From 6e28bf83942382ab81bd8b45b49eecb8995a3d40 Mon Sep 17 00:00:00 2001 From: Chaoyi Zha Date: Wed, 17 May 2017 17:08:45 -0400 Subject: Implement optional reCAPTCHA for registrations --- app/Http/Controllers/SetupController.php | 7 +++++ app/Http/Controllers/UserController.php | 12 ++++++++ composer.json | 3 +- composer.lock | 47 +++++++++++++++++++++++++++++++- public/css/signup.css | 4 +++ resources/views/env.blade.php | 11 ++++++++ resources/views/setup.blade.php | 28 +++++++++++++++++++ resources/views/signup.blade.php | 10 ++++++- 8 files changed, 119 insertions(+), 3 deletions(-) diff --git a/app/Http/Controllers/SetupController.php b/app/Http/Controllers/SetupController.php index 8234c3f..d290065 100644 --- a/app/Http/Controllers/SetupController.php +++ b/app/Http/Controllers/SetupController.php @@ -102,6 +102,10 @@ class SetupController extends Controller { ]); } + $polr_acct_creation_recaptcha = $request->input('setting:acct_registration_recaptcha'); + $polr_recaptcha_site_key = $request->input('setting:recaptcha_site_key'); + $polr_recaptcha_secret_key = $request->input('setting:recaptcha_secret_key'); + $acct_username = $request->input('acct:username'); $acct_email = $request->input('acct:email'); $acct_password = $request->input('acct:password'); 
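Review bot: The three reCAPTCHA inputs read in this hunk (`setting:acct_registration_recaptcha`, `setting:recaptcha_site_key`, `setting:recaptcha_secret_key`) reach the env template in the second SetupController hunk with no validation visible in either hunk, and env.blade.php writes each one unquoted on a single `KEY=value` line. Enabling the option with an empty key therefore leaves registration broken until .env is edited by hand, and a value containing whitespace or a line break would corrupt the generated file. I would reject the form when the option is on and either key is empty, and constrain both keys to the token alphabet, e.g. `if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $polr_recaptcha_secret_key)) { /* re-render setup with an error */ }`. The second hunk also passes the secret as `POLR_RECAPTCHA_SECRET` while the site key and the env variable both end in `_KEY`; `'POLR_RECAPTCHA_SECRET_KEY' => $polr_recaptcha_secret_key`, with the template variable renamed to match, would keep the names aligned. The method body starts and ends outside both hunks, so validation elsewhere in it may already cover part of this.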
@@ -154,12 +158,15 @@ class SetupController extends Controller { 'ST_PUBLIC_INTERFACE' => $st_public_interface, 'POLR_ALLOW_ACCT_CREATION' => $polr_allow_acct_creation, 'POLR_ACCT_ACTIVATION' => $polr_acct_activation, + 'POLR_ACCT_CREATION_RECAPTCHA' => $polr_acct_creation_recaptcha, 'ST_SHORTEN_PERMISSION' => $st_shorten_permission, 'ST_INDEX_REDIRECT' => $st_index_redirect, 'ST_REDIRECT_404' => $st_redirect_404, 'ST_PASSWORD_RECOV' => $st_password_recov, 'ST_RESTRICT_EMAIL_DOMAIN' => $st_restrict_email_domain, 'ST_ALLOWED_EMAIL_DOMAINS' => $st_allowed_email_domains, + 'POLR_RECAPTCHA_SITE_KEY' => $polr_recaptcha_site_key, + 'POLR_RECAPTCHA_SECRET' => $polr_recaptcha_secret_key, 'MAIL_ENABLED' => $mail_enabled, 'MAIL_HOST' => $mail_host, diff --git a/app/Http/Controllers/UserController.php b/app/Http/Controllers/UserController.php index 4d4a34c..7cdf545 100644 --- a/app/Http/Controllers/UserController.php +++ b/app/Http/Controllers/UserController.php @@ -57,6 +57,18 @@ class UserController extends Controller { return redirect(route('index'))->with('error', 'Sorry, but registration is disabled.'); } + if (env('POLR_ACCT_CREATION_RECAPTCHA')) { + // Verify reCAPTCHA if setting is enabled + $gRecaptchaResponse = $request->input('g-recaptcha-response'); + + $recaptcha = new \ReCaptcha\ReCaptcha(env('POLR_RECAPTCHA_SECRET_KEY')); + $recaptcha_resp = $recaptcha->verify($gRecaptchaResponse, $request->ip()); + + if (!$recaptcha_resp->isSuccess()) { + return redirect(route('signup'))->with('error', 'You must complete the reCAPTCHA to register.'); + } + } + // Validate signup form data $this->validate($request, [ 'username' => 'required|alpha_dash', diff --git a/composer.json b/composer.json index 5c9fcb0..4f883ee 100644 --- a/composer.json +++ b/composer.json 
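Review bot: In the UserController signup hunk, `new \ReCaptcha\ReCaptcha(env('POLR_RECAPTCHA_SECRET_KEY'))` runs whenever the option is on, and as far as I know the library's constructor throws on an empty secret, so an instance with the option enabled but no key would answer every signup with an unhandled error. Check the secret first and fail closed with a clear message, e.g. `if (!env('POLR_RECAPTCHA_SECRET_KEY')) { abort(500, 'reCAPTCHA is enabled but not configured.'); }`. The failure branch also discards `$recaptcha_resp->getErrorCodes()`; logging them before the redirect lets an operator tell a rejected secret from a user who skipped the challenge. `$request->ip()` is the real client address only when proxy headers are handled correctly upstream, and the second argument to `verify()` is optional, so it can be omitted where that is not guaranteed. The method continues outside the hunk.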
@@ -14,7 +14,8 @@ "torann/geoip": "^1.0", "geoip2/geoip2": "^2.4", "nesbot/carbon": "^1.22", - "doctrine/dbal": "^2.5" + "doctrine/dbal": "^2.5", + "google/recaptcha": "~1.1" }, "require-dev": { "fzaninotto/faker": "~1.0", diff --git a/composer.lock b/composer.lock index 232733f..14d90c6 100644 --- a/composer.lock +++ b/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", "This file is @generated automatically" ], - "content-hash": "270b76198a63efcbd85347ec35e337f4", + "content-hash": "1b7ae24ee886aba13a99bf0207be0cdd", "packages": [ { "name": "composer/ca-bundle", @@ -682,6 +682,51 @@ ], "time": "2016-10-11T21:58:42+00:00" }, + { + "name": "google/recaptcha", + "version": "1.1.3", + "source": { + "type": "git", + "url": "https://github.com/google/recaptcha.git", + "reference": "5a56d15ca10a7b75158178752b2ad8f755eb4f78" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/google/recaptcha/zipball/5a56d15ca10a7b75158178752b2ad8f755eb4f78", + "reference": "5a56d15ca10a7b75158178752b2ad8f755eb4f78", + "shasum": "" + }, + "require": { + "php": ">=5.5" + }, + "require-dev": { + "phpunit/phpunit": "^4.8" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "1.1.x-dev" + } + }, + "autoload": { + "psr-4": { + "ReCaptcha\\": "src/ReCaptcha" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "BSD-3-Clause" + ], + "description": "Client library for reCAPTCHA, a free service that protect websites from spam and abuse.", + "homepage": "http://www.google.com/recaptcha/", + "keywords": [ + "Abuse", + "captcha", + "recaptcha", + "spam" + ], + "time": "2017-03-09T18:44:34+00:00" + }, { "name": "illuminate/auth", "version": "v5.1.28", diff --git a/public/css/signup.css b/public/css/signup.css index 5996f15..2de4c77 100644 --- a/public/css/signup.css +++ b/public/css/signup.css 
@@ -17,3 +17,7 @@ .login-prompt { padding-top: 15px; } + +.g-recaptcha { + margin-bottom: 2em; +} diff --git a/resources/views/env.blade.php b/resources/views/env.blade.php index 7bfd358..0b2b834 100644 --- a/resources/views/env.blade.php +++ b/resources/views/env.blade.php @@ -51,6 +51,11 @@ POLR_ALLOW_ACCT_CREATION={{$POLR_ALLOW_ACCT_CREATION}} # Set to true to require activation by email (e.g true/false) POLR_ACCT_ACTIVATION={{$POLR_ACCT_ACTIVATION}} +# Set to true to require reCAPTCHAs on sign up pages +# If this setting is enabled, you must also provide your reCAPTCHA keys +# in POLR_RECAPTCHA_SITE_KEY and POLR_RECAPTCHA_SECRET_KEY +POLR_ACCT_CREATION_RECAPTCHA={{$POLR_ACCT_CREATION_RECAPTCHA}} + # Set to true to require users to be logged in before shortening URLs SETTING_SHORTEN_PERMISSION={{$ST_SHORTEN_PERMISSION}} @@ -86,6 +91,12 @@ SETTING_RESTRICT_EMAIL_DOMAIN={{$ST_RESTRICT_EMAIL_DOMAIN}} # A comma-separated list of permitted email domains SETTING_ALLOWED_EMAIL_DOMAINS={{$ST_ALLOWED_EMAIL_DOMAINS}} +# reCAPTCHA site key +POLR_RECAPTCHA_SITE_KEY={{$POLR_RECAPTCHA_SITE_KEY}} + +# reCAPTCHA secret key +POLR_RECAPTCHA_SECRET_KEY={{$POLR_RECAPTCHA_SECRET}} + # Set each to blank to disable mail @if($MAIL_ENABLED) MAIL_DRIVER=smtp diff --git a/resources/views/setup.blade.php b/resources/views/setup.blade.php index c94ec85..c50b045 100644 --- a/resources/views/setup.blade.php +++ b/resources/views/setup.blade.php @@ -207,6 +207,34 @@ Setup Please ensure SMTP is properly set up before enabling password recovery.

+

+ Require reCAPTCHA for Registrations + +

+ + +

+ reCAPTCHA Configuration: + +

+ +

+ reCAPTCHA Site Key +

+ + +

+ reCAPTCHA Secret Key +

+ + +

+ You can obtain reCAPTCHA keys from Google's reCAPTCHA website. +

+

Theme (screenshots):

Password: Email: + + @if (env('POLR_ACCT_CREATION_RECAPTCHA')) +
+ @endif +

@@ -34,6 +39,9 @@

Email

The email you will use to verify your account or to recover your account.

- @endsection + +@section('js') + +@endsection -- cgit v1.2.3 From 53128c11b4b2f7ca804cb9b9dfd66a34ecf1752b Mon Sep 17 00:00:00 2001 From: Chaoyi Zha Date: Wed, 17 May 2017 21:34:29 -0400 Subject: Load reCAPTCHA script only if it is enabled for the registration form --- resources/views/signup.blade.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/resources/views/signup.blade.php b/resources/views/signup.blade.php index d0bf3ea..1bba206 100644 --- a/resources/views/signup.blade.php +++ b/resources/views/signup.blade.php @@ -43,5 +43,7 @@ @endsection @section('js') - + @if (env('POLR_ACCT_CREATION_RECAPTCHA')) + + @endif @endsection -- cgit v1.2.3