mirror of
https://github.com/go-gitea/gitea
synced 2025-07-23 02:38:35 +00:00
Consume hcaptcha and pwn deps (#22610)
This PR just consumes the [hcaptcha](https://gitea.com/jolheiser/hcaptcha) and [haveibeenpwned](https://gitea.com/jolheiser/pwn) modules directly into Gitea. Also let this serve as a notice that I'm fine with transferring my license (which was already MIT) from my own name to "The Gitea Authors". Signed-off-by: jolheiser <john.olheiser@gmail.com>
This commit is contained in:
47
modules/hcaptcha/error.go
Normal file
47
modules/hcaptcha/error.go
Normal file
@@ -0,0 +1,47 @@
|
||||
// Copyright 2023 The Gitea Authors. All rights reserved.
|
||||
// SPDX-License-Identifier: MIT
|
||||
|
||||
package hcaptcha
|
||||
|
||||
const (
|
||||
ErrMissingInputSecret ErrorCode = "missing-input-secret"
|
||||
ErrInvalidInputSecret ErrorCode = "invalid-input-secret"
|
||||
ErrMissingInputResponse ErrorCode = "missing-input-response"
|
||||
ErrInvalidInputResponse ErrorCode = "invalid-input-response"
|
||||
ErrBadRequest ErrorCode = "bad-request"
|
||||
ErrInvalidOrAlreadySeenResponse ErrorCode = "invalid-or-already-seen-response"
|
||||
ErrNotUsingDummyPasscode ErrorCode = "not-using-dummy-passcode"
|
||||
ErrSitekeySecretMismatch ErrorCode = "sitekey-secret-mismatch"
|
||||
)
|
||||
|
||||
// ErrorCode is any possible error from hCaptcha
|
||||
type ErrorCode string
|
||||
|
||||
// String fulfills the Stringer interface
|
||||
func (err ErrorCode) String() string {
|
||||
switch err {
|
||||
case ErrMissingInputSecret:
|
||||
return "Your secret key is missing."
|
||||
case ErrInvalidInputSecret:
|
||||
return "Your secret key is invalid or malformed."
|
||||
case ErrMissingInputResponse:
|
||||
return "The response parameter (verification token) is missing."
|
||||
case ErrInvalidInputResponse:
|
||||
return "The response parameter (verification token) is invalid or malformed."
|
||||
case ErrBadRequest:
|
||||
return "The request is invalid or malformed."
|
||||
case ErrInvalidOrAlreadySeenResponse:
|
||||
return "The response parameter has already been checked, or has another issue."
|
||||
case ErrNotUsingDummyPasscode:
|
||||
return "You have used a testing sitekey but have not used its matching secret."
|
||||
case ErrSitekeySecretMismatch:
|
||||
return "The sitekey is not registered with the provided secret."
|
||||
default:
|
||||
return ""
|
||||
}
|
||||
}
|
||||
|
||||
// Error fulfills the error interface
|
||||
func (err ErrorCode) Error() string {
|
||||
return err.String()
|
||||
}
|
@@ -5,20 +5,127 @@ package hcaptcha
|
||||
|
||||
import (
|
||||
"context"
|
||||
"io"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"strings"
|
||||
|
||||
"code.gitea.io/gitea/modules/json"
|
||||
"code.gitea.io/gitea/modules/setting"
|
||||
|
||||
"go.jolheiser.com/hcaptcha"
|
||||
)
|
||||
|
||||
const verifyURL = "https://hcaptcha.com/siteverify"
|
||||
|
||||
// Client is an hCaptcha client
|
||||
type Client struct {
|
||||
ctx context.Context
|
||||
http *http.Client
|
||||
|
||||
secret string
|
||||
}
|
||||
|
||||
// PostOptions are optional post form values
|
||||
type PostOptions struct {
|
||||
RemoteIP string
|
||||
Sitekey string
|
||||
}
|
||||
|
||||
// ClientOption is a func to modify a new Client
|
||||
type ClientOption func(*Client)
|
||||
|
||||
// WithHTTP sets the http.Client of a Client
|
||||
func WithHTTP(httpClient *http.Client) func(*Client) {
|
||||
return func(hClient *Client) {
|
||||
hClient.http = httpClient
|
||||
}
|
||||
}
|
||||
|
||||
// WithContext sets the context.Context of a Client
|
||||
func WithContext(ctx context.Context) func(*Client) {
|
||||
return func(hClient *Client) {
|
||||
hClient.ctx = ctx
|
||||
}
|
||||
}
|
||||
|
||||
// New returns a new hCaptcha Client
|
||||
func New(secret string, options ...ClientOption) (*Client, error) {
|
||||
if strings.TrimSpace(secret) == "" {
|
||||
return nil, ErrMissingInputSecret
|
||||
}
|
||||
|
||||
client := &Client{
|
||||
ctx: context.Background(),
|
||||
http: http.DefaultClient,
|
||||
secret: secret,
|
||||
}
|
||||
|
||||
for _, opt := range options {
|
||||
opt(client)
|
||||
}
|
||||
|
||||
return client, nil
|
||||
}
|
||||
|
||||
// Response is an hCaptcha response
|
||||
type Response struct {
|
||||
Success bool `json:"success"`
|
||||
ChallengeTS string `json:"challenge_ts"`
|
||||
Hostname string `json:"hostname"`
|
||||
Credit bool `json:"credit,omitempty"`
|
||||
ErrorCodes []ErrorCode `json:"error-codes"`
|
||||
}
|
||||
|
||||
// Verify checks the response against the hCaptcha API
|
||||
func (c *Client) Verify(token string, opts PostOptions) (*Response, error) {
|
||||
if strings.TrimSpace(token) == "" {
|
||||
return nil, ErrMissingInputResponse
|
||||
}
|
||||
|
||||
post := url.Values{
|
||||
"secret": []string{c.secret},
|
||||
"response": []string{token},
|
||||
}
|
||||
if strings.TrimSpace(opts.RemoteIP) != "" {
|
||||
post.Add("remoteip", opts.RemoteIP)
|
||||
}
|
||||
if strings.TrimSpace(opts.Sitekey) != "" {
|
||||
post.Add("sitekey", opts.Sitekey)
|
||||
}
|
||||
|
||||
// Basically a copy of http.PostForm, but with a context
|
||||
req, err := http.NewRequestWithContext(c.ctx, http.MethodPost, verifyURL, strings.NewReader(post.Encode()))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
||||
|
||||
resp, err := c.http.Do(req)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
body, err := io.ReadAll(resp.Body)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
|
||||
var response *Response
|
||||
if err := json.Unmarshal(body, &response); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return response, nil
|
||||
}
|
||||
|
||||
// Verify calls hCaptcha API to verify token
|
||||
func Verify(ctx context.Context, response string) (bool, error) {
|
||||
client, err := hcaptcha.New(setting.Service.HcaptchaSecret, hcaptcha.WithContext(ctx))
|
||||
client, err := New(setting.Service.HcaptchaSecret, WithContext(ctx))
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
|
||||
resp, err := client.Verify(response, hcaptcha.PostOptions{
|
||||
resp, err := client.Verify(response, PostOptions{
|
||||
Sitekey: setting.Service.HcaptchaSitekey,
|
||||
})
|
||||
if err != nil {
|
||||
|
106
modules/hcaptcha/hcaptcha_test.go
Normal file
106
modules/hcaptcha/hcaptcha_test.go
Normal file
@@ -0,0 +1,106 @@
|
||||
// Copyright 2023 The Gitea Authors. All rights reserved.
|
||||
// SPDX-License-Identifier: MIT
|
||||
|
||||
package hcaptcha
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
"os"
|
||||
"strings"
|
||||
"testing"
|
||||
"time"
|
||||
)
|
||||
|
||||
const (
|
||||
dummySiteKey = "10000000-ffff-ffff-ffff-000000000001"
|
||||
dummySecret = "0x0000000000000000000000000000000000000000"
|
||||
dummyToken = "10000000-aaaa-bbbb-cccc-000000000001"
|
||||
)
|
||||
|
||||
func TestMain(m *testing.M) {
|
||||
os.Exit(m.Run())
|
||||
}
|
||||
|
||||
func TestCaptcha(t *testing.T) {
|
||||
tt := []struct {
|
||||
Name string
|
||||
Secret string
|
||||
Token string
|
||||
Error ErrorCode
|
||||
}{
|
||||
{
|
||||
Name: "Success",
|
||||
Secret: dummySecret,
|
||||
Token: dummyToken,
|
||||
},
|
||||
{
|
||||
Name: "Missing Secret",
|
||||
Token: dummyToken,
|
||||
Error: ErrMissingInputSecret,
|
||||
},
|
||||
{
|
||||
Name: "Missing Token",
|
||||
Secret: dummySecret,
|
||||
Error: ErrMissingInputResponse,
|
||||
},
|
||||
{
|
||||
Name: "Invalid Token",
|
||||
Secret: dummySecret,
|
||||
Token: "test",
|
||||
Error: ErrInvalidInputResponse,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tc := range tt {
|
||||
t.Run(tc.Name, func(t *testing.T) {
|
||||
client, err := New(tc.Secret, WithHTTP(&http.Client{
|
||||
Timeout: time.Second * 5,
|
||||
}))
|
||||
if err != nil {
|
||||
// The only error that can be returned from creating a client
|
||||
if tc.Error == ErrMissingInputSecret && err == ErrMissingInputSecret {
|
||||
return
|
||||
}
|
||||
t.Log(err)
|
||||
t.FailNow()
|
||||
}
|
||||
|
||||
resp, err := client.Verify(tc.Token, PostOptions{
|
||||
Sitekey: dummySiteKey,
|
||||
})
|
||||
if err != nil {
|
||||
// The only error that can be returned prior to the request
|
||||
if tc.Error == ErrMissingInputResponse && err == ErrMissingInputResponse {
|
||||
return
|
||||
}
|
||||
t.Log(err)
|
||||
t.FailNow()
|
||||
}
|
||||
|
||||
if tc.Error.String() != "" {
|
||||
if resp.Success {
|
||||
t.Log("Verification should fail.")
|
||||
t.Fail()
|
||||
}
|
||||
if len(resp.ErrorCodes) == 0 {
|
||||
t.Log("hCaptcha should have returned an error.")
|
||||
t.Fail()
|
||||
}
|
||||
var hasErr bool
|
||||
for _, err := range resp.ErrorCodes {
|
||||
if strings.EqualFold(err.String(), tc.Error.String()) {
|
||||
hasErr = true
|
||||
break
|
||||
}
|
||||
}
|
||||
if !hasErr {
|
||||
t.Log("hCaptcha did not return the error being tested")
|
||||
t.Fail()
|
||||
}
|
||||
} else if !resp.Success {
|
||||
t.Log("Verification should succeed.")
|
||||
t.Fail()
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
Reference in New Issue
Block a user