Add captcha for user signup (#1822)

TG1999 · web-flow · commit a6e81c1f08c3 · 2025-03-20T15:12:14.000+05:30
Signed-off-by: Tushar Goel &lt;tushar.goel.dav@gmail.com&gt;
diff --git a/requirements.txt b/requirements.txt
@@ -31,6 +31,7 @@ Django==4.2.17
 django-crispy-forms==2.3
 django-environ==0.11.2
 django-filter==24.3
+django-recaptcha==4.0.0
 django-widget-tweaks==1.5.0
 djangorestframework==3.15.2
 doc8==0.11.1
diff --git a/setup.cfg b/setup.cfg
@@ -99,6 +99,8 @@ install_requires =
     python-dotenv
     texttable
 
+    django-recaptcha>=4.0.0
+
 
 [options.extras_require]
 dev =
diff --git a/vulnerabilities/forms.py b/vulnerabilities/forms.py
@@ -9,6 +9,8 @@
 
 from django import forms
 from django.core.validators import validate_email
+from django_recaptcha.fields import ReCaptchaField
+from django_recaptcha.widgets import ReCaptchaV2Checkbox
 
 from vulnerabilities.models import ApiUser
 
@@ -38,6 +40,10 @@ class ApiUserCreationForm(forms.ModelForm):
     Support a simplified creation for API-only users directly from the UI.
     """
 
+    captcha = ReCaptchaField(
+        error_messages={"required": ("Captcha is required")}, widget=ReCaptchaV2Checkbox
+    )
+
     class Meta:
         model = ApiUser
         fields = (
diff --git a/vulnerabilities/templates/api_user_creation_form.html b/vulnerabilities/templates/api_user_creation_form.html
@@ -14,11 +14,17 @@
         </article>
       {% endfor %}
       <div id="form-errors" class="message is-danger {% if not form.errors %}is-hidden{% endif %}">
-        {% for field_name, errors in form.errors.items %}
+        {% if form.errors.captcha %}
         <div class="message-body">
-          {{ errors }}
+            {{ form.errors.captcha }}
         </div>
-        {% endfor %}
+        {% else %}
+        <div class="message-body">
+            {% for error in form.errors.values %}
+                {{ error }}
+            {% endfor %}
+        </div>
+        {% endif %}
       </div>
     <h2 class="subtitle mb-0 pt-2 mb-2">
       <b>VulnerableCode API key request</b>
diff --git a/vulnerablecode/settings.py b/vulnerablecode/settings.py
@@ -83,8 +83,15 @@
     "drf_spectacular",
     # required for Django collectstatic discovery
     "drf_spectacular_sidecar",
+    "django_recaptcha",
 )
 
+RECAPTCHA_PUBLIC_KEY = env.str("RECAPTCHA_PUBLIC_KEY", "")
+RECAPTCHA_PRIVATE_KEY = env.str("RECAPTCHA_PRIVATE_KEY", "")
+SILENCED_SYSTEM_CHECKS = ["captcha.recaptcha_test_key_error"]
+RECAPTCHA_DOMAIN = env.str("RECAPTCHA_DOMAIN", "www.recaptcha.net")
+
+
 MIDDLEWARE = (
     "django.middleware.security.SecurityMiddleware",
     "django.contrib.sessions.middleware.SessionMiddleware",
