# frozen_string_literal: true
class Auth::ConfirmationsController < Devise::ConfirmationsController
+ include CaptchaConcern
+
layout 'auth'
before_action :set_body_classes
before_action :set_pack
+ before_action :set_confirmation_user!, only: [:show, :confirm_captcha]
before_action :require_unconfirmed!
+ before_action :extend_csp_for_captcha!, only: [:show, :confirm_captcha]
+ before_action :require_captcha_if_needed!, only: [:show]
+
skip_before_action :require_functional!
def new
resource.email = current_user.unconfirmed_email || current_user.email if user_signed_in?
end
+ def show
+ clear_captcha!
+
+ old_session_values = session.to_hash
+ reset_session
+ session.update old_session_values.except('session_id')
+
+ super
+ end
+
+ def confirm_captcha
+ check_captcha! do |message|
+ flash.now[:alert] = message
+ render :captcha
+ return
+ end
+
+ show
+ end
+
private
+ def require_captcha_if_needed!
+ render :captcha if captcha_required?
+ end
+
+ def set_confirmation_user!
+ # We need to reimplement looking up the user because
+ # Devise::ConfirmationsController#show looks up and confirms in one
+ # step.
+ confirmation_token = params[:confirmation_token]
+ return if confirmation_token.nil?
+ @confirmation_user = User.find_first_by_auth_conditions(confirmation_token: confirmation_token)
+ end
+
+ def captcha_user_bypass?
+ return true if @confirmation_user.nil? || @confirmation_user.confirmed?
+
+ invite = Invite.find(@confirmation_user.invite_id) if @confirmation_user.invite_id.present?
+ invite.present? && !invite.max_uses.nil?
+ end
+
+ def captcha_context
+ 'email-confirmation'
+ end
+
def set_pack
use_pack 'auth'
end
end
def captcha_enabled?
- captcha_available? && Setting.captcha_enabled
+ captcha_available? && Setting.captcha_mode == captcha_context
end
def captcha_recently_passed?
session[:captcha_passed_at].present? && session[:captcha_passed_at] >= CAPTCHA_TIMEOUT.ago
end
+ def captcha_user_bypass?
+ current_user.present? || (@invite.present? && @invite.valid_for_use? && !@invite.max_uses.nil?)
+ end
+
def captcha_required?
return false if ENV['OMNIAUTH_ONLY'] == 'true'
return false unless Setting.registrations_mode != 'none' || @invite&.valid_for_use?
- captcha_enabled? && !current_user && !(@invite.present? && @invite.valid_for_use? && !@invite.max_uses.nil?) && !captcha_recently_passed?
+ captcha_enabled? && !captcha_user_bypass? && !captcha_recently_passed?
end
def clear_captcha!
hcaptcha_tags
end
+
+ def captcha_context
+ 'registration-form'
+ end
end
noindex
outgoing_spoilers
require_invite_text
- captcha_enabled
+ captcha_mode
).freeze
BOOLEAN_KEYS = %i(
trendable_by_default
noindex
require_invite_text
- captcha_enabled
).freeze
UPLOAD_KEYS = %i(
validates :bootstrap_timeline_accounts, existing_username: { multiple: true }
validates :show_domain_blocks, inclusion: { in: %w(disabled users all) }
validates :show_domain_blocks_rationale, inclusion: { in: %w(disabled users all) }
+ validates :captcha_mode, inclusion: { in: %w(disabled registration-form email-confirmation) }
def initialize(_attributes = {})
super
end
def captcha_enabled?
- ENV['HCAPTCHA_SECRET_KEY'].present? && ENV['HCAPTCHA_SITE_KEY'].present? && Setting.captcha_enabled
+ ENV['HCAPTCHA_SECRET_KEY'].present? && ENV['HCAPTCHA_SITE_KEY'].present? && Setting.captcha_mode == 'registration-form'
end
end
- if captcha_available?
.fields-group
- = f.input :captcha_enabled, as: :boolean, wrapper: :with_label, label: t('admin.settings.captcha_enabled.title'), hint: t('admin.settings.captcha_enabled.desc_html')
+ = f.input :captcha_mode, as: :radio_buttons, collection: %w(disabled registration-form email-confirmation), include_blank: false, wrapper: :with_block_label, label_method: ->(type) { safe_join([t("admin.settings.captcha.#{type}.title"), content_tag(:span, t("admin.settings.captcha.#{type}.desc_html"), class: 'hint')])}, label: t('admin.settings.captcha.title'), hint: t('admin.settings.captcha.desc_html')
%hr.spacer/
--- /dev/null
+- content_for :page_title do
+ = t('auth.confirm_captcha')
+
+= form_tag auth_captcha_confirmation_url, method: 'POST', class: 'simple_form' do
+ = hidden_field_tag :confirmation_token, params[:confirmation_token]
+
+ .field-group
+ = render_captcha_if_needed
+
+ .actions
+ %button.button= t('challenge.continue')
en:
admin:
settings:
- captcha_enabled:
- desc_html: Enable hCaptcha integration, requiring new users to solve a challenge when signing up. Note that this disables app-based registration, may prevent your instance from being listed as having open registrations, and requires third-party scripts from hCaptcha to be embedded in the registration pages. This may have security and privacy concerns.
- title: Require new users to go through a CAPTCHA to sign up
+ captcha:
+ desc_html: Configure hCaptcha integration, relying on third-party scripts. This may have security and privacy implications.
+ email-confirmation:
+ desc_html: Require new users to go through hCaptcha at the e-mail validation step. Bots will not be deterred from creating accounts, but they may be prevented from confirming them, leaving them to be automatically cleaned up after a couple days. This does not interfere with app-based registrations.
+ title: CAPTCHA on email validation
+ disabled:
+ desc_html: Do not require a CAPTCHA
+ title: Disabled
+ registration-form:
+ desc_html: Require new users to go through hCaptcha on the registration form, so that CAPTCHA requirement is immediately apparent to them. This disables app-based registrations and may prevent your instance from being listed as having open registrations.
+ title: CAPTCHA on registration forms
+ title: CAPTCHA configuration
enable_keybase:
desc_html: Allow your users to prove their identity via keybase
title: Enable keybase integration
show_replies_in_public_timelines:
desc_html: In addition to public self-replies (threads), show public replies in local and public timelines.
title: Show replies in public timelines
+ auth:
+ confirm_captcha: User verification
generic:
use_this: Use this
settings:
resource :setup, only: [:show, :update], controller: :setup
resource :challenge, only: [:create], controller: :challenges
get 'sessions/security_key_options', to: 'sessions#webauthn_options'
+ post 'captcha_confirmation', to: 'confirmations#confirm_captcha', as: :captcha_confirmation
end
end
show_domain_blocks_rationale: 'disabled'
outgoing_spoilers: ''
require_invite_text: false
- captcha_enabled: false
+ captcha_mode: 'disabled'
development:
<<: *defaults
cat aescling's git repositories / mastodon.git / commitdiff