recaptcha 4.14.0 → 5.2.1

data/lib/recaptcha.rb

@@ -1,25 +1,26 @@
 # frozen_string_literal: true
 
-require 'recaptcha/configuration'
-require 'uri'
+require 'json'
 require 'net/http'
+require 'uri'
 
+require 'recaptcha/configuration'
+require 'recaptcha/helpers'
+require 'recaptcha/adapters/controller_methods'
+require 'recaptcha/adapters/view_methods'
 if defined?(Rails)
   require 'recaptcha/railtie'
-else
-  require 'recaptcha/client_helper'
-  require 'recaptcha/verify'
 end
 
 module Recaptcha
-  CONFIG = {
-    'server_url' => 'https://www.google.com/recaptcha/api.js',
-    'verify_url' => 'https://www.google.com/recaptcha/api/siteverify'
-  }.freeze
-
-  USE_SSL_BY_DEFAULT              = false
-  HANDLE_TIMEOUTS_GRACEFULLY      = true
   DEFAULT_TIMEOUT = 3
+  RESPONSE_LIMIT = 4000
+
+  class RecaptchaError < StandardError
+  end
+
+  class VerifyError < RecaptchaError
+  end
 
   # Gives access to the current Configuration.
   def self.configuration
@@ -50,33 +51,68 @@ module Recaptcha
     original_config.each { |key, value| configuration.send("#{key}=", value) }
   end
 
-  def self.get(verify_hash, options)
-    http = if Recaptcha.configuration.proxy
-      proxy_server = URI.parse(Recaptcha.configuration.proxy)
-      Net::HTTP::Proxy(proxy_server.host, proxy_server.port, proxy_server.user, proxy_server.password)
-    else
-      Net::HTTP
+  def self.skip_env?(env)
+    configuration.skip_verify_env.include?(env || configuration.default_env)
+  end
+
+  def self.invalid_response?(resp)
+    resp.empty? || resp.length > RESPONSE_LIMIT
+  end
+
+  def self.verify_via_api_call(response, options)
+    secret_key = options.fetch(:secret_key) { configuration.secret_key! }
+    verify_hash = { 'secret' => secret_key, 'response' => response }
+    verify_hash['remoteip'] = options[:remote_ip] if options.key?(:remote_ip)
+
+    reply = api_verification(verify_hash, timeout: options[:timeout])
+    reply['success'].to_s == 'true' &&
+      hostname_valid?(reply['hostname'], options[:hostname]) &&
+      action_valid?(reply['action'], options[:action]) &&
+      score_above_threshold?(reply['score'], options[:minimum_score])
+  end
+
+  def self.hostname_valid?(hostname, validation)
+    validation ||= configuration.hostname
+
+    case validation
+    when nil, FalseClass then true
+    when String then validation == hostname
+    else validation.call(hostname)
     end
-    query = URI.encode_www_form(verify_hash)
-    uri = URI.parse(Recaptcha.configuration.verify_url + '?' + query)
-    http_instance = http.new(uri.host, uri.port)
-    http_instance.read_timeout = http_instance.open_timeout = options[:timeout] || DEFAULT_TIMEOUT
-    http_instance.use_ssl = true if uri.port == 443
-    request = Net::HTTP::Get.new(uri.request_uri)
-    http_instance.request(request).body
   end
 
-  def self.i18n(key, default)
-    if defined?(I18n)
-      I18n.translate(key, default: default)
-    else
-      default
+  def self.action_valid?(action, expected_action)
+    case expected_action
+    when nil, FalseClass then true
+    else action == expected_action
     end
   end
 
-  class RecaptchaError < StandardError
+  # Returns true iff score is greater or equal to (>=) minimum_score, or if no minimum_score was specified
+  def self.score_above_threshold?(score, minimum_score)
+    return true if minimum_score.nil?
+    return false if score.nil?
+
+    case minimum_score
+    when nil, FalseClass then true
+    else score >= minimum_score
+    end
   end
 
-  class VerifyError < RecaptchaError
+  def self.api_verification(verify_hash, timeout: nil)
+    timeout ||= DEFAULT_TIMEOUT
+    http = if configuration.proxy
+      proxy_server = URI.parse(configuration.proxy)
+      Net::HTTP::Proxy(proxy_server.host, proxy_server.port, proxy_server.user, proxy_server.password)
+    else
+      Net::HTTP
+    end
+    query = URI.encode_www_form(verify_hash)
+    uri = URI.parse(configuration.verify_url + '?' + query)
+    http_instance = http.new(uri.host, uri.port)
+    http_instance.read_timeout = http_instance.open_timeout = timeout
+    http_instance.use_ssl = true if uri.port == 443
+    request = Net::HTTP::Get.new(uri.request_uri)
+    JSON.parse(http_instance.request(request).body)
   end
 end

data/lib/recaptcha/adapters/controller_methods.rb

@@ -0,0 +1,87 @@
+# frozen_string_literal: true
+
+module Recaptcha
+  module Adapters
+    module ControllerMethods
+      private
+
+      # Your private API can be specified in the +options+ hash or preferably
+      # using the Configuration.
+      def verify_recaptcha(options = {})
+        options = {model: options} unless options.is_a? Hash
+        return true if Recaptcha.skip_env?(options[:env])
+
+        model = options[:model]
+        attribute = options.fetch(:attribute, :base)
+        recaptcha_response = options[:response] || recaptcha_response_token(options[:action])
+
+        begin
+          verified = if Recaptcha.invalid_response?(recaptcha_response)
+            false
+          else
+            unless options[:skip_remote_ip]
+              remoteip = (request.respond_to?(:remote_ip) && request.remote_ip) || (env && env['REMOTE_ADDR'])
+              options = options.merge(remote_ip: remoteip.to_s) if remoteip
+            end
+
+            Recaptcha.verify_via_api_call(recaptcha_response, options)
+          end
+
+          if verified
+            flash.delete(:recaptcha_error) if recaptcha_flash_supported? && !model
+            true
+          else
+            recaptcha_error(
+              model,
+              attribute,
+              options.fetch(:message) { Recaptcha::Helpers.to_error_message(:verification_failed) }
+            )
+            false
+          end
+        rescue Timeout::Error
+          if Recaptcha.configuration.handle_timeouts_gracefully
+            recaptcha_error(
+              model,
+              attribute,
+              options.fetch(:message) { Recaptcha::Helpers.to_error_message(:recaptcha_unreachable) }
+            )
+            false
+          else
+            raise RecaptchaError, 'Recaptcha unreachable.'
+          end
+        rescue StandardError => e
+          raise RecaptchaError, e.message, e.backtrace
+        end
+      end
+
+      def verify_recaptcha!(options = {})
+        verify_recaptcha(options) || raise(VerifyError)
+      end
+
+      def recaptcha_error(model, attribute, message)
+        if model
+          model.errors.add(attribute, message)
+        elsif recaptcha_flash_supported?
+          flash[:recaptcha_error] = message
+        end
+      end
+
+      def recaptcha_flash_supported?
+        request.respond_to?(:format) && request.format == :html && respond_to?(:flash)
+      end
+
+      # Extracts response token from params. params['g-recaptcha-response'] should either be a
+      # string or a hash with the action name(s) as keys. If it is a hash, then `action` is used as
+      # the key.
+      # @return [String] A response token if one was passed in the params; otherwise, `''`
+      def recaptcha_response_token(action = nil)
+        response_param = params['g-recaptcha-response']
+        if response_param&.respond_to?(:to_h) # Includes ActionController::Parameters
+          response_param[action].to_s
+        else
+          response_param.to_s
+        end
+      end
+    end
+  end
+end

data/lib/recaptcha/adapters/view_methods.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Recaptcha
+  module Adapters
+    module ViewMethods
+      # Renders a [reCAPTCHA v3](https://developers.google.com/recaptcha/docs/v3) script and (by
+      # default) a hidden input to submit the response token. You can also call the functions
+      # directly if you prefer. You can use
+      # `Recaptcha::Helpers.recaptcha_v3_execute_function_name(action)` to get the name of the
+      # function to call.
+      def recaptcha_v3(options = {})
+        ::Recaptcha::Helpers.recaptcha_v3(options)
+      end
+
+      # Renders a reCAPTCHA [v2 Checkbox](https://developers.google.com/recaptcha/docs/display) widget
+      def recaptcha_tags(options = {})
+        ::Recaptcha::Helpers.recaptcha_tags(options)
+      end
+
+      # Renders a reCAPTCHA v2 [Invisible reCAPTCHA](https://developers.google.com/recaptcha/docs/invisible)
+      def invisible_recaptcha_tags(options = {})
+        ::Recaptcha::Helpers.invisible_recaptcha_tags(options)
+      end
+    end
+  end
+end

data/lib/recaptcha/configuration.rb

@@ -30,12 +30,18 @@ module Recaptcha
   #   end
   #
   class Configuration
-    attr_accessor :skip_verify_env, :secret_key, :site_key, :proxy, :handle_timeouts_gracefully, :hostname
+    DEFAULTS = {
+      'server_url' => 'https://www.recaptcha.net/recaptcha/api.js',
+      'verify_url' => 'https://www.recaptcha.net/recaptcha/api/siteverify'
+    }.freeze
+
+    attr_accessor :default_env, :skip_verify_env, :secret_key, :site_key, :proxy, :handle_timeouts_gracefully, :hostname
     attr_writer :api_server_url, :verify_url
 
     def initialize #:nodoc:
+      @default_env = ENV['RAILS_ENV'] || ENV['RACK_ENV'] || (Rails.env if defined? Rails.env)
       @skip_verify_env = %w[test cucumber]
-      @handle_timeouts_gracefully = HANDLE_TIMEOUTS_GRACEFULLY
+      @handle_timeouts_gracefully = true
 
       @secret_key = ENV['RECAPTCHA_SECRET_KEY']
       @site_key = ENV['RECAPTCHA_SITE_KEY']
@@ -52,11 +58,11 @@ module Recaptcha
     end
 
     def api_server_url
-      @api_server_url || CONFIG.fetch('server_url')
+      @api_server_url || DEFAULTS.fetch('server_url')
     end
 
     def verify_url
-      @verify_url || CONFIG.fetch('verify_url')
+      @verify_url || DEFAULTS.fetch('verify_url')
     end
   end
 end

data/lib/recaptcha/helpers.rb

@@ -0,0 +1,298 @@
+# frozen_string_literal: true
+
+module Recaptcha
+  module Helpers
+    DEFAULT_ERRORS = {
+      recaptcha_unreachable: 'Oops, we failed to validate your reCAPTCHA response. Please try again.',
+      verification_failed: 'reCAPTCHA verification failed, please try again.'
+    }.freeze
+
+    def self.recaptcha_v3(options = {})
+      site_key = options[:site_key] ||= Recaptcha.configuration.site_key!
+      action = options.delete(:action) || raise(Recaptcha::RecaptchaError, 'action is required')
+      id   = options.delete(:id)   || "g-recaptcha-response-" + dasherize_action(action)
+      name = options.delete(:name) || "g-recaptcha-response[#{action}]"
+      options[:render] = site_key
+      options[:script_async] ||= false
+      options[:script_defer] ||= false
+      element = options.delete(:element)
+      element = element == false ? false : :input
+      if element == :input
+        callback = options.delete(:callback) || recaptcha_v3_default_callback_name(action)
+      end
+      options[:class] = "g-recaptcha-response #{options[:class]}"
+
+      html, tag_attributes = components(options)
+      if recaptcha_v3_inline_script?(options)
+        html << recaptcha_v3_inline_script(site_key, action, callback, id, options)
+      end
+      case element
+      when :input
+        html << %(<input type="hidden" name="#{name}" id="#{id}" #{tag_attributes}/>\n)
+      when false
+        # No tag
+        nil
+      else
+        raise(RecaptchaError, "ReCAPTCHA element `#{options[:element]}` is not valid.")
+      end
+      html.respond_to?(:html_safe) ? html.html_safe : html
+    end
+
+    def self.recaptcha_tags(options)
+      if options.key?(:stoken)
+        raise(RecaptchaError, "Secure Token is deprecated. Please remove 'stoken' from your calls to recaptcha_tags.")
+      end
+      if options.key?(:ssl)
+        raise(RecaptchaError, "SSL is now always true. Please remove 'ssl' from your calls to recaptcha_tags.")
+      end
+
+      noscript = options.delete(:noscript)
+
+      html, tag_attributes, fallback_uri = components(options.dup)
+      html << %(<div #{tag_attributes}></div>\n)
+
+      if noscript != false
+        html << <<-HTML
+          <noscript>
+            <div>
+              <div style="width: 302px; height: 422px; position: relative;">
+                <div style="width: 302px; height: 422px; position: absolute;">
+                  <iframe
+                    src="#{fallback_uri}"
+                    name="ReCAPTCHA"
+                    style="width: 302px; height: 422px; border-style: none; border: 0; overflow: hidden;">
+                  </iframe>
+                </div>
+              </div>
+              <div style="width: 300px; height: 60px; border-style: none;
+                bottom: 12px; left: 25px; margin: 0px; padding: 0px; right: 25px;
+                background: #f9f9f9; border: 1px solid #c1c1c1; border-radius: 3px;">
+                <textarea id="g-recaptcha-response" name="g-recaptcha-response"
+                  class="g-recaptcha-response"
+                  style="width: 250px; height: 40px; border: 1px solid #c1c1c1;
+                  margin: 10px 25px; padding: 0px; resize: none;">
+                </textarea>
+              </div>
+            </div>
+          </noscript>
+        HTML
+      end
+
+      html.respond_to?(:html_safe) ? html.html_safe : html
+    end
+
+    def self.invisible_recaptcha_tags(custom)
+      options = {callback: 'invisibleRecaptchaSubmit', ui: :button}.merge(custom)
+      text = options.delete(:text)
+      html, tag_attributes = components(options.dup)
+      html << default_callback(options) if default_callback_required?(options)
+
+      case options[:ui]
+      when :button
+        html << %(<button type="submit" #{tag_attributes}>#{text}</button>\n)
+      when :invisible
+        html << %(<div data-size="invisible" #{tag_attributes}></div>\n)
+      when :input
+        html << %(<input type="submit" #{tag_attributes} value="#{text}"/>\n)
+      else
+        raise(RecaptchaError, "ReCAPTCHA ui `#{options[:ui]}` is not valid.")
+      end
+      html.respond_to?(:html_safe) ? html.html_safe : html
+    end
+
+    def self.to_error_message(key)
+      default = DEFAULT_ERRORS.fetch(key) { raise ArgumentError "Unknown reCAPTCHA error - #{key}" }
+      to_message("recaptcha.errors.#{key}", default)
+    end
+
+    if defined?(I18n)
+      def self.to_message(key, default)
+        I18n.translate(key, default: default)
+      end
+    else
+      def self.to_message(_key, default)
+        default
+      end
+    end
+
+    private_class_method def self.components(options)
+      html = +''
+      attributes = {}
+      fallback_uri = +''
+
+      options = options.dup
+      env = options.delete(:env)
+      class_attribute = options.delete(:class)
+      site_key = options.delete(:site_key)
+      hl = options.delete(:hl)
+      onload = options.delete(:onload)
+      render = options.delete(:render)
+      script_async = options.delete(:script_async)
+      script_defer = options.delete(:script_defer)
+      nonce = options.delete(:nonce)
+      skip_script = (options.delete(:script) == false) || (options.delete(:external_script) == false)
+      ui = options.delete(:ui)
+
+      data_attribute_keys = [:badge, :theme, :type, :callback, :expired_callback, :error_callback, :size]
+      data_attribute_keys << :tabindex unless ui == :button
+      data_attributes = {}
+      data_attribute_keys.each do |data_attribute|
+        value = options.delete(data_attribute)
+        data_attributes["data-#{data_attribute.to_s.tr('_', '-')}"] = value if value
+      end
+
+      unless Recaptcha.skip_env?(env)
+        site_key ||= Recaptcha.configuration.site_key!
+        script_url = Recaptcha.configuration.api_server_url
+        query_params = hash_to_query(
+          hl: hl,
+          onload: onload,
+          render: render
+        )
+        script_url += "?#{query_params}" unless query_params.empty?
+        async_attr = "async" if script_async != false
+        defer_attr = "defer" if script_defer != false
+        nonce_attr = " nonce='#{nonce}'" if nonce
+        html << %(<script src="#{script_url}" #{async_attr} #{defer_attr} #{nonce_attr}></script>\n) unless skip_script
+        fallback_uri = %(#{script_url.chomp(".js")}/fallback?k=#{site_key})
+        attributes["data-sitekey"] = site_key
+        attributes.merge! data_attributes
+      end
+
+      # The remaining options will be added as attributes on the tag.
+      attributes["class"] = "g-recaptcha #{class_attribute}"
+      tag_attributes = attributes.merge(options).map { |k, v| %(#{k}="#{v}") }.join(" ")
+
+      [html, tag_attributes, fallback_uri]
+    end
+
+    # v3
+
+    # Renders a script that calls `grecaptcha.execute` for the given `site_key` and `action` and
+    # calls the `callback` with the resulting response token.
+    private_class_method def self.recaptcha_v3_inline_script(site_key, action, callback, id, options = {})
+      nonce = options[:nonce]
+      nonce_attr = " nonce='#{nonce}'" if nonce
+
+      <<-HTML
+        <script#{nonce_attr}>
+          // Define function so that we can call it again later if we need to reset it
+          // This executes reCAPTCHA and then calls our callback.
+          function #{recaptcha_v3_execute_function_name(action)}() {
+            grecaptcha.ready(function() {
+              grecaptcha.execute('#{site_key}', {action: '#{action}'}).then(function(token) {
+                //console.log('#{id}', token)
+                #{callback}('#{id}', token)
+              });
+            });
+          };
+          // Invoke immediately
+          #{recaptcha_v3_execute_function_name(action)}()
+
+          // Async variant so you can await this function from another async function (no need for
+          // an explicit callback function then!)
+          // Returns a Promise that resolves with the response token.
+          async function #{recaptcha_v3_async_execute_function_name(action)}() {
+            return new Promise((resolve, reject) => {
+              grecaptcha.ready(async function() {
+                resolve(await grecaptcha.execute('#{site_key}', {action: '#{action}'}))
+              });
+            })
+          };
+
+          #{recaptcha_v3_define_default_callback(callback) if recaptcha_v3_define_default_callback?(callback, action, options)}
+        </script>
+      HTML
+    end
+
+    private_class_method def self.recaptcha_v3_inline_script?(options)
+      !Recaptcha.skip_env?(options[:env]) &&
+      options[:script] != false &&
+      options[:inline_script] != false
+    end
+
+    private_class_method def self.recaptcha_v3_define_default_callback(callback)
+      <<-HTML
+          var #{callback} = function(id, token) {
+            var element = document.getElementById(id);
+            element.value = token;
+          }
+      HTML
+    end
+
+    # Returns true if we should be adding the default callback.
+    # That is, if the given callback name is the default callback name (for the given action) and we
+    # are not skipping inline scripts for any reason.
+    private_class_method def self.recaptcha_v3_define_default_callback?(callback, action, options)
+      callback == recaptcha_v3_default_callback_name(action) &&
+      recaptcha_v3_inline_script?(options)
+    end
+
+    # Returns the name of the JavaScript function that actually executes the reCAPTCHA code (calls
+    # grecaptcha.execute). You can call it again later to reset it.
+    def self.recaptcha_v3_execute_function_name(action)
+      "executeRecaptchaFor#{sanitize_action_for_js(action)}"
+    end
+
+    # Returns the name of an async JavaScript function that executes the reCAPTCHA code.
+    def self.recaptcha_v3_async_execute_function_name(action)
+      "#{recaptcha_v3_execute_function_name(action)}Async"
+    end
+
+    def self.recaptcha_v3_default_callback_name(action)
+      "setInputWithRecaptchaResponseTokenFor#{sanitize_action_for_js(action)}"
+    end
+
+    # v2
+
+    private_class_method def self.default_callback(options = {})
+      nonce = options[:nonce]
+      nonce_attr = " nonce='#{nonce}'" if nonce
+
+      <<-HTML
+        <script#{nonce_attr}>
+          var invisibleRecaptchaSubmit = function () {
+            var closestForm = function (ele) {
+              var curEle = ele.parentNode;
+              while (curEle.nodeName !== 'FORM' && curEle.nodeName !== 'BODY'){
+                curEle = curEle.parentNode;
+              }
+              return curEle.nodeName === 'FORM' ? curEle : null
+            };
+
+            var eles = document.getElementsByClassName('g-recaptcha');
+            if (eles.length > 0) {
+              var form = closestForm(eles[0]);
+              if (form) {
+                form.submit();
+              }
+            }
+          };
+        </script>
+      HTML
+    end
+
+    private_class_method def self.default_callback_required?(options)
+      options[:callback] == 'invisibleRecaptchaSubmit' &&
+      !Recaptcha.skip_env?(options[:env]) &&
+      options[:script] != false &&
+      options[:inline_script] != false
+    end
+
+    # Returns a camelized string that is safe for use in a JavaScript variable/function name.
+    # sanitize_action_for_js('my/action') => 'MyAction'
+    private_class_method def self.sanitize_action_for_js(action)
+      action.to_s.gsub(/\W/, '_').split(/\/|_/).map(&:capitalize).join
+    end
+
+    # Returns a dasherized string that is safe for use as an HTML ID
+    # dasherize_action('my/action') => 'my-action'
+    private_class_method def self.dasherize_action(action)
+      action.to_s.gsub(/\W/, '-').tr('_', '-')
+    end
+
+    private_class_method def self.hash_to_query(hash)
+      hash.delete_if { |_, val| val.nil? || val.empty? }.to_a.map { |pair| pair.join('=') }.join('&')
+    end
+  end
+end