feat(be/fe): enable captcha (#69)

* feat(ui): enable captcha * feat(server): enable captcha * fix(ui): fix login pane layout * fix(config): remove unused config and files * fix(be/fe): clean up code * chore(fe/be): clean up code
2021-08-06 22:27:24 -05:00 · 2021-08-06 22:27:24 -05:00 · 1fcb2223a0
commit 1fcb2223a0
parent 021e5090be
22 changed files with 262 additions and 82 deletions
--- a/src/handlers/multiusers/handlers.go
+++ b/src/handlers/multiusers/handlers.go
@ -7,6 +7,7 @@ import (
 	"strconv"
 	"time"

+	"github.com/dchest/captcha"
 	"github.com/gin-gonic/gin"
 	"github.com/ihexxa/gocfg"
 	"golang.org/x/crypto/bcrypt"
@ -61,6 +62,8 @@ func NewMultiUsersSvc(cfg gocfg.ICfg, deps *depidx.Deps) (*MultiUsersSvc, error)
 		apiRuleCname(userstore.AdminRole, "DELETE", "/v1/fs/uploadings"):      true,
 		apiRuleCname(userstore.AdminRole, "GET", "/v1/fs/metadata"):           true,
 		apiRuleCname(userstore.AdminRole, "OPTIONS", "/v1/settings/health"):   true,
+		apiRuleCname(userstore.AdminRole, "GET", "/v1/captchas/"):             true,
+		apiRuleCname(userstore.AdminRole, "GET", "/v1/captchas/imgs"):         true,
 		// user rules
 		apiRuleCname(userstore.UserRole, "GET", "/"):                       true,
 		apiRuleCname(userstore.UserRole, "GET", publicPath):                true,
@ -82,6 +85,8 @@ func NewMultiUsersSvc(cfg gocfg.ICfg, deps *depidx.Deps) (*MultiUsersSvc, error)
 		apiRuleCname(userstore.UserRole, "DELETE", "/v1/fs/uploadings"):    true,
 		apiRuleCname(userstore.UserRole, "GET", "/v1/fs/metadata"):         true,
 		apiRuleCname(userstore.UserRole, "OPTIONS", "/v1/settings/health"): true,
+		apiRuleCname(userstore.UserRole, "GET", "/v1/captchas/"):           true,
+		apiRuleCname(userstore.UserRole, "GET", "/v1/captchas/imgs"):       true,
 		// visitor rules
 		apiRuleCname(userstore.VisitorRole, "GET", "/"):                       true,
 		apiRuleCname(userstore.VisitorRole, "GET", publicPath):                true,
@ -90,6 +95,8 @@ func NewMultiUsersSvc(cfg gocfg.ICfg, deps *depidx.Deps) (*MultiUsersSvc, error)
 		apiRuleCname(userstore.VisitorRole, "GET", "/v1/users/self"):          true,
 		apiRuleCname(userstore.VisitorRole, "GET", "/v1/fs/files"):            true,
 		apiRuleCname(userstore.VisitorRole, "OPTIONS", "/v1/settings/health"): true,
+		apiRuleCname(userstore.VisitorRole, "GET", "/v1/captchas/"):           true,
+		apiRuleCname(userstore.VisitorRole, "GET", "/v1/captchas/imgs"):       true,
 	}

 	return &MultiUsersSvc{
@ -122,8 +129,10 @@ func (h *MultiUsersSvc) IsInited() bool {
 }

 type LoginReq struct {
-	User string `json:"user"`
-	Pwd  string `json:"pwd"`
+	User         string `json:"user"`
+	Pwd          string `json:"pwd"`
+	CaptchaID    string `json:"captchaId"`
+	CaptchaInput string `json:"captchaInput"`
 }

 func (h *MultiUsersSvc) Login(c *gin.Context) {
@ -133,6 +142,15 @@ func (h *MultiUsersSvc) Login(c *gin.Context) {
 		return
 	}

+	// TODO: add rate limiter for verifying
+	captchaEnabled := h.cfg.BoolOr("Users.CaptchaEnabled", true)
+	if captchaEnabled {
+		if !captcha.VerifyString(req.CaptchaID, req.CaptchaInput) {
+			c.JSON(q.ErrResp(c, 403, errors.New("login failed")))
+			return
+		}
+	}
+
 	user, err := h.deps.Users().GetUserByName(req.User)
 	if err != nil {
 		c.JSON(q.ErrResp(c, 500, err))