hcaptcha validation on password login (#1398)

2025-07-01 08:02:49 -05:00 · 2021-06-16 12:47:41 -04:00
parent 1796b1dd8e
commit d2e48a5c2c
8 changed files with 189 additions and 25 deletions
--- a/src/Core/IdentityServer/ResourceOwnerPasswordValidator.cs
+++ b/src/Core/IdentityServer/ResourceOwnerPasswordValidator.cs
@ -20,6 +20,7 @@ namespace Bit.Core.IdentityServer
        private UserManager<User> _userManager;
        private readonly IUserService _userService;
        private readonly ICurrentContext _currentContext;
+        private readonly ICaptchaValidationService _captchaValidationService;

        public ResourceOwnerPasswordValidator(
            UserManager<User> userManager,
@ -35,7 +36,8 @@ namespace Bit.Core.IdentityServer
            ILogger<ResourceOwnerPasswordValidator> logger,
            ICurrentContext currentContext,
            GlobalSettings globalSettings,
-            IPolicyRepository policyRepository)
+            IPolicyRepository policyRepository,
+            ICaptchaValidationService captchaValidationService)
            : base(userManager, deviceRepository, deviceService, userService, eventService,
                  organizationDuoWebTokenProvider, organizationRepository, organizationUserRepository,
                  applicationCacheService, mailService, logger, currentContext, globalSettings, policyRepository)
@ -43,10 +45,39 @@ namespace Bit.Core.IdentityServer
            _userManager = userManager;
            _userService = userService;
            _currentContext = currentContext;
+            _captchaValidationService = captchaValidationService;
        }

        public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
        {
+            // Uncomment whenever we want to require the `auth-email` header
+            //
+            //if (!_currentContext.HttpContext.Request.Headers.ContainsKey("Auth-Email") ||
+            //    _currentContext.HttpContext.Request.Headers["Auth-Email"] != context.UserName)
+            //{
+            //    context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant,
+            //        "Auth-Email header invalid.");
+            //    return;
+            //}
+
+            if (_captchaValidationService.ServiceEnabled && _currentContext.IsBot)
+            {
+                var captchaResponse = context.Request.Raw["CaptchaResponse"]?.ToString();
+                if (string.IsNullOrWhiteSpace(captchaResponse))
+                {
+                    context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Captcha required.");
+                    return;
+                }
+
+                var captchaValid = await _captchaValidationService.ValidateCaptchaResponseAsync(captchaResponse,
+                    _currentContext.IpAddress);
+                if (!captchaValid)
+                {
+                    await BuildErrorResultAsync("Captcha is invalid.", false, context, null);
+                    return;
+                }
+            }
+
            await ValidateAsync(context, context.Request);
        }

@ -57,14 +88,6 @@ namespace Bit.Core.IdentityServer
                return (null, false);
            }

-            // Uncomment whenever we want to require the `auth-email` header
-            //
-            //if (!_currentContext.HttpContext.Request.Headers.ContainsKey("Auth-Email") ||
-            //    _currentContext.HttpContext.Request.Headers["Auth-Email"] != context.UserName)
-            //{
-            //    return (null, false);
-            //}
-
            var user = await _userManager.FindByEmailAsync(context.UserName.ToLowerInvariant());
            if (user == null || !await _userService.CheckPasswordAsync(user, context.Password))
            {