ReCaptcha v3 - almost working

9 months ago · 32b3904c39
5 changed files with 47 additions and 2 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -1,3 +1,5 @@
+require 'net/https'
+
 class ApplicationController < BaseController
  protect_from_forgery with: :exception, except: [:do_confirm, :js_error, :admin_update]

@ -6,6 +8,17 @@ class ApplicationController < BaseController

  helper_method :protect, :policies

+  RECAPTCHA_MINIMUM_SCORE = 0.5
+
+  def verify_recaptcha?(token, recaptcha_action)
+    recaptcha_secret_key = config.app_config['recaptcha_secret_key']
+
+    uri = URI.parse("https://www.google.com/recaptcha/api/siteverify?secret=#{recaptcha_secret_key}&response=#{token}")
+    response = Net::HTTP.get_response(uri)
+    json = JSON.parse(response.body)
+    json['success'] && json['score'] > RECAPTCHA_MINIMUM_SCORE && json['action'] == recaptcha_action
+  end
+
  def default_url_options
    { host: "#{request.protocol}#{request.host_with_port}", trailing_slash: true }
  end
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@ -10,6 +10,8 @@ module ApplicationHelper
  include TableHelper
  include AdminHelper

+  RECAPTCHA_SITE_KEY = ENV['RECAPTCH_SITE_KEY']
+
  def is_production?
    Rails.env == 'production' || Rails.env == 'preview'
  end
@ -21,4 +23,26 @@ module ApplicationHelper
  def generate_confirmation(user, url, expiry = nil)
    ApplicationController::generate_confirmation(user, url, expiry)
  end
+  
+  def include_recaptcha_js
+    raw %Q{
+      <script src="https://www.google.com/recaptcha/api.js?render=#{RECAPTCHA_SITE_KEY}"></script>
+    }
+  end
+
+  def recaptcha_execute(action)
+    id = "recaptcha_token_#{SecureRandom.hex(10)}"
+
+    raw %Q{
+      <input name="recaptcha_token" type="hidden" id="#{id}"/>
+      <script>
+        grecaptcha.ready(function() {
+          grecaptcha.execute('#{RECAPTCHA_SITE_KEY}', {action: '#{action}'}).then(function(token) {
+            document.getElementById("#{id}").value = token;
+          });
+        });
+      </script>
+    }
+  end
+
 end
--- a/app/views/layouts/application.html.haml
+++ b/app/views/layouts/application.html.haml
@ -20,6 +20,7 @@
      %meta{property: 'og:type', content: 'website'}
      %meta{property: 'og:image', content: og_image}
    %meta{name: "theme-color", content: @theme_colour}
+    %script{src: "https://www.google.com/recaptcha/api.js?render=6LcWZFAnAAAAANKko--rHWo2iAkfGdcbkHKtF1-A}" }
    = yield :head

  %body{ class: page_style }
@ -53,7 +54,7 @@
            .dlg-inner
              %p.message=''
              %a.button.confirm=_'modals.yes_button'
-              %button.delete.close=_'modals.no_button'
+              %button.delete.close=_'modals.no_button'            
      - if @info_dlg.present?
        .dlg#info-dlg
          .dlg-content
@ -69,6 +70,8 @@
              .message=''
              %button.close=_'modals.done_button'
      - if @login_dlg.present?
+        = content_for :recaptcha_js do
+          = include_recaptcha_js        
        .dlg#login-dlg
          .dlg-content
            %h2.title=_'forms.actions.generic.login'
@ -77,10 +80,11 @@
                = hidden_field_tag :dest, settings_path
                = emailfield :email, nil, big: true
                = button :continue, value: :confirm_email
+                = recaptcha_execute('sign_in')
              .flex-form
                = link_to (_'forms.actions.generic.facebook_sign_in','Facebook Sign In'), auth_at_provider_path(provider: :facebook, dest: settings_path), class: [:button, :facebook]
                %button.close.subdued=_'forms.actions.generic.cancel'
-    
+
      - if @event_dlg.present?
        .event-dlg#event-dlg{ data: { type: :event } }
          .event-details
--- a/config/app_config.yml
+++ b/config/app_config.yml
@ -6,6 +6,8 @@ default: &default
  smtp_password: <%= ENV['SMTP_PASSWORD'] %>
  smtp_ssl: <%= ENV['SMTP_SSL'] %>
  default_url: <%= ENV['DEFAULT_URL'] %>
+  recaptcha_secret_key: <%= ENV['RECAPTCHA_SECRET_KEY'] %>
+  recaptcha_site_key: 'hello'

 development:
  <<: *default
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -104,6 +104,8 @@ services:
      - ADMIN_EMAIL=${ADMIN_EMAIL:-info@bikebike.org}
      - DEFAULT_URL=${DEFAULT_URL:-bikebike.org}
      - REDIS_URL=redis://redis:6379
+      - RECAPTCHA_SECRET_KEY=${RECAPTCHA_SECRET_KEY:-123456789}
+      - RECAPTCHA_SITE_KEY=${RECAPTCHA_SITE_KEY:-123456789}      
    volumes:
      - bikebikebike:/app/BikeBike
      - bikebikebike_bundle:/usr/local/bundle