feat(passport): add google reCAPTCHA

Author: duanhongyi

rootfs/api/context_processors.py

@@ -0,0 +1,7 @@
+from django.conf import settings
+
+
+def legal(request):
+    return {
+        'LEGAL_ENABLED': settings.LEGAL_ENABLED,
+    }

rootfs/api/forms.py

@@ -1,9 +1,15 @@
+import requests
+from django import forms
+from django.conf import settings
 from django.utils.translation import gettext_lazy as _
 from django.core.exceptions import ValidationError
-from django.contrib.auth.forms import AuthenticationForm as _AuthenticationForm
+from django.contrib.auth import get_user_model
+from django.contrib.auth.forms import UserCreationForm, AuthenticationForm as _AuthenticationForm
 
 from api.utils import send_activation_email
 
+User = get_user_model()
+
 
 class AuthenticationForm(_AuthenticationForm):
 
@@ -15,3 +21,32 @@ def confirm_login_allowed(self, user):
                 code="inactive",
             )
         return super().confirm_login_allowed(user)
+
+
+class RegistrationForm(UserCreationForm):
+
+    recaptcha_token = forms.CharField(
+        label=_("reCAPTCHA token"),
+        widget=forms.HiddenInput(attrs={"name": "g-recaptcha-response"}),
+        strip=False,
+        required=False,
+        help_text=_("Google recaptcha token hidden field"),
+    )
+
+    def clean_recaptcha_token(self):
+        recaptcha_token = self.data.get("g-recaptcha-response")
+        if settings.GOOGLE_RE_CAPTCHA_KEY and settings.GOOGLE_RE_CAPTCHA_SECRET:
+            success = requests.post('https://www.recaptcha.net/recaptcha/api/siteverify', data={
+                'secret': settings.GOOGLE_RE_CAPTCHA_SECRET,
+                'response': recaptcha_token,
+            }).json()["success"]
+            if not success:
+                raise ValidationError(
+                    _('Error verifying reCAPTCHA, please try again.'),
+                    code="captcha_invalid",
+                )
+        return recaptcha_token
+
+    class Meta(UserCreationForm.Meta):
+        model = User
+        fields = ('username', 'email', 'password1', 'password2')

rootfs/api/oauth2_validators.py

@@ -0,0 +1,17 @@
+from oauth2_provider.oauth2_validators import OAuth2Validator
+
+
+class CustomOAuth2Validator(OAuth2Validator):
+
+    def get_additional_claims(self, request):
+        claims = super().get_additional_claims(request)
+        claims["id"] = request.user.id
+        claims["name"] = request.user.username
+        claims["username"] = request.user.username
+        claims["email"] = request.user.email
+        claims["first_name"] = request.user.first_name
+        claims["last_name"] = request.user.last_name
+        claims["is_staff"] = request.user.is_staff
+        claims["is_active"] = request.user.is_active
+        claims["is_superuser"] = request.user.is_superuser
+        return claims

rootfs/api/serializers.py

@@ -4,10 +4,8 @@
 import logging
 
 from django.contrib.admin.models import LogEntry
-from django.contrib.auth.forms import UserCreationForm
 from django.contrib.auth import get_user_model
 from oauth2_provider.models import Grant, AccessToken
-from oauth2_provider.oauth2_validators import OAuth2Validator
 from rest_framework import serializers
 
 from api.utils import timestamp2datetime
@@ -16,12 +14,6 @@
 logger = logging.getLogger(__name__)
 
 
-class RegistrationForm(UserCreationForm):
-    class Meta(UserCreationForm.Meta):
-        model = User
-        fields = ('username', 'email', 'password1', 'password2')
-
-
 class UserSerializer(serializers.ModelSerializer):
     class Meta:
         model = User
@@ -81,19 +73,3 @@ class Meta:
         fields = '__all__'
         read_only_fields = ['action_time', 'user', 'content_type', 'object_id',
                             'object_repr', 'action_flag', 'change_message']
-
-
-class CustomOAuth2Validator(OAuth2Validator):
-
-    def get_additional_claims(self, request):
-        claims = super().get_additional_claims(request)
-        claims["id"] = request.user.id
-        claims["name"] = request.user.username
-        claims["username"] = request.user.username
-        claims["email"] = request.user.email
-        claims["first_name"] = request.user.first_name
-        claims["last_name"] = request.user.last_name
-        claims["is_staff"] = request.user.is_staff
-        claims["is_active"] = request.user.is_active
-        claims["is_superuser"] = request.user.is_superuser
-        return claims

rootfs/api/settings/production.py

@@ -20,6 +20,9 @@
 # will be suppressed, and exceptions will propagate upwards
 # https://docs.djangoproject.com/en/2.2/ref/settings/#debug-propagate-exceptions
 DEBUG_PROPAGATE_EXCEPTIONS = True
+
+# Enable Legal
+LEGAL_ENABLED = bool(strtobool(os.environ.get('LEGAL_ENABLED', 'false')))
 # Enable Django admin
 ADMIN_ENABLED = bool(strtobool(os.environ.get('ADMIN_ENABLED', 'false')))
 # Enable Registration
@@ -64,6 +67,7 @@
         'APP_DIRS': True,
         'OPTIONS': {
             'context_processors': [
+                "api.context_processors.legal",
                 "django.contrib.auth.context_processors.auth",
                 "django.template.context_processors.debug",
                 "django.template.context_processors.i18n",
@@ -285,7 +289,7 @@
 OAUTH2_PROVIDER = {
     "OIDC_ENABLED": True,
     "OIDC_RSA_PRIVATE_KEY": OIDC_RSA_PRIVATE_KEY,
-    "OAUTH2_VALIDATOR_CLASS": "api.serializers.CustomOAuth2Validator",
+    "OAUTH2_VALIDATOR_CLASS": "api.oauth2_validators.CustomOAuth2Validator",
     "PKCE_REQUIRED": False,
     "ALLOWED_REDIRECT_URI_SCHEMES": ["http", "https"],
     "ACCESS_TOKEN_EXPIRE_SECONDS": int(os.environ.get('ACCESS_TOKEN_EXPIRE_SECONDS', 30 * 86400)),  # noqa
@@ -386,4 +390,4 @@
 EMAIL_USE_SSL = bool(strtobool(os.environ.get('EMAIL_USE_SSL', 'false')))
 
 GOOGLE_RE_CAPTCHA_KEY = os.environ.get("GOOGLE_RE_CAPTCHA_KEY")
-GOOGLE_RE_CAPTCHA_SECRET = os.environ.get("GOOGLE_RE_CAPTCHA_SECRET")
+GOOGLE_RE_CAPTCHA_SECRET = os.environ.get("GOOGLE_RE_CAPTCHA_SECRET")

rootfs/api/static/css/main.css

@@ -27,7 +27,7 @@ body {
     position: relative;
     height: 100%;
     text-align: center;
-    padding-top: 10%;
+    padding-top: 2%;
 }
 
 h1.logo {
@@ -62,10 +62,6 @@ h1.logo a:before {
     border-image: initial;
 }
 
-.panel div {
-    margin-top: 30px
-}
-
 .panel .h3 {
     margin: 40px 20px 0;
     line-height: 1.5;

rootfs/api/templates/base/footer.html

@@ -0,0 +1,17 @@
+<footer class="logo-sfdc">
+    <ul class="legal">
+        {% if LEGAL_ENABLED %}
+        <li><a href="https://drycc.cc" rel="nofollow">Drycc Documents</a></li>
+        <li><a href="https://legal.doopai.com/#/cloud-services-terms" rel="nofollow">Terms of Service</a></li>
+        <li><a href="https://legal.doopai.com/#/doopai-privacy-policy" rel="nofollow">Privacy</a></li>
+        <li><a href="https://legal.doopai.com/#/doopai-cookie-policy" rel="nofollow">Cookies</a></li>
+        <li>© {% now 'Y' %} drycc.com</li>
+        {% else %}
+        <li><a href="https://drycc.cc" rel="nofollow">Drycc Documents</a></li>
+        <li><a href="https://github.com/drycc" rel="nofollow">Open Source</a></li>
+        <li><a href="https://drycc.slack.com/" rel="nofollow">Community</a></li>
+        <li><a href="https://github.com/drycc/workflow/issues" rel="nofollow">Support</a></li>
+        <li>© {% now 'Y' %} drycc.cc</li>
+        {% endif %}
+    </ul>
+</footer>

rootfs/api/templates/oauth2_provider/authorize.html

@@ -39,5 +39,6 @@ <h2 class="h3">{{ error.error }}</h2>
                 {% endif %}
             </div>
         </div>
+        {% include "base/footer.html" %}
     </div>
 </body>

rootfs/api/templates/user/footer.html

@@ -29,12 +29,14 @@ <h2 class="h3">Log in to your account</h2>
                 <input type="hidden" name="next" value={{ next }}>
             </form>
             {% if registration_enabled %}
-            <a class="panel-footer" href="/user/registration/"><span>Sign Up</span></a>
+            <a class="panel-footer" href="/user/registration/">New to Drycc?  <span>Sign Up</span></a>
             {% endif %}
         </div>
         {% if password_reset_enabled %}
-        <a href="/user/password_reset/" class="white-link">Forgot your password?</a>
+        <div>
+            <a href="/user/password_reset/" class="white-link">Forgot your password?</a>
+        </div>
         {% endif %}
     </div>
-    {% include "user/footer.html" %}
+    {% include "base/footer.html" %}
 </div>