Merge pull request #2934 from coreos-inc/joseph.schorr/QS-78/email-recovery

Security fixes for password recovery
2017-12-06 14:53:02 -05:00 · 2017-12-06 14:53:02 -05:00 · b9ad8bbb5d
commit b9ad8bbb5d
parent 8d7381336a a204dc20fb
4 changed files with 55 additions and 7 deletions
--- a/endpoints/api/user.py
+++ b/endpoints/api/user.py
@ -806,6 +806,10 @@ class Recovery(ApiResource):
          'type': 'string',
          'description': 'The user\'s email address',
        },
+        'recaptcha_response': {
+          'type': 'string',
+          'description': 'The (may be disabled) recaptcha response code for verification',
+        },
      },
    },
  }
@ -826,10 +830,26 @@ class Recovery(ApiResource):

      return v

-    email = request.get_json()['email']
+    recovery_data = request.get_json()
+
+    # If recaptcha is enabled, then verify the user is a human.
+    if features.RECAPTCHA:
+      recaptcha_response = recovery_data.get('recaptcha_response', '')
+      result = recaptcha2.verify(app.config['RECAPTCHA_SECRET_KEY'],
+                                 recaptcha_response,
+                                 request.remote_addr)
+
+      if not result['success']:
+        return {
+          'message': 'Are you a bot? If not, please revalidate the captcha.'
+        }, 400
+
+    email = recovery_data['email']
    user = model.user.find_user_by_email(email)
    if not user:
-      raise model.InvalidEmailAddressException('Email address was not found.')
+      return {
+        'status': 'sent',
+      }

    if user.organization:
      send_org_recovery_email(user, model.organization.get_admin_users(user))