[fixmystreet.com] Add option for recaptcha.

CHANGELOG.md

@@ -12,6 +12,9 @@
         - `#geolocate_link` is now easier to re-style. #3006
         - Links inside `#front-main` can be customised using `$primary_link_*` Sass variables. #3007
         - Add option to show front end testing code coverage. #3036
+        - Add function to fetch user's country from Gaze.
+    - UK:
+        - Add option for recaptcha. #3050
 
 * v3.0.1 (6th May 2020)
     - New features:

perllib/FixMyStreet/App.pm

@@ -536,6 +536,11 @@ sub check_2fa {
     return 0;
 }
 
+sub user_country {
+    my $c = shift;
+    return FixMyStreet::Gaze::get_country_from_ip($c->req->address);
+}
+
 =head1 SEE ALSO
 
 L<FixMyStreet::App::Controller::Root>, L<Catalyst>

perllib/FixMyStreet/App/Controller/Auth.pm

@@ -448,6 +448,9 @@ sub check_csrf_token : Private {
         unless $time
             && $time > time() - 3600
             && $token eq $gen_token;
+
+    # Also check recaptcha if needed
+    $c->cobrand->call_hook('check_recaptcha');
 }
 
 sub no_csrf_token : Private {

perllib/FixMyStreet/Cobrand/UK.pm

@@ -3,6 +3,7 @@ use base 'FixMyStreet::Cobrand::Default';
 use strict;
 
 use JSON::MaybeXS;
+use LWP::UserAgent;
 use mySociety::MaPit;
 use mySociety::VotingArea;
 use Utils;
@@ -422,4 +423,36 @@ sub report_new_munge_before_insert {
     }
 }
 
+# To use recaptcha, add a RECAPTCHA key to your config, with subkeys secret and
+# site_key, taken from the recaptcha site. This shows it to non-UK IP addresses
+# on alert and report pages.
+
+sub requires_recaptcha {
+    my $self = shift;
+    my $c = $self->{c};
+
+    return 0 if $c->user_exists;
+    return 0 if !FixMyStreet->config('RECAPTCHA');
+    return 0 if $c->user_country eq 'GB';
+    return 0 unless $c->action =~ /^(alert|report)/;
+    return 1;
+}
+
+sub check_recaptcha {
+    my $self = shift;
+    my $c = $self->{c};
+
+    return unless $self->requires_recaptcha;
+
+    my $url = 'https://www.google.com/recaptcha/api/siteverify';
+    my $res = LWP::UserAgent->new->post($url, {
+        secret => FixMyStreet->config('RECAPTCHA')->{secret},
+        response => $c->get_param('g-recaptcha-response'),
+        remoteip => $c->req->address,
+    });
+    $res = decode_json($res->content);
+    $c->detach('/page_error_400_bad_request', ['Bad recaptcha'])
+        unless $res->{success};
+}
+
 1;

perllib/FixMyStreet/Gaze.pm

@@ -3,6 +3,7 @@ package FixMyStreet::Gaze;
 use strict;
 use warnings;
 
+use FixMyStreet;
 use mySociety::Gaze;
 
 sub get_radius_containing_population ($$) {
@@ -24,4 +25,11 @@ sub get_radius_containing_population ($$) {
     return $dist;
 }
 
+sub get_country_from_ip {
+    my ($ip) = @_;
+    return 'GB' if FixMyStreet->test_mode;
+    # uncoverable statement
+    return mySociety::Gaze::get_country_from_ip($ip);
+}
+
 1;

t/app/controller/alert.t

@@ -1,6 +1,7 @@
 use FixMyStreet::TestMech;
 my $mech = FixMyStreet::TestMech->new;
 
+use Test::MockModule;
 use t::Mock::Nominatim;
 
 # check that we can get the page
@@ -73,4 +74,25 @@ FixMyStreet::override_config {
     is $mech->uri->path, '/rss/reports/Cheltenham/Lansdown';
 };
 
+FixMyStreet::override_config {
+    ALLOWED_COBRANDS => 'fixmystreet',
+    MAPIT_URL => 'http://mapit.uk/',
+    GEOCODER => '',
+    RECAPTCHA => { secret => 'secret', site_key => 'site_key' },
+}, sub {
+    subtest 'recaptcha' => sub {
+        $mech->get_ok('/alert/list?pc=EH11BB');
+        $mech->content_lacks('g-recaptcha'); # GB is default test country
+
+        my $mod_app = Test::MockModule->new('FixMyStreet::App');
+        $mod_app->mock('user_country', sub { 'FR' });
+        my $mod_lwp = Test::MockModule->new('LWP::UserAgent');
+        $mod_lwp->mock('post', sub { HTTP::Response->new(200, 'OK', [], '{ "success": true }') });
+
+        $mech->get_ok('/alert/list?pc=EH11BB');
+        $mech->content_contains('g-recaptcha');
+        $mech->submit_form_ok({ with_fields => { rznvy => 'someone@example.org' } });
+    };
+};
+
 done_testing();

templates/web/base/alert/_list.html

@@ -62,6 +62,7 @@ <h3>[% loc('Reports by destination') %]</h3>
     </div>
   [% END %]
 
+  [% PROCESS 'auth/form_extra.html' %]
 
   <div class="alerts__cta-box">
     <h3>[% loc('Subscribe by email') %]</h3>

templates/web/base/alert/updates.html

@@ -15,6 +15,8 @@
 </p>
 
 <form action="/alert/subscribe" method="post">
+    [% PROCESS 'auth/form_extra.html' %]
+
     <fieldset>
       [% IF c.user_exists %]
         [% IF c.user.has_permission_to("contribute_as_another_user", problem.bodies_str_ids) %]

templates/web/base/report/display_tools.html

@@ -44,6 +44,7 @@
             <img src="/i/feed.png" width="16" height="16" title="[% loc('RSS feed') %]" alt="[% loc('RSS feed of updates to this problem' ) %]" border="0">
         </a>
         [% loc('Receive email when updates are left on this problem.' ) %]</p>
+        [% PROCESS 'auth/form_extra.html' %]
         <fieldset>
       [% IF c.user_exists %]
           [% IF permissions.contribute_as_another_user %]

templates/web/base/report/form/user_loggedout_by_email.html

@@ -62,6 +62,8 @@
 
     <input class="form-control js-password-validate" type="password" name="password_register" id="password_register" aria-describedby="password_register_hint" value="">
 
+    [% PROCESS 'auth/form_extra.html' %]
+
     <input class="btn btn--primary btn--block btn--final js-submit_register" type="submit" name="submit_register" value="[% loc('Submit') %]">
 
 </div>

templates/web/fixmystreet.com/auth/form_extra.html

@@ -0,0 +1,4 @@
+[% IF c.cobrand.requires_recaptcha %]
+    <script src="https://www.google.com/recaptcha/api.js" async defer></script>
+    <div class="g-recaptcha" data-sitekey="[% c.config.RECAPTCHA.site_key %]"></div>
+[% END %]