Implement captcha on subscribe page

ThomasTJdev · ThomasTJdev · commit 87e2d80de567 · 2025-09-06T08:22:35.000+02:00
diff --git a/README.md b/README.md
@@ -362,6 +362,13 @@ If the `SMTP_HOST` is specified as an environment variable, then it won't use th
 # 🌐 Environment variables
 The values are customizable within the system and will be saved to the database.
 
+**CAPTCHA**
+If set, the captcha will be enabled on the subscribe page.
+```sh
+export GOOGLE_RECAPTCHA_SECRET=NONE
+export GOOGLE_RECAPTCHA_SITE_KEY=NONE
+```
+
 **Database**
 ```sh
 export PG_HOST=localhost
diff --git a/nimletter.nimble b/nimletter.nimble
@@ -1,6 +1,6 @@
 # Package
 
-version       = "0.6.4"
+version       = "0.6.5"
 author        = "ThomasTJdev"
 description   = "Newsletter"
 license       = "AGPL v3"
diff --git a/nimletter.service b/nimletter.service
@@ -43,6 +43,9 @@ ExecStart=/usr/bin/podman run \
         --label io.containers.autoupdate=registry \
         --log-driver journald \
         --log-opt tag=nimletter \
+        --env ALLOW_GLOBAL_SUBSCRIPTION=false \
+        --env GOOGLE_RECAPTCHA_SECRET=NONE \
+        --env GOOGLE_RECAPTCHA_SITE_KEY=NONE \
         --env RUN_MODE=prod \
         --env PG_HOST=localhost:5432 \
         --env PG_USER=postgres \
diff --git a/src/html/optin.nimf b/src/html/optin.nimf
@@ -48,6 +48,13 @@
             <input type="text" name="name" placeholder="Name">
             <input type="email" name="email" placeholder="Email" required>
             <input type="text" name="username_second" placeholder="Name" class="hideme">
+            # let recaptchaSiteKey = getEnv("GOOGLE_RECAPTCHA_SITE_KEY")
+            # if recaptchaSiteKey.len() > 0 and recaptchaSiteKey != "NONE":
+            <div style="display: flex ; justify-content: center;">
+              <div class="g-recaptcha" data-sitekey="${recaptchaSiteKey}" data-theme="light" style="transform:scale(0.93);-webkit-transform:scale(0.93);transform-origin:0 0;-webkit-transform-origin:0 0;"></div>
+              <script src="https://www.google.com/recaptcha/api.js" async defer></script>
+            </div>
+            # end if
             <div class="buttonArea">
               <button type="submit" class="buttonIcon">
                 <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="size-6">
@@ -82,14 +89,14 @@
   <body class="mainbody">
     <main>
       <div class="content notLoggedIn">
-        <h1 id="heading" class="center">Nimletter, drip it!</h1>
+        <h1 id="heading" class="center" style="font-weight: 500;">Subscription confirmed!</h1>
         <div id="work subscribe">
-          <div class="mb30" style="display: flex;">
-            <img src="/assets/images/nimletter.png" style="width: 300px;margin: auto;">
-          </div>
           <p class="center">
             Perfect! Glad to have you onboard! 🚀
           </p>
+          <p class="center">
+            You can <a href="#!" onclick="window.close()">close this window</a> now.
+          </p>
         </div>
       </div>
     </main>
diff --git a/src/routes/routes_flows.nim b/src/routes/routes_flows.nim
@@ -206,7 +206,7 @@ proc(request: Request) =
     scheduledTime = if triggerType == "time": @"scheduledTime" else: ""
 
   if name.strip() == "":
-    resp Http400, "Subject is required"
+    resp Http400, "Flow name is required"
 
   if not mailID.isValidInt():
     resp Http400, "Invalid mail ID"
diff --git a/src/routes/routes_optin.nim b/src/routes/routes_optin.nim
@@ -27,6 +27,7 @@ import
   ../email/email_optin,
   ../utils/contacts_utils,
   ../utils/list_utils,
+  ../utils/google_recaptcha,
   ../utils/validate_data,
   ../webhook/webhook_events
 
@@ -145,6 +146,10 @@ proc(request: Request) =
   if not email.isValidEmail():
     resp Http400, nimfOptinSubscribe(true, "Invalid email", "")
 
+  #when not defined(dev):
+  if not checkReCaptcha(@"g-recaptcha-response", request.ip):
+    resp Http400, nimfOptinSubscribe(true, "Invalid captcha", "")
+
 
   var
     userID: string
diff --git a/src/utils/google_recaptcha.nim b/src/utils/google_recaptcha.nim
@@ -0,0 +1,87 @@
+# Copyright Thomas T. Jarløv (TTJ) - ttj@ttj.dk
+
+import
+  std/[
+    httpclient,
+    json,
+    os
+  ]
+
+
+const
+  VerifyUrl: string = "https://www.google.com/recaptcha/api/siteverify"
+
+type
+  ReCaptcha* = object
+    secret: string
+    siteKey: string
+  CaptchaVerificationError* = object of Exception
+
+proc initReCaptcha*(secret, siteKey: string): ReCaptcha =
+  result = ReCaptcha(
+    secret: secret,
+    siteKey: siteKey
+  )
+
+
+proc checkVerification(mpd: MultipartData): bool =
+  let
+    client = newHttpClient()
+    response = client.post(VerifyUrl, multipart=mpd)
+    jsonContent = parseJson(response.body)
+    success = jsonContent.getOrDefault("success")
+    errors = jsonContent.getOrDefault("error-codes")
+
+  if errors != nil:
+    for err in errors.items():
+      case err.getStr()
+      of "missing-input-secret":
+        raise newException(CaptchaVerificationError, "The secret parameter is missing.")
+      of "invalid-input-secret":
+        raise newException(CaptchaVerificationError, "The secret parameter is invalid or malformed.")
+      of "missing-input-response":
+        raise newException(CaptchaVerificationError, "The response parameter is missing.")
+      of "invalid-input-response":
+        raise newException(CaptchaVerificationError, "The response parameter is invalid or malformed.")
+      else: discard
+
+  result = if success != nil: success.getBool() else: false
+
+proc verify*(rc: ReCaptcha, reCaptchaResponse, remoteIp: string): bool =
+  let multiPart = newMultipartData({
+    "secret": rc.secret,
+    "response": reCaptchaResponse,
+    "remoteip": remoteIp
+  })
+  result = checkVerification(multiPart)
+
+proc verify*(rc: ReCaptcha, reCaptchaResponse: string): bool =
+  let multiPart = newMultipartData({
+    "secret": rc.secret,
+    "response": reCaptchaResponse,
+  })
+  result = checkVerification(multiPart)
+
+
+proc checkReCaptcha*(antibot, userIP: string): bool =
+  let secret = getEnv("GOOGLE_RECAPTCHA_SECRET")
+  let siteKey = getEnv("GOOGLE_RECAPTCHA_SITE_KEY")
+
+  if secret == "" or siteKey == "":
+    return true
+  if secret == "NONE" or siteKey == "NONE":
+    return true
+
+  let captcha = initReCaptcha(secret, siteKey)
+
+
+  var captchaValid: bool = false
+  try:
+    captchaValid = captcha.verify(antibot, userIP)
+  except:
+    echo("checkReCaptcha(): Error checking captcha. UserIP: " & userIP & " - ErrMsg: " & getCurrentExceptionMsg())
+    return false
+
+  return captchaValid
+
+
