Add ability to set hCaptcha either on registration form or on e-mail validation
Upshot of CAPTCHA on e-mail validation is it does not need to break the in-band registration API.
This commit is contained in:
parent
a9269f8786
commit
0fb907441c
@ -1,12 +1,18 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
class Auth::ConfirmationsController < Devise::ConfirmationsController
|
||||
include CaptchaConcern
|
||||
|
||||
layout 'auth'
|
||||
|
||||
before_action :set_body_classes
|
||||
before_action :set_pack
|
||||
before_action :set_confirmation_user!, only: [:show, :confirm_captcha]
|
||||
before_action :require_unconfirmed!
|
||||
|
||||
before_action :extend_csp_for_captcha!, only: [:show, :confirm_captcha]
|
||||
before_action :require_captcha_if_needed!, only: [:show]
|
||||
|
||||
skip_before_action :require_functional!
|
||||
|
||||
def new
|
||||
@ -15,8 +21,52 @@ class Auth::ConfirmationsController < Devise::ConfirmationsController
|
||||
resource.email = current_user.unconfirmed_email || current_user.email if user_signed_in?
|
||||
end
|
||||
|
||||
def show
|
||||
clear_captcha!
|
||||
|
||||
old_session_values = session.to_hash
|
||||
reset_session
|
||||
session.update old_session_values.except('session_id')
|
||||
|
||||
super
|
||||
end
|
||||
|
||||
def confirm_captcha
|
||||
check_captcha! do |message|
|
||||
flash.now[:alert] = message
|
||||
render :captcha
|
||||
return
|
||||
end
|
||||
|
||||
show
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def require_captcha_if_needed!
|
||||
render :captcha if captcha_required?
|
||||
end
|
||||
|
||||
def set_confirmation_user!
|
||||
# We need to reimplement looking up the user because
|
||||
# Devise::ConfirmationsController#show looks up and confirms in one
|
||||
# step.
|
||||
confirmation_token = params[:confirmation_token]
|
||||
return if confirmation_token.nil?
|
||||
@confirmation_user = User.find_first_by_auth_conditions(confirmation_token: confirmation_token)
|
||||
end
|
||||
|
||||
def captcha_user_bypass?
|
||||
return true if @confirmation_user.nil? || @confirmation_user.confirmed?
|
||||
|
||||
invite = Invite.find(@confirmation_user.invite_id) if @confirmation_user.invite_id.present?
|
||||
invite.present? && !invite.max_uses.nil?
|
||||
end
|
||||
|
||||
def captcha_context
|
||||
'email-confirmation'
|
||||
end
|
||||
|
||||
def set_pack
|
||||
use_pack 'auth'
|
||||
end
|
||||
|
@ -15,17 +15,21 @@ module CaptchaConcern
|
||||
end
|
||||
|
||||
def captcha_enabled?
|
||||
captcha_available? && Setting.captcha_enabled
|
||||
captcha_available? && Setting.captcha_mode == captcha_context
|
||||
end
|
||||
|
||||
def captcha_recently_passed?
|
||||
session[:captcha_passed_at].present? && session[:captcha_passed_at] >= CAPTCHA_TIMEOUT.ago
|
||||
end
|
||||
|
||||
def captcha_user_bypass?
|
||||
current_user.present? || (@invite.present? && @invite.valid_for_use? && !@invite.max_uses.nil?)
|
||||
end
|
||||
|
||||
def captcha_required?
|
||||
return false if ENV['OMNIAUTH_ONLY'] == 'true'
|
||||
return false unless Setting.registrations_mode != 'none' || @invite&.valid_for_use?
|
||||
captcha_enabled? && !current_user && !(@invite.present? && @invite.valid_for_use? && !@invite.max_uses.nil?) && !captcha_recently_passed?
|
||||
captcha_enabled? && !captcha_user_bypass? && !captcha_recently_passed?
|
||||
end
|
||||
|
||||
def clear_captcha!
|
||||
@ -65,4 +69,8 @@ module CaptchaConcern
|
||||
|
||||
hcaptcha_tags
|
||||
end
|
||||
|
||||
def captcha_context
|
||||
'registration-form'
|
||||
end
|
||||
end
|
||||
|
@ -40,7 +40,7 @@ class Form::AdminSettings
|
||||
noindex
|
||||
outgoing_spoilers
|
||||
require_invite_text
|
||||
captcha_enabled
|
||||
captcha_mode
|
||||
).freeze
|
||||
|
||||
BOOLEAN_KEYS = %i(
|
||||
@ -59,7 +59,6 @@ class Form::AdminSettings
|
||||
trendable_by_default
|
||||
noindex
|
||||
require_invite_text
|
||||
captcha_enabled
|
||||
).freeze
|
||||
|
||||
UPLOAD_KEYS = %i(
|
||||
@ -83,6 +82,7 @@ class Form::AdminSettings
|
||||
validates :bootstrap_timeline_accounts, existing_username: { multiple: true }
|
||||
validates :show_domain_blocks, inclusion: { in: %w(disabled users all) }
|
||||
validates :show_domain_blocks_rationale, inclusion: { in: %w(disabled users all) }
|
||||
validates :captcha_mode, inclusion: { in: %w(disabled registration-form email-confirmation) }
|
||||
|
||||
def initialize(_attributes = {})
|
||||
super
|
||||
|
@ -116,6 +116,6 @@ class REST::InstanceSerializer < ActiveModel::Serializer
|
||||
end
|
||||
|
||||
def captcha_enabled?
|
||||
ENV['HCAPTCHA_SECRET_KEY'].present? && ENV['HCAPTCHA_SITE_KEY'].present? && Setting.captcha_enabled
|
||||
ENV['HCAPTCHA_SECRET_KEY'].present? && ENV['HCAPTCHA_SITE_KEY'].present? && Setting.captcha_mode == 'registration-form'
|
||||
end
|
||||
end
|
||||
|
@ -45,7 +45,7 @@
|
||||
|
||||
- if captcha_available?
|
||||
.fields-group
|
||||
= f.input :captcha_enabled, as: :boolean, wrapper: :with_label, label: t('admin.settings.captcha_enabled.title'), hint: t('admin.settings.captcha_enabled.desc_html')
|
||||
= f.input :captcha_mode, as: :radio_buttons, collection: %w(disabled registration-form email-confirmation), include_blank: false, wrapper: :with_block_label, label_method: ->(type) { safe_join([t("admin.settings.captcha.#{type}.title"), content_tag(:span, t("admin.settings.captcha.#{type}.desc_html"), class: 'hint')])}, label: t('admin.settings.captcha.title'), hint: t('admin.settings.captcha.desc_html')
|
||||
|
||||
%hr.spacer/
|
||||
|
||||
|
11
app/views/auth/confirmations/captcha.html.haml
Normal file
11
app/views/auth/confirmations/captcha.html.haml
Normal file
@ -0,0 +1,11 @@
|
||||
- content_for :page_title do
|
||||
= t('auth.confirm_captcha')
|
||||
|
||||
= form_tag auth_captcha_confirmation_url, method: 'POST', class: 'simple_form' do
|
||||
= hidden_field_tag :confirmation_token, params[:confirmation_token]
|
||||
|
||||
.field-group
|
||||
= render_captcha_if_needed
|
||||
|
||||
.actions
|
||||
%button.button= t('challenge.continue')
|
@ -2,9 +2,18 @@
|
||||
en:
|
||||
admin:
|
||||
settings:
|
||||
captcha_enabled:
|
||||
desc_html: Enable hCaptcha integration, requiring new users to solve a challenge when signing up. Note that this disables app-based registration, may prevent your instance from being listed as having open registrations, and requires third-party scripts from hCaptcha to be embedded in the registration pages. This may have security and privacy concerns.
|
||||
title: Require new users to go through a CAPTCHA to sign up
|
||||
captcha:
|
||||
desc_html: Configure hCaptcha integration, relying on third-party scripts. This may have security and privacy implications.
|
||||
email-confirmation:
|
||||
desc_html: Require new users to go through hCaptcha at the e-mail validation step. Bots will not be deterred from creating accounts, but they may be prevented from confirming them, leaving them to be automatically cleaned up after a couple days. This does not interfere with app-based registrations.
|
||||
title: CAPTCHA on email validation
|
||||
disabled:
|
||||
desc_html: Do not require a CAPTCHA
|
||||
title: Disabled
|
||||
registration-form:
|
||||
desc_html: Require new users to go through hCaptcha on the registration form, so that CAPTCHA requirement is immediately apparent to them. This disables app-based registrations and may prevent your instance from being listed as having open registrations.
|
||||
title: CAPTCHA on registration forms
|
||||
title: CAPTCHA configuration
|
||||
enable_keybase:
|
||||
desc_html: Allow your users to prove their identity via keybase
|
||||
title: Enable keybase integration
|
||||
@ -20,6 +29,8 @@ en:
|
||||
show_replies_in_public_timelines:
|
||||
desc_html: In addition to public self-replies (threads), show public replies in local and public timelines.
|
||||
title: Show replies in public timelines
|
||||
auth:
|
||||
confirm_captcha: User verification
|
||||
generic:
|
||||
use_this: Use this
|
||||
settings:
|
||||
|
@ -44,6 +44,7 @@ Rails.application.routes.draw do
|
||||
resource :setup, only: [:show, :update], controller: :setup
|
||||
resource :challenge, only: [:create], controller: :challenges
|
||||
get 'sessions/security_key_options', to: 'sessions#webauthn_options'
|
||||
post 'captcha_confirmation', to: 'confirmations#confirm_captcha', as: :captcha_confirmation
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -77,7 +77,7 @@ defaults: &defaults
|
||||
show_domain_blocks_rationale: 'disabled'
|
||||
outgoing_spoilers: ''
|
||||
require_invite_text: false
|
||||
captcha_enabled: false
|
||||
captcha_mode: 'disabled'
|
||||
|
||||
development:
|
||||
<<: *defaults
|
||||
|
Loading…
Reference in New Issue
Block a user