recaptcha 4.11.0 → 5.12.0

data/lib/recaptcha/adapters/controller_methods.rb

@@ -0,0 +1,96 @@
+# frozen_string_literal: true
+
+module Recaptcha
+  module Adapters
+    module ControllerMethods
+      private
+
+      # Your private API can be specified in the +options+ hash or preferably
+      # using the Configuration.
+      def verify_recaptcha(options = {})
+        options = {model: options} unless options.is_a? Hash
+        return true if Recaptcha.skip_env?(options[:env])
+
+        model = options[:model]
+        attribute = options.fetch(:attribute, :base)
+        recaptcha_response = options[:response] || recaptcha_response_token(options[:action])
+
+        begin
+          verified = if Recaptcha.invalid_response?(recaptcha_response)
+            false
+          else
+            unless options[:skip_remote_ip]
+              remoteip = (request.respond_to?(:remote_ip) && request.remote_ip) || (env && env['REMOTE_ADDR'])
+              options = options.merge(remote_ip: remoteip.to_s) if remoteip
+            end
+
+            success, @_recaptcha_reply =
+              Recaptcha.verify_via_api_call(recaptcha_response, options.merge(with_reply: true))
+            success
+          end
+
+          if verified
+            flash.delete(:recaptcha_error) if recaptcha_flash_supported? && !model
+            true
+          else
+            recaptcha_error(
+              model,
+              attribute,
+              options.fetch(:message) { Recaptcha::Helpers.to_error_message(:verification_failed) }
+            )
+            false
+          end
+        rescue Timeout::Error
+          if Recaptcha.configuration.handle_timeouts_gracefully
+            recaptcha_error(
+              model,
+              attribute,
+              options.fetch(:message) { Recaptcha::Helpers.to_error_message(:recaptcha_unreachable) }
+            )
+            false
+          else
+            raise RecaptchaError, 'Recaptcha unreachable.'
+          end
+        rescue StandardError => e
+          raise RecaptchaError, e.message, e.backtrace
+        end
+      end
+
+      def verify_recaptcha!(options = {})
+        verify_recaptcha(options) || raise(VerifyError)
+      end
+
+      def recaptcha_reply
+        @_recaptcha_reply if defined?(@_recaptcha_reply)
+      end
+
+      def recaptcha_error(model, attribute, message)
+        if model
+          model.errors.add(attribute, message)
+        elsif recaptcha_flash_supported?
+          flash[:recaptcha_error] = message
+        end
+      end
+
+      def recaptcha_flash_supported?
+        request.respond_to?(:format) && request.format == :html && respond_to?(:flash)
+      end
+
+      # Extracts response token from params. params['g-recaptcha-response-data'] for recaptcha_v3 or
+      # params['g-recaptcha-response'] for recaptcha_tags and invisible_recaptcha_tags and should
+      # either be a string or a hash with the action name(s) as keys. If it is a hash, then `action`
+      # is used as the key.
+      # @return [String] A response token if one was passed in the params; otherwise, `''`
+      def recaptcha_response_token(action = nil)
+        response_param = params['g-recaptcha-response-data'] || params['g-recaptcha-response']
+        response_param = response_param[action] if action && response_param.respond_to?(:key?)
+
+        if response_param.is_a?(String)
+          response_param
+        else
+          ''
+        end
+      end
+    end
+  end
+end

data/lib/recaptcha/adapters/view_methods.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Recaptcha
+  module Adapters
+    module ViewMethods
+      # Renders a [reCAPTCHA v3](https://developers.google.com/recaptcha/docs/v3) script and (by
+      # default) a hidden input to submit the response token. You can also call the functions
+      # directly if you prefer. You can use
+      # `Recaptcha::Helpers.recaptcha_v3_execute_function_name(action)` to get the name of the
+      # function to call.
+      def recaptcha_v3(options = {})
+        ::Recaptcha::Helpers.recaptcha_v3(options)
+      end
+
+      # Renders a reCAPTCHA [v2 Checkbox](https://developers.google.com/recaptcha/docs/display) widget
+      def recaptcha_tags(options = {})
+        ::Recaptcha::Helpers.recaptcha_tags(options)
+      end
+
+      # Renders a reCAPTCHA v2 [Invisible reCAPTCHA](https://developers.google.com/recaptcha/docs/invisible)
+      def invisible_recaptcha_tags(options = {})
+        ::Recaptcha::Helpers.invisible_recaptcha_tags(options)
+      end
+    end
+  end
+end

data/lib/recaptcha/configuration.rb

@@ -30,17 +30,33 @@ module Recaptcha
   #   end
   #
   class Configuration
-    attr_accessor :skip_verify_env, :secret_key, :site_key, :proxy, :handle_timeouts_gracefully, :hostname
+    DEFAULTS = {
+      'free_server_url' => 'https://www.recaptcha.net/recaptcha/api.js',
+      'enterprise_server_url' => 'https://www.recaptcha.net/recaptcha/enterprise.js',
+      'free_verify_url' => 'https://www.recaptcha.net/recaptcha/api/siteverify',
+      'enterprise_verify_url' => 'https://recaptchaenterprise.googleapis.com/v1/projects'
+    }.freeze
+
+    attr_accessor :default_env, :skip_verify_env, :proxy, :secret_key, :site_key, :handle_timeouts_gracefully,
+                  :hostname, :enterprise, :enterprise_api_key, :enterprise_project_id, :response_limit
     attr_writer :api_server_url, :verify_url
 
-    def initialize #:nodoc:
+    def initialize # :nodoc:
+      @default_env = ENV['RAILS_ENV'] || ENV['RACK_ENV'] || (Rails.env if defined? Rails.env)
       @skip_verify_env = %w[test cucumber]
-      @handle_timeouts_gracefully = HANDLE_TIMEOUTS_GRACEFULLY
+      @handle_timeouts_gracefully = true
 
       @secret_key = ENV['RECAPTCHA_SECRET_KEY']
       @site_key = ENV['RECAPTCHA_SITE_KEY']
+
+      @enterprise = ENV['RECAPTCHA_ENTERPRISE'] == 'true'
+      @enterprise_api_key = ENV['RECAPTCHA_ENTERPRISE_API_KEY']
+      @enterprise_project_id = ENV['RECAPTCHA_ENTERPRISE_PROJECT_ID']
+
       @verify_url = nil
       @api_server_url = nil
+
+      @response_limit = 4000
     end
 
     def secret_key!
@@ -51,12 +67,20 @@ module Recaptcha
       site_key || raise(RecaptchaError, "No site key specified.")
     end
 
+    def enterprise_api_key!
+      enterprise_api_key || raise(RecaptchaError, "No Enterprise API key specified.")
+    end
+
+    def enterprise_project_id!
+      enterprise_project_id || raise(RecaptchaError, "No Enterprise project ID specified.")
+    end
+
     def api_server_url
-      @api_server_url || CONFIG.fetch('server_url')
+      @api_server_url || (enterprise ? DEFAULTS.fetch('enterprise_server_url') : DEFAULTS.fetch('free_server_url'))
     end
 
     def verify_url
-      @verify_url || CONFIG.fetch('verify_url')
+      @verify_url || (enterprise ? DEFAULTS.fetch('enterprise_verify_url') : DEFAULTS.fetch('free_verify_url'))
     end
   end
 end

data/lib/recaptcha/helpers.rb

@@ -0,0 +1,332 @@
+# frozen_string_literal: true
+
+module Recaptcha
+  module Helpers
+    DEFAULT_ERRORS = {
+      recaptcha_unreachable: 'Oops, we failed to validate your reCAPTCHA response. Please try again.',
+      verification_failed: 'reCAPTCHA verification failed, please try again.'
+    }.freeze
+
+    def self.recaptcha_v3(options = {})
+      site_key = options[:site_key] ||= Recaptcha.configuration.site_key!
+      action = options.delete(:action) || raise(Recaptcha::RecaptchaError, 'action is required')
+      id = options.delete(:id) || "g-recaptcha-response-data-#{dasherize_action(action)}"
+      name = options.delete(:name) || "g-recaptcha-response-data[#{action}]"
+      turbolinks = options.delete(:turbolinks)
+      options[:render] = site_key
+      options[:script_async] ||= false
+      options[:script_defer] ||= false
+      element = options.delete(:element)
+      element = element == false ? false : :input
+      if element == :input
+        callback = options.delete(:callback) || recaptcha_v3_default_callback_name(action)
+      end
+      options[:class] = "g-recaptcha-response #{options[:class]}"
+
+      if turbolinks
+        options[:onload] = recaptcha_v3_execute_function_name(action)
+      end
+      html, tag_attributes = components(options)
+      if turbolinks
+        html << recaptcha_v3_onload_script(site_key, action, callback, id, options)
+      elsif recaptcha_v3_inline_script?(options)
+        html << recaptcha_v3_inline_script(site_key, action, callback, id, options)
+      end
+      case element
+      when :input
+        html << %(<input type="hidden" name="#{name}" id="#{id}" #{tag_attributes}/>\n)
+      when false
+        # No tag
+        nil
+      else
+        raise(RecaptchaError, "ReCAPTCHA element `#{options[:element]}` is not valid.")
+      end
+      html.respond_to?(:html_safe) ? html.html_safe : html
+    end
+
+    def self.recaptcha_tags(options)
+      if options.key?(:stoken)
+        raise(RecaptchaError, "Secure Token is deprecated. Please remove 'stoken' from your calls to recaptcha_tags.")
+      end
+      if options.key?(:ssl)
+        raise(RecaptchaError, "SSL is now always true. Please remove 'ssl' from your calls to recaptcha_tags.")
+      end
+
+      noscript = options.delete(:noscript)
+
+      html, tag_attributes, fallback_uri = components(options.dup)
+      html << %(<div #{tag_attributes}></div>\n)
+
+      if noscript != false
+        html << <<-HTML
+          <noscript>
+            <div>
+              <div style="width: 302px; height: 422px; position: relative;">
+                <div style="width: 302px; height: 422px; position: absolute;">
+                  <iframe
+                    src="#{fallback_uri}"
+                    name="ReCAPTCHA"
+                    style="width: 302px; height: 422px; border-style: none; border: 0; overflow: hidden;">
+                  </iframe>
+                </div>
+              </div>
+              <div style="width: 300px; height: 60px; border-style: none;
+                bottom: 12px; left: 25px; margin: 0px; padding: 0px; right: 25px;
+                background: #f9f9f9; border: 1px solid #c1c1c1; border-radius: 3px;">
+                <textarea id="g-recaptcha-response" name="g-recaptcha-response"
+                  class="g-recaptcha-response"
+                  style="width: 250px; height: 40px; border: 1px solid #c1c1c1;
+                  margin: 10px 25px; padding: 0px; resize: none;">
+                </textarea>
+              </div>
+            </div>
+          </noscript>
+        HTML
+      end
+
+      html.respond_to?(:html_safe) ? html.html_safe : html
+    end
+
+    def self.invisible_recaptcha_tags(custom)
+      options = {callback: 'invisibleRecaptchaSubmit', ui: :button}.merge(custom)
+      text = options.delete(:text)
+      html, tag_attributes = components(options.dup)
+      html << default_callback(options) if default_callback_required?(options)
+
+      case options[:ui]
+      when :button
+        html << %(<button type="submit" #{tag_attributes}>#{text}</button>\n)
+      when :invisible
+        html << %(<div data-size="invisible" #{tag_attributes}></div>\n)
+      when :input
+        html << %(<input type="submit" #{tag_attributes} value="#{text}"/>\n)
+      else
+        raise(RecaptchaError, "ReCAPTCHA ui `#{options[:ui]}` is not valid.")
+      end
+      html.respond_to?(:html_safe) ? html.html_safe : html
+    end
+
+    def self.to_error_message(key)
+      default = DEFAULT_ERRORS.fetch(key) { raise ArgumentError "Unknown reCAPTCHA error - #{key}" }
+      to_message("recaptcha.errors.#{key}", default)
+    end
+
+    if defined?(I18n)
+      def self.to_message(key, default)
+        I18n.translate(key, default: default)
+      end
+    else
+      def self.to_message(_key, default)
+        default
+      end
+    end
+
+    private_class_method def self.components(options)
+      html = +''
+      attributes = {}
+      fallback_uri = +''
+
+      options = options.dup
+      env = options.delete(:env)
+      class_attribute = options.delete(:class)
+      site_key = options.delete(:site_key)
+      hl = options.delete(:hl)
+      onload = options.delete(:onload)
+      render = options.delete(:render)
+      script_async = options.delete(:script_async)
+      script_defer = options.delete(:script_defer)
+      nonce = options.delete(:nonce)
+      skip_script = (options.delete(:script) == false) || (options.delete(:external_script) == false)
+      ui = options.delete(:ui)
+
+      data_attribute_keys = [:badge, :theme, :type, :callback, :expired_callback, :error_callback, :size]
+      data_attribute_keys << :tabindex unless ui == :button
+      data_attributes = {}
+      data_attribute_keys.each do |data_attribute|
+        value = options.delete(data_attribute)
+        data_attributes["data-#{data_attribute.to_s.tr('_', '-')}"] = value if value
+      end
+
+      unless Recaptcha.skip_env?(env)
+        site_key ||= Recaptcha.configuration.site_key!
+        script_url = Recaptcha.configuration.api_server_url
+        query_params = hash_to_query(
+          hl: hl,
+          onload: onload,
+          render: render
+        )
+        script_url += "?#{query_params}" unless query_params.empty?
+        async_attr = "async" if script_async != false
+        defer_attr = "defer" if script_defer != false
+        nonce_attr = " nonce='#{nonce}'" if nonce
+        html << %(<script src="#{script_url}" #{async_attr} #{defer_attr} #{nonce_attr}></script>\n) unless skip_script
+        fallback_uri = %(#{script_url.chomp(".js")}/fallback?k=#{site_key})
+        attributes["data-sitekey"] = site_key
+        attributes.merge! data_attributes
+      end
+
+      # The remaining options will be added as attributes on the tag.
+      attributes["class"] = "g-recaptcha #{class_attribute}"
+      tag_attributes = attributes.merge(options).map { |k, v| %(#{k}="#{v}") }.join(" ")
+
+      [html, tag_attributes, fallback_uri]
+    end
+
+    # v3
+
+    # Renders a script that calls `grecaptcha.execute` or
+    # `grecaptcha.enterprise.execute` for the given `site_key` and `action` and
+    # calls the `callback` with the resulting response token.
+    private_class_method def self.recaptcha_v3_inline_script(site_key, action, callback, id, options = {})
+      nonce = options[:nonce]
+      nonce_attr = " nonce='#{nonce}'" if nonce
+
+      <<-HTML
+        <script#{nonce_attr}>
+          // Define function so that we can call it again later if we need to reset it
+          // This executes reCAPTCHA and then calls our callback.
+          function #{recaptcha_v3_execute_function_name(action)}() {
+            #{recaptcha_ready_method_name}(function() {
+              #{recaptcha_execute_method_name}('#{site_key}', {action: '#{action}'}).then(function(token) {
+                #{callback}('#{id}', token)
+              });
+            });
+          };
+          // Invoke immediately
+          #{recaptcha_v3_execute_function_name(action)}()
+
+          // Async variant so you can await this function from another async function (no need for
+          // an explicit callback function then!)
+          // Returns a Promise that resolves with the response token.
+          async function #{recaptcha_v3_async_execute_function_name(action)}() {
+            return new Promise((resolve, reject) => {
+             #{recaptcha_ready_method_name}(async function() {
+                resolve(await #{recaptcha_execute_method_name}('#{site_key}', {action: '#{action}'}))
+              });
+            })
+          };
+
+          #{recaptcha_v3_define_default_callback(callback) if recaptcha_v3_define_default_callback?(callback, action, options)}
+        </script>
+      HTML
+    end
+
+    private_class_method def self.recaptcha_v3_onload_script(site_key, action, callback, id, options = {})
+      nonce = options[:nonce]
+      nonce_attr = " nonce='#{nonce}'" if nonce
+
+      <<-HTML
+        <script#{nonce_attr}>
+          function #{recaptcha_v3_execute_function_name(action)}() {
+            #{recaptcha_ready_method_name}(function() {
+              #{recaptcha_execute_method_name}('#{site_key}', {action: '#{action}'}).then(function(token) {
+                #{callback}('#{id}', token)
+              });
+            });
+          };
+          #{recaptcha_v3_define_default_callback(callback) if recaptcha_v3_define_default_callback?(callback, action, options)}
+        </script>
+      HTML
+    end
+
+    private_class_method def self.recaptcha_v3_inline_script?(options)
+      !Recaptcha.skip_env?(options[:env]) &&
+      options[:script] != false &&
+      options[:inline_script] != false
+    end
+
+    private_class_method def self.recaptcha_v3_define_default_callback(callback)
+      <<-HTML
+          var #{callback} = function(id, token) {
+            var element = document.getElementById(id);
+            element.value = token;
+          }
+      HTML
+    end
+
+    # Returns true if we should be adding the default callback.
+    # That is, if the given callback name is the default callback name (for the given action) and we
+    # are not skipping inline scripts for any reason.
+    private_class_method def self.recaptcha_v3_define_default_callback?(callback, action, options)
+      callback == recaptcha_v3_default_callback_name(action) &&
+      recaptcha_v3_inline_script?(options)
+    end
+
+    # Returns the name of the JavaScript function that actually executes the
+    # reCAPTCHA code (calls `grecaptcha.execute` or
+    # `grecaptcha.enterprise.execute`). You can call it again later to reset it.
+    def self.recaptcha_v3_execute_function_name(action)
+      "executeRecaptchaFor#{sanitize_action_for_js(action)}"
+    end
+
+    # Returns the name of an async JavaScript function that executes the reCAPTCHA code.
+    def self.recaptcha_v3_async_execute_function_name(action)
+      "#{recaptcha_v3_execute_function_name(action)}Async"
+    end
+
+    def self.recaptcha_v3_default_callback_name(action)
+      "setInputWithRecaptchaResponseTokenFor#{sanitize_action_for_js(action)}"
+    end
+
+    # v2
+
+    private_class_method def self.default_callback(options = {})
+      nonce = options[:nonce]
+      nonce_attr = " nonce='#{nonce}'" if nonce
+      selector_attr = options[:id] ? "##{options[:id]}" : ".g-recaptcha"
+
+      <<-HTML
+        <script#{nonce_attr}>
+          var invisibleRecaptchaSubmit = function () {
+            var closestForm = function (ele) {
+              var curEle = ele.parentNode;
+              while (curEle.nodeName !== 'FORM' && curEle.nodeName !== 'BODY'){
+                curEle = curEle.parentNode;
+              }
+              return curEle.nodeName === 'FORM' ? curEle : null
+            };
+
+            var el = document.querySelector("#{selector_attr}")
+            if (!!el) {
+              var form = closestForm(el);
+              if (form) {
+                form.submit();
+              }
+            }
+          };
+        </script>
+      HTML
+    end
+
+    def self.recaptcha_execute_method_name
+      Recaptcha.configuration.enterprise ? "grecaptcha.enterprise.execute" : "grecaptcha.execute"
+    end
+
+    def self.recaptcha_ready_method_name
+      Recaptcha.configuration.enterprise ? "grecaptcha.enterprise.ready" : "grecaptcha.ready"
+    end
+
+    private_class_method def self.default_callback_required?(options)
+      options[:callback] == 'invisibleRecaptchaSubmit' &&
+      !Recaptcha.skip_env?(options[:env]) &&
+      options[:script] != false &&
+      options[:inline_script] != false
+    end
+
+    # Returns a camelized string that is safe for use in a JavaScript variable/function name.
+    # sanitize_action_for_js('my/action') => 'MyAction'
+    private_class_method def self.sanitize_action_for_js(action)
+      action.to_s.gsub(/\W/, '_').split(/\/|_/).map(&:capitalize).join
+    end
+
+    # Returns a dasherized string that is safe for use as an HTML ID
+    # dasherize_action('my/action') => 'my-action'
+    private_class_method def self.dasherize_action(action)
+      action.to_s.gsub(/\W/, '-').tr('_', '-')
+    end
+
+    private_class_method def self.hash_to_query(hash)
+      hash.delete_if { |_, val| val.nil? || val.empty? }.to_a.map { |pair| pair.join('=') }.join('&')
+    end
+  end
+end

data/lib/recaptcha/rails.rb

@@ -1,3 +1,4 @@
 # frozen_string_literal: true
+
 # deprecated, but let's not blow everyone up
 require 'recaptcha'

data/lib/recaptcha/railtie.rb

@@ -3,13 +3,33 @@
 module Recaptcha
   class Railtie < Rails::Railtie
     ActiveSupport.on_load(:action_view) do
-      require 'recaptcha/client_helper'
-      include Recaptcha::ClientHelper
+      include Recaptcha::Adapters::ViewMethods
     end
 
     ActiveSupport.on_load(:action_controller) do
-      require 'recaptcha/verify'
-      include Recaptcha::Verify
+      include Recaptcha::Adapters::ControllerMethods
+    end
+
+    initializer 'recaptcha' do |app|
+      Recaptcha::Railtie.instance_eval do
+        pattern = pattern_from app.config.i18n.available_locales
+
+        add("rails/locales/#{pattern}.yml")
+      end
+    end
+
+    class << self
+      protected
+
+      def add(pattern)
+        files = Dir[File.join(File.dirname(__FILE__), '../..', pattern)]
+        I18n.load_path.concat(files)
+      end
+
+      def pattern_from(args)
+        array = Array(args || [])
+        array.blank? ? '*' : "{#{array.join ','}}"
+      end
     end
   end
 end

data/lib/recaptcha/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Recaptcha
-  VERSION = '4.11.0'
+  VERSION = '5.12.0'
 end