From 1a36aa89041b6813c1cb5d9e87f859fb648bdc1e Mon Sep 17 00:00:00 2001 From: slawkens Date: Thu, 15 Oct 2020 19:55:12 +0200 Subject: [PATCH 1/8] [WIP] New GoogleReCAPTCHA code Support for v3 v2-invisible doesn't work yet --- config.php | 4 + system/functions.php | 6 +- system/libs/GoogleReCAPTCHA.php | 83 +++++++++++++++++++ system/login.php | 8 ++ system/pages/createaccount.php | 13 +-- system/templates/account.create.html.twig | 36 +++++--- system/templates/account.login.html.twig | 22 ++++- .../templates/google_recaptcha_v3.html.twig | 11 +++ templates/tibiacom/account.login.html.twig | 20 +++++ 9 files changed, 178 insertions(+), 25 deletions(-) create mode 100644 system/libs/GoogleReCAPTCHA.php create mode 100644 system/templates/google_recaptcha_v3.html.twig diff --git a/config.php b/config.php index 376fad1d..75057068 100644 --- a/config.php +++ b/config.php @@ -127,9 +127,13 @@ $config = array( // reCAPTCHA (prevent spam bots) 'recaptcha_enabled' => false, // enable recaptcha verification code + 'recaptcha_type' => 'v3', // 'v2-checkbox', 'v2-invisible', 'v3' 'recaptcha_site_key' => '', // get your own site and secret keys at https://www.google.com/recaptcha 'recaptcha_secret_key' => '', 'recaptcha_theme' => 'light', // light, dark + // min score for validation, between 0 - 1.0 + // https://developers.google.com/recaptcha/docs/v3#interpreting_the_score + 'recaptcha_v3_min_score' => 1.1, // 'generate_new_reckey' => true, // let player generate new recovery key, he will receive e-mail with new rec key (not display on page, hacker can't generate rec key) diff --git a/system/functions.php b/system/functions.php index 903570db..891a2ab3 100644 --- a/system/functions.php +++ b/system/functions.php @@ -496,8 +496,10 @@ function template_header($is_admin = false) '; - if($config['recaptcha_enabled']) - $ret .= ""; + if(config('recaptcha_enabled')) { + $ret .= ''; + } + return $ret; } diff --git a/system/libs/GoogleReCAPTCHA.php b/system/libs/GoogleReCAPTCHA.php new file mode 100644 index 00000000..d1799619 --- /dev/null +++ b/system/libs/GoogleReCAPTCHA.php @@ -0,0 +1,83 @@ +score . ', action:' . $json->action); + if (!isset($json->action) || $json->action !== $action) { + self::$errorType = self::ERROR_INVALID_ACTION; + self::$errorMessage = 'Google ReCaptcha returned invalid action.'; + return false; + } + + if (!isset($json->score) || $json->score < config('recaptcha_v3_min_score')) { + self::$errorType = self::ERROR_LOW_SCORE; + self::$errorMessage = 'Your Google ReCaptcha score was too low.'; + return false; + } + } + + if (!isset($json->success) || !$json->success) { + self::$errorType = self::ERROR_NO_SUCCESS; + self::$errorMessage = "Please confirm that you're not a robot."; + return false; + } + + return true; + } + + /** + * @return string + */ + public static function getErrorMessage() { + return self::$errorMessage; + } + + /** + * @return int + */ + public static function getErrorType() { + return self::$errorType; + } +} diff --git a/system/login.php b/system/login.php index 330efd13..452974cb 100644 --- a/system/login.php +++ b/system/login.php @@ -84,6 +84,14 @@ else $t = isset($tmp[$ip]) ? $tmp[$ip] : NULL; } + if(config('recaptcha_enabled')) + { + require LIBS . 'GoogleReCAPTCHA.php'; + if (!GoogleReCAPTCHA::verify('login')) { + $errors[] = GoogleReCAPTCHA::getErrorMessage(); + } + } + $account_logged = new OTS_Account(); if(USE_ACCOUNT_NAME) $account_logged->find($login_account); diff --git a/system/pages/createaccount.php b/system/pages/createaccount.php index 8af31629..49971e97 100644 --- a/system/pages/createaccount.php +++ b/system/pages/createaccount.php @@ -68,17 +68,12 @@ if($save) $errors['country'] = 'Country is invalid.'; } - if($config['recaptcha_enabled']) + if(config('recaptcha_enabled')) { - if(isset($_POST['g-recaptcha-response']) && !empty($_POST['g-recaptcha-response'])) - { - $verifyResponse = file_get_contents('https://www.google.com/recaptcha/api/siteverify?secret='.$config['recaptcha_secret_key'].'&response='.$_POST['g-recaptcha-response']); - $responseData = json_decode($verifyResponse); - if(!$responseData->success) - $errors['verification'] = "Please confirm that you're not a robot."; + require LIBS . 'GoogleReCAPTCHA.php'; + if (!GoogleReCAPTCHA::verify('register')) { + $errors['verification'] = GoogleReCAPTCHA::getErrorMessage(); } - else - $errors['verification'] = "Please confirm that you're not a robot."; } // password diff --git a/system/templates/account.create.html.twig b/system/templates/account.create.html.twig index a52119b7..9f8e83b4 100644 --- a/system/templates/account.create.html.twig +++ b/system/templates/account.create.html.twig @@ -104,19 +104,25 @@ {{ hook('HOOK_ACCOUNT_CREATE_AFTER_PASSWORDS') }} - {% if config.recaptcha_enabled %} - - - Verification: - - -
- - - {% if errors.verification is defined %} - {{ errors.verification }} - {% endif %} - {% endif %} + {% if config.recaptcha_enabled %} + {% if config.recaptcha_type == 'v3' %} + + {% elseif config.recaptcha_type == 'v2-invisible' %} +
+ {% elseif config.recaptcha_type == 'v2-checkbox' %} + + + Verification: + + +
+ + + {% if errors.verification is defined %} + {{ errors.verification }} + {% endif %} + {% endif %} + {% endif %} {{ hook('HOOK_ACCOUNT_CREATE_AFTER_RECAPTCHA') }} @@ -334,3 +340,7 @@ {{ hook('HOOK_ACCOUNT_CREATE_AFTER_FORM') }} +{% if config.recaptcha_enabled and config.recaptcha_type == 'v3' %} + {% set action = 'register' %} + {{ include('google_recaptcha_v3.html.twig') }} +{% endif %} \ No newline at end of file diff --git a/system/templates/account.login.html.twig b/system/templates/account.login.html.twig index 2ac4f3f6..40cd0f9c 100644 --- a/system/templates/account.login.html.twig +++ b/system/templates/account.login.html.twig @@ -39,6 +39,22 @@ Please enter your account {{ account|lower }} and your password.
+ {% if config.recaptcha_enabled %} + {% if config.recaptcha_type == 'v3' %} + + {% elseif config.recaptcha_type == 'v2-invisible' %} +
+ {% elseif config.recaptcha_type == 'v2-checkbox' %} + + + Verification: + + +
+ + + {% endif %} + {% endif %} {% if error is not null %} {{ error }} {% endif %} @@ -73,4 +89,8 @@ Please enter your account {{ account|lower }} and your password.
 + {% if config.recaptcha_enabled %} + {% if config.recaptcha_type == 'v3' %} + + {% elseif config.recaptcha_type == 'v2-invisible' %} +
+ {% elseif config.recaptcha_type == 'v2-checkbox' %} + + + Verification: + + +
+ + + {% endif %} + {% endif %}
@@ -142,3 +158,7 @@
+{% if config.recaptcha_enabled and config.recaptcha_type == 'v3' %} + {% set action = 'login' %} + {{ include('google_recaptcha_v3.html.twig') }} +{% endif %} \ No newline at end of file From fd51fa7779d1d15e1f54fe4563e6f9a0031267e7 Mon Sep 17 00:00:00 2001 From: slawkens Date: Fri, 16 Oct 2020 20:28:05 +0200 Subject: [PATCH 2/8] Add some notice about recaptchas versions --- config.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/config.php b/config.php index 75057068..2bdf1413 100644 --- a/config.php +++ b/config.php @@ -130,10 +130,12 @@ $config = array( 'recaptcha_type' => 'v3', // 'v2-checkbox', 'v2-invisible', 'v3' 'recaptcha_site_key' => '', // get your own site and secret keys at https://www.google.com/recaptcha 'recaptcha_secret_key' => '', + // following option apply only for ReCaptcha v2-checkbox 'recaptcha_theme' => 'light', // light, dark + // following option apply only for ReCaptcha v3 // min score for validation, between 0 - 1.0 // https://developers.google.com/recaptcha/docs/v3#interpreting_the_score - 'recaptcha_v3_min_score' => 1.1, + 'recaptcha_v3_min_score' => 0.5, // 'generate_new_reckey' => true, // let player generate new recovery key, he will receive e-mail with new rec key (not display on page, hacker can't generate rec key) From 87a98531d997f026e5924832aac5b7af9b6f1729 Mon Sep 17 00:00:00 2001 From: slawkens Date: Sun, 28 Aug 2022 18:13:34 +0200 Subject: [PATCH 3/8] Lets support only ReCaptcha v3 Too much mess ;) --- config.php | 6 +---- system/functions.php | 2 +- system/templates/account.create.html.twig | 24 ++++--------------- system/templates/account.login.html.twig | 19 +++------------ ...3.html.twig => google_recaptcha.html.twig} | 0 templates/tibiacom/account.login.html.twig | 21 ++++------------ 6 files changed, 13 insertions(+), 59 deletions(-) rename system/templates/{google_recaptcha_v3.html.twig => google_recaptcha.html.twig} (100%) diff --git a/config.php b/config.php index 2bdf1413..2ba7b93d 100644 --- a/config.php +++ b/config.php @@ -125,14 +125,10 @@ $config = array( 'smtp_secure' => '', // What kind of encryption to use on the SMTP connection. Options: '', 'ssl' (GMail) or 'tls' (Microsoft Outlook) 'smtp_debug' => false, // set true to debug (you will see more info in error.log) - // reCAPTCHA (prevent spam bots) + // reCAPTCHA v3 (prevent spam bots) 'recaptcha_enabled' => false, // enable recaptcha verification code - 'recaptcha_type' => 'v3', // 'v2-checkbox', 'v2-invisible', 'v3' 'recaptcha_site_key' => '', // get your own site and secret keys at https://www.google.com/recaptcha 'recaptcha_secret_key' => '', - // following option apply only for ReCaptcha v2-checkbox - 'recaptcha_theme' => 'light', // light, dark - // following option apply only for ReCaptcha v3 // min score for validation, between 0 - 1.0 // https://developers.google.com/recaptcha/docs/v3#interpreting_the_score 'recaptcha_v3_min_score' => 0.5, diff --git a/system/functions.php b/system/functions.php index 891a2ab3..c4b51046 100644 --- a/system/functions.php +++ b/system/functions.php @@ -497,7 +497,7 @@ function template_header($is_admin = false) '; if(config('recaptcha_enabled')) { - $ret .= ''; + $ret .= ''; } return $ret; diff --git a/system/templates/account.create.html.twig b/system/templates/account.create.html.twig index 9f8e83b4..2c4b9654 100644 --- a/system/templates/account.create.html.twig +++ b/system/templates/account.create.html.twig @@ -105,23 +105,7 @@ {{ hook('HOOK_ACCOUNT_CREATE_AFTER_PASSWORDS') }} {% if config.recaptcha_enabled %} - {% if config.recaptcha_type == 'v3' %} - - {% elseif config.recaptcha_type == 'v2-invisible' %} -
- {% elseif config.recaptcha_type == 'v2-checkbox' %} - - - Verification: - - -
- - - {% if errors.verification is defined %} - {{ errors.verification }} - {% endif %} - {% endif %} + {% endif %} {{ hook('HOOK_ACCOUNT_CREATE_AFTER_RECAPTCHA') }} @@ -340,7 +324,7 @@ {{ hook('HOOK_ACCOUNT_CREATE_AFTER_FORM') }} -{% if config.recaptcha_enabled and config.recaptcha_type == 'v3' %} +{% if config.recaptcha_enabled %} {% set action = 'register' %} - {{ include('google_recaptcha_v3.html.twig') }} -{% endif %} \ No newline at end of file + {{ include('google_recaptcha.html.twig') }} +{% endif %} diff --git a/system/templates/account.login.html.twig b/system/templates/account.login.html.twig index 40cd0f9c..cc10dd67 100644 --- a/system/templates/account.login.html.twig +++ b/system/templates/account.login.html.twig @@ -40,20 +40,7 @@ Please enter your account {{ account|lower }} and your password.
 Remember me {% if config.recaptcha_enabled %} - {% if config.recaptcha_type == 'v3' %} - {% elseif config.recaptcha_type == 'v2-invisible' %} -
- {% elseif config.recaptcha_type == 'v2-checkbox' %} - - - Verification: - - -
- - - {% endif %} {% endif %} {% if error is not null %} {{ error }} @@ -90,7 +77,7 @@ Please enter your account {{ account|lower }} and your password.
 Remember me {% if config.recaptcha_enabled %} - {% if config.recaptcha_type == 'v3' %} - - {% elseif config.recaptcha_type == 'v2-invisible' %} -
- {% elseif config.recaptcha_type == 'v2-checkbox' %} - - - Verification: - - -
- - - {% endif %} + {% endif %}
@@ -158,7 +145,7 @@
-{% if config.recaptcha_enabled and config.recaptcha_type == 'v3' %} +{% if config.recaptcha_enabled %} {% set action = 'login' %} - {{ include('google_recaptcha_v3.html.twig') }} -{% endif %} \ No newline at end of file + {{ include('google_recaptcha.html.twig') }} +{% endif %} From a9941dea8a0d7a947ddf36eb5335195393cb3123 Mon Sep 17 00:00:00 2001 From: slawkens Date: Mon, 29 Aug 2022 19:04:47 +0200 Subject: [PATCH 4/8] Fixes --- config.php | 4 ++-- system/libs/GoogleReCAPTCHA.php | 24 +++++++++------------ system/templates/templates.header.html.twig | 4 ++-- 3 files changed, 14 insertions(+), 18 deletions(-) diff --git a/config.php b/config.php index bd8483bf..36eda984 100644 --- a/config.php +++ b/config.php @@ -135,13 +135,13 @@ $config = array( 'smtp_secure' => '', // What kind of encryption to use on the SMTP connection. Options: '', 'ssl' (GMail) or 'tls' (Microsoft Outlook) 'smtp_debug' => false, // set true to debug (you will see more info in error.log) - // reCAPTCHA v3 (prevent spam bots) + // Google reCAPTCHA v3 (prevent spam bots) 'recaptcha_enabled' => false, // enable recaptcha verification code 'recaptcha_site_key' => '', // get your own site and secret keys at https://www.google.com/recaptcha 'recaptcha_secret_key' => '', // min score for validation, between 0 - 1.0 // https://developers.google.com/recaptcha/docs/v3#interpreting_the_score - 'recaptcha_v3_min_score' => 0.5, + 'recaptcha_min_score' => 0.5, // 'generate_new_reckey' => true, // let player generate new recovery key, he will receive e-mail with new rec key (not display on page, hacker can't generate rec key) diff --git a/system/libs/GoogleReCAPTCHA.php b/system/libs/GoogleReCAPTCHA.php index d1799619..fe4bda0a 100644 --- a/system/libs/GoogleReCAPTCHA.php +++ b/system/libs/GoogleReCAPTCHA.php @@ -41,21 +41,17 @@ class GoogleReCAPTCHA } $json = json_decode($response); + //log_append('recaptcha.log', 'recaptcha_score: ' . $json->score . ', action:' . $json->action); + if (!isset($json->action) || $json->action !== $action) { + self::$errorType = self::ERROR_INVALID_ACTION; + self::$errorMessage = 'Google ReCaptcha returned invalid action.'; + return false; + } - $recaptchaType = config('recaptcha_type'); - if ($recaptchaType === 'v3') { // score based - log_append('recaptcha.log', 'recaptcha_score: ' . $json->score . ', action:' . $json->action); - if (!isset($json->action) || $json->action !== $action) { - self::$errorType = self::ERROR_INVALID_ACTION; - self::$errorMessage = 'Google ReCaptcha returned invalid action.'; - return false; - } - - if (!isset($json->score) || $json->score < config('recaptcha_v3_min_score')) { - self::$errorType = self::ERROR_LOW_SCORE; - self::$errorMessage = 'Your Google ReCaptcha score was too low.'; - return false; - } + if (!isset($json->score) || $json->score < config('recaptcha_min_score')) { + self::$errorType = self::ERROR_LOW_SCORE; + self::$errorMessage = 'Your Google ReCaptcha score was too low.'; + return false; } if (!isset($json->success) || !$json->success) { diff --git a/system/templates/templates.header.html.twig b/system/templates/templates.header.html.twig index 6438076a..d6ae1fbb 100644 --- a/system/templates/templates.header.html.twig +++ b/system/templates/templates.header.html.twig @@ -17,5 +17,5 @@ {% if config.recaptcha_enabled %} - -{% endif %} \ No newline at end of file + +{% endif %} From c73e476e8859ec1341407fe74a9b83835aea1ca1 Mon Sep 17 00:00:00 2001 From: slawkens Date: Mon, 28 Nov 2022 12:36:23 +0100 Subject: [PATCH 5/8] Reverted support only for recaptcha v3 v2 & v3 are now both supported --- config.php | 8 +++++-- system/templates/account.create.html.twig | 22 ++++++++++++++++--- system/templates/account.login.html.twig | 19 +++++++++++++--- ...tml.twig => google_recaptcha_v3.html.twig} | 0 templates/tibiacom/account.login.html.twig | 21 ++++++++++++++---- 5 files changed, 58 insertions(+), 12 deletions(-) rename system/templates/{google_recaptcha.html.twig => google_recaptcha_v3.html.twig} (100%) diff --git a/config.php b/config.php index 36eda984..5f6d7706 100644 --- a/config.php +++ b/config.php @@ -135,13 +135,17 @@ $config = array( 'smtp_secure' => '', // What kind of encryption to use on the SMTP connection. Options: '', 'ssl' (GMail) or 'tls' (Microsoft Outlook) 'smtp_debug' => false, // set true to debug (you will see more info in error.log) - // Google reCAPTCHA v3 (prevent spam bots) + // reCAPTCHA (prevent spam bots) 'recaptcha_enabled' => false, // enable recaptcha verification code + 'recaptcha_type' => 'v3', // 'v2-checkbox', 'v2-invisible', 'v3' 'recaptcha_site_key' => '', // get your own site and secret keys at https://www.google.com/recaptcha 'recaptcha_secret_key' => '', + // following option apply only for ReCaptcha v2-checkbox + 'recaptcha_theme' => 'light', // light, dark + // following option apply only for ReCaptcha v3 // min score for validation, between 0 - 1.0 // https://developers.google.com/recaptcha/docs/v3#interpreting_the_score - 'recaptcha_min_score' => 0.5, + 'recaptcha_v3_min_score' => 0.5, // 'generate_new_reckey' => true, // let player generate new recovery key, he will receive e-mail with new rec key (not display on page, hacker can't generate rec key) diff --git a/system/templates/account.create.html.twig b/system/templates/account.create.html.twig index 84be3ac6..b08ba42d 100644 --- a/system/templates/account.create.html.twig +++ b/system/templates/account.create.html.twig @@ -110,7 +110,23 @@ {{ hook('HOOK_ACCOUNT_CREATE_AFTER_PASSWORDS') }} {% if config.recaptcha_enabled %} - + {% if config.recaptcha_type == 'v3' %} + + {% elseif config.recaptcha_type == 'v2-invisible' %} +
+ {% elseif config.recaptcha_type == 'v2-checkbox' %} + + + Verification: + + +
+ + + {% if errors.verification is defined %} + {{ errors.verification }} + {% endif %} + {% endif %} {% endif %} {{ hook('HOOK_ACCOUNT_CREATE_AFTER_RECAPTCHA') }} @@ -329,9 +345,9 @@ {{ hook('HOOK_ACCOUNT_CREATE_AFTER_FORM') }} -{% if config.recaptcha_enabled %} +{% if config.recaptcha_enabled and config.recaptcha_type == 'v3' %} {% set action = 'register' %} - {{ include('google_recaptcha.html.twig') }} + {{ include('google_recaptcha_v3.html.twig') }} {% endif %}