Require CAPTCHA for password recovery

https://jira.coreos.com/browse/QS-79
2017-12-06 14:25:34 -05:00 · 2017-12-06 14:25:34 -05:00 · a204dc20fb
commit a204dc20fb
parent 927d469db0
3 changed files with 47 additions and 1 deletions
--- a/endpoints/api/user.py
+++ b/endpoints/api/user.py
@ -806,6 +806,10 @@ class Recovery(ApiResource):
          'type': 'string',
          'description': 'The user\'s email address',
        },
+        'recaptcha_response': {
+          'type': 'string',
+          'description': 'The (may be disabled) recaptcha response code for verification',
+        },
      },
    },
  }
@ -826,7 +830,21 @@ class Recovery(ApiResource):

      return v

-    email = request.get_json()['email']
+    recovery_data = request.get_json()
+
+    # If recaptcha is enabled, then verify the user is a human.
+    if features.RECAPTCHA:
+      recaptcha_response = recovery_data.get('recaptcha_response', '')
+      result = recaptcha2.verify(app.config['RECAPTCHA_SECRET_KEY'],
+                                 recaptcha_response,
+                                 request.remote_addr)
+
+      if not result['success']:
+        return {
+          'message': 'Are you a bot? If not, please revalidate the captcha.'
+        }, 400
+
+    email = recovery_data['email']
    user = model.user.find_user_by_email(email)
    if not user:
      return {