Add reCAPTCHA to password reset and confirmation email forms

The global password reset and confirmation email forms previously had no reCAPTCHA and could be abused. This adds reCAPTCHA to both to reduce/prevent abuse. Changelog: security

Add reCAPTCHA to password reset and confirmation email forms
The global password reset and confirmation email forms previously had no reCAPTCHA and could be abused. This adds reCAPTCHA to both to reduce/prevent abuse. Changelog: security
6fa2efdf · Drew Blessing · 4866cbed · 6fa2efdf · 6fa2efdf · 6fa2efdf
Commit 6fa2efdf authored Sep 27, 2021 by Drew Blessing
10 changed files
--- a/app/controllers/concerns/gitlab_recaptcha.rb
+++ b/app/controllers/concerns/gitlab_recaptcha.rb
+# frozen_string_literal: true
+
+module GitlabRecaptcha
+  extend ActiveSupport::Concern
+  include Recaptcha::Verify
+  include RecaptchaHelper
+
+  def load_recaptcha
+    recaptcha_enabled? && Gitlab::Recaptcha.load_configurations!
+  end
+
+  def check_recaptcha
+    return unless load_recaptcha
+    return if verify_recaptcha
+
+    flash[:alert] = _('There was an error with the reCAPTCHA. Please solve the reCAPTCHA again.')
+    flash.delete :recaptcha_error
+
+    self.resource = resource_class.new
+    render action: 'new'
+  end
+end
--- a/app/controllers/confirmations_controller.rb
+++ b/app/controllers/confirmations_controller.rb
@@ -2,6 +2,10 @@

 class ConfirmationsController < Devise::ConfirmationsController
  include AcceptsPendingInvitations
+  include GitlabRecaptcha
+
+  prepend_before_action :check_recaptcha, only: :create
+  before_action :load_recaptcha, only: :new

  feature_category :users

@@ -31,6 +35,12 @@ class ConfirmationsController < Devise::ConfirmationsController
    end
  end

+  def check_recaptcha
+    return unless resource_params[:email].present?
+
+    super
+  end
+
  def after_sign_in(resource)
    after_sign_in_path_for(resource)
  end

--- a/app/controllers/passwords_controller.rb
+++ b/app/controllers/passwords_controller.rb
 # frozen_string_literal: true

 class PasswordsController < Devise::PasswordsController
+  include GitlabRecaptcha
+
  skip_before_action :require_no_authentication, only: [:edit, :update]

+  prepend_before_action :check_recaptcha, only: :create
+  before_action :load_recaptcha, only: :new
  before_action :resource_from_email, only: [:create]
  before_action :check_password_authentication_available, only: [:create]
  before_action :throttle_reset, only: [:create]
@@ -59,6 +63,12 @@ class PasswordsController < Devise::PasswordsController
      alert: _("Password authentication is unavailable.")
  end

+  def check_recaptcha
+    return unless resource_params[:email].present?
+
+    super
+  end
+
  def throttle_reset
    return unless resource && resource.recently_sent_password_reset?


--- a/app/helpers/recaptcha_helper.rb
+++ b/app/helpers/recaptcha_helper.rb
 # frozen_string_literal: true

 module RecaptchaHelper
-  def show_recaptcha_sign_up?
+  def recaptcha_enabled?
    !!Gitlab::Recaptcha.enabled?
  end
+  alias_method :show_recaptcha_sign_up?, :recaptcha_enabled?
 end

 RecaptchaHelper.prepend_mod
--- a/app/views/devise/confirmations/new.html.haml
+++ b/app/views/devise/confirmations/new.html.haml
@@ -7,7 +7,12 @@
      .form-group
        = f.label :email
        = f.email_field :email, class: "form-control gl-form-input", required: true, title: _('Please provide a valid email address.'), value: nil
-      .clearfix
+
+      %div
+      - if recaptcha_enabled?
+        = recaptcha_tags nonce: content_security_policy_nonce
+
+      .gl-mt-5
        = f.submit _("Resend"), class: 'gl-button btn btn-confirm'

 .clearfix.prepend-top-20

--- a/app/views/devise/passwords/new.html.haml
+++ b/app/views/devise/passwords/new.html.haml
@@ -8,7 +8,12 @@
        = f.email_field :email, class: "form-control gl-form-input", required: true, value: params[:user_email], autofocus: true, title: _('Please provide a valid email address.')
        .form-text.text-muted
          = _('Requires your primary GitLab email address.')
-      .clearfix
+
+      %div
+      - if recaptcha_enabled?
+        = recaptcha_tags nonce: content_security_policy_nonce
+
+      .gl-mt-5
        = f.submit _("Reset password"), class: "gl-button btn-confirm btn"

 .clearfix.prepend-top-20

--- a/spec/controllers/confirmations_controller_spec.rb
+++ b/spec/controllers/confirmations_controller_spec.rb
@@ -123,4 +123,45 @@ RSpec.describe ConfirmationsController do
      end
    end
  end
+
+  describe '#create' do
+    let(:user) { create(:user) }
+
+    subject(:perform_request) { post(:create, params: { user: { email: user.email } }) }
+
+    context 'when reCAPTCHA is disabled' do
+      before do
+        stub_application_setting(recaptcha_enabled: false)
+      end
+
+      it 'successfully sends password reset when reCAPTCHA is not solved' do
+        perform_request
+
+        expect(response).to redirect_to(dashboard_projects_path)
+      end
+    end
+
+    context 'when reCAPTCHA is enabled' do
+      before do
+        stub_application_setting(recaptcha_enabled: true)
+      end
+
+      it 'displays an error when the reCAPTCHA is not solved' do
+        Recaptcha.configuration.skip_verify_env.delete('test')
+
+        perform_request
+
+        expect(response).to render_template(:new)
+        expect(flash[:alert]).to include 'There was an error with the reCAPTCHA. Please solve the reCAPTCHA again.'
+      end
+
+      it 'successfully sends password reset when reCAPTCHA is solved' do
+        Recaptcha.configuration.skip_verify_env << 'test'
+
+        perform_request
+
+        expect(response).to redirect_to(dashboard_projects_path)
+      end
+    end
+  end
 end
--- a/spec/controllers/passwords_controller_spec.rb
+++ b/spec/controllers/passwords_controller_spec.rb
@@ -91,4 +91,47 @@ RSpec.describe PasswordsController do
      end
    end
  end
+
+  describe '#create' do
+    let(:user) { create(:user) }
+
+    subject(:perform_request) { post(:create, params: { user: { email: user.email } }) }
+
+    context 'when reCAPTCHA is disabled' do
+      before do
+        stub_application_setting(recaptcha_enabled: false)
+      end
+
+      it 'successfully sends password reset when reCAPTCHA is not solved' do
+        perform_request
+
+        expect(response).to redirect_to(new_user_session_path)
+        expect(flash[:notice]).to include 'If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes.'
+      end
+    end
+
+    context 'when reCAPTCHA is enabled' do
+      before do
+        stub_application_setting(recaptcha_enabled: true)
+      end
+
+      it 'displays an error when the reCAPTCHA is not solved' do
+        Recaptcha.configuration.skip_verify_env.delete('test')
+
+        perform_request
+
+        expect(response).to render_template(:new)
+        expect(flash[:alert]).to include 'There was an error with the reCAPTCHA. Please solve the reCAPTCHA again.'
+      end
+
+      it 'successfully sends password reset when reCAPTCHA is solved' do
+        Recaptcha.configuration.skip_verify_env << 'test'
+
+        perform_request
+
+        expect(response).to redirect_to(new_user_session_path)
+        expect(flash[:notice]).to include 'If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes.'
+      end
+    end
+  end
 end
--- a/spec/features/users/confirmation_spec.rb
+++ b/spec/features/users/confirmation_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'User confirmation' do
+  describe 'resend confirmation instructions' do
+    context 'when recaptcha is enabled' do
+      before do
+        stub_application_setting(recaptcha_enabled: true)
+        allow(Gitlab::Recaptcha).to receive(:load_configurations!)
+        visit new_user_confirmation_path
+      end
+
+      it 'renders recaptcha' do
+        expect(page).to have_css('.g-recaptcha')
+      end
+    end
+
+    context 'when recaptcha is not enabled' do
+      before do
+        stub_application_setting(recaptcha_enabled: false)
+        visit new_user_confirmation_path
+      end
+
+      it 'does not render recaptcha' do
+        expect(page).not_to have_css('.g-recaptcha')
+      end
+    end
+  end
+end
--- a/spec/features/users/password_spec.rb
+++ b/spec/features/users/password_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'User password' do
+  describe 'send password reset' do
+    context 'when recaptcha is enabled' do
+      before do
+        stub_application_setting(recaptcha_enabled: true)
+        allow(Gitlab::Recaptcha).to receive(:load_configurations!)
+        visit new_user_password_path
+      end
+
+      it 'renders recaptcha' do
+        expect(page).to have_css('.g-recaptcha')
+      end
+    end
+
+    context 'when recaptcha is not enabled' do
+      before do
+        stub_application_setting(recaptcha_enabled: false)
+        visit new_user_password_path
+      end
+
+      it 'does not render recaptcha' do
+        expect(page).not_to have_css('.g-recaptcha')
+      end
+    end
+  end
+end