Implement utils.testCaptcha and utils.testValidation

Author: grishka

src/main/java/smithereen/SmithereenApplication.java

@@ -1024,6 +1024,8 @@ public static void main(String[] args){
 			options("/uploadAttachmentPhoto", ApiRoutes::apiCallPreflight);
 			options("/uploadAlbumPhoto", ApiRoutes::apiCallPreflight);
 			options("/uploadAvatar", ApiRoutes::apiCallPreflight);
+			get("/captcha/:sid", ApiRoutes::captcha);
+			get("/testValidation", ApiRoutes::testValidation);
 		});
 		path("/oauth", ()->{
 			get("/authorize", ApiRoutes::oauthAuthorize);
@@ -1269,7 +1271,7 @@ public void sessionDestroyed(HttpSessionEvent se){
 		MaintenanceScheduler.runPeriodically(()->context.getWallController().removeExpiredGuids(), 1, TimeUnit.HOURS);
 		MaintenanceScheduler.runPeriodically(()->context.getCommentsController().removeExpiredGuids(), 1, TimeUnit.HOURS);
 		MaintenanceScheduler.runPeriodically(()->context.getMailController().removeExpiredGuids(), 1, TimeUnit.HOURS);
-		MaintenanceScheduler.runPeriodically(ApiUtils::removeOldUploadUrlIDs, 10, TimeUnit.MINUTES);
+		MaintenanceScheduler.runPeriodically(ApiUtils::doCleanupTasks, 10, TimeUnit.MINUTES);
 		context.getUsersController().loadPresenceFromDatabase();
 
 		Runtime.getRuntime().addShutdownHook(new Thread(()->{

src/main/java/smithereen/Utils.java

@@ -421,6 +421,8 @@ public static String getLastPathSegment(URI uri){
 	}
 
 	public static SessionInfo sessionInfo(Request req){
+		if(req.pathInfo().startsWith("/api/"))
+			return null;
 		Session sess=req.session(false);
 		if(sess==null)
 			return null;
@@ -980,7 +982,7 @@ public static void verifyCaptcha(Request req){
 		CaptchaInfo info=captchas.remove(sid);
 		if(info==null)
 			throw new UserErrorException("err_wrong_captcha");
-		if(!info.answer().equals(captcha) || System.currentTimeMillis()-info.generatedAt().toEpochMilli()<3000)
+		if(!info.answer().equals(captcha) || System.currentTimeMillis()-info.generatedAt().toEpochMilli()<1500)
 			throw new UserErrorException("err_wrong_captcha");
 	}
 
@@ -1011,5 +1013,13 @@ public static boolean isValidBirthDate(LocalDate date){
 		return date.isBefore(LocalDate.now().plusDays(1)) && date.isAfter(LocalDate.of(1900, 1, 1));
 	}
 
+	public static byte[] tryDecodeBase64Url(String s){
+		try{
+			return Base64.getUrlDecoder().decode(s);
+		}catch(IllegalArgumentException x){
+			return null;
+		}
+	}
+
 	private record EmailConfirmationCodeInfo(String code, EmailCodeActionType actionType, Instant sentAt){}
 }

src/main/java/smithereen/api/ApiDispatcher.java

@@ -89,6 +89,8 @@ public class ApiDispatcher{
 		registerMethod("utils.getServerTime", UtilsMethods::getServerTime, false);
 		registerMethod("utils.loadRemoteObject", UtilsMethods::loadRemoteObject, true);
 		registerMethod("utils.resolveScreenName", UtilsMethods::resolveScreenName, false);
+		registerMethod("utils.testCaptcha", UtilsMethods::testCaptcha, true);
+		registerMethod("utils.testValidation", UtilsMethods::testValidation, true);
 
 		registerMethod("server.getInfo", ServerMethods::getInfo, false);
 		registerMethod("server.getRestrictedServers", ServerMethods::getRestrictedServers, false);

src/main/java/smithereen/api/methods/ApiUtils.java

@@ -12,10 +12,13 @@
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
+import java.time.Instant;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Base64;
 import java.util.BitSet;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.EnumSet;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -28,9 +31,13 @@
 import java.util.stream.Collectors;
 
 import smithereen.ApplicationContext;
+import smithereen.Config;
+import smithereen.Utils;
 import smithereen.activitypub.objects.Actor;
 import smithereen.activitypub.objects.LocalImage;
 import smithereen.api.ApiCallContext;
+import smithereen.api.ApiErrorException;
+import smithereen.api.model.ApiCaptchaError;
 import smithereen.api.model.ApiComment;
 import smithereen.api.model.ApiErrorType;
 import smithereen.api.model.ApiGroup;
@@ -67,6 +74,8 @@
 import smithereen.model.viewmodel.CommentViewModel;
 import smithereen.model.viewmodel.PostViewModel;
 import smithereen.text.FormattedTextFormat;
+import smithereen.util.ByteArrayMapKey;
+import smithereen.util.CaptchaGenerator;
 import smithereen.util.CryptoUtils;
 import smithereen.util.JsonObjectBuilder;
 import smithereen.util.UriBuilder;
@@ -78,6 +87,7 @@ public class ApiUtils{
 	public static final byte[] EXTERNAL_MEDIA_KEY=CryptoUtils.randomBytes(16);
 	public static final HashMap<Integer, Long> uploadUrlIDs=new HashMap<>();
 	public static final AtomicInteger lastUploadUrlID=new AtomicInteger();
+	private static final HashMap<ByteArrayMapKey, CaptchaInfo> captchas=new HashMap<>();
 
 	@NotNull
 	@Unmodifiable
@@ -723,11 +733,14 @@ public static String getUploadURL(ApiCallContext actx, String path, Map<String,
 				.toString();
 	}
 
-	public static void removeOldUploadUrlIDs(){
+	public static void doCleanupTasks(){
+		long now=System.currentTimeMillis();
 		synchronized(uploadUrlIDs){
-			long now=System.currentTimeMillis();
 			uploadUrlIDs.values().removeIf(v->now-v>60_000);
 		}
+		synchronized(captchas){
+			captchas.values().removeIf(ci->now-ci.requestedAt.toEpochMilli()>600_000);
+		}
 	}
 
 	public static @NotNull FormattedTextFormat getTextFormat(@NotNull ApiCallContext actx){
@@ -772,6 +785,61 @@ public static String getExternalMediaHash(Map<String, String> params){
 		return Base64.getUrlEncoder().withoutPadding().encodeToString(CryptoUtils.sha256(buf.toByteArray()));
 	}
 
-	public record InputAttachments(@NotNull List<String> ids, @NotNull Map<String, String> altTexts, @Nullable Poll poll){
+	public static void enforceCaptcha(ApplicationContext ctx, ApiCallContext actx){
+		if(actx.self==null)
+			throw new IllegalArgumentException("This method requires an account");
+		List<String> paramsHashSource=new ArrayList<>();
+		actx.params.forEach((k, v)->{
+			if(!"captcha_sid".equals(k) && !"captcha_answer".equals(k))
+				paramsHashSource.add(k+"="+v);
+		});
+		Collections.sort(paramsHashSource);
+		byte[] paramsHash=CryptoUtils.sha256(String.join("\n", paramsHashSource).getBytes(StandardCharsets.UTF_8));
+		if(actx.hasParam("captcha_sid") && actx.hasParam("captcha_answer")){
+			byte[] sid=Utils.tryDecodeBase64Url(actx.requireParamString("captcha_sid"));
+			if(sid!=null && sid.length==16){
+				CaptchaInfo info;
+				ByteArrayMapKey key=new ByteArrayMapKey(sid);
+				synchronized(captchas){
+					info=captchas.remove(key);
+				}
+				String answer=actx.requireParamString("captcha_answer");
+				if(info!=null && Arrays.equals(info.accessToken, actx.token.id()) && Arrays.equals(info.paramsHash, paramsHash) && answer.equals(info.answer)){
+					long now=System.currentTimeMillis();
+					if(now-info.generatedAt.toEpochMilli()>1500 && now-info.requestedAt.toEpochMilli()<600_000)
+						return;
+				}
+			}
+		}
+
+		byte[] sid=CryptoUtils.randomBytes(16);
+		synchronized(captchas){
+			captchas.put(new ByteArrayMapKey(sid), new CaptchaInfo(actx.token.id(), paramsHash, Instant.now(), null, null));
+		}
+		ApiCaptchaError error=new ApiCaptchaError(ApiErrorType.CAPTCHA_NEEDED, null, actx.params);
+		String encodedSid=Base64.getUrlEncoder().withoutPadding().encodeToString(sid);
+		error.captcha=new ApiCaptchaError.Captcha(Config.localURI("/api/captcha/"+encodedSid+".png").toString(), CaptchaGenerator.IMG_WIDTH, CaptchaGenerator.IMG_HEIGHT, encodedSid, actx.lang.get("captcha_hint"));
+		throw new ApiErrorException(error);
 	}
+
+	public static CaptchaInfo getCaptchaInfo(byte[] sid){
+		CaptchaInfo info=captchas.get(new ByteArrayMapKey(sid));
+		if(info==null || System.currentTimeMillis()-info.requestedAt.toEpochMilli()>600_000)
+			return null;
+		return info;
+	}
+
+	public static void updateCaptchaInfo(byte[] sid, String answer){
+		ByteArrayMapKey key=new ByteArrayMapKey(sid);
+		synchronized(captchas){
+			CaptchaInfo info=captchas.get(key);
+			if(info==null)
+				return;
+			captchas.put(key, new CaptchaInfo(info.accessToken, info.paramsHash, info.requestedAt, Instant.now(), answer));
+		}
+	}
+
+	public record InputAttachments(@NotNull List<String> ids, @NotNull Map<String, String> altTexts, @Nullable Poll poll){}
+
+	public record CaptchaInfo(byte[] accessToken, byte[] paramsHash, Instant requestedAt, Instant generatedAt, String answer){}
 }

src/main/java/smithereen/api/methods/UtilsMethods.java

@@ -1,8 +1,14 @@
 package smithereen.api.methods;
 
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+
 import smithereen.ApplicationContext;
+import smithereen.Config;
 import smithereen.api.ApiCallContext;
+import smithereen.api.ApiErrorException;
 import smithereen.api.model.ApiErrorType;
+import smithereen.api.model.ApiValidationError;
 import smithereen.controllers.ObjectLinkResolver;
 import smithereen.exceptions.RemoteObjectFetchException;
 import smithereen.model.Group;
@@ -12,6 +18,7 @@
 import smithereen.model.comments.Comment;
 import smithereen.model.photos.Photo;
 import smithereen.model.photos.PhotoAlbum;
+import smithereen.util.CryptoUtils;
 
 public class UtilsMethods{
 	public static Object getServerTime(ApplicationContext ctx, ApiCallContext actx){
@@ -57,4 +64,16 @@ record ScreenNameResult(String type, long id){}
 			case APPLICATION -> "application";
 		}, res.localID());
 	}
+
+	public static Object testCaptcha(ApplicationContext ctx, ApiCallContext actx){
+		ApiUtils.enforceCaptcha(ctx, actx);
+		return true;
+	}
+
+	public static Object testValidation(ApplicationContext ctx, ApiCallContext actx){
+		String successStr=Base64.getUrlEncoder().withoutPadding().encodeToString(CryptoUtils.sha256("Success!".getBytes(StandardCharsets.UTF_8)));
+		if(!successStr.equals(actx.optParamString("validation_key")))
+			throw new ApiErrorException(new ApiValidationError(ApiErrorType.VALIDATION_NEEDED, null, actx.params, Config.localURI("/api/testValidation?this_parameter=should%20be%20kept%20intact&this_one=as%20well").toString()));
+		return true;
+	}
 }

src/main/java/smithereen/api/model/ApiCaptchaError.java

@@ -0,0 +1,13 @@
+package smithereen.api.model;
+
+import java.util.Map;
+
+public class ApiCaptchaError extends ApiError{
+	public Captcha captcha;
+
+	public ApiCaptchaError(ApiErrorType type, String message, Map<String, Object> params){
+		super(type, message, params);
+	}
+
+	public record Captcha(String url, int width, int height, String sid, String hint){}
+}

src/main/java/smithereen/api/model/ApiErrorType.java

@@ -14,9 +14,9 @@ public enum ApiErrorType{
 	INTERNAL_SERVER_ERROR(10, "Internal server error", 500),
 	EXECUTE_COMPILE_FAILED(12, "Code compilation failed", 422),
 	EXECUTE_RUNTIME_ERROR(13, "Runtime error occurred", 422),
-	CAPTCHA_NEEDED(14, "Captcha needed"),
+	CAPTCHA_NEEDED(14, "Captcha needed", 429),
 	ACCESS_DENIED(15, "Access denied", 403),
-	VALIDATION_NEEDED(17, "Validation required"),
+	VALIDATION_NEEDED(17, "Validation required", 401),
 	ACCOUNT_SUSPENDED(18, "Account banned", 403),
 	//STANDALONE_APPS_ONLY(20, "Permission to perform this action is denied for non-standalone applications"),
 	//CONFIRMATION_NEEDED(24, "Confirmation required"),

src/main/java/smithereen/api/model/ApiValidationError.java

@@ -0,0 +1,12 @@
+package smithereen.api.model;
+
+import java.util.Map;
+
+public class ApiValidationError extends ApiError{
+	public final String validationUrl;
+
+	public ApiValidationError(ApiErrorType type, String message, Map<String, Object> params, String validationUrl){
+		super(type, message, params);
+		this.validationUrl=validationUrl;
+	}
+}

src/main/java/smithereen/routes/ApiRoutes.java

@@ -12,6 +12,8 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URLEncoder;
@@ -30,6 +32,8 @@
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 
+import javax.imageio.ImageIO;
+
 import smithereen.ApplicationContext;
 import smithereen.Config;
 import smithereen.activitypub.objects.LocalImage;
@@ -46,6 +50,7 @@
 import smithereen.exceptions.FloodControlViolationException;
 import smithereen.exceptions.ObjectNotFoundException;
 import smithereen.exceptions.UserActionNotAllowedException;
+import smithereen.exceptions.UserErrorException;
 import smithereen.http.HttpContentType;
 import smithereen.lang.Lang;
 import smithereen.model.Account;
@@ -60,6 +65,7 @@
 import smithereen.scripting.ScriptValueGsonTypeAdapterFactory;
 import smithereen.storage.MediaStorageUtils;
 import smithereen.templates.RenderedTemplateResponse;
+import smithereen.util.CaptchaGenerator;
 import smithereen.util.CryptoUtils;
 import smithereen.util.FloodControl;
 import smithereen.util.JsonObjectBuilder;
@@ -544,4 +550,50 @@ private static Object uploadPhoto(Request req, Response resp, String method, Med
 			return new JsonObjectBuilder().add("error", "Field 'photo' not found").build();
 		}
 	}
+
+	public static Object captcha(Request req, Response resp) throws IOException{
+		String rawSid=req.params(":sid");
+		if(!rawSid.endsWith(".png"))
+			return null;
+		byte[] sid=tryDecodeBase64Url(rawSid.substring(0, rawSid.length()-4));
+		if(sid==null)
+			return null;
+		ApiUtils.CaptchaInfo info=ApiUtils.getCaptchaInfo(sid);
+		if(info==null)
+			return null;
+
+		CaptchaGenerator.Captcha captcha=CaptchaGenerator.generate();
+		ApiUtils.updateCaptchaInfo(sid, captcha.answer());
+		resp.type("image/png");
+		ByteArrayOutputStream out=new ByteArrayOutputStream();
+		ImageIO.write(captcha.image(), "png", out);
+		return out.toByteArray();
+	}
+
+	public static Object testValidation(Request req, Response resp){
+		req.attribute("popup", Boolean.TRUE);
+		try{
+			if(!"should be kept intact".equals(req.queryParams("this_parameter")) || !"as well".equals(req.queryParams("this_one")))
+				throw new UserErrorException("You accidentally removed the existing query parameters from the URL while adding your own.");
+			String rawUrl=req.queryParams("redirect_url");
+			if(StringUtils.isEmpty(rawUrl))
+				throw new UserErrorException("The redirect_url parameter is absent or empty.");
+			URI url;
+			try{
+				url=new URI(rawUrl);
+			}catch(URISyntaxException x){
+				throw new UserErrorException("redirect_url is not a valid URL.");
+			}
+			if(StringUtils.isEmpty(url.getScheme()) || StringUtils.isEmpty(url.getAuthority()))
+				throw new UserErrorException("redirect_url must have at least scheme and authority parts.");
+
+			String successStr=Base64.getUrlEncoder().withoutPadding().encodeToString(CryptoUtils.sha256("Success!".getBytes(StandardCharsets.UTF_8)));
+			return new RenderedTemplateResponse("validation_test", req)
+					.with("successURL", new UriBuilder(url).fragment("success=1&key="+successStr).build().toString())
+					.with("failureURL", new UriBuilder(url).fragment("error=1").build().toString())
+					.pageTitle("API validation test");
+		}catch(UserErrorException x){
+			return new RenderedTemplateResponse("generic_error", req).with("error", x.getMessage()).with("title", lang(req).get("error"));
+		}
+	}
 }

src/main/java/smithereen/templates/Templates.java

@@ -95,12 +95,8 @@ public static void addGlobalParamsToTemplate(Request req, RenderedTemplateRespon
 		ApplicationContext ctx=Utils.context(req);
 		Lang lang=Utils.lang(req);
 		if(req.session(false)!=null){
-			SessionInfo info=req.session().attribute("info");
-			if(info==null){
-				info=new SessionInfo();
-				req.session().attribute("info", info);
-			}
-			Account account=info.account;
+			SessionInfo info=Utils.sessionInfo(req);
+			Account account=info==null ? null : info.account;
 			if(account!=null){
 				model.with("currentUser", account.user);
 				model.with("csrf", info.csrfToken);