Add CSRF, CAPTCHA, and input validation improvements
Introduces CSRF protection to all sensitive controller actions, integrates configurable CAPTCHA (reCAPTCHA v2/v3, Turnstile) for authentication and registration flows, and centralizes input validation via a new InputValidator helper. Adds new helpers and services for CSRF and CAPTCHA, updates settings and migration for CAPTCHA configuration, and enhances logging and error handling in TLD registry import processes. Also improves validation for user, domain, group, and profile inputs throughout the application.
2025-10-10 00:04:12 +03:00
|
|
|
<?php
|
|
|
|
|
|
|
|
|
|
namespace App\Services;
|
|
|
|
|
|
|
|
|
|
use App\Models\Setting;
|
|
|
|
|
|
|
|
|
|
class CaptchaService
|
|
|
|
|
{
|
|
|
|
|
private Setting $settingModel;
|
|
|
|
|
private array $captchaSettings;
|
|
|
|
|
|
|
|
|
|
// Verification endpoints
|
|
|
|
|
private const RECAPTCHA_VERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';
|
|
|
|
|
private const TURNSTILE_VERIFY_URL = 'https://challenges.cloudflare.com/turnstile/v0/siteverify';
|
|
|
|
|
|
|
|
|
|
public function __construct()
|
|
|
|
|
{
|
|
|
|
|
$this->settingModel = new Setting();
|
|
|
|
|
$this->captchaSettings = $this->settingModel->getCaptchaSettings();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Verify CAPTCHA response based on configured provider
|
|
|
|
|
*
|
|
|
|
|
* @param string|null $response CAPTCHA response token from client
|
|
|
|
|
* @param string|null $remoteIp Remote IP address of the user
|
|
|
|
|
* @return array ['success' => bool, 'error' => string|null, 'score' => float|null]
|
|
|
|
|
*/
|
|
|
|
|
public function verifyCaptcha(?string $response, ?string $remoteIp = null): array
|
|
|
|
|
{
|
|
|
|
|
$provider = $this->captchaSettings['provider'] ?? 'disabled';
|
|
|
|
|
|
|
|
|
|
// If CAPTCHA is disabled, always return success
|
|
|
|
|
if ($provider === 'disabled') {
|
|
|
|
|
return ['success' => true, 'error' => null, 'score' => null];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Validate that response token is provided
|
|
|
|
|
if (empty($response)) {
|
|
|
|
|
return ['success' => false, 'error' => 'CAPTCHA verification failed. Please try again.', 'score' => null];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Verify based on provider
|
|
|
|
|
switch ($provider) {
|
|
|
|
|
case 'recaptcha_v2':
|
|
|
|
|
return $this->verifyRecaptchaV2($response, $remoteIp);
|
|
|
|
|
|
|
|
|
|
case 'recaptcha_v3':
|
|
|
|
|
return $this->verifyRecaptchaV3($response, $remoteIp);
|
|
|
|
|
|
|
|
|
|
case 'turnstile':
|
|
|
|
|
return $this->verifyTurnstile($response, $remoteIp);
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
// Unknown provider - allow through but log
|
2025-11-18 13:22:49 +02:00
|
|
|
$logger = new \App\Services\Logger();
|
|
|
|
|
$logger->warning('Unknown CAPTCHA provider', ['provider' => $provider]);
|
Add CSRF, CAPTCHA, and input validation improvements
Introduces CSRF protection to all sensitive controller actions, integrates configurable CAPTCHA (reCAPTCHA v2/v3, Turnstile) for authentication and registration flows, and centralizes input validation via a new InputValidator helper. Adds new helpers and services for CSRF and CAPTCHA, updates settings and migration for CAPTCHA configuration, and enhances logging and error handling in TLD registry import processes. Also improves validation for user, domain, group, and profile inputs throughout the application.
2025-10-10 00:04:12 +03:00
|
|
|
return ['success' => true, 'error' => null, 'score' => null];
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Verify reCAPTCHA v2 response
|
|
|
|
|
*/
|
|
|
|
|
private function verifyRecaptchaV2(string $response, ?string $remoteIp): array
|
|
|
|
|
{
|
|
|
|
|
$secretKey = $this->captchaSettings['secret_key'] ?? '';
|
|
|
|
|
|
|
|
|
|
if (empty($secretKey)) {
|
2025-11-18 13:22:49 +02:00
|
|
|
$logger = new \App\Services\Logger();
|
|
|
|
|
$logger->error('reCAPTCHA v2 secret key is not configured');
|
Add CSRF, CAPTCHA, and input validation improvements
Introduces CSRF protection to all sensitive controller actions, integrates configurable CAPTCHA (reCAPTCHA v2/v3, Turnstile) for authentication and registration flows, and centralizes input validation via a new InputValidator helper. Adds new helpers and services for CSRF and CAPTCHA, updates settings and migration for CAPTCHA configuration, and enhances logging and error handling in TLD registry import processes. Also improves validation for user, domain, group, and profile inputs throughout the application.
2025-10-10 00:04:12 +03:00
|
|
|
return ['success' => false, 'error' => 'CAPTCHA is misconfigured. Please contact administrator.', 'score' => null];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$data = [
|
|
|
|
|
'secret' => $secretKey,
|
|
|
|
|
'response' => $response
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
if ($remoteIp) {
|
|
|
|
|
$data['remoteip'] = $remoteIp;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$result = $this->sendVerificationRequest(self::RECAPTCHA_VERIFY_URL, $data);
|
|
|
|
|
|
|
|
|
|
if ($result === null) {
|
|
|
|
|
return ['success' => false, 'error' => 'CAPTCHA verification service unavailable. Please try again later.', 'score' => null];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!isset($result['success']) || !$result['success']) {
|
|
|
|
|
$errorCodes = $result['error-codes'] ?? [];
|
2025-11-18 13:22:49 +02:00
|
|
|
$logger = new \App\Services\Logger();
|
|
|
|
|
$logger->warning('reCAPTCHA v2 verification failed', ['error_codes' => $errorCodes]);
|
Add CSRF, CAPTCHA, and input validation improvements
Introduces CSRF protection to all sensitive controller actions, integrates configurable CAPTCHA (reCAPTCHA v2/v3, Turnstile) for authentication and registration flows, and centralizes input validation via a new InputValidator helper. Adds new helpers and services for CSRF and CAPTCHA, updates settings and migration for CAPTCHA configuration, and enhances logging and error handling in TLD registry import processes. Also improves validation for user, domain, group, and profile inputs throughout the application.
2025-10-10 00:04:12 +03:00
|
|
|
return ['success' => false, 'error' => 'CAPTCHA verification failed. Please try again.', 'score' => null];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ['success' => true, 'error' => null, 'score' => null];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Verify reCAPTCHA v3 response (score-based)
|
|
|
|
|
*/
|
|
|
|
|
private function verifyRecaptchaV3(string $response, ?string $remoteIp): array
|
|
|
|
|
{
|
|
|
|
|
$secretKey = $this->captchaSettings['secret_key'] ?? '';
|
|
|
|
|
$threshold = floatval($this->captchaSettings['score_threshold'] ?? 0.5);
|
|
|
|
|
|
|
|
|
|
if (empty($secretKey)) {
|
2025-11-18 13:22:49 +02:00
|
|
|
$logger = new \App\Services\Logger();
|
|
|
|
|
$logger->error('reCAPTCHA v3 secret key is not configured');
|
Add CSRF, CAPTCHA, and input validation improvements
Introduces CSRF protection to all sensitive controller actions, integrates configurable CAPTCHA (reCAPTCHA v2/v3, Turnstile) for authentication and registration flows, and centralizes input validation via a new InputValidator helper. Adds new helpers and services for CSRF and CAPTCHA, updates settings and migration for CAPTCHA configuration, and enhances logging and error handling in TLD registry import processes. Also improves validation for user, domain, group, and profile inputs throughout the application.
2025-10-10 00:04:12 +03:00
|
|
|
return ['success' => false, 'error' => 'CAPTCHA is misconfigured. Please contact administrator.', 'score' => null];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$data = [
|
|
|
|
|
'secret' => $secretKey,
|
|
|
|
|
'response' => $response
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
if ($remoteIp) {
|
|
|
|
|
$data['remoteip'] = $remoteIp;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$result = $this->sendVerificationRequest(self::RECAPTCHA_VERIFY_URL, $data);
|
|
|
|
|
|
|
|
|
|
if ($result === null) {
|
|
|
|
|
return ['success' => false, 'error' => 'CAPTCHA verification service unavailable. Please try again later.', 'score' => null];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!isset($result['success']) || !$result['success']) {
|
|
|
|
|
$errorCodes = $result['error-codes'] ?? [];
|
2025-11-18 13:22:49 +02:00
|
|
|
$logger = new \App\Services\Logger();
|
|
|
|
|
$logger->warning('reCAPTCHA v3 verification failed', ['error_codes' => $errorCodes]);
|
Add CSRF, CAPTCHA, and input validation improvements
Introduces CSRF protection to all sensitive controller actions, integrates configurable CAPTCHA (reCAPTCHA v2/v3, Turnstile) for authentication and registration flows, and centralizes input validation via a new InputValidator helper. Adds new helpers and services for CSRF and CAPTCHA, updates settings and migration for CAPTCHA configuration, and enhances logging and error handling in TLD registry import processes. Also improves validation for user, domain, group, and profile inputs throughout the application.
2025-10-10 00:04:12 +03:00
|
|
|
return ['success' => false, 'error' => 'CAPTCHA verification failed. Please try again.', 'score' => null];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check score
|
|
|
|
|
$score = floatval($result['score'] ?? 0);
|
|
|
|
|
|
|
|
|
|
if ($score < $threshold) {
|
2025-11-18 13:22:49 +02:00
|
|
|
$logger = new \App\Services\Logger();
|
|
|
|
|
$logger->warning('reCAPTCHA v3 score too low', [
|
|
|
|
|
'score' => $score,
|
|
|
|
|
'threshold' => $threshold,
|
|
|
|
|
'ip' => $_SERVER['REMOTE_ADDR'] ?? 'unknown'
|
|
|
|
|
]);
|
Add CSRF, CAPTCHA, and input validation improvements
Introduces CSRF protection to all sensitive controller actions, integrates configurable CAPTCHA (reCAPTCHA v2/v3, Turnstile) for authentication and registration flows, and centralizes input validation via a new InputValidator helper. Adds new helpers and services for CSRF and CAPTCHA, updates settings and migration for CAPTCHA configuration, and enhances logging and error handling in TLD registry import processes. Also improves validation for user, domain, group, and profile inputs throughout the application.
2025-10-10 00:04:12 +03:00
|
|
|
return ['success' => false, 'error' => 'Security verification failed. Please try again or contact support.', 'score' => $score];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ['success' => true, 'error' => null, 'score' => $score];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Verify Cloudflare Turnstile response
|
|
|
|
|
*/
|
|
|
|
|
private function verifyTurnstile(string $response, ?string $remoteIp): array
|
|
|
|
|
{
|
|
|
|
|
$secretKey = $this->captchaSettings['secret_key'] ?? '';
|
|
|
|
|
|
|
|
|
|
if (empty($secretKey)) {
|
2025-11-18 13:22:49 +02:00
|
|
|
$logger = new \App\Services\Logger();
|
|
|
|
|
$logger->error('Turnstile secret key is not configured');
|
Add CSRF, CAPTCHA, and input validation improvements
Introduces CSRF protection to all sensitive controller actions, integrates configurable CAPTCHA (reCAPTCHA v2/v3, Turnstile) for authentication and registration flows, and centralizes input validation via a new InputValidator helper. Adds new helpers and services for CSRF and CAPTCHA, updates settings and migration for CAPTCHA configuration, and enhances logging and error handling in TLD registry import processes. Also improves validation for user, domain, group, and profile inputs throughout the application.
2025-10-10 00:04:12 +03:00
|
|
|
return ['success' => false, 'error' => 'CAPTCHA is misconfigured. Please contact administrator.', 'score' => null];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$data = [
|
|
|
|
|
'secret' => $secretKey,
|
|
|
|
|
'response' => $response
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
if ($remoteIp) {
|
|
|
|
|
$data['remoteip'] = $remoteIp;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$result = $this->sendVerificationRequest(self::TURNSTILE_VERIFY_URL, $data);
|
|
|
|
|
|
|
|
|
|
if ($result === null) {
|
|
|
|
|
return ['success' => false, 'error' => 'CAPTCHA verification service unavailable. Please try again later.', 'score' => null];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!isset($result['success']) || !$result['success']) {
|
|
|
|
|
$errorCodes = $result['error-codes'] ?? [];
|
2025-11-18 13:22:49 +02:00
|
|
|
$logger = new \App\Services\Logger();
|
|
|
|
|
$logger->warning('Turnstile verification failed', ['error_codes' => $errorCodes]);
|
Add CSRF, CAPTCHA, and input validation improvements
Introduces CSRF protection to all sensitive controller actions, integrates configurable CAPTCHA (reCAPTCHA v2/v3, Turnstile) for authentication and registration flows, and centralizes input validation via a new InputValidator helper. Adds new helpers and services for CSRF and CAPTCHA, updates settings and migration for CAPTCHA configuration, and enhances logging and error handling in TLD registry import processes. Also improves validation for user, domain, group, and profile inputs throughout the application.
2025-10-10 00:04:12 +03:00
|
|
|
return ['success' => false, 'error' => 'CAPTCHA verification failed. Please try again.', 'score' => null];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ['success' => true, 'error' => null, 'score' => null];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Send verification request to CAPTCHA provider API
|
|
|
|
|
*/
|
|
|
|
|
private function sendVerificationRequest(string $url, array $data): ?array
|
|
|
|
|
{
|
|
|
|
|
$options = [
|
|
|
|
|
'http' => [
|
|
|
|
|
'method' => 'POST',
|
|
|
|
|
'header' => 'Content-Type: application/x-www-form-urlencoded',
|
|
|
|
|
'content' => http_build_query($data),
|
|
|
|
|
'timeout' => 10
|
|
|
|
|
]
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
$context = stream_context_create($options);
|
|
|
|
|
$response = @file_get_contents($url, false, $context);
|
|
|
|
|
|
|
|
|
|
if ($response === false) {
|
2025-11-18 13:22:49 +02:00
|
|
|
$logger = new \App\Services\Logger();
|
|
|
|
|
$logger->error('Failed to connect to CAPTCHA verification service', ['url' => $url]);
|
Add CSRF, CAPTCHA, and input validation improvements
Introduces CSRF protection to all sensitive controller actions, integrates configurable CAPTCHA (reCAPTCHA v2/v3, Turnstile) for authentication and registration flows, and centralizes input validation via a new InputValidator helper. Adds new helpers and services for CSRF and CAPTCHA, updates settings and migration for CAPTCHA configuration, and enhances logging and error handling in TLD registry import processes. Also improves validation for user, domain, group, and profile inputs throughout the application.
2025-10-10 00:04:12 +03:00
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$result = json_decode($response, true);
|
|
|
|
|
|
|
|
|
|
if (json_last_error() !== JSON_ERROR_NONE) {
|
2025-11-18 13:22:49 +02:00
|
|
|
$logger = new \App\Services\Logger();
|
|
|
|
|
$logger->error('Failed to parse CAPTCHA verification response', [
|
|
|
|
|
'error' => json_last_error_msg()
|
|
|
|
|
]);
|
Add CSRF, CAPTCHA, and input validation improvements
Introduces CSRF protection to all sensitive controller actions, integrates configurable CAPTCHA (reCAPTCHA v2/v3, Turnstile) for authentication and registration flows, and centralizes input validation via a new InputValidator helper. Adds new helpers and services for CSRF and CAPTCHA, updates settings and migration for CAPTCHA configuration, and enhances logging and error handling in TLD registry import processes. Also improves validation for user, domain, group, and profile inputs throughout the application.
2025-10-10 00:04:12 +03:00
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return $result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Get current CAPTCHA settings for view rendering
|
|
|
|
|
*/
|
|
|
|
|
public function getCaptchaSettings(): array
|
|
|
|
|
{
|
|
|
|
|
return $this->captchaSettings;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Check if CAPTCHA is enabled
|
|
|
|
|
*/
|
|
|
|
|
public function isEnabled(): bool
|
|
|
|
|
{
|
|
|
|
|
$provider = $this->captchaSettings['provider'] ?? 'disabled';
|
|
|
|
|
return $provider !== 'disabled';
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
