recaptcha fixes to avoid lockout

Pliable Pixels 2015-09-24 15:44:35 -04:00
parent 25ab1f6ddd
commit 23b549a471
4 changed files with 52 additions and 10 deletions


@ -22,6 +22,7 @@
// PP - POST request handler for PHP which does not need extensions
// credit: http://wezfurlong.org/blog/2006/nov/http-post-from-php-without-curl/
function do_post_request($url, $data, $optional_headers = null)
{
$params = array('http' => array(
@ -67,8 +68,14 @@ if ( ZM_OPT_USE_AUTH && ZM_AUTH_HASH_LOGINS && empty($user) && !empty($_REQUEST[
if ( !empty($action) )
{
// if true, a popup will display after login
// PP - lets validate reCaptcha if it exists
if (ZM_OPT_USE_GOOG_RECAPTCHA && ZM_OPT_GOOG_RECAPTCHA_SECRETKEY && ZM_OPT_GOOG_RECAPTCHA_SITEKEY)
if ( defined('ZM_OPT_USE_GOOG_RECAPTCHA')
&& defined('ZM_OPT_GOOG_RECAPTCHA_SECRETKEY')
&& defined('ZM_OPT_GOOG_RECAPTCHA_SITEKEY')
&& ZM_OPT_USE_GOOG_RECAPTCHA && ZM_OPT_GOOG_RECAPTCHA_SECRETKEY
&& ZM_OPT_GOOG_RECAPTCHA_SITEKEY)
{
$url = 'https://www.google.com/recaptcha/api/siteverify';
$fields = array (
@ -78,12 +85,32 @@ if ( !empty($action) )
);
$res= do_post_request($url, http_build_query($fields));
$result = json_decode($res);
if ($result->success != 'true')
$responseData = json_decode($res,true);
// PP - credit: https://github.com/google/recaptcha/blob/master/src/ReCaptcha/Response.php
// if recaptcha resulted in error, we might have to deny login
if (isset($responseData['success']) && $responseData['success'] == false)
{
// PP - before we deny auth, let's make sure the error was not 'invalid secret'
// because that means the user did not configure the secret key correctly
// in this case, we prefer to let him login in and display a message to correct
// the key. Unfortunately, there is no way to check for invalid site key in code
// as it produces the same error as when you don't answer a recaptcha
if (isset($responseData['error-codes']) && is_array($responseData['error-codes']))
{
if (!in_array('invalid-input-secret',$responseData['error-codes']))
{
userLogout();
$view='login';
$refreshParent = true;
}
else
{
//Let them login but show an error
echo "<script type='text/javascript'>alert('Really annoying pop-up!');</script>";
$recaptchaWarning = true;
}
}
}
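Review bot: The new test `if (isset($responseData['success']) && $responseData['success'] == false)` fails open: when `json_decode($res,true)` yields null (an empty or non-JSON reply; what `do_post_request` returns on a transport failure is outside this hunk) or the reply has no `success` key, nothing is denied and the login proceeds without a verified captcha. The same happens when `success` is false but `error-codes` is missing or not an array, because `userLogout()` is nested inside that `is_array` test. If the only intended exemption is the misconfigured-secret case, treat everything except an explicit success as a failure and carve out `invalid-input-secret` alone, as sketched below. The `echo "<script ...>alert('Really annoying pop-up!')` line looks like leftover debugging that writes output from the action handler and duplicates the `$recaptchaWarning` popup, so it should be dropped. The enclosing reCAPTCHA block continues past the end of the hunk.

```php
$responseData = json_decode($res, true);
// Anything other than an explicit success counts as a failed verification.
if (!is_array($responseData) || empty($responseData['success']))
{
    $errorCodes = (is_array($responseData) && isset($responseData['error-codes']) && is_array($responseData['error-codes']))
        ? $responseData['error-codes'] : array();
    if (in_array('invalid-input-secret', $errorCodes, true))
    {
        // Misconfigured secret: allow the login and surface the warning.
        $recaptchaWarning = true;
    }
    else
    {
        // … unchanged: userLogout(), $view, $refreshParent …
    }
}
```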


@ -578,6 +578,7 @@ $SLANG = array(
'Progress' => 'Progress',
'Protocol' => 'Protocol',
'Rate' => 'Rate',
'RecaptchaWarning' => 'Your reCaptcha secret key is invalid. Please correct it, or reCaptcha will not work', // added Sep 24 2015 - PP
'Real' => 'Real',
'Record' => 'Record',
'RefImageBlendPct' => 'Reference Image Blend %ge',


@ -26,3 +26,14 @@ elseif ( ZM_DYN_SHOW_DONATE_REMINDER )
?>
var showVersionPopup = <?php echo isset($showVersionPopup )?'true':'false' ?>;
var showDonatePopup = <?php echo isset($showDonatePopup )?'true':'false' ?>;
//PP - display popup if during login, it was found that secret was invalid
var recaptchaWarning = <?php echo isset($recaptchaWarning)?'true':'false' ?>;
if ( recaptchaWarning )
{
alert( "<?php echo translate('RecaptchaWarning') ?>" );
}
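Review bot: `alert( "<?php echo translate('RecaptchaWarning') ?>" );` writes the translated string straight into a double-quoted JavaScript literal, so a translation containing a double quote, backslash or line break breaks the script; whether `translate()` escapes anything is not visible here. Encoding the value for the JavaScript context avoids that: `alert( <?php echo json_encode(translate('RecaptchaWarning')) ?> );`. The popup also tells whoever just logged in that the secret key is misconfigured, so consider showing it only to users who are allowed to edit the options.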


@ -22,7 +22,7 @@ xhtmlHeaders(__FILE__, translate('Login') );
?>
<!-- PP: Add recaptcha script if enabled -->
<?php
if (!empty(ZM_OPT_USE_GOOG_RECAPTCHA))
if (defined('ZM_OPT_USE_GOOG_RECAPTCHA') && ZM_OPT_USE_GOOG_RECAPTCHA)
{
echo "<head> <script src='https://www.google.com/recaptcha/api.js'></script> </head>";
}
@ -52,7 +52,10 @@ xhtmlHeaders(__FILE__, translate('Login') );
<input type="submit" value="<?php echo translate('Login') ?>"/>
<!-- PP: Added recaptcha widget if enabled -->
<?php
if (!empty(ZM_OPT_USE_GOOG_RECAPTCHA) && !empty(ZM_OPT_GOOG_RECAPTCHA_SITEKEY) && !empty(ZM_OPT_GOOGLE_RECAPTCHA_SECRETKEY))
if (defined('ZM_OPT_USE_GOOG_RECAPTCHA')
&& defined('ZM_OPT_GOOG_RECAPTCHA_SITEKEY')
&& defined('ZM_OPT_GOOG_RECAPTCHA_SECRETKEY')
&& ZM_OPT_USE_GOOG_RECAPTCHA && ZM_OPT_GOOG_RECAPTCHA_SITEKEY && ZM_OPT_GOOG_RECAPTCHA_SECRETKEY)
{
echo "<br/><br/><center> <div class='g-recaptcha' data-sitekey='".ZM_OPT_GOOG_RECAPTCHA_SITEKEY."'></div> </center>";
}
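Review bot: The three-constant enablement test starting at `if (defined('ZM_OPT_USE_GOOG_RECAPTCHA')` is now spelled out by hand both here and in the login action handler, and the line it replaces shows how a small drift in one constant name (`ZM_OPT_GOOGLE_RECAPTCHA_SECRETKEY`) goes unnoticed. Moving the test into one shared helper that both the view and the handler call keeps "widget rendered" and "response verified" from disagreeing, which is the lockout case this commit is about. Separately, the site key is concatenated into the `data-sitekey` attribute unescaped; using `htmlspecialchars(ZM_OPT_GOOG_RECAPTCHA_SITEKEY, ENT_QUOTES)` there keeps a stray quote in the configured value from breaking out of the attribute.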