From cbdc0dacd62bf66fbf26c4b071e420df0199f47c Mon Sep 17 00:00:00 2001
From: Genaro Contreras Gutierrez
Date: Wed, 19 Feb 2020 14:04:20 -0800
Subject: [PATCH] Auth Form wiht Google reCAPTCHA (#87)
* reCaptcha config
* config reCaptcha
* check reCAPTCHA
* add reCAPTCHA to form login
* config attributes for reCAPTCHA
* Function to verify request with reCAPTCHA
* doc reCaptcha
---
config/config.php.example | 15 ++++++++++
htdocs/login.php | 59 +++++++++++++++++++++++++--------------
htdocs/login_form.php | 7 +++++
lib/config_default.php | 14 ++++++++++
lib/functions.php | 26 +++++++++++++++++
5 files changed, 100 insertions(+), 21 deletions(-)
diff --git a/config/config.php.example b/config/config.php.example
index 973eef3..6f2d5d9 100644
--- a/config/config.php.example
+++ b/config/config.php.example
@@ -573,4 +573,19 @@ $servers->setValue('server','custom_sys_attrs',array('passwordExpirationTime','p
 $servers->setValue('server','custom_attrs',array('nsRoleDN','nsRole','nsAccountLock'));
 $servers->setValue('server','force_may',array('uidNumber','gidNumber','sambaSID'));
 */
+
+
+/***********************************************************************************
+ * If you want to configure Google reCAPTCHA on autentication form, do so below. *
+ * Remove the commented lines and use this section as a template for all *
+ * reCAPTCHA v2 Generate on https://www.google.com/recaptcha/ *
+ * *
+ * IMPORTANT: Select reCAPTCHA v2 on Type of reCAPTCHA *
+ ***********************************************************************************/
+
+
+$config->custom->session['reCAPTCHA-enable'] = false;
+$config->custom->session['reCAPTCHA-key-site'] = '';
+$config->custom->session['reCAPTCHA-key-server'] = '';
+
 ?>
diff --git a/htdocs/login.php b/htdocs/login.php
index 48f9e2e..5cc96b1 100644
--- a/htdocs/login.php
+++ b/htdocs/login.php
@@ -11,27 +11,44 @@
 require './common.php';
 
-$user = array();
-$user['login'] = get_request('login');
-$user['password'] = get_request('login_pass');
+$pass = true;
+if ($_SESSION[APPCONFIG]->getValue('session', 'reCAPTCHA-enable')) {
+ $pass = !IsRobot(get_request('g-recaptcha-response'));
+}
 
-if ($user['login'] && ! strlen($user['password']))
- system_message(array(
- 'title'=>_('Authenticate to server'),
- 'body'=>_('You left the password blank.'),
- 'type'=>'warn'),
- sprintf('cmd.php?cmd=login_form&server_id=%s',get_request('server_id','REQUEST')));
+if ($pass) {
+ $user = array();
+ $user['login'] = get_request('login');
+ $user['password'] = get_request('login_pass');
+
+ if ($user['login'] && !strlen($user['password'])) {
+ system_message(array(
+ 'title' => _('Authenticate to server'),
+ 'body' => _('You left the password blank.'),
+ 'type' => 'warn'),
+ sprintf('cmd.php?cmd=login_form&server_id=%s', get_request('server_id', 'REQUEST')));
+ }
+
+ if ($app['server']->login($user['login'], $user['password'], 'user')) {
+ system_message(array(
+ 'title' => _('Authenticate to server'),
+ 'body' => _('Successfully logged into server.'),
+ 'type' => 'info'),
+ sprintf('cmd.php?server_id=%s', get_request('server_id', 'REQUEST')));
+ } else {
+ system_message(array(
+ 'title' => _('Failed to Authenticate to server'),
+ 'body' => _('Invalid Username or Password.'),
+ 'type' => 'error'),
+ sprintf('cmd.php?cmd=login_form&server_id=%s', get_request('server_id', 'REQUEST')));
+ }
+
+} else {
+ system_message(array(
+ 'title' => _('Authenticate to server'),
+ 'body' => _('Incorrect captcha.'),
+ 'type' => 'warn'),
+ sprintf('cmd.php?cmd=login_form&server_id=%s', get_request('server_id', 'REQUEST')));
+}
 
-if ($app['server']->login($user['login'],$user['password'],'user'))
- system_message(array(
- 'title'=>_('Authenticate to server'),
- 'body'=>_('Successfully logged into server.'),
- 'type'=>'info'),
- sprintf('cmd.php?server_id=%s',get_request('server_id','REQUEST')));
-else
- system_message(array(
- 'title'=>_('Failed to Authenticate to server'),
- 'body'=>_('Invalid Username or Password.'),
- 'type'=>'error'),
- sprintf('cmd.php?cmd=login_form&server_id=%s',get_request('server_id','REQUEST')));
 
 ?>
diff --git a/htdocs/login_form.php b/htdocs/login_form.php
index 6add50d..91c252c 100644
--- a/htdocs/login_form.php
+++ b/htdocs/login_form.php
@@ -90,6 +90,13 @@ if ($app['server']->getAuthType() == 'http') {
 echo '';
 echo ' ';
+ #reCAPTCHA
+ if ($_SESSION[APPCONFIG]->getValue('session', 'reCAPTCHA-enable')) {
+ echo '';
+ echo '
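Review bot: `$pass` on the first added line of this hunk reads as the user's password in a script that also builds `$user['password']`, so the captcha verdict and the credential are easy to confuse; naming it `$captchaOk` makes the `if ($pass)` / `else` split self-explanatory. The login-form redirect `sprintf('cmd.php?cmd=login_form&server_id=%s', get_request('server_id', 'REQUEST'))` is now repeated in three of the four `system_message()` calls; computing it once before the captcha check, `$loginForm = sprintf('cmd.php?cmd=login_form&server_id=%s', get_request('server_id', 'REQUEST'));`, keeps the three branches consistent. A one-line comment on the captcha branch, `# With reCAPTCHA enabled the token must verify before credentials are looked at`, would record why the entire credential block is nested under it. The hunk covers the flat script from `require './common.php'` to the closing `?>`, so no enclosing function is cut.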
';
+ echo ' ';
+ }
+
 # If Anon bind allowed, then disable the form if the user choose to bind anonymously.
 if ($app['server']->isAnonBindAllowed())
 printf('%s ',
diff --git a/lib/config_default.php b/lib/config_default.php
index b0c05ca..d85140f 100644
--- a/lib/config_default.php
+++ b/lib/config_default.php
@@ -574,6 +574,20 @@ class Config {
 $this->default->search['time_limit'] = array(
 'desc'=>'Maximum time to allow unlimited size_limit searches to the ldap server',
 'default'=>120);
+
+ /* reCAPTCHA Login */
+
+ $this->default->session['reCAPTCHA-enable'] = array(
+ 'desc'=>'Status reCAPTCHA (true | false)',
+ 'default'=>false);
+
+ $this->default->session['reCAPTCHA-key-site'] = array(
+ 'desc'=>'Site Key',
+ 'default'=>"");
+
+ $this->default->session['reCAPTCHA-key-server'] = array(
+ 'desc'=>'Server key',
+ 'default'=>"");
 }
 
 /**
diff --git a/lib/functions.php b/lib/functions.php
index bad1ee9..784efc9 100644
--- a/lib/functions.php
+++ b/lib/functions.php
@@ -3217,4 +3217,30 @@ function isAjaxEnabled() {
 else
 return false;
 }
+/**
+* Check if user is a robot with reCAPTCHA
+**/
+function IsRobot($gResponse){
+ $isRobot = true;
+ $url = 'https://www.google.com/recaptcha/api/siteverify';
+ $data = array(
+ 'secret' => $_SESSION[APPCONFIG]->getValue('session','reCAPTCHA-key-server'),
+ 'response' => $gResponse
+ );
+ $options = array(
+ 'http' => array (
+ 'method' => 'POST','header' =>
+ 'Content-Type: application/x-www-form-urlencoded',
+ 'content' => http_build_query($data)
+ )
+ );
+ $context = stream_context_create($options);
+ $verify = file_get_contents($url, false, $context);
+ $captcha_success = json_decode($verify);
+ if ($captcha_success->success) {
+ $isRobot = false;
+ }
+ return $isRobot;
+
+}
 ?>
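Review bot: `IsRobot()` in the lib/functions.php hunk issues the outbound siteverify request with no `timeout` in the `http` stream context and never checks the `false` that `file_get_contents()` returns on a transport or HTTP failure, so `json_decode($verify)` yields `null` and `$captcha_success->success` reads a property on null before the function falls through to `return $isRobot` (still `true`). The result is fail-closed only by accident: every login waits up to PHP's default socket timeout when the verifier is unreachable, and an outage surfaces as a PHP warning rather than an explicit decision. An empty token can also be rejected locally instead of being posted. The rewrite below adds the timeout, checks the transport result explicitly and compares `success` strictly; the docblock should also say that the function fails closed, i.e. returns `true` whenever verification cannot be completed. The name `IsRobot` also departs from the camelCase of the neighbouring `isAjaxEnabled()`, but renaming it would mean touching the call in htdocs/login.php as well.
```php
function IsRobot($gResponse){
	# An empty or non-string token can never verify, so do not post it.
	if (! is_string($gResponse) || $gResponse === '')
		return true;

	$url = 'https://www.google.com/recaptcha/api/siteverify';
	# … unchanged: $data array with 'secret' and 'response' …
	$options = array(
		'http' => array(
			'method' => 'POST',
			'header' => 'Content-Type: application/x-www-form-urlencoded',
			'content' => http_build_query($data),
			'timeout' => 5  # seconds; constructed value, tune for the deployment
		)
	);
	$context = stream_context_create($options);
	$verify = file_get_contents($url, false, $context);

	# Fail closed: no answer from the verifier means the token is not accepted.
	if ($verify === false)
		return true;

	$captcha_success = json_decode($verify);
	return ! (isset($captcha_success->success) && $captcha_success->success === true);
}
```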