[Login] Enable optional reCAPTCHA on Request Account page #6344
Conversation
johnsaigle
added
Feature
| $this->tpl_data['captcha_key'] = \NDB_Factory::singleton() | ||
| ->config() | ||
| ->getSetting('reCAPTCHAPublic'); | ||
| $this->tpl_data['nonce'] = base64_encode(openssl_random_pseudo_bytes(16)); |
There was a problem hiding this comment.
This is required as a security measure to avoid making our Content Security Policy weaker. Detailed discussion here. google/recaptcha#107
| $_SERVER['REMOTE_ADDR'] | ||
| ); | ||
| $success = $resp->isSuccess(); | ||
| // FIXME This leverages the error handling for the "site" text field. |
There was a problem hiding this comment.
I couldn't figure out how to get an error code to show up under the reCAPTCHA part so this is a bit hack-y but is functioning. I'm open to suggestions
There was a problem hiding this comment.
@johnsaigle maybe $resp returns null if error? I'm wondering what happens when an error is thrown.
There was a problem hiding this comment.
Oh sorry I didn't add the new file to Git. 😅
| @@ -211,18 +242,6 @@ class RequestAccount extends \NDB_Form | |||
| } | |||
| } | |||
|
|
|||
| // Verify reCAPTCHA | |||
There was a problem hiding this comment.
This is moved to _validate instead of _process. It doesn't make sense to insert a user into the DB if they failed the reCAPTCHA.
| <b class="text-danger">{$error_message['captcha']}</b> | ||
| </span> | ||
| </div> | ||
| <script src="https://www.google.com/recaptcha/api.js?render={$captcha_key}&onload=onloadCallback nonce={$nonce}"></script> |
There was a problem hiding this comment.
This should probably be refactored in a more generic way so that we can use reCAPTCHA in other places if we want to. That may be out of scope for now, plus I'm not really sure the best approach. Open for suggestions.
There was a problem hiding this comment.
I'm guessing a new react component will be made. 🙂
| 3. Verify that verification code is enforced (if and only if re-captcha has been activated by the project) | ||
| 4. Verify that new verification code loads on every refresh of the page |
There was a problem hiding this comment.
This refers to a very very old custom captcha that we deleted because it was insecure. #3645
|
Hey @johnsaigle, I'll be happy to test this PR and I see it's set as work in progress. Let me know when I should manually test it. |
|
You can manually test it now. Thanks! It's in draft mode only because I have a couple of hacks in the code that could be done better. It's totally functional. |
|
@johnsaigle probably good to update somewhere that we're using v3 of reCAPTCHA. |
|
@johnsaigle frontend is giving me this output in console: |
Did you do this step? You need to change the CSP. I described how in the wiki document in this PR. Also this is using v2, not v3. I couldn't get v3 to work. This is mentioned in that document as well. |
johnsaigle
added
the
Needs Code Formatting
|
@johnsaigle I'm not seeing the wiki readme. I was using a v3 key so I'll need to fix that as well. |
| corresponding values from your Google reCAPTCHA admin account. | ||
| This can also be configured via the Configuration module by modifying the values found in the "API Keys" heading. | ||
|
|
||
| * `CSPAdditionalHeaders` should include "frame-src www.google.com;" in order |
There was a problem hiding this comment.
@maltheism These are the instructions you need. Sorry for the confusion
There was a problem hiding this comment.
@johnsaigle maybe not for this PR but I'm a little confused why the way of going about this is by editing the database to include frame-src www.google.com;. I almost think there should just be a check in the code to see if reCAPTCHAPRIVATE has been added to the config.xml or admin configuration and if so add the frame-src www.google.com; to the content security policy. I would think that would be best for having it be hands free for users.
There was a problem hiding this comment.
Yeah that would probably be a good enhancement.
maltheism
added
the
Passed Manual Tests
|
Passed manual testing for me. |
johnsaigle
removed
the
Needs Code Formatting
Co-Authored-By: Dave MacFarlane <driusan@gmail.com>
mkdocs.yml
Outdated
| @@ -32,4 +32,5 @@ nav: | |||
| - 'SQL Dictionary': 'wiki/99 - Developers/SQL Dictionary.md' | |||
| - 'Automated Testing': 'wiki/99 - Developers/Automated Testing.md' | |||
| - 'Style Guide (for help text)': 'HelpStyleGuide.md' | |||
| - 'Enabling reCAPTCHA': 'wiki/99 - Developers/reCAPTCHA.md' | |||
There was a problem hiding this comment.
Why is this in the developers section? Shouldn't it be in the installation and configuration section? It's more for prod than devs..
Co-Authored-By: Dave MacFarlane <driusan@gmail.com>
Adds a reCAPTCHA validation feature to the existing request account page. reCAPTCHA is only active when a private key has been configured on the server. Otherwise it will be ignored.
Adds a reCAPTCHA validation feature to the existing request account page. reCAPTCHA is only active when a private key has been configured on the server. Otherwise it will be ignored.
Brief summary of changes
Adds a reCAPTCHA validation feature to the existing request account page.
reCAPTCHA is only active when a private key has been configured on the server. Otherwise it will be ignored.
This will probably need to be reworked alongside #5828 in the future.
Testing instructions (if applicable)
Link(s) to related issue(s)