From 882cb91ae00b311e673b253db584e8f9772897d7 Mon Sep 17 00:00:00 2001
From: Jesse <2302541+Kangaroux@users.noreply.github.com>
Date: Wed, 8 Jul 2020 04:03:41 -0400
Subject: [PATCH] Check recaptcha response from google API

---
 server/szurubooru/api/user_api.py | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/server/szurubooru/api/user_api.py b/server/szurubooru/api/user_api.py
index a6196cb8..ee555117 100644
--- a/server/szurubooru/api/user_api.py
+++ b/server/szurubooru/api/user_api.py
@@ -1,6 +1,8 @@
 from typing import Any, Dict
 
-from szurubooru import model, rest, search
+import requests
+
+from szurubooru import config, model, rest, search
 from szurubooru.func import auth, serialization, users, versions
 
 _search_executor = search.Executor(search.configs.UserSearchConfig())
@@ -31,11 +33,28 @@ def get_users(
 def create_user(
     ctx: rest.Context, _params: Dict[str, str] = {}
 ) -> rest.Response:
+    expect_recaptcha = False
+
     if ctx.user.user_id is None:
+        expect_recaptcha = True
         auth.verify_privilege(ctx.user, "users:create:self")
     else:
         auth.verify_privilege(ctx.user, "users:create:any")
 
+    # Verify if the recaptcha was correct.
+    if expect_recaptcha:
+        resp = requests.post("https://www.google.com/recaptcha/api/siteverify", data={
+            "secret": config.config["recaptcha_secret"],
+            "response": ctx.get_param_as_string("recaptchaToken", default=""),
+        })
+
+        # Raise a 400 error if the recaptcha wasn't OK.
+        if not resp.json()["success"]:
+            raise rest.errors.HttpBadRequest(
+                "ValidationError",
+                "Recaptcha response was invalid."
+            )
+
     name = ctx.get_param_as_string("name")
     password = ctx.get_param_as_string("password")
     email = ctx.get_param_as_string("email", default="")
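Review bot: The `requests.post` call to the siteverify endpoint in the second hunk has no `timeout=`, so an unreachable or slow verification service stalls the anonymous-signup handler indefinitely and holds a worker per request; pass a bounded value such as `timeout=10` and treat `requests.Timeout`/`requests.ConnectionError` as a rejection rather than letting them surface as a 500. The success check `resp.json()["success"]` also assumes a 2xx JSON body — a non-JSON error page or a body without `success` raises `ValueError`/`KeyError` — so `if not resp.ok or not resp.json().get("success", False):` keeps the fail-closed behaviour while still producing a clean 400. Because this check is the only guard on account creation for unauthenticated callers, failing closed is the right default, but the outage path should be logged so operators can tell a verification-service failure from a rejected token. `import requests` in the first hunk introduces a third-party dependency; confirm it is declared and pinned in the project's requirements. The body of create_user continues past the end of the hunk.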