
Changeset 9147


Timestamp:
09/23/2019 06:26:14 AM (6 years ago)
Author:
dd32
Message:

Login: Add reCaptcha v3 in logging-only mode for registration.

See #4739.

Location:
sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login
Files:
2 edited

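--- a/sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/functions-registration.php
+++ b/sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/functions-registration.php
@@ -6,17 +6,12 @@
     }
 
-    $verify = array(
-        'secret'   => RECAPTCHA_INVIS_PRIVKEY,
-        'remoteip' => $_SERVER['REMOTE_ADDR'],
-        'response' => $_POST['g-recaptcha-response'],
-    );
-
-    $resp = wp_remote_post( 'https://www.google.com/recaptcha/api/siteverify', array( 'body' => $verify ) );
-    if ( is_wp_error( $resp ) || 200 != wp_remote_retrieve_response_code( $resp ) ) {
-        return false;
-    }
-
-    $result = json_decode( wp_remote_retrieve_body( $resp ), true );
-
+    $result = wporg_login_recaptcha_api(
+        $_POST['g-recaptcha-response'],
+        RECAPTCHA_INVIS_PRIVKEY
+    );
+
+    if ( ! $result ) {
+        return false;
+    }
     return (bool) $result['success'];
 }
@@ -55,4 +50,17 @@
     );
 
+    // reCaptcha v3 logging.
+    if ( isset( $_POST['_reCaptcha_v3_token'] ) ) {
+        $recaptcha_api = wporg_login_recaptcha_api(
+            $_POST['_reCaptcha_v3_token'],
+            RECAPTCHA_V3_PRIVKEY
+        );
+        $pending_user['scores']['pending'] = -1;
+        if ( $recaptcha_api && $recaptcha_api['success'] && 'register' == $recaptcha_api['action'] ) {
+            $pending_user['scores']['pending'] = $recaptcha_api['score'];
+        }
+       
+    }
+
     $inserted = wporg_update_pending_user( $pending_user );
     if ( ! $inserted ) {
@@ -168,4 +176,17 @@
     $pending_user['created_date'] = gmdate( 'Y-m-d H:i:s' );
     $pending_user['meta']['confirmed_ip'] = $_SERVER['REMOTE_ADDR']; // Spam/Fraud purposes, will be deleted once not needed.
+
+    // reCaptcha v3 logging.
+    if ( isset( $_POST['_reCaptcha_v3_token'] ) ) {
+        $recaptcha_api = wporg_login_recaptcha_api(
+            $_POST['_reCaptcha_v3_token'],
+            RECAPTCHA_V3_PRIVKEY
+        );
+        $pending_user['scores']['create'] = -1;
+        if ( $recaptcha_api && $recaptcha_api['success'] && 'pending_create' == $recaptcha_api['action'] ) {
+            $pending_user['scores']['create'] = $recaptcha_api['score'];
+        }
+    }
+
     wporg_update_pending_user( $pending_user );
 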
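Review bot: The new block at lines 52-63 indexes `$recaptcha_api['action']` and `$recaptcha_api['score']` without `isset()`, so a success response that omits either key raises a notice instead of falling through to the -1 default; the same applies to the copy at 179-189, and line 62 is a whitespace-only line. Since the two copies differ only in the expected action and the `scores` key, a helper next to wporg_login_recaptcha_api can carry the guards once and reduce each call site to `$pending_user['scores']['pending'] = wporg_login_recaptcha_v3_score( $_POST['_reCaptcha_v3_token'], 'register' );` (and `['create']` with `'pending_create'` at 185-187), keeping the existing `isset( $_POST['_reCaptcha_v3_token'] )` check around it. For a logging-only rollout it is also worth storing siteverify's `error-codes` alongside the -1, since a transport failure, an expired token and a rejected token are otherwise indistinguishable in the recorded scores. Both enclosing functions begin outside the hunks.
```php
/**
 * Verifies a submitted reCaptcha v3 token and returns its score for the given action.
 *
 * @param string $token  The client-submitted reCaptcha v3 token.
 * @param string $action The action name the token is expected to carry.
 * @return float|int The reported score, or -1 when the request failed or the
 *                   response is not a successful verification for $action.
 */
function wporg_login_recaptcha_v3_score( $token, $action ) {
    $resp = wporg_login_recaptcha_api( $token, RECAPTCHA_V3_PRIVKEY );
    if (
        ! is_array( $resp ) || empty( $resp['success'] ) ||
        ! isset( $resp['action'], $resp['score'] ) || $action !== $resp['action']
    ) {
        return -1;
    }

    return $resp['score'];
}
```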
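--- a/sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/functions.php
+++ b/sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/functions.php
@@ -81,4 +81,26 @@
         'rest_url' => esc_url_raw( rest_url( "wporg/v1" ) )
     ) );
+
+    // reCaptcha v3 is loaded on all login pages, not just the registration flow.
+    wp_enqueue_script( 'recaptcha-api-v3', 'https://www.google.com/recaptcha/api.js?onload=reCaptcha_v3_init&render=' . RECAPTCHA_V3_PUBKEY, array(), '3' );
+    wp_add_inline_script(
+        'recaptcha-api-v3',
+        'function reCaptcha_v3_init() {
+            grecaptcha.execute(' .
+                json_encode( RECAPTCHA_V3_PUBKEY ) .
+                ', {action: ' . json_encode(
+                    str_replace( '-', '_', WP_WPOrg_SSO::$matched_route ?: 'login' ) // Must match ^[a-Z_ ]$, but we use -
+                ) .' }
+            ).then( function( token ) {
+                // Add the token to the "primary" form
+                var input = document.createElement( "input" );
+                input.setAttribute( "type", "hidden" );
+                input.setAttribute( "name", "_reCaptcha_v3_token" );
+                input.setAttribute( "value", token );
+
+                document.getElementsByTagName("form")[0].appendChild( input );
+            });
+        }'
+    );
 }
 add_action( 'init', 'wporg_login_register_scripts' );
@@ -273,2 +295,20 @@
 add_action( 'wp_footer', 'wporg_login_language_switcher', 1 );
 add_action( 'login_footer', 'wporg_login_language_switcher', 1 );
+
+/**
+ * Simple API for accessing the reCaptcha verify api.
+ */
+function wporg_login_recaptcha_api( $token, $key ) {
+    $verify = array(
+        'secret'   => $key,
+        'remoteip' => $_SERVER['REMOTE_ADDR'],
+        'response' => $token,
+    );
+
+    $resp = wp_remote_post( 'https://www.google.com/recaptcha/api/siteverify', array( 'body' => $verify ) );
+    if ( is_wp_error( $resp ) || 200 != wp_remote_retrieve_response_code( $resp ) ) {
+        return false;
+    }
+
+    return json_decode( wp_remote_retrieve_body( $resp ), true );
+}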
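Review bot: wporg_login_recaptcha_api (new lines 301-314) returns whatever json_decode produces, so a non-JSON or scalar body yields null or a scalar rather than the array-or-false the callers in functions-registration.php index into; guarding the decode with `$result = json_decode( wp_remote_retrieve_body( $resp ), true );` followed by `return is_array( $result ) ? $result : false;` makes the contract hold. The docblock at 298-300 should state that contract and the failure cases, e.g. `@param string $token The client-submitted reCaptcha response token (not validated here).`, `@param string $key The reCaptcha secret key to verify against.` and `@return array|false The decoded siteverify response, or false on a transport error or non-200 status.`. `remoteip` is taken from `$_SERVER['REMOTE_ADDR']`, which would be the proxy's address if the site sits behind a reverse proxy, so worth confirming for this deployment. The request also relies on the default wp_remote_post timeout; as v3 is logging-only here, an explicit short `'timeout'` in the request args would keep a slow siteverify endpoint from stalling registration.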