Merge pull request #572 from Ilhasoft/hotfix/add-recaptcha

Hotfix/add recaptcha
weni-ai · Apr 27, 2021 · 9dc3946 · 9dc3946
2 parents f0bcbc1 + 7c44512
commit 9dc3946
Show file tree

Hide file tree

Showing 10 changed files with 443 additions and 296 deletions.
diff --git a/Pipfile b/Pipfile
@@ -27,12 +27,12 @@ python-slugify = "~=4.0.0"
 openpyxl = "~=3.0.3"
 pillow = "~=7.1.2"
 kombu = "~=4.6.7"
-importlib-metadata = "~=1.6.1"
 psycopg2-binary = "~=2.7.7"
 matplot = "~=0.1.9"
 django-redis = "~=4.12.1"
 elastic-apm = "~=5.9.0"
 mozilla-django-oidc = "~=1.2.4"
+djangorestframework-recaptcha = "~=0.2.0"
 
 [dev-packages]
 "flake8" = "*"

diff --git a/Pipfile.lock b/Pipfile.lock
diff --git a/README.md b/README.md
@@ -151,6 +151,7 @@ You can set environment variables in your OS, write on ```.env``` file or pass v
 | OIDC_OP_JWKS_ENDPOINT | ```string``` | ```None``` | URL of your OpenID Connect provider JWKS endpoint.
 | OIDC_RP_SIGN_ALGO | ```string``` | ```RS256``` | Sets the algorithm the IdP uses to sign ID tokens.
 | OIDC_DRF_AUTH_BACKEND | ```string``` | ```bothub.authentication.authorization.WeniOIDCAuthenticationBackend``` | Define the authentication middleware for the django rest framework.
+| RECAPTCHA_SECRET_KEY | ```string``` | ```''``` | Token of the recaptcha used in the validation of a user's registration.
 
 
 ## Roadmap

diff --git a/bothub/api/v2/account/serializers.py b/bothub/api/v2/account/serializers.py
@@ -4,6 +4,7 @@
 from rest_framework.authtoken.serializers import AuthTokenSerializer
 from rest_framework import serializers
 from rest_framework.exceptions import ValidationError
+from rest_framework_recaptcha.fields import ReCaptchaField
 
 from bothub.authentication.models import User, RepositoryOwner
 from ..fields import PasswordField, TextField
@@ -20,13 +21,18 @@ class Meta:
 
 
 class RegisterUserSerializer(serializers.ModelSerializer):
+    recaptcha = ReCaptchaField()
     password = PasswordField(
         write_only=True, validators=[validate_password], label=_("Password")
     )
 
+    def create(self, validated_data):
+        validated_data.pop("recaptcha")
+        return super().create(validated_data)
+
     class Meta:
         model = User
-        fields = ["email", "name", "nickname", "password"]
+        fields = ["email", "name", "nickname", "password", "recaptcha"]
         ref_name = None
 
     @staticmethod

diff --git a/bothub/api/v2/tests/test_account.py b/bothub/api/v2/tests/test_account.py
@@ -1,8 +1,9 @@
 import json
 
 from django.test import RequestFactory
-from django.test import TestCase
+from django.test import TestCase, override_settings
 from django.test.client import MULTIPART_CONTENT
+from django.utils.translation import ugettext_lazy as _
 from rest_framework import status
 
 from bothub.authentication.models import User
@@ -61,16 +62,37 @@ def request(self, data):
         content_data = json.loads(response.content)
         return (response, content_data)
 
+    @override_settings(DRF_RECAPTCHA_SECRET_KEY="6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe")
     def test_okay(self):
         email = "fake@user.com"
         password = "abc!1234"
-        response, content_data = self.request(
-            {"email": email, "name": "Fake", "nickname": "fake", "password": password}
-        )
+
+        response, content_data = self.request({
+            "email": email, "name": "Fake", "nickname": "fake",
+            "password": password, "recaptcha": "RECAPTCHA-TOKEN"
+        })
         self.assertEqual(response.status_code, status.HTTP_201_CREATED)
         user = User.objects.get(email=email)
         self.assertTrue(user.check_password(password))
 
+    def test_invalid_recaptcha(self):
+        email = "fake@user.com"
+        password = "abc!1234"
+        response, content_data = self.request(
+            {"email": email, "name": "Fake", "nickname": "fake", "password": password}
+        )
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertIn("recaptcha", content_data.keys())
+
+        response, content_data = self.request({
+            "email": email, "name": "Fake", "nickname": "fake",
+            "password": password, "recaptcha": "WRONG-RECAPTCHA-TOKEN"
+        })
+
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertIn("recaptcha", content_data.keys())
+        self.assertIn(_("The response parameter is invalid or malformed."), content_data.get("recaptcha"))
+
     def test_invalid_password(self):
         response, content_data = self.request(
             {

diff --git a/bothub/api/v2/tests/test_nlp.py b/bothub/api/v2/tests/test_nlp.py
@@ -197,4 +197,4 @@ def test_ok(self):
 
     def test_not_auth(self):
         response, content_data = self.request(str(uuid.uuid4()))
-        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
diff --git a/bothub/locale/pt_BR/LC_MESSAGES/django.mo b/bothub/locale/pt_BR/LC_MESSAGES/django.mo
diff --git a/bothub/locale/pt_BR/LC_MESSAGES/django.po b/bothub/locale/pt_BR/LC_MESSAGES/django.po
@@ -57,6 +57,30 @@ msgstr "Token"
 msgid "Invalid token for this user"
 msgstr "Token inválido para esse usuário"
 
+#: bothub/api/v2/account/serializers.py:24
+msgid "The request is invalid or malformed."
+msgstr "A solicitação está inválida ou malformada."
+
+#: bothub/api/v2/account/serializers.py:24
+msgid "The response parameter is invalid or malformed."
+msgstr "O parâmetro response está inválido ou malformado."
+
+#: bothub/api/v2/account/serializers.py:24
+msgid "The secret parameter is invalid or malformed."
+msgstr "O parâmetro secret está inválido ou malformado."
+
+#: bothub/api/v2/account/serializers.py:24
+msgid "The response parameter is missing."
+msgstr "O parâmetro response precisa ser enviado."
+
+#: bothub/api/v2/account/serializers.py:24
+msgid "The secret parameter is missing."
+msgstr "O parâmetro secret precisa ser enviado."
+
+#: bothub/api/v2/account/serializers.py:24
+msgid "The response parameter has timed out or has already been used."
+msgstr "O parâmetro de resposta expirou ou já foi usado."
+
 #: bothub/api/v2/evaluate/filters.py:24 bothub/api/v2/evaluate/filters.py:98
 #: bothub/api/v2/evaluate/filters.py:151 bothub/api/v2/examples/filters.py:22
 #: bothub/api/v2/repository/filters.py:39

diff --git a/bothub/settings.py b/bothub/settings.py
@@ -101,6 +101,7 @@
     "django.contrib.postgres",
     "rest_framework",
     "rest_framework.authtoken",
+    "rest_framework_recaptcha",
     "drf_yasg2",
     "django_filters",
     "corsheaders",
@@ -162,6 +163,9 @@
 
 AUTH_USER_MODEL = "authentication.User"
 
+DRF_RECAPTCHA_SECRET_KEY = env.str("RECAPTCHA_SECRET_KEY", default="")
+
+DRF_RECAPTCHA_VERIFY_ENDPOINT = "https://www.google.com/recaptcha/api/siteverify"
 
 # Password validation
 

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -57,6 +57,7 @@ services:
       - BOTHUB_ENGINE_AWS_REGION_NAME=${BOTHUB_ENGINE_AWS_REGION_NAME}
       - BOTHUB_ENGINE_CELERY_BROKER_URL=${BOTHUB_ENGINE_CELERY_BROKER_URL:-redis://bothub-engine-celery-redis:6379/0}
       - BOTHUB_ENGINE_CELERY_BACKEND_URL=${BOTHUB_ENGINE_CELERY_BACKEND_URL:-redis://bothub-engine-celery-redis:6379/0}
+      - RECAPTCHA_SECRET_KEY=${RECAPTCHA_SECRET_KEY}
   celery:
     build:
       context: .