From 882cb91ae00b311e673b253db584e8f9772897d7 Mon Sep 17 00:00:00 2001
From: Jesse <2302541+Kangaroux@users.noreply.github.com>
Date: Wed, 8 Jul 2020 04:03:41 -0400
Subject: [PATCH] Check recaptcha response from google API

---
 server/szurubooru/api/user_api.py | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/server/szurubooru/api/user_api.py b/server/szurubooru/api/user_api.py
index a6196cb8..ee555117 100644
--- a/server/szurubooru/api/user_api.py
+++ b/server/szurubooru/api/user_api.py
@@ -1,6 +1,8 @@
 from typing import Any, Dict
 
-from szurubooru import model, rest, search
+import requests
+
+from szurubooru import config, model, rest, search
 from szurubooru.func import auth, serialization, users, versions
 
 _search_executor = search.Executor(search.configs.UserSearchConfig())
@@ -31,11 +33,28 @@ def get_users(
 def create_user(
     ctx: rest.Context, _params: Dict[str, str] = {}
 ) -> rest.Response:
+    expect_recaptcha = False
+
     if ctx.user.user_id is None:
+        expect_recaptcha = True
         auth.verify_privilege(ctx.user, "users:create:self")
     else:
         auth.verify_privilege(ctx.user, "users:create:any")
 
+    # Verify if the recaptcha was correct.
+    if expect_recaptcha:
+        resp = requests.post("https://www.google.com/recaptcha/api/siteverify", data={
+            "secret": config.config["recaptcha_secret"],
+            "response": ctx.get_param_as_string("recaptchaToken", default=""),
+        })
+
+        # Raise a 400 error if the recaptcha wasn't OK.
+        if not resp.json()["success"]:
+            raise rest.errors.HttpBadRequest(
+                "ValidationError",
+                "Recaptcha response was invalid."
+            )
+
     name = ctx.get_param_as_string("name")
     password = ctx.get_param_as_string("password")
     email = ctx.get_param_as_string("email", default="")