Add invisible ReCAPTCHA to login and password reset

Author: schrej

app/Events/Auth/FailedCaptcha.php

@@ -0,0 +1,59 @@
+<?php
+/**
+* Pterodactyl - Panel
+* Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>.
+*
+* Permission is hereby granted, free of charge, to any person obtaining a copy
+* of this software and associated documentation files (the "Software"), to deal
+* in the Software without restriction, including without limitation the rights
+* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+* copies of the Software, and to permit persons to whom the Software is
+* furnished to do so, subject to the following conditions:
+*
+* The above copyright notice and this permission notice shall be included in all
+* copies or substantial portions of the Software.
+*
+* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+* SOFTWARE.
+*/
+
+namespace Pterodactyl\Events\Auth;
+
+use Illuminate\Queue\SerializesModels;
+
+class FailedCaptcha
+{
+    use SerializesModels;
+    
+    /**
+    * The IP that the request originated from.
+    *
+    * @var string
+    */
+    public $ip;
+
+    /**
+     * The domain that was used to try to verify the request with recaptcha api.
+     * 
+     * @var string
+     */
+    public $domain;
+    
+    /**
+    * Create a new event instance.
+    *
+    * @param  string  $ip
+    * @param  string  $domain
+    * @return void
+    */
+    public function __construct($ip, $domain)
+    {
+        $this->ip = $ip;
+        $this->domain = $domain;
+    }
+}

app/Http/Kernel.php

@@ -58,5 +58,6 @@ class Kernel extends HttpKernel
         'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
         'can' => \Illuminate\Auth\Middleware\Authorize::class,
         'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class,
+        'recaptcha' => \Pterodactyl\Http\Middleware\VerifyReCaptcha::class,
     ];
 }

app/Http/Middleware/VerifyReCaptcha.php

@@ -0,0 +1,59 @@
+<?php
+
+namespace Pterodactyl\Http\Middleware;
+
+use Closure;
+use Alert;
+use \Pterodactyl\Events\Auth\FailedCaptcha;
+
+class VerifyReCaptcha
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @return mixed
+     */
+    public function handle($request, Closure $next)
+    {
+        if (!config('recaptcha.enabled')) return next($request);
+        
+        $response_domain = null;
+
+        if ($request->has('g-recaptcha-response')) {
+            $response = $request->get('g-recaptcha-response');
+
+            $client = new \GuzzleHttp\Client();
+            $res = $client->post('https://www.google.com/recaptcha/api/siteverify', [
+                'form_params' => [
+                    'secret' => config('recaptcha.secret_key'),
+                    'response' => $response,
+                ],
+            ]);
+
+            if ($res->getStatusCode() === 200) {
+                $result = json_decode($res->getBody());
+
+                $response_domain = $result->hostname;
+
+                // Compare the domain received by google with the app url
+                $domain_verified = false;
+                if (config('recaptcha.verify_domain')) {
+                   $matches;
+                   preg_match('/^(?:https?:\/\/)?((?:www\.)?[^:\/\n]+)/', config('app.url'), $matches);
+                   $domain = $matches[1];
+                   $domain_verified = $response_domain === $domain;
+                }
+
+                if ($result->success && (!config('recaptcha.verify_domain') || $domain_verified)) {
+                    return $next($request);
+                }
+            }
+        }
+        
+        // Emit an event and return to the previous view with an error (only the captcha error will be shown!)
+        event(new FailedCaptcha($request->ip(), $response_domain));
+        return back()->withErrors(['g-recaptcha-response' => trans('strings.captcha_invalid')])->withInput();
+    }
+}

app/Http/Routes/AuthRoutes.php

@@ -55,6 +55,7 @@ public function map(Router $router)
             // Handle Login
             $router->post('login', [
                 'uses' => 'Auth\LoginController@login',
+                'middleware' => 'recaptcha',
             ]);
 
             $router->get('login/totp', [
@@ -75,6 +76,7 @@ public function map(Router $router)
             // Handle Password Reset
             $router->post('password', [
                 'uses' => 'Auth\ForgotPasswordController@sendResetLinkEmail',
+                'middleware' => 'recaptcha',
             ]);
 
             // Show Verification Checkpoint
@@ -87,6 +89,7 @@ public function map(Router $router)
             $router->post('password/reset', [
                 'as' => 'auth.reset.post',
                 'uses' => 'Auth\ResetPasswordController@reset',
+                'middleware' => 'recaptcha',
             ]);
         });
 

config/recaptcha.php

@@ -0,0 +1,26 @@
+<?php
+
+return [
+
+    /**
+     * Enable or disable captchas
+     */
+    'enabled' => env('RECAPTCHA_ENABLED', true),
+
+    /**
+     * Use a custom secret key, we use our public one by default
+     */
+    'secret_key' => env('RECAPTCHA_SECRET_KEY', '6LekAxoUAAAAAPW-PxNWaCLH76WkClMLSa2jImwD'),
+
+    /**
+     * Use a custom website key, we use our public one by default
+     */
+    'website_key' => env('RECAPTCHA_WEBSITE_KEY' ,'6LekAxoUAAAAADjWZJ4ufcDRZBBiH9vfHawqRbup'),
+
+    /**
+     * Domain verification is enabled by default and compares the domain used when solving the captcha
+     * as public keys can't have domain verification on google's side enabled (obviously).
+     */
+    'verify_domain' => true,
+
+];

resources/lang/en/strings.php

@@ -69,4 +69,5 @@
     'owner' => 'Owner',
     'admin' => 'Admin',
     'subuser' => 'Subuser',
+    'captcha_invalid' => 'The provided captcha is invalid.',
 ];

resources/themes/pterodactyl/auth/login.blade.php

@@ -45,7 +45,7 @@
         @endforeach
     @endforeach
     <p class="login-box-msg">@lang('auth.authentication_required')</p>
-    <form action="{{ route('auth.login') }}" method="POST">
+    <form id="loginForm" action="{{ route('auth.login') }}" method="POST">
         <div class="form-group has-feedback">
             <input name="user" class="form-control" value="{{ old('user') }}" placeholder="@lang('strings.user_identifier')">
             <span class="fa fa-envelope form-control-feedback"></span>
@@ -62,10 +62,20 @@
             </div>
             <div class="col-xs-4">
                 {!! csrf_field() !!}
-                <button type="submit" class="btn btn-primary btn-block btn-flat">@lang('auth.sign_in')</button>
+                <button type="submit" class="btn btn-primary btn-block btn-flat g-recaptcha" data-sitekey="{{ config('recaptcha.website_key') }}" data-callback='onSubmit'>@lang('auth.sign_in')</button>
             </div>
         </div>
     </form>
     <a href="{{ route('auth.password') }}">@lang('auth.forgot_password')</a><br>
 </div>
 @endsection
+
+@section('scripts')
+    @parent
+    <script src="https://www.google.com/recaptcha/api.js" async defer></script>
+    <script>
+       function onSubmit(token) {
+         document.getElementById("loginForm").submit();
+       }
+     </script>
+@endsection

resources/themes/pterodactyl/auth/passwords/email.blade.php

@@ -25,13 +25,24 @@
 
 @section('content')
 <div class="login-box-body">
+    @if (count($errors) > 0)
+        <div class="callout callout-danger">
+            <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button>
+            @lang('auth.auth_error')<br><br>
+            <ul>
+                @foreach ($errors->all() as $error)
+                    <li>{{ $error }}</li>
+                @endforeach
+            </ul>
+        </div>
+    @endif
     @if (session('status'))
         <div class="callout callout-success">
             @lang('auth.email_sent')
         </div>
     @endif
     <p class="login-box-msg">@lang('auth.request_reset_text')</p>
-    <form action="{{ route('auth.password') }}" method="POST">
+    <form id="resetForm" action="{{ route('auth.password') }}" method="POST">
         <div class="form-group has-feedback">
             <input type="email" name="email" class="form-control" value="{{ old('email') }}" autofocus placeholder="@lang('strings.email')">
             <span class="fa fa-envelope form-control-feedback"></span>
@@ -47,9 +58,19 @@
             </div>
             <div class="col-xs-8">
                 {!! csrf_field() !!}
-                <button type="submit" class="btn btn-primary btn-block btn-flat">@lang('auth.request_reset')</button>
+                <button type="submit" class="btn btn-primary btn-block btn-flat g-recaptcha" data-sitekey="{{ config('recaptcha.website_key') }}" data-callback='onSubmit'>@lang('auth.request_reset')</button>
             </div>
         </div>
     </form>
 </div>
 @endsection
+
+@section('scripts')
+    @parent
+    <script src="https://www.google.com/recaptcha/api.js" async defer></script>
+    <script>
+       function onSubmit(token) {
+         document.getElementById("resetForm").submit();
+       }
+     </script>
+@endsection