feat: add captcha to verify and token endpoints (supabase#520)

* fix: add captcha to verify and token endpoints * don't enable captcha on refresh token grant_type * refactor: rename hcaptcha_token to captcha_token for generalizability
LashaJini · Nov 13, 2024 · c4935c1 · c4935c1
1 parent dab2dd5
commit c4935c1
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 6 deletions.
diff --git a/api/api.go b/api/api.go
@@ -127,7 +127,7 @@ func NewAPIWithVersion(ctx context.Context, globalConfig *conf.GlobalConfigurati
 			tollbooth.NewLimiter(api.config.RateLimitTokenRefresh/(60*5), &limiter.ExpirableOptions{
 				DefaultExpirationTTL: time.Hour,
 			}).SetBurst(30),
-		)).Post("/token", api.Token)
+		)).With(api.verifyCaptcha).Post("/token", api.Token)
 
 		r.With(api.limitHandler(
 			// Allow requests at the specified rate per 5 minutes.
@@ -136,7 +136,7 @@ func NewAPIWithVersion(ctx context.Context, globalConfig *conf.GlobalConfigurati
 			}).SetBurst(30),
 		)).Route("/verify", func(r *router) {
 			r.Get("/", api.Verify)
-			r.Post("/", api.Verify)
+			r.With(api.verifyCaptcha).Post("/", api.Verify)
 		})
 
 		r.With(api.requireAuthentication).Post("/logout", api.Logout)

diff --git a/api/middleware_test.go b/api/middleware_test.go
@@ -48,7 +48,7 @@ func (ts *MiddlewareTestSuite) TestVerifyCaptchaValid() {
 		"email":    "test@example.com",
 		"password": "secret",
 		"gotrue_meta_security": map[string]interface{}{
-			"hcaptcha_token": HCaptchaResponse,
+			"captcha_token": HCaptchaResponse,
 		},
 	}))
 
@@ -75,7 +75,7 @@ func (ts *MiddlewareTestSuite) TestVerifyCaptchaValid() {
 		"email":    "test@example.com",
 		"password": "secret",
 		"gotrue_meta_security": map[string]interface{}{
-			"hcaptcha_token": HCaptchaResponse,
+			"captcha_token": HCaptchaResponse,
 		},
 	}))
 
@@ -129,7 +129,7 @@ func (ts *MiddlewareTestSuite) TestVerifyCaptchaInvalid() {
 				"email":    "test@example.com",
 				"password": "secret",
 				"gotrue_meta_security": map[string]interface{}{
-					"hcaptcha_token": HCaptchaResponse,
+					"captcha_token": HCaptchaResponse,
 				},
 			}))
 			req := httptest.NewRequest(http.MethodPost, "http://localhost", &buffer)

diff --git a/security/hcaptcha.go b/security/hcaptcha.go
@@ -22,7 +22,7 @@ type GotrueRequest struct {
 }
 
 type GotrueSecurity struct {
-	Token string `json:"hcaptcha_token"`
+	Token string `json:"captcha_token"`
 }
 
 type VerificationResponse struct {
@@ -56,6 +56,10 @@ func init() {
 }
 
 func VerifyRequest(r *http.Request, secretKey string) (VerificationResult, error) {
+	if r.FormValue("grant_type") == "refresh_token" {
+		// captcha shouldn't be enabled on requests to refresh the token
+		return SuccessfullyVerified, nil
+	}
 	res := GotrueRequest{}
 	bodyBytes, err := ioutil.ReadAll(r.Body)
 	if err != nil {