From fbebe1d32994f72dbf1be60e2c54f9a071214977 Mon Sep 17 00:00:00 2001 From: Kang Ming Date: Tue, 28 Jun 2022 18:19:35 -0700 Subject: [PATCH 1/3] fix: add captcha to verify and token endpoints --- api/api.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/api/api.go b/api/api.go index cb98b37fc..116707de6 100644 --- a/api/api.go +++ b/api/api.go @@ -127,7 +127,7 @@ func NewAPIWithVersion(ctx context.Context, globalConfig *conf.GlobalConfigurati tollbooth.NewLimiter(api.config.RateLimitTokenRefresh/(60*5), &limiter.ExpirableOptions{ DefaultExpirationTTL: time.Hour, }).SetBurst(30), - )).Post("/token", api.Token) + )).With(api.verifyCaptcha).Post("/token", api.Token) r.With(api.limitHandler( // Allow requests at the specified rate per 5 minutes. @@ -136,7 +136,7 @@ func NewAPIWithVersion(ctx context.Context, globalConfig *conf.GlobalConfigurati }).SetBurst(30), )).Route("/verify", func(r *router) { r.Get("/", api.Verify) - r.Post("/", api.Verify) + r.With(api.verifyCaptcha).Post("/", api.Verify) }) r.With(api.requireAuthentication).Post("/logout", api.Logout) From 07f2fefdf78d17146bacb7ece3865185cd79cf22 Mon Sep 17 00:00:00 2001 From: Kang Ming Date: Tue, 28 Jun 2022 19:03:31 -0700 Subject: [PATCH 2/3] don't enable captcha on refresh token grant_type --- security/hcaptcha.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/security/hcaptcha.go b/security/hcaptcha.go index f34c7d61d..f72b26588 100644 --- a/security/hcaptcha.go +++ b/security/hcaptcha.go @@ -56,6 +56,10 @@ func init() { } func VerifyRequest(r *http.Request, secretKey string) (VerificationResult, error) { + if r.FormValue("grant_type") == "refresh_token" { + // captcha shouldn't be enabled on requests to refresh the token + return SuccessfullyVerified, nil + } res := GotrueRequest{} bodyBytes, err := ioutil.ReadAll(r.Body) if err != nil { From e4bce0c44b864eb47995396c81b84aaa96a72ac3 Mon Sep 17 00:00:00 2001 
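Review bot: The refresh_token exemption that makes the new `verifyCaptcha` on `/token` workable lives in `security.VerifyRequest` (patch 2/3 of this series), so a reader of this routing table sees a captcha gate on every grant type with nothing saying that refresh is exempt. A one-line comment on the `With` call keeps that policy visible where routes are defined: `// verifyCaptcha exempts grant_type=refresh_token (see security.VerifyRequest); all other grants need a captcha token`. The middleware is ordered after `limitHandler`, so the rate limit is applied before any outbound captcha verification happens — that order is worth preserving if the chain is reshuffled later. NewAPIWithVersion starts before and continues after this hunk.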
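Review bot: `GET /verify` on the line above the change still routes to the same `api.Verify` with no `verifyCaptcha`, so the captcha now required on the POST is only as strong as whatever distinction the handler draws between the two methods; unless Verify rejects on GET the inputs it accepts on POST, a caller can move the same parameters to the query string and skip the captcha entirely. If GET is deliberately exempt because it serves the e-mail/SMS confirmation link (where no captcha widget can run), say so next to it: `r.Get("/", api.Verify) // link-redirect flow: no captcha possible, protected only by the rate limit above`. Worth confirming in Verify that the GET path does not accept the OTP-style verification the POST gate was meant to protect. The enclosing Route closure and NewAPIWithVersion continue outside the hunk.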
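Review bot: The new early return keys the captcha exemption on `r.FormValue("grant_type")`, which is client-controlled and is read from the URL query string as well as a form body; it is only safe if `api.Token` dispatches on exactly the same value, otherwise a password-grant request carrying `?grant_type=refresh_token` in the query would pass `VerifyRequest` without any captcha token. If the handler ever takes the grant type from the JSON body instead, this check silently becomes a bypass, so the coupling should be stated: `// must read grant_type exactly as api.Token does — a mismatch lets a client opt out of captcha`. A second side effect: `FormValue` calls `ParseForm`, which consumes the body for form-encoded requests before the `ioutil.ReadAll(r.Body)` below, so this path presumably only behaves as intended for JSON requests — worth a comment or an explicit Content-Type check. Moving the grant-type exemption into the `verifyCaptcha` middleware or the route setup would keep `security.VerifyRequest` a pure captcha verifier with no knowledge of token-endpoint parameters. The function body continues past the hunk.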
From: Kang Ming Date: Tue, 28 Jun 2022 19:05:45 -0700 Subject: [PATCH 3/3] refactor: rename hcaptcha_token to captcha_token for generalizability --- api/middleware_test.go | 6 +++--- security/hcaptcha.go | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/api/middleware_test.go b/api/middleware_test.go index 1c99037c3..dde8a4cdc 100644 --- a/api/middleware_test.go +++ b/api/middleware_test.go @@ -48,7 +48,7 @@ func (ts *MiddlewareTestSuite) TestVerifyCaptchaValid() { "email": "test@example.com", "password": "secret", "gotrue_meta_security": map[string]interface{}{ - "hcaptcha_token": HCaptchaResponse, + "captcha_token": HCaptchaResponse, }, })) @@ -75,7 +75,7 @@ func (ts *MiddlewareTestSuite) TestVerifyCaptchaValid() { "email": "test@example.com", "password": "secret", "gotrue_meta_security": map[string]interface{}{ - "hcaptcha_token": HCaptchaResponse, + "captcha_token": HCaptchaResponse, }, })) @@ -129,7 +129,7 @@ func (ts *MiddlewareTestSuite) TestVerifyCaptchaInvalid() { "email": "test@example.com", "password": "secret", "gotrue_meta_security": map[string]interface{}{ - "hcaptcha_token": HCaptchaResponse, + "captcha_token": HCaptchaResponse, }, })) req := httptest.NewRequest(http.MethodPost, "http://localhost", &buffer) diff --git a/security/hcaptcha.go b/security/hcaptcha.go index f72b26588..64da884d7 100644 --- a/security/hcaptcha.go +++ b/security/hcaptcha.go @@ -22,7 +22,7 @@ type GotrueRequest struct { } type GotrueSecurity struct { - Token string `json:"hcaptcha_token"` + Token string `json:"captcha_token"` } type VerificationResponse struct {