Implement new reCAPTCHA interface

Summary:
Fixes T12195. For the past few years, Recaptcha (now part of Google) has supported
a new, "no captcha" one-click user interface. This new UI is stable, doesn't
require any typing or reading words, and can even work without JavaScript (if
the administrator enables it on the Recaptcha side).

Furthermore, the new Recaptcha has a completely trivial API that can be dealt
with in a few lines of code. Thus, the external `recaptcha` php library is now
gone.

This API is a complete replacement for the old one, and does not require any
upgrade path for users or Phabricator administrators - public and secret keys
for the "new" Recaptcha UI are the exact same as the "classic" Recaptcha. Any
old Recaptcha keys for a domain will continue to work.

Note that Google is currently testing Yet Another new Captcha API, called
"Invisible reCAPTCHA", that will not require user interaction at all. In fact,
the user will not even be aware there //is even a captcha form//, as far as I
understand. However, this new API is 1) in beta, 2) requires new Recaptcha keys
(so it cannot be a drop-in replacement), and 3) requires more drastic API
changes, as form submission buttons must instead invoke JavaScript code, rather
than a token being passed along with the form submission. This would require far
more extensive changes to the controllers. Maybe when it's several years old, it
can be considered.

Signed-off-by: Austin Seipp <aseipp@pobox.com>

Test Plan:
Created a brand-new Phabricator installation, saw the new Captcha UI
on administrator sign up. Logged out, made 5 invalid login attempts, and saw the
new Captcha UI. Reworked the conditional to invert the condition, etc to test
and make sure the API responded properly.

Reviewers: epriestley, #blessed_reviewers, chad

Reviewed By: epriestley, #blessed_reviewers

Subscribers: avivey, Korvin

Maniphest Tasks: T12195

Differential Revision: https://secure.phabricator.com/D17304

Author: thoughtpolice

externals/recaptcha/LICENSE

@@ -23,6 +23,7 @@ public function getOptions() {
 
     return array(
       $this->newOption('recaptcha.enabled', 'bool', false)
+        ->setLocked(true)
         ->setBoolOptions(
           array(
             pht('Enable Recaptcha'),
@@ -35,6 +36,7 @@ public function getOptions() {
             'failed login attempts. This hinders brute-force attacks against '.
             'user passwords. For more information, see http://recaptcha.net/')),
       $this->newOption('recaptcha.public-key', 'string', null)
+        ->setLocked(true)
         ->setDescription(
           pht('Recaptcha public key, obtained by signing up for Recaptcha.')),
       $this->newOption('recaptcha.private-key', 'string', null)

externals/recaptcha/recaptchalib.php

@@ -1,10 +1,5 @@
 <?php
 
-/**
- *
- * @phutil-external-symbol function recaptcha_get_html
- * @phutil-external-symbol function recaptcha_check_answer
- */
 final class AphrontFormRecaptchaControl extends AphrontFormControl {
 
   protected function getCustomControlClass() {
@@ -19,44 +14,44 @@ public static function isRecaptchaEnabled() {
     return PhabricatorEnv::getEnvConfig('recaptcha.enabled');
   }
 
-  private static function requireLib() {
-    $root = phutil_get_library_root('phabricator');
-    require_once dirname($root).'/externals/recaptcha/recaptchalib.php';
-  }
-
   public static function hasCaptchaResponse(AphrontRequest $request) {
-    return $request->getBool('recaptcha_response_field');
+    return $request->getBool('g-recaptcha-response');
   }
 
   public static function processCaptcha(AphrontRequest $request) {
     if (!self::isRecaptchaEnabled()) {
       return true;
     }
 
-    self::requireLib();
+    $uri = 'https://www.google.com/recaptcha/api/siteverify';
+    $params = array(
+      'secret'   => PhabricatorEnv::getEnvConfig('recaptcha.private-key'),
+      'response' => $request->getStr('g-recaptcha-response'),
+      'remoteip' => $request->getRemoteAddress(),
+    );
 
-    $challenge = $request->getStr('recaptcha_challenge_field');
-    $response = $request->getStr('recaptcha_response_field');
-    $resp = recaptcha_check_answer(
-      PhabricatorEnv::getEnvConfig('recaptcha.private-key'),
-      $_SERVER['REMOTE_ADDR'],
-      $challenge,
-      $response);
+    list($body) = id(new HTTPSFuture($uri, $params))
+      ->setMethod('POST')
+      ->resolvex();
 
-    return (bool)@$resp->is_valid;
+    $json = phutil_json_decode($body);
+    return (bool)idx($json, 'success');
   }
 
   protected function renderInput() {
-    self::requireLib();
-
-    $uri = new PhutilURI(PhabricatorEnv::getEnvConfig('phabricator.base-uri'));
-    $protocol = $uri->getProtocol();
-    $use_ssl = ($protocol == 'https');
-
-    return phutil_safe_html(recaptcha_get_html(
-      PhabricatorEnv::getEnvConfig('recaptcha.public-key'),
-      $error = null,
-      $use_ssl));
+    $js = 'https://www.google.com/recaptcha/api.js';
+    $pubkey = PhabricatorEnv::getEnvConfig('recaptcha.public-key');
+
+    return array(
+      phutil_tag('div', array(
+        'class'        => 'g-recaptcha',
+        'data-sitekey' => $pubkey,
+      )),
+
+      phutil_tag('script', array(
+        'type' => 'text/javascript',
+        'src'  => $js,
+      )),
+    );
   }
-
 }