Merge branch 'dblessing_missing_captchas' into 'master'

Add reCAPTCHA to password reset and confirmation email forms See merge request gitlab-org/gitlab!72331

Merge branch 'dblessing_missing_captchas' into 'master'
Add reCAPTCHA to password reset and confirmation email forms See merge request gitlab-org/gitlab!72331
c0c00782 · Vitaly Slobodin · ee68fd89 · 6fa2efdf · c0c00782 · c0c00782
Commit c0c00782 authored Nov 02, 2021 by Vitaly Slobodin
10 changed files
--- a/app/controllers/concerns/gitlab_recaptcha.rb
+++ b/app/controllers/concerns/gitlab_recaptcha.rb
+# frozen_string_literal: true
+module GitlabRecaptcha
+  extend ActiveSupport::Concern
+  include Recaptcha::Verify
+  include RecaptchaHelper
+  def load_recaptcha
+    recaptcha_enabled? && Gitlab::Recaptcha.load_configurations!
+  end
+  def check_recaptcha
+    return unless load_recaptcha
+    return if verify_recaptcha
+    flash[:alert] = _('There was an error with the reCAPTCHA. Please solve the reCAPTCHA again.')
+    flash.delete :recaptcha_error
+    self.resource = resource_class.new
+    render action: 'new'
+  end
+end
--- a/app/controllers/confirmations_controller.rb
+++ b/app/controllers/confirmations_controller.rb
@@ -2,6 +2,10 @@
 class ConfirmationsController < Devise::ConfirmationsController
  include AcceptsPendingInvitations
+  include GitlabRecaptcha
+  prepend_before_action :check_recaptcha, only: :create
+  before_action :load_recaptcha, only: :new
  feature_category :users
@@ -31,6 +35,12 @@ class ConfirmationsController < Devise::ConfirmationsController
    end
  end
+  def check_recaptcha
+    return unless resource_params[:email].present?
+    super
+  end
  def after_sign_in(resource)
    after_sign_in_path_for(resource)
  end

--- a/app/controllers/passwords_controller.rb
+++ b/app/controllers/passwords_controller.rb
 # frozen_string_literal: true
 class PasswordsController < Devise::PasswordsController
+  include GitlabRecaptcha
  skip_before_action :require_no_authentication, only: [:edit, :update]
+  prepend_before_action :check_recaptcha, only: :create
+  before_action :load_recaptcha, only: :new
  before_action :resource_from_email, only: [:create]
  before_action :check_password_authentication_available, only: [:create]
  before_action :throttle_reset, only: [:create]
@@ -59,6 +63,12 @@ class PasswordsController < Devise::PasswordsController
      alert: _("Password authentication is unavailable.")
  end
+  def check_recaptcha
+    return unless resource_params[:email].present?
+    super
+  end
  def throttle_reset
    return unless resource && resource.recently_sent_password_reset?

--- a/app/helpers/recaptcha_helper.rb
+++ b/app/helpers/recaptcha_helper.rb
 # frozen_string_literal: true
 module RecaptchaHelper
-  def show_recaptcha_sign_up?
+  def recaptcha_enabled?
    !!Gitlab::Recaptcha.enabled?
  end
+  alias_method :show_recaptcha_sign_up?, :recaptcha_enabled?
 end
 RecaptchaHelper.prepend_mod
--- a/app/views/devise/confirmations/new.html.haml
+++ b/app/views/devise/confirmations/new.html.haml
@@ -7,7 +7,12 @@
      .form-group
        = f.label :email
        = f.email_field :email, class: "form-control gl-form-input", required: true, title: _('Please provide a valid email address.'), value: nil
-      .clearfix
+      %div
+      - if recaptcha_enabled?
+        = recaptcha_tags nonce: content_security_policy_nonce
+      .gl-mt-5
        = f.submit _("Resend"), class: 'gl-button btn btn-confirm'
 .clearfix.prepend-top-20

--- a/app/views/devise/passwords/new.html.haml
+++ b/app/views/devise/passwords/new.html.haml
@@ -8,7 +8,12 @@
        = f.email_field :email, class: "form-control gl-form-input", required: true, value: params[:user_email], autofocus: true, title: _('Please provide a valid email address.')
        .form-text.text-muted
          = _('Requires your primary GitLab email address.')
-      .clearfix
+      %div
+      - if recaptcha_enabled?
+        = recaptcha_tags nonce: content_security_policy_nonce
+      .gl-mt-5
        = f.submit _("Reset password"), class: "gl-button btn-confirm btn"
 .clearfix.prepend-top-20

--- a/spec/controllers/confirmations_controller_spec.rb
+++ b/spec/controllers/confirmations_controller_spec.rb
@@ -123,4 +123,45 @@ RSpec.describe ConfirmationsController do
      end
    end
  end
+  describe '#create' do
+    let(:user) { create(:user) }
+    subject(:perform_request) { post(:create, params: { user: { email: user.email } }) }
+    context 'when reCAPTCHA is disabled' do
+      before do
+        stub_application_setting(recaptcha_enabled: false)
+      end
+      it 'successfully sends password reset when reCAPTCHA is not solved' do
+        perform_request
+        expect(response).to redirect_to(dashboard_projects_path)
+      end
+    end
+    context 'when reCAPTCHA is enabled' do
+      before do
+        stub_application_setting(recaptcha_enabled: true)
+      end
+      it 'displays an error when the reCAPTCHA is not solved' do
+        Recaptcha.configuration.skip_verify_env.delete('test')
+        perform_request
+        expect(response).to render_template(:new)
+        expect(flash[:alert]).to include 'There was an error with the reCAPTCHA. Please solve the reCAPTCHA again.'
+      end
+      it 'successfully sends password reset when reCAPTCHA is solved' do
+        Recaptcha.configuration.skip_verify_env << 'test'
+        perform_request
+        expect(response).to redirect_to(dashboard_projects_path)
+      end
+    end
+  end
 end
--- a/spec/controllers/passwords_controller_spec.rb
+++ b/spec/controllers/passwords_controller_spec.rb
@@ -91,4 +91,47 @@ RSpec.describe PasswordsController do
      end
    end
  end
+  describe '#create' do
+    let(:user) { create(:user) }
+    subject(:perform_request) { post(:create, params: { user: { email: user.email } }) }
+    context 'when reCAPTCHA is disabled' do
+      before do
+        stub_application_setting(recaptcha_enabled: false)
+      end
+      it 'successfully sends password reset when reCAPTCHA is not solved' do
+        perform_request
+        expect(response).to redirect_to(new_user_session_path)
+        expect(flash[:notice]).to include 'If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes.'
+      end
+    end
+    context 'when reCAPTCHA is enabled' do
+      before do
+        stub_application_setting(recaptcha_enabled: true)
+      end
+      it 'displays an error when the reCAPTCHA is not solved' do
+        Recaptcha.configuration.skip_verify_env.delete('test')
+        perform_request
+        expect(response).to render_template(:new)
+        expect(flash[:alert]).to include 'There was an error with the reCAPTCHA. Please solve the reCAPTCHA again.'
+      end
+      it 'successfully sends password reset when reCAPTCHA is solved' do
+        Recaptcha.configuration.skip_verify_env << 'test'
+        perform_request
+        expect(response).to redirect_to(new_user_session_path)
+        expect(flash[:notice]).to include 'If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes.'
+      end
+    end
+  end
 end
--- a/spec/features/users/confirmation_spec.rb
+++ b/spec/features/users/confirmation_spec.rb
+# frozen_string_literal: true
+require 'spec_helper'
+RSpec.describe 'User confirmation' do
+  describe 'resend confirmation instructions' do
+    context 'when recaptcha is enabled' do
+      before do
+        stub_application_setting(recaptcha_enabled: true)
+        allow(Gitlab::Recaptcha).to receive(:load_configurations!)
+        visit new_user_confirmation_path
+      end
+      it 'renders recaptcha' do
+        expect(page).to have_css('.g-recaptcha')
+      end
+    end
+    context 'when recaptcha is not enabled' do
+      before do
+        stub_application_setting(recaptcha_enabled: false)
+        visit new_user_confirmation_path
+      end
+      it 'does not render recaptcha' do
+        expect(page).not_to have_css('.g-recaptcha')
+      end
+    end
+  end
+end
--- a/spec/features/users/password_spec.rb
+++ b/spec/features/users/password_spec.rb
+# frozen_string_literal: true
+require 'spec_helper'
+RSpec.describe 'User password' do
+  describe 'send password reset' do
+    context 'when recaptcha is enabled' do
+      before do
+        stub_application_setting(recaptcha_enabled: true)
+        allow(Gitlab::Recaptcha).to receive(:load_configurations!)
+        visit new_user_password_path
+      end
+      it 'renders recaptcha' do
+        expect(page).to have_css('.g-recaptcha')
+      end
+    end
+    context 'when recaptcha is not enabled' do
+      before do
+        stub_application_setting(recaptcha_enabled: false)
+        visit new_user_password_path
+      end
+      it 'does not render recaptcha' do
+        expect(page).not_to have_css('.g-recaptcha')
+      end
+    end
+  end
+end