From 32b3904c399558bc1d7d43f06b2186526f73045e Mon Sep 17 00:00:00 2001
From: Jonathan Rosenbaum
Date: Tue, 25 Jul 2023 04:31:44 +0000
Subject: [PATCH] ReCaptcha v3 - almost working
---
 app/controllers/application_controller.rb | 13 ++++++++++++
 app/helpers/application_helper.rb | 24 +++++++++++++++++++++++
 app/views/layouts/application.html.haml | 8 ++++++--
 config/app_config.yml | 2 ++
 docker-compose.yml | 2 ++
 5 files changed, 47 insertions(+), 2 deletions(-)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index edb2a3b..dfa8961 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,3 +1,5 @@
+require 'net/https'
+
 class ApplicationController < BaseController
 protect_from_forgery with: :exception, except: [:do_confirm, :js_error, :admin_update]
@@ -6,6 +8,17 @@ class ApplicationController < BaseController
 helper_method :protect, :policies
+ RECAPTCHA_MINIMUM_SCORE = 0.5
+
+ def verify_recaptcha?(token, recaptcha_action)
+ recaptcha_secret_key = config.app_config['recaptcha_secret_key']
+
+ uri = URI.parse("https://www.google.com/recaptcha/api/siteverify?secret=#{recaptcha_secret_key}&response=#{token}")
+ response = Net::HTTP.get_response(uri)
+ json = JSON.parse(response.body)
+ json['success'] && json['score'] > RECAPTCHA_MINIMUM_SCORE && json['action'] == recaptcha_action
+ end
+
 def default_url_options
 { host: "#{request.protocol}#{request.host_with_port}", trailing_slash: true }
 end
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 563131d..fc99ae5 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -10,6 +10,8 @@ module ApplicationHelper
 include TableHelper
 include AdminHelper
+ RECAPTCHA_SITE_KEY = ENV['RECAPTCH_SITE_KEY']
+
 def is_production?
 Rails.env == 'production' || Rails.env == 'preview'
 end
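Review bot: `verify_recaptcha?` interpolates the user-supplied `token` and the secret directly into the query string of a GET, so neither value is URL-encoded and the secret travels in the request line where proxies and access logs record it; the siteverify endpoint accepts a form POST, which addresses both. The method also has no failure path: a non-JSON body, a missing or non-numeric `score`, a non-2xx status or a network timeout raises out of the login request instead of returning false, and the response's `hostname` field is never compared with the serving host even though that is what it is returned for. The rewrite below posts the form, checks the HTTP status, guards the score type and rescues the transport errors; the `request.host` comparison assumes the app serves one canonical host, which should be confirmed before relying on it.
```ruby
  def verify_recaptcha?(token, recaptcha_action)
    return false if token.blank?

    # Form POST: both values are encoded and the secret stays out of the request line and logs.
    uri = URI('https://www.google.com/recaptcha/api/siteverify')
    response = Net::HTTP.post_form(uri,
                                   'secret' => config.app_config['recaptcha_secret_key'],
                                   'response' => token.to_s)
    return false unless response.is_a?(Net::HTTPSuccess)

    json = JSON.parse(response.body)
    score = json['score']
    json['success'] == true &&
      json['action'] == recaptcha_action &&
      json['hostname'] == request.host && # confirm: assumes a single canonical host
      score.is_a?(Numeric) && score > RECAPTCHA_MINIMUM_SCORE
  rescue JSON::ParserError, SocketError, Timeout::Error, OpenSSL::SSL::SSLError, SystemCallError => e
    # Fail closed and leave a trace; the caller only needs a boolean.
    Rails.logger.warn("recaptcha verification failed: #{e.class}")
    false
  end
```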
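Review bot: `RECAPTCHA_SITE_KEY = ENV['RECAPTCH_SITE_KEY']` reads a misspelled variable (`RECAPTCH_`, no `A`), so the constant is always nil; docker-compose.yml in this same commit exports `RECAPTCHA_SITE_KEY`. The site key is also sourced three other ways here — a literal in app/views/layouts/application.html.haml, `'hello'` in config/app_config.yml and a `123456789` fallback in docker-compose.yml — so one source should win, e.g. `recaptcha_site_key: <%= ENV['RECAPTCHA_SITE_KEY'] %>` in app_config.yml next to the secret, read through the same `config.app_config` lookup the controller already uses (exposed to views with `helper_method` if needed). The site key is public, so this is a consistency defect rather than a leak, but as written the helper constant and the placeholder values cannot all be right at once.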
@@ -21,4 +23,26 @@ module ApplicationHelper def generate_confirmation(user, url, expiry = nil) ApplicationController::generate_confirmation(user, url, expiry) end + + def include_recaptcha_js + raw %Q{ + + } + end + + def recaptcha_execute(action) + id = "recaptcha_token_#{SecureRandom.hex(10)}" + + raw %Q{ + + + } + end + end diff --git a/app/views/layouts/application.html.haml b/app/views/layouts/application.html.haml index 21735a7..c47f9bb 100644 --- a/app/views/layouts/application.html.haml +++ b/app/views/layouts/application.html.haml @@ -20,6 +20,7 @@ %meta{property: 'og:type', content: 'website'} %meta{property: 'og:image', content: og_image} %meta{name: "theme-color", content: @theme_colour} + %script{src: "https://www.google.com/recaptcha/api.js?render=6LcWZFAnAAAAANKko--rHWo2iAkfGdcbkHKtF1-A}" } = yield :head %body{ class: page_style } @@ -53,7 +54,7 @@ .dlg-inner %p.message='' %a.button.confirm=_'modals.yes_button' - %button.delete.close=_'modals.no_button' + %button.delete.close=_'modals.no_button' - if @info_dlg.present? .dlg#info-dlg .dlg-content @@ -69,6 +70,8 @@ .message='' %button.close=_'modals.done_button' - if @login_dlg.present? + = content_for :recaptcha_js do + = include_recaptcha_js .dlg#login-dlg .dlg-content %h2.title=_'forms.actions.generic.login' @@ -77,10 +80,11 @@ = hidden_field_tag :dest, settings_path = emailfield :email, nil, big: true = button :continue, value: :confirm_email + = recaptcha_execute('sign_in') .flex-form = link_to (_'forms.actions.generic.facebook_sign_in','Facebook Sign In'), auth_at_provider_path(provider: :facebook, dest: settings_path), class: [:button, :facebook] %button.close.subdued=_'forms.actions.generic.cancel' - + - if @event_dlg.present? .event-dlg#event-dlg{ data: { type: :event } } .event-details diff --git a/config/app_config.yml b/config/app_config.yml index 3098fc1..737fefc 100644 --- a/config/app_config.yml +++ b/config/app_config.yml 
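Review bot: `recaptcha_execute` and `include_recaptcha_js` return `raw %Q{…}` markup, so whatever the template interpolates — `id` and, presumably, `action` — lands in the page unescaped; the script bodies were stripped from this page, so I cannot see exactly what they contain. `id` is built from `SecureRandom.hex(10)` and is safe to embed, but `action` should pass through `j` (`escape_javascript`), or the tag should be produced with `javascript_tag`, so a later caller passing non-literal input cannot break out of the script. Only the `raw` calls and the `id` assignment are visible here; the rest is inferred from the method shape.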
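Review bot: The `%script` `src` string in the first application.html.haml hunk has a stray `}` inside the quotes (`…F1-A}"`), so the rendered URL carries that character at the end of the `render` value; the closing brace belongs outside the string, `%script{src: "https://www.google.com/recaptcha/api.js?render=#{RECAPTCHA_SITE_KEY}"}` once the helper constant reads the correctly named variable. Hard-coding the key in the layout is also what the helper constant and config additions in this commit appear meant to replace, so the literal should go when they agree on one source.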
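Review bot: `= content_for :recaptcha_js do` / `= include_recaptcha_js` stores the script under the `:recaptcha_js` block, but no `yield :recaptcha_js` appears anywhere in this diff — the layout only yields `:head`, and that line sits above this block — so unless the yield already exists outside the hunks, the script is never emitted and `recaptcha_execute('sign_in')` in the next hunk has nothing to call. If it is meant for this layout, `= yield :recaptcha_js` belongs later in `%body`, after this block; if the yield lives elsewhere, a short comment naming where would save the next reader the search.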
@@ -6,6 +6,8 @@ default: &default
 smtp_password: <%= ENV['SMTP_PASSWORD'] %>
 smtp_ssl: <%= ENV['SMTP_SSL'] %>
 default_url: <%= ENV['DEFAULT_URL'] %>
+ recaptcha_secret_key: <%= ENV['RECAPTCHA_SECRET_KEY'] %>
+ recaptcha_site_key: 'hello'
 development:
 <<: *default
diff --git a/docker-compose.yml b/docker-compose.yml
index 7907e08..bd0326d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -104,6 +104,8 @@ services:
 - ADMIN_EMAIL=${ADMIN_EMAIL:-info@bikebike.org}
 - DEFAULT_URL=${DEFAULT_URL:-bikebike.org}
 - REDIS_URL=redis://redis:6379
+ - RECAPTCHA_SECRET_KEY=${RECAPTCHA_SECRET_KEY:-123456789}
+ - RECAPTCHA_SITE_KEY=${RECAPTCHA_SITE_KEY:-123456789}
 volumes:
 - bikebikebike:/app/BikeBike
 - bikebikebike_bundle:/usr/local/bundle
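Review bot: `RECAPTCHA_SECRET_KEY=${RECAPTCHA_SECRET_KEY:-123456789}` gives the secret a built-in fallback, so a deployment that forgets to set it starts cleanly and every login then fails verification with nothing in the startup output to explain why. A secret should have no default: `- RECAPTCHA_SECRET_KEY=${RECAPTCHA_SECRET_KEY:?RECAPTCHA_SECRET_KEY must be set}` makes Compose refuse to start instead. The site-key line is not secret, but its `123456789` placeholder is equally unusable and should follow the same rule, and the `'hello'` value in the config/app_config.yml hunk above is the same placeholder problem in a third place.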