[WIP] New GoogleReCAPTCHA code

Support for v3
v2-invisible doesn't work yet

config.php

@@ -127,9 +127,13 @@ $config = array(
 
 	// reCAPTCHA (prevent spam bots)
 	'recaptcha_enabled' => false, // enable recaptcha verification code
+	'recaptcha_type' => 'v3', // 'v2-checkbox', 'v2-invisible', 'v3'
 	'recaptcha_site_key' => '', // get your own site and secret keys at https://www.google.com/recaptcha
 	'recaptcha_secret_key' => '',
 	'recaptcha_theme' => 'light', // light, dark
+	// min score for validation, between 0 - 1.0
+	// https://developers.google.com/recaptcha/docs/v3#interpreting_the_score
+	'recaptcha_v3_min_score' => 1.1,
 
 	//
 	'generate_new_reckey' => true,				// let player generate new recovery key, he will receive e-mail with new rec key (not display on page, hacker can't generate rec key)

system/functions.php

@@ -496,8 +496,10 @@ function template_header($is_admin = false)
 	</noscript>
 ';
 
-	if($config['recaptcha_enabled'])
+	if(config('recaptcha_enabled')) {
-		$ret .= "<script src='https://www.google.com/recaptcha/api.js'></script>";
+		$ret .= '<script src="https://www.google.com/recaptcha/api.js' . (config('recaptcha_type') === 'v2-checkbox' ? '' : '?render=' . config('recaptcha_site_key')) . '"></script>';
+	}
+
 	return $ret;
 }
 

system/libs/GoogleReCAPTCHA.php

@@ -0,0 +1,83 @@
+<?php
+
+class GoogleReCAPTCHA
+{
+	private static $errorMessage = '';
+	private static $errorType;
+
+	const ERROR_MISSING_RESPONSE = 1;
+	const ERROR_INVALID_ACTION = 2;
+	const ERROR_LOW_SCORE = 3;
+	const ERROR_NO_SUCCESS = 4;
+
+	public static function verify($action = '')
+	{
+		if (!isset($_POST['g-recaptcha-response']) || empty($_POST['g-recaptcha-response'])) {
+			self::$errorType = self::ERROR_MISSING_RESPONSE;
+			self::$errorMessage = "Please confirm that you're not a robot.";
+			return false;
+		}
+
+		$recaptchaApiUrl = 'https://www.google.com/recaptcha/api/siteverify';
+		$secretKey = config('recaptcha_secret_key');
+
+		$recaptchaResponse = $_POST['g-recaptcha-response'];
+		$ip = $_SERVER['REMOTE_ADDR'];
+		$params = 'secret='.$secretKey.'&response='.$recaptchaResponse.'&remoteip='.$ip;
+
+		if (function_exists('curl_version')) {
+			$curl_connection = curl_init($recaptchaApiUrl);
+
+			curl_setopt($curl_connection, CURLOPT_CONNECTTIMEOUT, 5);
+			curl_setopt($curl_connection, CURLOPT_RETURNTRANSFER, true);
+			curl_setopt($curl_connection, CURLOPT_SSL_VERIFYPEER, false);
+			curl_setopt($curl_connection, CURLOPT_FOLLOWLOCATION, 0);
+			curl_setopt($curl_connection, CURLOPT_POSTFIELDS, $params);
+
+			$response = curl_exec($curl_connection);
+			curl_close($curl_connection);
+		} else {
+			$response = file_get_contents($recaptchaApiUrl . '?' . $params);
+		}
+
+		$json = json_decode($response);
+
+		$recaptchaType = config('recaptcha_type');
+		if ($recaptchaType === 'v3') { // score based
+			log_append('recaptcha.log', 'recaptcha_score: ' . $json->score . ', action:' . $json->action);
+			if (!isset($json->action) || $json->action !== $action) {
+				self::$errorType = self::ERROR_INVALID_ACTION;
+				self::$errorMessage = 'Google ReCaptcha returned invalid action.';
+				return false;
+			}
+
+			if (!isset($json->score) || $json->score < config('recaptcha_v3_min_score')) {
+				self::$errorType = self::ERROR_LOW_SCORE;
+				self::$errorMessage = 'Your Google ReCaptcha score was too low.';
+				return false;
+			}
+		}
+
+		if (!isset($json->success) || !$json->success) {
+			self::$errorType = self::ERROR_NO_SUCCESS;
+			self::$errorMessage = "Please confirm that you're not a robot.";
+			return false;
+		}
+
+		return true;
+	}
+
+	/**
+	 * @return string
+	 */
+	public static function getErrorMessage() {
+		return self::$errorMessage;
+	}
+
+	/**
+	 * @return int
+	 */
+	public static function getErrorType() {
+		return self::$errorType;
+	}
+}

system/login.php

@@ -84,6 +84,14 @@ else
 				$t = isset($tmp[$ip]) ? $tmp[$ip] : NULL;
 			}
 
+			if(config('recaptcha_enabled'))
+			{
+				require LIBS . 'GoogleReCAPTCHA.php';
+				if (!GoogleReCAPTCHA::verify('login')) {
+					$errors[] = GoogleReCAPTCHA::getErrorMessage();
+				}
+			}
+
 			$account_logged = new OTS_Account();
 			if(USE_ACCOUNT_NAME)
 				$account_logged->find($login_account);

system/pages/createaccount.php

@@ -68,17 +68,12 @@ if($save)
 			$errors['country'] = 'Country is invalid.';
 	}
 
-	if($config['recaptcha_enabled'])
+	if(config('recaptcha_enabled'))
 	{
-		if(isset($_POST['g-recaptcha-response']) && !empty($_POST['g-recaptcha-response']))
+		require LIBS . 'GoogleReCAPTCHA.php';
-		{
+		if (!GoogleReCAPTCHA::verify('register')) {
-			$verifyResponse = file_get_contents('https://www.google.com/recaptcha/api/siteverify?secret='.$config['recaptcha_secret_key'].'&response='.$_POST['g-recaptcha-response']);
+			$errors['verification'] = GoogleReCAPTCHA::getErrorMessage();
-			$responseData = json_decode($verifyResponse);
-			if(!$responseData->success)
-				$errors['verification'] = "Please confirm that you're not a robot.";
 		}
-		else
-			$errors['verification'] = "Please confirm that you're not a robot.";
 	}
 
 	// password

system/templates/account.create.html.twig

@@ -105,9 +105,14 @@
 												{{ hook('HOOK_ACCOUNT_CREATE_AFTER_PASSWORDS') }}
 
 												{% if config.recaptcha_enabled %}
+													{% if config.recaptcha_type == 'v3' %}
+														<input type="hidden" name="g-recaptcha-response" id="g-recaptcha-response" />
+													{% elseif config.recaptcha_type == 'v2-invisible' %}
+														<div class="g-recaptcha" data-sitekey="{{ config.recaptcha_site_key }}" data-bind="login-submit"></div>
+													{% elseif config.recaptcha_type == 'v2-checkbox' %}
 														<tr>
 															<td class="LabelV" style="width: 150px">
-															<span{% if errors.verification[0] is defined %} class="red"{% endif %}>Verification:</span>
+																<span{% if errors.verification[0] is not null %} class="red"{% endif %}>Verification:</span>
 															</td>
 															<td>
 																<div class="g-recaptcha" data-sitekey="{{ config.recaptcha_site_key }}" data-theme="{{ config.recaptcha_theme }}"></div>
@@ -117,6 +122,7 @@
 															<tr><td></td><td><span class="FormFieldError">{{ errors.verification }}</span></td></tr>
 														{% endif %}
 													{% endif %}
+												{% endif %}
 
 												{{ hook('HOOK_ACCOUNT_CREATE_AFTER_RECAPTCHA') }}
 												</tbody>
@@ -334,3 +340,7 @@
 </form>
 {{ hook('HOOK_ACCOUNT_CREATE_AFTER_FORM') }}
 <script type="text/javascript" src="tools/check_name.js"></script>
+{% if config.recaptcha_enabled and config.recaptcha_type == 'v3' %}
+	{% set action = 'register' %}
+	{{ include('google_recaptcha_v3.html.twig') }}
+{% endif %}

system/templates/account.login.html.twig

@@ -39,6 +39,22 @@ Please enter your account {{ account|lower }} and your password.<br/><a href="?s
 								<td><input type="checkbox" id="remember_me" name="remember_me" value="true" />
 									<label for="remember_me"> Remember me</label></td>
 							</tr>
+							{% if config.recaptcha_enabled %}
+								{% if config.recaptcha_type == 'v3' %}
+								<input type="hidden" name="g-recaptcha-response" id="g-recaptcha-response" />
+								{% elseif config.recaptcha_type == 'v2-invisible' %}
+									<div class="g-recaptcha" data-sitekey="{{ config.recaptcha_site_key }}" data-bind="login-submit"></div>
+								{% elseif config.recaptcha_type == 'v2-checkbox' %}
+								<tr>
+									<td class="LabelV" style="width: 150px">
+										<span{% if error is not null %} class="red"{% endif %}>Verification:</span>
+									</td>
+									<td>
+										<div class="g-recaptcha" data-sitekey="{{ config.recaptcha_site_key }}" data-theme="{{ config.recaptcha_theme }}"></div>
+									</td>
+								</tr>
+								{% endif %}
+							{% endif %}
 							{% if error is not null %}
 								<tr><td></td><td><span class="FormFieldError">{{ error }}</span></td></tr>
 							{% endif %}
@@ -74,3 +90,7 @@ Please enter your account {{ account|lower }} and your password.<br/><a href="?s
 			</td>
 		</tr>
 	</table>
+{% if config.recaptcha_enabled and config.recaptcha_type == 'v3' %}
+	{% set action = 'login' %}
+	{{ include('google_recaptcha_v3.html.twig') }}
+{% endif %}

system/templates/google_recaptcha_v3.html.twig

@@ -0,0 +1,11 @@
+<script>
+	$(document).ready(function() {
+		grecaptcha.ready(function() {
+			grecaptcha.execute('{{ config.recaptcha_site_key }}', {action: '{{ action }}'}).then(function(token) {
+				if (token) {
+					document.getElementById('g-recaptcha-response').value = token;
+				}
+			});
+		});
+	});
+</script>

templates/tibiacom/account.login.html.twig

@@ -45,6 +45,22 @@
 																<td><input type="checkbox" id="remember_me" name="remember_me" value="true" />
 																	<label for="remember_me"> Remember me</label></td>
 															</tr>
+															{% if config.recaptcha_enabled %}
+																{% if config.recaptcha_type == 'v3' %}
+																	<input type="hidden" name="g-recaptcha-response" id="g-recaptcha-response" />
+																{% elseif config.recaptcha_type == 'v2-invisible' %}
+																	<div class="g-recaptcha" data-sitekey="{{ config.recaptcha_site_key }}" data-bind="login-submit"></div>
+																{% elseif config.recaptcha_type == 'v2-checkbox' %}
+																	<tr>
+																		<td class="LabelV" style="width: 150px">
+																			<span{% if error is not null %} class="red"{% endif %}>Verification:</span>
+																		</td>
+																		<td>
+																			<div class="g-recaptcha" data-sitekey="{{ config.recaptcha_site_key }}" data-theme="{{ config.recaptcha_theme }}"></div>
+																		</td>
+																	</tr>
+																{% endif %}
+															{% endif %}
 														</table>
 														<div style="float: right; font-size: 1px;" >
 															<input type="hidden" name="page" value="overview" >
@@ -142,3 +158,7 @@
 		</tr>
 	</table>
 </div>
+{% if config.recaptcha_enabled and config.recaptcha_type == 'v3' %}
+	{% set action = 'login' %}
+	{{ include('google_recaptcha_v3.html.twig') }}
+{% endif %}