tootlab-mastodon/app/controllers/concerns/captcha_concern.rb

# frozen_string_literal: true

module CaptchaConcern
  extend ActiveSupport::Concern
  include Hcaptcha::Adapters::ViewMethods

  CAPTCHA_TIMEOUT = 2.hours.freeze

  included do
    helper_method :render_captcha_if_needed
  end

  def captcha_available?
    ENV['HCAPTCHA_SECRET_KEY'].present? && ENV['HCAPTCHA_SITE_KEY'].present?
  end

  def captcha_enabled?
    captcha_available? && Setting.captcha_enabled
  end

  def captcha_recently_passed?
    session[:captcha_passed_at].present? && session[:captcha_passed_at] >= CAPTCHA_TIMEOUT.ago
  end

  def captcha_required?
    captcha_enabled? && !current_user && !(@invite.present? && @invite.valid_for_use? && !@invite.max_uses.nil?) && !captcha_recently_passed?
  end

  def clear_captcha!
    session.delete(:captcha_passed_at)
  end

  def check_captcha!
    return true unless captcha_required?

    if verify_hcaptcha
      session[:captcha_passed_at] = Time.now.utc
      return true
    else
      if block_given?
        message = flash[:hcaptcha_error]
        flash.delete(:hcaptcha_error)
        yield message
      end
      return false
    end
  end

  def extend_csp_for_captcha!
    policy = request.content_security_policy
    return unless captcha_required? && policy.present?

    %w(script_src frame_src style_src connect_src).each do |directive|
      values = policy.send(directive)
      values << 'https://hcaptcha.com' unless values.include?('https://hcaptcha.com') || values.include?('https:')
      values << 'https://*.hcaptcha.com' unless values.include?('https://*.hcaptcha.com') || values.include?('https:')
      policy.send(directive, *values)
    end
  end

  def render_captcha_if_needed
    return unless captcha_required?

    hcaptcha_tags
  end
end
Add optional hCaptcha support Fixes #1649 This requires setting `HCAPTCHA_SECRET_KEY` and `HCAPTCHA_SITE_KEY`, then enabling the admin setting at `/admin/settings/edit#form_admin_settings_captcha_enabled` Subsequently, a hCaptcha widget will be displayed on `/about` and `/auth/sign_up` unless: - the user is already signed-up already - the user has used an invite link - the user has already solved the captcha (and registration failed for another reason) The Content-Security-Policy headers are altered automatically to allow the third-party hCaptcha scripts on `/about` and `/auth/sign_up` following the same rules as above. 2022-01-24 13:06:19 -05:00			`# frozen_string_literal: true`

			`module CaptchaConcern`
			`extend ActiveSupport::Concern`
			`include Hcaptcha::Adapters::ViewMethods`

			`CAPTCHA_TIMEOUT = 2.hours.freeze`

			`included do`
			`helper_method :render_captcha_if_needed`
			`end`

			`def captcha_available?`
			`ENV['HCAPTCHA_SECRET_KEY'].present? && ENV['HCAPTCHA_SITE_KEY'].present?`
			`end`

			`def captcha_enabled?`
			`captcha_available? && Setting.captcha_enabled`
			`end`

			`def captcha_recently_passed?`
			`session[:captcha_passed_at].present? && session[:captcha_passed_at] >= CAPTCHA_TIMEOUT.ago`
			`end`

			`def captcha_required?`
			`captcha_enabled? && !current_user && !(@invite.present? && @invite.valid_for_use? && !@invite.max_uses.nil?) && !captcha_recently_passed?`
			`end`

			`def clear_captcha!`
			`session.delete(:captcha_passed_at)`
			`end`

			`def check_captcha!`
			`return true unless captcha_required?`

			`if verify_hcaptcha`
			`session[:captcha_passed_at] = Time.now.utc`
			`return true`
			`else`
			`if block_given?`
			`message = flash[:hcaptcha_error]`
			`flash.delete(:hcaptcha_error)`
			`yield message`
			`end`
			`return false`
			`end`
			`end`

			`def extend_csp_for_captcha!`
			`policy = request.content_security_policy`
			`return unless captcha_required? && policy.present?`

			`%w(script_src frame_src style_src connect_src).each do \|directive\|`
			`values = policy.send(directive)`
			`values << 'https://hcaptcha.com' unless values.include?('https://hcaptcha.com') \|\| values.include?('https:')`
			`values << 'https://.hcaptcha.com' unless values.include?('https://.hcaptcha.com') \|\| values.include?('https:')`
			`policy.send(directive, *values)`
			`end`
			`end`

			`def render_captcha_if_needed`
			`return unless captcha_required?`

			`hcaptcha_tags`
			`end`
			`end`