From 89ac7f2ce42387d956e85ad5c58d3f8a19598b15 Mon Sep 17 00:00:00 2001
From: Scott Gould <greysilly7@gmail.com>
Date: Tue, 23 Aug 2022 13:18:36 -0400
Subject: Check Captcha

---
 src/api/routes/auth/login.ts    | 22 +++++++++++++++++++---
 src/api/routes/auth/register.ts | 20 ++++++++++++++++++--
 2 files changed, 37 insertions(+), 5 deletions(-)

(limited to 'src/api/routes/auth')

diff --git a/src/api/routes/auth/login.ts b/src/api/routes/auth/login.ts
index 5923708c..f5415a56 100644
--- a/src/api/routes/auth/login.ts
+++ b/src/api/routes/auth/login.ts
@@ -1,7 +1,8 @@
-import { route } from "@fosscord/api";
+import { route, getIpAdress } from "@fosscord/api";
 import { adjustEmail, Config, FieldErrors, generateToken, LoginSchema, User } from "@fosscord/util";
 import crypto from "crypto";
 import { Request, Response, Router } from "express";
+import fetch from "node-fetch";
 
 let bcrypt: any;
 try {
@@ -17,12 +18,13 @@ export default router;
 router.post("/", route({ body: "LoginSchema" }), async (req: Request, res: Response) => {
 	const { login, password, captcha_key, undelete } = req.body as LoginSchema;
 	const email = adjustEmail(login);
+	const ip = getIpAdress(req);
 
 	const config = Config.get();
 
 	if (config.login.requireCaptcha && config.security.captcha.enabled) {
+		const { sitekey, secret, service } = config.security.captcha;
 		if (!captcha_key) {
-			const { sitekey, service } = config.security.captcha;
 			return res.status(400).json({
 				captcha_key: ["captcha-required"],
 				captcha_sitekey: sitekey,
@@ -30,7 +32,21 @@ router.post("/", route({ body: "LoginSchema" }), async (req: Request, res: Respo
 			});
 		}
 
-		// TODO: check captcha
+
+		let captchaUrl = "";
+		if (service === "recaptcha") {
+			captchaUrl = `https://www.google.com/recaptcha/api/siteverify=${sitekey}?secret=${secret}&response=${captcha_key}&remoteip=${ip}`;
+		} else if (service === "hcaptcha") {
+			captchaUrl = `https://hcaptcha.com/siteverify?sitekey=${sitekey}&secret=${secret}&response=${captcha_key}&remoteip=${ip}`;
+		}
+		const response: { success: boolean; "error-codes": string[] } = await (await fetch(captchaUrl, { method: "POST" })).json();
+		if (!response.success) {
+			return res.status(400).json({
+				captcha_key: response["error-codes"],
+				captcha_sitekey: sitekey,
+				captcha_service: service
+			});
+		}
 	}
 
 	const user = await User.findOneOrFail({
diff --git a/src/api/routes/auth/register.ts b/src/api/routes/auth/register.ts
index 7d0f5f57..7ff691d0 100644
--- a/src/api/routes/auth/register.ts
+++ b/src/api/routes/auth/register.ts
@@ -1,6 +1,7 @@
 import { getIpAdress, IPAnalysis, isProxy, route } from "@fosscord/api";
 import { adjustEmail, Config, FieldErrors, generateToken, HTTPError, Invite, RegisterSchema, User } from "@fosscord/util";
 import { Request, Response, Router } from "express";
+import fetch from "node-fetch";
 
 let bcrypt: any;
 try {
@@ -44,8 +45,9 @@ router.post("/", route({ body: "RegisterSchema" }), async (req: Request, res: Re
 	}
 
 	if (register.requireCaptcha && security.captcha.enabled) {
+		const { sitekey, secret, service } = security.captcha;
+
 		if (!body.captcha_key) {
-			const { sitekey, service } = security.captcha;
 			return res?.status(400).json({
 				captcha_key: ["captcha-required"],
 				captcha_sitekey: sitekey,
@@ -53,7 +55,21 @@ router.post("/", route({ body: "RegisterSchema" }), async (req: Request, res: Re
 			});
 		}
 
-		// TODO: check captcha
+
+		let captchaUrl = "";
+		if (service === "recaptcha") {
+			captchaUrl = `https://www.google.com/recaptcha/api/siteverify=${sitekey}?secret=${secret}&response=${body.captcha_key}&remoteip=${ip}`;
+		} else if (service === "hcaptcha") {
+			captchaUrl = `https://hcaptcha.com/siteverify?sitekey=${sitekey}&secret=${secret}&response=${body.captcha_key}&remoteip=${ip}`;
+		}
+		const response: { success: boolean; "error-codes": string[] } = await (await fetch(captchaUrl, { method: "POST" })).json();
+		if (!response.success) {
+			return res.status(400).json({
+				captcha_key: response["error-codes"],
+				captcha_sitekey: sitekey,
+				captcha_service: service
+			});
+		}
 	}
 
 	if (!register.allowMultipleAccounts) {
-- 
cgit 1.4.1