Require CAPTCHA for password recovery

https://jira.coreos.com/browse/QS-79
2017-12-06 14:25:34 -05:00 · 2017-12-06 14:25:34 -05:00 · a204dc20fb
commit a204dc20fb
parent 927d469db0
3 changed files with 47 additions and 1 deletions
--- a/endpoints/api/user.py
+++ b/endpoints/api/user.py
@ -806,6 +806,10 @@ class Recovery(ApiResource):
          'type': 'string',
          'description': 'The user\'s email address',
        },
+        'recaptcha_response': {
+          'type': 'string',
+          'description': 'The (may be disabled) recaptcha response code for verification',
+        },
      },
    },
  }
@ -826,7 +830,21 @@ class Recovery(ApiResource):

      return v

-    email = request.get_json()['email']
+    recovery_data = request.get_json()
+
+    # If recaptcha is enabled, then verify the user is a human.
+    if features.RECAPTCHA:
+      recaptcha_response = recovery_data.get('recaptcha_response', '')
+      result = recaptcha2.verify(app.config['RECAPTCHA_SECRET_KEY'],
+                                 recaptcha_response,
+                                 request.remote_addr)
+
+      if not result['success']:
+        return {
+          'message': 'Are you a bot? If not, please revalidate the captcha.'
+        }, 400
+
+    email = recovery_data['email']
    user = model.user.find_user_by_email(email)
    if not user:
      return {
--- a/static/css/directives/ui/recovery-form.css
+++ b/static/css/directives/ui/recovery-form.css
@ -5,4 +5,24 @@

 .recovery-form-element input {
    margin-bottom: 10px;
+}
+
+.recovery-form-element .captcha {
+    display: block;
+    text-align: center;
+}
+
+.recovery-form-element .captcha div {
+    display: inline-block;
+    margin: 2px;
+}
+
+.recovery-form-element .captcha {
+    height: 0px;
+    transition: height ease-in-out 250ms;
+    overflow: hidden;
+}
+
+.recovery-form-element .captcha.expanded {
+    height: 94px;
 }
--- a/static/directives/recovery-form.html
+++ b/static/directives/recovery-form.html
@ -18,6 +18,14 @@

    <form class="form-signin" ng-submit="sendRecovery()" ng-show="!sent">
      <input type="text" class="form-control" placeholder="Email" ng-model="recovery.email">
+
+      <div quay-require="['RECAPTCHA']">
+        <div class="captcha"
+             ng-class="{'expanded': recovery.email}">
+          <div vc-recaptcha ng-model="recovery.recaptcha_response" key="Config.RECAPTCHA_SITE_KEY"></div>
+        </div>
+      </div>
+    
      <button class="btn btn-primary btn-block" type="submit">Send Recovery Email</button>
    </form>
  </div>