feat: fix secret information issue in the CAPTCHA provider code (casd…
HGZ-20 authored Dec 11, 2023
1 parent b068202 commit dc06eb9
Showing 5 changed files with 49 additions and 11 deletions.
2 changes: 1 addition & 1 deletion controllers/account.go
Expand Up @@ -479,7 +479,7 @@ func (c *ApiController) GetCaptcha() {
Type: captchaProvider.Type,
SubType: captchaProvider.SubType,
ClientId: captchaProvider.ClientId,
ClientSecret: captchaProvider.ClientSecret,
ClientSecret: "***",
ClientId2: captchaProvider.ClientId2,
ClientSecret2: captchaProvider.ClientSecret2,
})
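Review bot: ClientSecret2 is still copied verbatim into the response on the line right after the masked ClientSecret, so the hunk masks only one of the two credential fields the provider carries. If ClientSecret2 holds a secret for any provider type (its name suggests it does), it needs the same treatment: `ClientSecret2: "***",`. GetCaptcha's body continues outside the hunk, so I cannot see whether the response is filtered elsewhere.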
10 changes: 10 additions & 0 deletions controllers/auth.go
Expand Up @@ -387,6 +387,16 @@ func (c *ApiController) Login() {
c.ResponseError(err.Error())
return
} else if enableCaptcha {
captchaProvider, err := object.GetCaptchaProviderByApplication(util.GetId(application.Owner, application.Name), "false", c.GetAcceptLanguage())
if err != nil {
c.ResponseError(err.Error())
return
}

if captchaProvider.Type != "Default" {
authForm.ClientSecret = captchaProvider.ClientSecret
}

var isHuman bool
isHuman, err = captcha.VerifyCaptchaByCaptchaType(authForm.CaptchaType, authForm.CaptchaToken, authForm.ClientSecret)
if err != nil {
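Review bot: The new code dereferences captchaProvider.Type without a nil check, while the SendVerificationCode hunk in controllers/verification.go guards the same lookup with `if provider != nil`; if GetCaptchaProviderByApplication can return (nil, nil) for an application that has captcha enabled but no provider assigned, Login panics here, and the VerifyCaptcha hunk in verification.go has the same gap. A one-line guard keeps the three call sites consistent: `if captchaProvider != nil && captchaProvider.Type != "Default" {`. Separately, SendVerificationCode rejects a request whose captchaType differs from the configured provider's Type, but Login does not compare authForm.CaptchaType with captchaProvider.Type before substituting the server-side secret — presumably the same check is wanted here so the client-chosen type cannot diverge from the configured one. Login's body continues outside the hunk.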
43 changes: 35 additions & 8 deletions controllers/verification.go
Expand Up @@ -53,17 +53,34 @@ func (c *ApiController) SendVerificationCode() {
return
}

if vform.CaptchaType != "none" {
if captchaProvider := captcha.GetCaptchaProvider(vform.CaptchaType); captchaProvider == nil {
c.ResponseError(c.T("general:don't support captchaProvider: ") + vform.CaptchaType)
return
} else if isHuman, err := captchaProvider.VerifyCaptcha(vform.CaptchaToken, vform.ClientSecret); err != nil {
c.ResponseError(err.Error())
return
} else if !isHuman {
provider, err := object.GetCaptchaProviderByApplication(vform.ApplicationId, "false", c.GetAcceptLanguage())
if err != nil {
c.ResponseError(err.Error())
return
}

if provider != nil {
if vform.CaptchaType != provider.Type {
c.ResponseError(c.T("verification:Turing test failed."))
return
}

if provider.Type != "Default" {
vform.ClientSecret = provider.ClientSecret
}

if vform.CaptchaType != "none" {
if captchaProvider := captcha.GetCaptchaProvider(vform.CaptchaType); captchaProvider == nil {
c.ResponseError(c.T("general:don't support captchaProvider: ") + vform.CaptchaType)
return
} else if isHuman, err := captchaProvider.VerifyCaptcha(vform.CaptchaToken, vform.ClientSecret); err != nil {
c.ResponseError(err.Error())
return
} else if !isHuman {
c.ResponseError(c.T("verification:Turing test failed."))
return
}
}
}

application, err := object.GetApplication(vform.ApplicationId)
Expand Down Expand Up @@ -225,6 +242,16 @@ func (c *ApiController) VerifyCaptcha() {
return
}

captchaProvider, err := object.GetCaptchaProviderByOwnerName(vform.ApplicationId, c.GetAcceptLanguage())
if err != nil {
c.ResponseError(err.Error())
return
}

if captchaProvider.Type != "Default" {
vform.ClientSecret = captchaProvider.ClientSecret
}

provider := captcha.GetCaptchaProvider(vform.CaptchaType)
if provider == nil {
c.ResponseError(c.T("verification:Invalid captcha provider."))
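Review bot: Nesting the pre-existing `vform.CaptchaType != "none"` block under `if provider != nil` changes SendVerificationCode's behaviour for applications without a captcha provider: before this change a non-"none" captchaType was always verified, now such requests skip the Turing test entirely, and nothing in the hunk says that is intended. If it is, a comment on the nil case would save the next reader a detour, e.g. `// no captcha provider is configured for this application, so the code request is not challenged`; if not, an explicit error return for provider == nil is the alternative. The mismatch branch also reuses the "Turing test failed." text for what is really a type/configuration mismatch, which will make support investigation harder than a distinct message would. The literal "Default" now appears in three places across this commit and would read better as one named constant.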
3 changes: 2 additions & 1 deletion web/src/backend/UserBackend.js
Expand Up @@ -153,11 +153,12 @@ export function sendCode(captchaType, captchaToken, clientSecret, method, countr
});
}

export function verifyCaptcha(captchaType, captchaToken, clientSecret) {
export function verifyCaptcha(owner, name, captchaType, captchaToken, clientSecret) {
const formData = new FormData();
formData.append("captchaType", captchaType);
formData.append("captchaToken", captchaToken);
formData.append("clientSecret", clientSecret);
formData.append("applicationId", `${owner}/${name}`);
return fetch(`${Setting.ServerUrl}/api/verify-captcha`, {
method: "POST",
credentials: "include",
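Review bot: verifyCaptcha's signature gained two leading parameters, so any caller other than CaptchaPreview.js that still passes (captchaType, captchaToken, clientSecret) will now silently send the captcha type as owner and the token as name; JavaScript will not flag the arity change, so the other call sites deserve a grep. The function also still posts clientSecret from the browser even though, after this commit, the server replaces it for every non-"Default" provider; a short JSDoc line stating that the value is only honoured for the Default type, and that applicationId is sent as `${owner}/${name}`, would document the new contract.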
2 changes: 1 addition & 1 deletion web/src/common/CaptchaPreview.js
Expand Up @@ -50,7 +50,7 @@ export const CaptchaPreview = (props) => {
};

const onOk = (captchaType, captchaToken, clientSecret) => {
UserBackend.verifyCaptcha(captchaType, captchaToken, clientSecret).then(() => {
UserBackend.verifyCaptcha(owner, name, captchaType, captchaToken, clientSecret).then(() => {
setVisible(false);
});
};
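Review bot: onOk now references owner and name, but neither is declared in the hunk; presumably they are destructured from props higher in the component, which I cannot see from here. If they identify the provider being previewed rather than an application, the backend's GetCaptchaProviderByOwnerName(vform.ApplicationId, …) receives a provider owner/name under a parameter called applicationId, which is worth a clarifying comment on this call, e.g. `// owner/name of the captcha provider; sent to the server as applicationId`.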
