Business/AccountHub
2
0
Fork 2
Code Issues 3 Pull Requests Releases 3 Wiki Activity

Switch from reCAPTCHA to Captcheck

Browse Source
This commit is contained in:
Skylar Ittner 2018-04-15 20:07:01 -06:00
parent fea9e372c8
commit 606b286b1e
4 changed files with 48 additions and 51 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
index.php
View File

@ -1,5 +1,4 @@
<?php <?php
/* This Source Code Form is subject to the terms of the Mozilla Public /* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this * License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
@ -24,7 +23,7 @@ $multiauth = false;
$change_password = false; $change_password = false;
if ($VARS['progress'] == "1") { if ($VARS['progress'] == "1") {
engageRateLimit(); engageRateLimit();
if (!RECAPTCHA_ENABLED || (RECAPTCHA_ENABLED && verifyReCaptcha($VARS['g-recaptcha-response']))) { if (!CAPTCHA_ENABLED || (CAPTCHA_ENABLED && verifyCaptcheck($VARS['captcheck_session_code'], $VARS['captcheck_selected_answer'], CAPTCHA_SERVER . "/api.php"))) {
$autherror = ""; $autherror = "";
if (user_exists($VARS['username'])) { if (user_exists($VARS['username'])) {
$status = get_account_status($VARS['username'], $error); $status = get_account_status($VARS['username'], $error);
@ -149,8 +148,8 @@ if ($VARS['progress'] == "1") {
<link href="static/css/font-awesome.min.css" rel="stylesheet"> <link href="static/css/font-awesome.min.css" rel="stylesheet">
<link href="static/css/material-color/material-color.min.css" rel="stylesheet"> <link href="static/css/material-color/material-color.min.css" rel="stylesheet">
<link href="static/css/app.css" rel="stylesheet"> <link href="static/css/app.css" rel="stylesheet">
<?php if (RECAPTCHA_ENABLED) { ?> <?php if (CAPTCHA_ENABLED) { ?>
<script src='https://www.google.com/recaptcha/api.js'></script> <script src="<?php echo CAPTCHA_SERVER ?>/captcheck.dist.js"></script>
<?php } ?> <?php } ?>
</head> </head>
<body> <body>
@ -202,8 +201,8 @@ if ($VARS['progress'] == "1") {
?> ?>
<input type="text" class="form-control" name="username" placeholder="<?php lang("username"); ?>" required="required" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" autofocus /><br /> <input type="text" class="form-control" name="username" placeholder="<?php lang("username"); ?>" required="required" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" autofocus /><br />
<input type="password" class="form-control" name="password" placeholder="<?php lang("password"); ?>" required="required" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" /><br /> <input type="password" class="form-control" name="password" placeholder="<?php lang("password"); ?>" required="required" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" /><br />
<?php if (RECAPTCHA_ENABLED) { ?> <?php if (CAPTCHA_ENABLED) { ?>
<div class="g-recaptcha" data-sitekey="<?php echo RECAPTCHA_SITE_KEY; ?>"></div> <div class="captcheck_container" data-stylenonce="<?php echo $SECURE_NONCE; ?>"></div>
<br /> <br />
<?php } ?> <?php } ?>
<input type="hidden" name="progress" value="1" /> <input type="hidden" name="progress" value="1" />

50
lib/login.php
View File

@ -52,8 +52,8 @@ function adduser($username, $password, $realname, $email = null, $phone1 = "", $
* @param string $old The current password * @param string $old The current password
* @param string $new The new password * @param string $new The new password
* @param string $new2 New password again * @param string $new2 New password again
* @param [string] $error If the function returns false, this will have an array * @param [string] $error If the function returns false, this will have an array
* with a message ID from `lang/messages.php` and (depending on the message) an * with a message ID from `lang/messages.php` and (depending on the message) an
* extra string for that message. * extra string for that message.
* @return boolean true if the password is changed, else false * @return boolean true if the password is changed, else false
*/ */
@ -282,7 +282,7 @@ function doLoginUser($username, $password) {
/** /**
* Send an alert email to the system admin * Send an alert email to the system admin
* *
* Used when an account with the status ALERT_ON_ACCESS logs in * Used when an account with the status ALERT_ON_ACCESS logs in
* @param String $username the account username * @param String $username the account username
* @return Mixed TRUE if successful, error string if not * @return Mixed TRUE if successful, error string if not
@ -296,7 +296,7 @@ function sendLoginAlertEmail($username, $appname = SITE_TITLE) {
} }
$username = strtolower($username); $username = strtolower($username);
$mail = new PHPMailer; $mail = new PHPMailer;
if (DEBUG) { if (DEBUG) {
@ -341,30 +341,26 @@ function insertAuthLog($type, $uid = null, $data = "") {
$database->insert("authlog", ['logtime' => date("Y-m-d H:i:s"), 'logtype' => $type, 'uid' => $uid, 'ip' => $ip, 'otherdata' => $data]); $database->insert("authlog", ['logtime' => date("Y-m-d H:i:s"), 'logtype' => $type, 'uid' => $uid, 'ip' => $ip, 'otherdata' => $data]);
} }
function verifyReCaptcha($response) { function verifyCaptcheck($session, $answer, $url) {
try { $data = [
$client = new GuzzleHttp\Client(); 'session_id' => $session,
'answer_id' => $answer,
$response = $client 'action' => "verify"
->request('POST', "https://www.google.com/recaptcha/api/siteverify", [ ];
'form_params' => [ $options = [
'secret' => RECAPTCHA_SECRET_KEY, 'http' => [
'response' => $response 'header' => "Content-type: application/x-www-form-urlencoded\r\n",
] 'method' => 'POST',
]); 'content' => http_build_query($data)
]
if ($response->getStatusCode() != 200) { ];
return false; $context = stream_context_create($options);
} $result = file_get_contents($url, false, $context);
$resp = json_decode($result, TRUE);
$resp = json_decode($response->getBody(), TRUE); if (!$resp['result']) {
if ($resp['success'] === true) {
return true;
} else {
return false;
}
} catch (Exception $e) {
return false; return false;
} else {
return true;
} }
} }

29
required.php
View File

@ -8,6 +8,13 @@
* This file contains global settings and utility functions. * This file contains global settings and utility functions.
*/ */
ob_start(); // allow sending headers after content ob_start(); // allow sending headers after content
//
// Composer
require __DIR__ . '/vendor/autoload.php';
// Settings file
require __DIR__ . '/settings.php';
// Unicode, solves almost all stupid encoding problems // Unicode, solves almost all stupid encoding problems
header('Content-Type: text/html; charset=utf-8'); header('Content-Type: text/html; charset=utf-8');
@ -27,6 +34,7 @@ session_start(); // stick some cookies in it
//// renew session cookie //// renew session cookie
setcookie(session_name(), session_id(), time() + $session_length); setcookie(session_name(), session_id(), time() + $session_length);
$captcha_server = (CAPTCHA_ENABLED === true ? preg_replace("/http(s)?:\/\//", "", CAPTCHA_SERVER) : "");
if ($_SESSION['mobile'] === TRUE) { if ($_SESSION['mobile'] === TRUE) {
header("Content-Security-Policy: " header("Content-Security-Policy: "
. "default-src 'self';" . "default-src 'self';"
@ -37,7 +45,7 @@ if ($_SESSION['mobile'] === TRUE) {
. "font-src 'self'; " . "font-src 'self'; "
. "connect-src *; " . "connect-src *; "
. "style-src 'self' 'unsafe-inline'; " . "style-src 'self' 'unsafe-inline'; "
. "script-src 'self' 'unsafe-inline'"); . "script-src 'self' 'unsafe-inline' $captcha_server");
} else { } else {
header("Content-Security-Policy: " header("Content-Security-Policy: "
. "default-src 'self';" . "default-src 'self';"
@ -48,14 +56,9 @@ if ($_SESSION['mobile'] === TRUE) {
. "font-src 'self'; " . "font-src 'self'; "
. "connect-src *; " . "connect-src *; "
. "style-src 'self' 'nonce-$SECURE_NONCE'; " . "style-src 'self' 'nonce-$SECURE_NONCE'; "
. "script-src 'self' 'nonce-$SECURE_NONCE'"); . "script-src 'self' 'nonce-$SECURE_NONCE' $captcha_server");
} }
//
// Composer
require __DIR__ . '/vendor/autoload.php';
// Settings file
require __DIR__ . '/settings.php';
// List of alert messages // List of alert messages
require __DIR__ . '/lang/messages.php'; require __DIR__ . '/lang/messages.php';
// text strings (i18n) // text strings (i18n)
@ -76,7 +79,7 @@ function sendError($error) {
. "<h1>A fatal application error has occurred.</h1>" . "<h1>A fatal application error has occurred.</h1>"
. "<i>(This isn't your fault.)</i>" . "<i>(This isn't your fault.)</i>"
. "<h2>Details:</h2>" . "<h2>Details:</h2>"
. "<p>". htmlspecialchars($error) . "</p>"); . "<p>" . htmlspecialchars($error) . "</p>");
} }
date_default_timezone_set(TIMEZONE); date_default_timezone_set(TIMEZONE);
@ -183,7 +186,7 @@ function addLangStrings($strings) {
} }
/** /**
* Add strings to the i18n global array. Accepts an array of language code * Add strings to the i18n global array. Accepts an array of language code
* keys, with the values a key-value array of strings. * keys, with the values a key-value array of strings.
* @param array $strings ['en_us' => ['key' => 'value']] * @param array $strings ['en_us' => ['key' => 'value']]
*/ */
@ -417,12 +420,12 @@ function getClientIP() {
} }
/** /**
* Check if the client's IP has been doing too many brute-force-friendly * Check if the client's IP has been doing too many brute-force-friendly
* requests lately. * requests lately.
* Kills the script with a "friendly" error and response code 429 * Kills the script with a "friendly" error and response code 429
* (Too Many Requests) if the last access time in the DB is too near. * (Too Many Requests) if the last access time in the DB is too near.
* *
* Also updates the rate_limit table with the latest data and purges old rows. * Also updates the rate_limit table with the latest data and purges old rows.
* @global type $database * @global type $database
*/ */
function engageRateLimit() { function engageRateLimit() {

9
settings.template.php
View File

@ -64,11 +64,10 @@ define("MOBILE_ENABLED", TRUE);
// Base URL for site links. // Base URL for site links.
define('URL', 'http://localhost/accounthub'); define('URL', 'http://localhost/accounthub');
// Use reCAPTCHA on login screen // Use Captcheck on login screen
// https://www.google.com/recaptcha/ // https://captcheck.netsyms.com
define("RECAPTCHA_ENABLED", FALSE); define("CAPTCHA_ENABLED", FALSE);
define('RECAPTCHA_SITE_KEY', ''); define('CAPTCHA_SERVER', 'https://captcheck.netsyms.com');
define('RECAPTCHA_SECRET_KEY', '');
// API URL and index URL for TaskFloor // API URL and index URL for TaskFloor
define('TASKFLOOR_API', 'http://localhost/taskfloor/api.php'); define('TASKFLOOR_API', 'http://localhost/taskfloor/api.php');