||||||
@endforeach
|
@endforeach
|
||||||
<p class="login-box-msg">@lang('auth.authentication_required')</p>
|
<p class="login-box-msg">@lang('auth.authentication_required')</p>
|
||||||
<form action="{{ route('auth.login') }}" method="POST">
|
<form id="loginForm" action="{{ route('auth.login') }}" method="POST">
|
||||||
<div class="form-group has-feedback">
|
<div class="form-group has-feedback">
|
||||||
<input name="user" class="form-control" value="{{ old('user') }}" placeholder="@lang('strings.user_identifier')">
|
<input name="user" class="form-control" value="{{ old('user') }}" placeholder="@lang('strings.user_identifier')">
|
||||||
<span class="fa fa-envelope form-control-feedback"></span>
|
<span class="fa fa-envelope form-control-feedback"></span>
|
||||||
|
@ -62,10 +62,20 @@
|
||||||
</div>
|
</div>
|
||||||
<div class="col-xs-4">
|
<div class="col-xs-4">
|
||||||
{!! csrf_field() !!}
|
{!! csrf_field() !!}
|
||||||
<button type="submit" class="btn btn-primary btn-block btn-flat">@lang('auth.sign_in')</button>
|
<button type="submit" class="btn btn-primary btn-block btn-flat g-recaptcha" data-sitekey="{{ config('recaptcha.website_key') }}" data-callback='onSubmit'>@lang('auth.sign_in')</button>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
</form>
|
</form>
|
||||||
<a href="{{ route('auth.password') }}">@lang('auth.forgot_password')</a><br>
|
<a href="{{ route('auth.password') }}">@lang('auth.forgot_password')</a><br>
|
||||||
</div>
|
</div>
|
||||||
@endsection
|
@endsection
|
||||||
|
|
||||||
|
@section('scripts')
|
||||||
|
@parent
|
||||||
|
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
|
||||||
|
<script>
|
||||||
|
function onSubmit(token) {
|
||||||
|
document.getElementById("loginForm").submit();
|
||||||
|
}
|
||||||
|
</script>
|
||||||
|
@endsection
|
|
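Review bot: The `g-recaptcha` button attributes and the `@section('scripts')` block load Google's api.js and route submission through its callback regardless of `config('recaptcha.enabled')`, so an operator who disables the captcha still ships every visitor's login page to a third-party script and still depends on it to submit the form. Wrap the new `@section('scripts') … @endsection` in `@if (config('recaptcha.enabled')) … @endif` and emit the `g-recaptcha` class, `data-sitekey` and `data-callback` attributes on the button under the same condition, so the opt-out actually removes the dependency. Note the config default is `enabled => true`, so the common case is unaffected; this only matters for the disabled path. The `onSubmit(token)` callback ignores `token`, which is fine for invisible reCAPTCHA since the widget fills the hidden `g-recaptcha-response` field itself.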
@ -25,13 +25,24 @@
|
||||||
|
|
||||||
@section('content')
|
@section('content')
|
||||||
<div class="login-box-body">
|
<div class="login-box-body">
|
||||||
|
@if (count($errors) > 0)
|
||||||
|
<div class="callout callout-danger">
|
||||||
|
<button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">×</span></button>
|
||||||
|
@lang('auth.auth_error')<br><br>
|
||||||
|
<ul>
|
||||||
|
@foreach ($errors->all() as $error)
|
||||||
|
<li>{{ $error }}</li>
|
||||||
|
@endforeach
|
||||||
|
</ul>
|
||||||
|
</div>
|
||||||
|
@endif
|
||||||
@if (session('status'))
|
@if (session('status'))
|
||||||
<div class="callout callout-success">
|
<div class="callout callout-success">
|
||||||
@lang('auth.email_sent')
|
@lang('auth.email_sent')
|
||||||
</div>
|
</div>
|
||||||
@endif
|
@endif
|
||||||
<p class="login-box-msg">@lang('auth.request_reset_text')</p>
|
<p class="login-box-msg">@lang('auth.request_reset_text')</p>
|
||||||
<form action="{{ route('auth.password') }}" method="POST">
|
<form id="resetForm" action="{{ route('auth.password') }}" method="POST">
|
||||||
<div class="form-group has-feedback">
|
<div class="form-group has-feedback">
|
||||||
<input type="email" name="email" class="form-control" value="{{ old('email') }}" autofocus placeholder="@lang('strings.email')">
|
<input type="email" name="email" class="form-control" value="{{ old('email') }}" autofocus placeholder="@lang('strings.email')">
|
||||||
<span class="fa fa-envelope form-control-feedback"></span>
|
<span class="fa fa-envelope form-control-feedback"></span>
|
||||||
|
@ -47,9 +58,19 @@
|
||||||
</div>
|
</div>
|
||||||
<div class="col-xs-8">
|
<div class="col-xs-8">
|
||||||
{!! csrf_field() !!}
|
{!! csrf_field() !!}
|
||||||
<button type="submit" class="btn btn-primary btn-block btn-flat">@lang('auth.request_reset')</button>
|
<button type="submit" class="btn btn-primary btn-block btn-flat g-recaptcha" data-sitekey="{{ config('recaptcha.website_key') }}" data-callback='onSubmit'>@lang('auth.request_reset')</button>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
</form>
|
</form>
|
||||||
</div>
|
</div>
|
||||||
@endsection
|
@endsection
|
||||||
|
|
||||||
|
@section('scripts')
|
||||||
|
@parent
|
||||||
|
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
|
||||||
|
<script>
|
||||||
|
function onSubmit(token) {
|
||||||
|
document.getElementById("resetForm").submit();
|
||||||
|
}
|
||||||
|
</script>
|
||||||
|
@endsection
|