Add recaptcha protection for password resets (#12)

cmyui · web-flow · commit f35ac27872e3 · 2025-06-10T20:21:59.000-04:00
* Add recaptcha protection for password resets

* move recaptcha to init

* bool conv
diff --git a/app/adapters/recaptcha.py b/app/adapters/recaptcha.py
@@ -0,0 +1,40 @@
+import logging
+
+import httpx
+
+from app import settings
+
+recaptcha_http_client = httpx.AsyncClient(
+    base_url="https://www.google.com/recaptcha",
+)
+
+
+async def verify_recaptcha(
+    *,
+    recaptcha_token: str,
+    client_ip_address: str,
+) -> bool:
+    try:
+        response = await recaptcha_http_client.post(
+            "/api/siteverify",
+            data={
+                "secret": settings.RECAPTCHA_SECRET_KEY,
+                "response": recaptcha_token,
+                "remoteip": client_ip_address,  # https://stackoverflow.com/a/51920956
+            },
+        )
+        response.raise_for_status()
+        response_data = response.json()
+        if not isinstance(response_data, dict):
+            raise ValueError("Invalid response from recaptcha")
+        return response_data.get("success", False) is True
+
+    except Exception:
+        logging.exception(
+            "Failed to verify recaptcha",
+            extra={
+                "recaptcha_token": recaptcha_token,
+                "client_ip_address": client_ip_address,
+            },
+        )
+        return False
diff --git a/app/api/public/authentication.py b/app/api/public/authentication.py
@@ -107,6 +107,7 @@ async def logout(
 
 class InitializePasswordResetRequest(BaseModel):
     username: str
+    recaptcha_token: str
 
 
 @router.post("/public/api/v1/init-password-reset")
@@ -117,6 +118,7 @@ async def initialize_password_reset(
 ) -> Response:
     response = await authentication.initialize_password_reset(
         username=args.username,
+        recaptcha_token=args.recaptcha_token,
         client_ip_address=client_ip_address,
         client_user_agent=client_user_agent,
     )
diff --git a/app/settings.py b/app/settings.py
@@ -39,3 +39,5 @@ def read_bool(s: str) -> bool:
 MAILGUN_BASE_URL = os.environ["MAILGUN_BASE_URL"]
 MAILGUN_DOMAIN_NAME = os.environ["MAILGUN_DOMAIN_NAME"]
 MAILGUN_API_KEY = os.environ["MAILGUN_API_KEY"]
+
+RECAPTCHA_SECRET_KEY = os.environ["RECAPTCHA_SECRET_KEY"]
diff --git a/app/usecases/authentication.py b/app/usecases/authentication.py
@@ -5,6 +5,7 @@
 
 from app import security
 from app.adapters import mailgun
+from app.adapters import recaptcha
 from app.common_types import UserPrivileges
 from app.errors import Error
 from app.errors import ErrorCode
@@ -115,9 +116,19 @@ async def logout(
 async def initialize_password_reset(
     *,
     username: str,
+    recaptcha_token: str,
     client_ip_address: str,
     client_user_agent: str,
 ) -> None | Error:
+    if not await recaptcha.verify_recaptcha(
+        recaptcha_token=recaptcha_token,
+        client_ip_address=client_ip_address,
+    ):
+        return Error(
+            error_code=ErrorCode.INCORRECT_CREDENTIALS,
+            user_feedback="Invalid reCAPTCHA token.",
+        )
+
     user = await users.fetch_one_by_username(username)
     if user is None:
         return Error(
