[ADD] fastapi_captcha

Author: paradoxxxzero

fastapi_captcha/README.rst

@@ -0,0 +1,98 @@
+===============
+Fastapi Captcha
+===============
+
+.. 
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! This file is generated by oca-gen-addon-readme !!
+   !! changes will be overwritten.                   !!
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! source digest: sha256:a507efff5b29eb67557d6283c396db18daddc1e48115ede431daff7f686594b6
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
+    :target: https://odoo-community.org/page/development-status
+    :alt: Beta
+.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
+    :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
+    :alt: License: AGPL-3
+.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Frest--framework-lightgray.png?logo=github
+    :target: https://github.com/OCA/rest-framework/tree/16.0/fastapi_captcha
+    :alt: OCA/rest-framework
+.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
+    :target: https://translation.odoo-community.org/projects/rest-framework-16-0/rest-framework-16-0-fastapi_captcha
+    :alt: Translate me on Weblate
+.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
+    :target: https://runboat.odoo-community.org/builds?repo=OCA/rest-framework&target_branch=16.0
+    :alt: Try me on Runboat
+
+|badge1| |badge2| |badge3| |badge4| |badge5|
+
+This module provides a simple way to protect several fastapi endpoints
+routes with a captcha.
+
+It curreently supports the following captcha providers:
+
+- `Google reCAPTCHA <https://www.google.com/recaptcha>`__
+- `hCaptcha <https://www.hcaptcha.com/>`__
+- `Altcha <https://altcha.org/>`__
+
+**Table of contents**
+
+.. contents::
+   :local:
+
+Usage
+=====
+
+Check the ``Use Captcha`` checkbox in your FastAPI endpoint to enable
+captcha validation, then enter your captcha provider, secret key and an
+array of route url regex.
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues <https://github.com/OCA/rest-framework/issues>`_.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+`feedback <https://github.com/OCA/rest-framework/issues/new?body=module:%20fastapi_captcha%0Aversion:%2016.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+
+Do not contact contributors directly about support or help with technical issues.
+
+Credits
+=======
+
+Authors
+-------
+
+* Akretion
+
+Contributors
+------------
+
+- Florian Mounier florian.mounier@akretion.com
+
+Maintainers
+-----------
+
+This module is maintained by the OCA.
+
+.. image:: https://odoo-community.org/logo.png
+   :alt: Odoo Community Association
+   :target: https://odoo-community.org
+
+OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.
+
+.. |maintainer-paradoxxxzero| image:: https://github.com/paradoxxxzero.png?size=40px
+    :target: https://github.com/paradoxxxzero
+    :alt: paradoxxxzero
+
+Current `maintainer <https://odoo-community.org/page/maintainer-role>`__:
+
+|maintainer-paradoxxxzero| 
+
+This module is part of the `OCA/rest-framework <https://github.com/OCA/rest-framework/tree/16.0/fastapi_captcha>`_ project on GitHub.
+
+You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.

fastapi_captcha/__init__.py

@@ -0,0 +1 @@
+from . import models

fastapi_captcha/__manifest__.py

@@ -0,0 +1,20 @@
+# Copyright 2025 Akretion (http://www.akretion.com).
+# @author Florian Mounier <florian.mounier@akretion.com>
+# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).
+
+{
+    "name": "Fastapi Captcha",
+    "version": "16.0.1.0.0",
+    "author": "Akretion, Odoo Community Association (OCA)",
+    "summary": "Add a captcha to your FastAPI routes",
+    "category": "Tools",
+    "depends": ["fastapi"],
+    "website": "https://github.com/OCA/rest-framework",
+    "data": [
+        "views/fastapi_endpoint_views.xml",
+    ],
+    "maintainers": ["paradoxxxzero"],
+    "demo": [],
+    "installable": True,
+    "license": "AGPL-3",
+}

fastapi_captcha/captcha_middleware.py

@@ -0,0 +1,36 @@
+# Copyright 2025 Akretion (http://www.akretion.com).
+# @author Florian Mounier <florian.mounier@akretion.com>
+# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).
+
+from starlette.middleware.base import BaseHTTPMiddleware
+
+from odoo import _
+from odoo.exceptions import AccessError
+
+from odoo.addons.fastapi.context import odoo_env_ctx
+
+
+class CaptchaMiddleware(BaseHTTPMiddleware):
+    def __init__(self, app, endpoint_id, root_path, routes_regex=None):
+        super().__init__(app)
+        self.endpoint_id = endpoint_id
+        self.root_path = root_path
+        self.routes_regex = routes_regex
+
+    async def dispatch(self, request, call_next):
+        url = request.url.path.replace(self.root_path, "", 1)
+        if self.routes_regex and not any(
+            rex.fullmatch(url) for rex in self.routes_regex
+        ):
+            return await call_next(request)
+
+        env = odoo_env_ctx.get()
+        endpoint = env["fastapi.endpoint"].sudo().browse(self.endpoint_id)
+        token = request.headers.get("X-Captcha-Token")
+        if not token:
+            raise AccessError(
+                _("Captcha token not found in headers"),
+            )
+        endpoint.validate_captcha(token)
+        response = await call_next(request)
+        return response

fastapi_captcha/models/__init__.py

@@ -0,0 +1 @@
+from . import fastapi_endpoint

fastapi_captcha/models/fastapi_endpoint.py

@@ -0,0 +1,213 @@
+# Copyright 2025 Akretion (http://www.akretion.com).
+# @author Florian Mounier <florian.mounier@akretion.com>
+# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).
+
+import re
+from typing import Annotated
+
+import requests
+from starlette.middleware import Middleware
+
+from odoo import _, api, fields, models
+from odoo.exceptions import AccessError, UserError, ValidationError
+
+from fastapi import Depends, Header
+
+from ..captcha_middleware import CaptchaMiddleware
+
+
+class FastapiEndpoint(models.Model):
+    _inherit = "fastapi.endpoint"
+
+    use_captcha = fields.Boolean(
+        help="If checked, this endpoint will be protected by a captcha",
+    )
+
+    captcha_type = fields.Selection(
+        [
+            ("recaptcha", "Recaptcha"),
+            ("hcaptcha", "Hcaptcha"),
+            ("altcha", "Altcha"),
+        ],
+        help="Type of captcha to use for this endpoint",
+    )
+
+    captcha_secret_key = fields.Char(
+        help="Secret key to use for the captcha validation",
+        groups="base.group_system",
+    )
+
+    captcha_routes_regex = fields.Char(
+        help="Regexes to match against routes url that should be protected "
+        "by this captcha, comma separated. If empty, all routes will be protected",
+    )
+
+    captcha_minimum_score = fields.Float(
+        default=0.5,
+        help="Minimum score to accept the captcha if a score is provided by the "
+        "captcha service.",
+    )
+
+    @property
+    def _server_env_fields(self):
+        fields = getattr(super(), "_server_env_fields", None) or {}
+        fields["captcha_secret_key"] = {}
+        return fields
+
+    @api.constrains("captcha_routes_regex")
+    def _check_captcha_routes_regex(self):
+        """Check that the captcha routes regex is valid"""
+        for record in self:
+            if record.captcha_routes_regex:
+                for rex in record.captcha_routes_regex.split(","):
+                    rex = rex.strip()
+                    if not rex:
+                        continue
+                    # Check that the regex is valid
+                    try:
+                        re.compile(rex)
+                    except re.error as e:
+                        raise ValidationError(
+                            _(
+                                "Invalid regex for captcha routes: %(regex)s (error: %(error)s)"
+                            )
+                            % {
+                                "regex": rex,
+                                "error": str(e),
+                            }
+                        ) from e
+
+    def _get_fastapi_app_middlewares(self):
+        # Add the captcha middleware to the list of middlewares if enabled
+        middlewares = super()._get_fastapi_app_middlewares()
+        if self.use_captcha:
+            middlewares.append(
+                Middleware(
+                    CaptchaMiddleware,
+                    endpoint_id=self.id,
+                    root_path=self.root_path,
+                    routes_regex=[
+                        re.compile(rex) for rex in self.captcha_routes_regex.split(",")
+                    ]
+                    if self.captcha_routes_regex
+                    else None,
+                )
+            )
+        return middlewares
+
+    def _get_fastapi_app_dependencies(self):
+        # Add the captcha header to the list of dependencies
+        dependencies = super()._get_fastapi_app_dependencies()
+        if self.use_captcha:
+            dependencies.append(Depends(captcha_token))
+
+        return dependencies
+
+    def validate_captcha(self, captcha_response):
+        """Validate the captcha response."""
+        secret_key = self.captcha_secret_key
+        if not secret_key:
+            raise UserError(_("No secret key found for this endpoint"))
+
+        if self.captcha_type == "recaptcha":
+            return self._validate_recaptcha(captcha_response, secret_key)
+        elif self.captcha_type == "hcaptcha":
+            return self._validate_hcaptcha(captcha_response, secret_key)
+        elif self.captcha_type == "altcha":
+            return self._validate_altcha(captcha_response, secret_key)
+
+    def _validate_recaptcha(self, captcha_response, secret_key):
+        """Validate the recaptcha response"""
+        data = {
+            "secret": secret_key,
+            "response": captcha_response,
+        }
+        response = requests.post(
+            "https://www.google.com/recaptcha/api/siteverify",
+            data=data,
+            timeout=10,
+        )
+        result = response.json()
+        success = result.get("success", False)
+        if not success:
+            error_codes = result.get("error-codes", ["?"])
+            raise AccessError(
+                _("Recaptcha validation failed: %s") % ", ".join(error_codes)
+            )
+        score = result.get("score", 1)
+        if score < self.captcha_minimum_score:
+            raise AccessError(
+                _("Recaptcha validation failed: score %(score)s < %(min_score)s")
+                % {
+                    "score": score,
+                    "min_score": self.captcha_minimum_score,
+                }
+            )
+
+    def _validate_hcaptcha(self, captcha_response, secret_key):
+        """Validate the hcaptcha response"""
+
+        data = {
+            "secret": secret_key,
+            "response": captcha_response,
+        }
+        response = requests.post(
+            "https://api.hcaptcha.com/siteverify", data=data, timeout=10
+        )
+        result = response.json()
+        success = result.get("success", False)
+        if not success:
+            error_codes = result.get("error-codes", ["?"])
+            raise AccessError(
+                _("Hcaptcha validation failed: %s") % ", ".join(error_codes)
+            )
+        score = result.get("score", 1)
+        if score < self.captcha_minimum_score:
+            raise AccessError(
+                _(
+                    "Hcaptcha validation failed: score %(score)s < %(min_score)s (%(reason)s)"
+                )
+                % {
+                    "score": score,
+                    "min_score": self.captcha_minimum_score,
+                    "reason": result.get("score_reason", ""),
+                }
+            )
+
+    def _validate_altcha(self, captcha_response, secret_key):
+        """Validate the altcha response"""
+        data = {
+            "apiKey": secret_key,
+            "payload": captcha_response,
+        }
+        response = requests.post(
+            "https://eu.altcha.org/api/v1/challenge/verify",
+            data=data,
+            timeout=10,
+        )
+        result = response.json()
+        success = result.get("verified", False)
+        if not success:
+            error = result.get("error", "?")
+            raise AccessError(_("Altcha validation failed: %s") % error)
+
+    @api.model
+    def _fastapi_app_fields(self):
+        # We need to reload fastapi app when we change these captcha fields
+        fields = super()._fastapi_app_fields()
+        return [
+            "use_captcha",
+            "captcha_routes_regex",
+        ] + fields
+
+
+def captcha_token(
+    captcha_token: Annotated[
+        str | None,
+        Header(
+            alias="X-Captcha-Token",
+            description="The X-Captcha-Token header is used to specify the captcha ",
+        ),
+    ] = None,
+) -> str:
+    return captcha_token

fastapi_captcha/readme/CONTRIBUTORS.md

@@ -0,0 +1 @@
+- Florian Mounier <florian.mounier@akretion.com>

fastapi_captcha/readme/DESCRIPTION.md

@@ -0,0 +1,8 @@
+This module provides a simple way to protect several fastapi endpoints routes with a
+captcha.
+
+It curreently supports the following captcha providers:
+
+- [Google reCAPTCHA](https://www.google.com/recaptcha)
+- [hCaptcha](https://www.hcaptcha.com/)
+- [Altcha](https://altcha.org/)

fastapi_captcha/readme/USAGE.md

@@ -0,0 +1,2 @@
+Check the `Use Captcha` checkbox in your FastAPI endpoint to enable captcha validation,
+then enter your captcha provider, secret key and an array of route url regex.