Additional validation

rowan-m · rowan-m · commit e825699a2dda · 2018-07-31T17:55:06.000+01:00
Add additional validation options for expected:
- hostname
- apk_package_name
- action
- score threshold
- challenge_ts timeout
diff --git a/src/ReCaptcha/ReCaptcha.php b/src/ReCaptcha/ReCaptcha.php
@@ -37,6 +37,54 @@ class ReCaptcha
      */
     const VERSION = 'php_1.2';
 
+    /**
+     * Invalid JSON received
+     * @const string
+     */
+    const E_INVALID_JSON = 'invalid-json';
+
+    /**
+     * Not a success, but no error codes received!
+     * @const string
+     */
+    const E_UNKNOWN_ERROR = 'unknown-error';
+
+    /**
+     * ReCAPTCHA response not provided
+     * @const string
+     */
+    const E_MISSING_INPUT_RESPONSE = 'missing-input-response';
+
+    /**
+     * Expected hostname did not match
+     * @const string
+     */
+    const E_HOSTNAME_MISMATCH = 'hostname-mismatch';
+
+    /**
+     * Expected APK package name did not match
+     * @const string
+     */
+    const E_APK_PACKAGE_NAME_MISMATCH = 'apk_package_name-mismatch';
+
+    /**
+     * Expected action did not match
+     * @const string
+     */
+    const E_ACTION_MISMATCH = 'action-mismatch';
+
+    /**
+     * Score threshold not met
+     * @const string
+     */
+    const E_SCORE_THRESHOLD_NOT_MET = 'score-threshold-not-met';
+
+    /**
+     * Challenge timeout
+     * @const string
+     */
+    const E_CHALLENGE_TIMEOUT = 'challenge-timeout';
+
     /**
      * Shared secret for the site.
      * @var string
@@ -52,7 +100,7 @@ class ReCaptcha
     /**
      * Create a configured instance to use the reCAPTCHA service.
      *
-     * @param string $secret shared secret between site and reCAPTCHA server.
+     * @param string $secret The shared key between your site and reCAPTCHA.
      * @param RequestMethod $requestMethod method used to send the request. Defaults to POST.
      * @throws \RuntimeException if $secret is invalid
      */
@@ -79,20 +127,135 @@ public function __construct($secret, RequestMethod $requestMethod = null)
      * Calls the reCAPTCHA siteverify API to verify whether the user passes
      * CAPTCHA test.
      *
-     * @param string $response The value of 'g-recaptcha-response' in the submitted form.
+     * @param string $response The user response token provided by reCAPTCHA, verifying the user on your site.
      * @param string $remoteIp The end user's IP address.
      * @return Response Response from the service.
      */
     public function verify($response, $remoteIp = null)
     {
         // Discard empty solution submissions
         if (empty($response)) {
-            $recaptchaResponse = new Response(false, array('missing-input-response'));
+            $recaptchaResponse = new Response(false, array(self::E_MISSING_INPUT_RESPONSE));
             return $recaptchaResponse;
         }
 
         $params = new RequestParameters($this->secret, $response, $remoteIp, self::VERSION);
         $rawResponse = $this->requestMethod->submit($params);
         return Response::fromJson($rawResponse);
     }
+
+    /**
+     * Provide a hostname to match against in verifyAndValidate()
+     * This should be without a protocol or trailing slash, e.g. www.google.com
+     *
+     * @param string $hostname Expected hostname
+     * @return ReCaptcha Current instance for fluent interface
+     */
+    public function setExpectedHostname($hostname)
+    {
+        $this->hostname = $hostname;
+        return $this;
+    }
+
+    /**
+     * Provide an APK package name to match against in verifyAndValidate()
+     *
+     * @param string $apkPackageName Expected APK package name
+     * @return ReCaptcha Current instance for fluent interface
+     */
+    public function setExpectedApkPackageName($apkPackageName)
+    {
+        $this->apkPackageName = $apkPackageName;
+        return $this;
+    }
+
+    /**
+     * Provide an action to match against in verifyAndValidate()
+     * This should be set per page.
+     *
+     * @param string $action Expected action
+     * @return ReCaptcha Current instance for fluent interface
+     */
+    public function setExpectedAction($action)
+    {
+        $this->action = $action;
+        return $this;
+    }
+
+    /**
+     * Provide a threshold to meet or exceed in verifyAndValidate()
+     * Threshold should be a float between 0 and 1 which will be tested as response >= threshold.
+     *
+     * @param float $threshold Expected threshold
+     * @return ReCaptcha Current instance for fluent interface
+     */
+    public function setScoreThreshold($threshold)
+    {
+        $this->threshold = floatval($threshold);
+        return $this;
+    }
+
+    /**
+     * Provide a timeout in seconds to test against the challenge timestamp in verifyAndValidate()
+     *
+     * @param int $timeoutSeconds Expected hostname
+     * @return ReCaptcha Current instance for fluent interface
+     */
+    public function setChallengeTimeout($timeoutSeconds)
+    {
+        $this->timeoutSeconds = $timeoutSeconds;
+        return $this;
+    }
+
+    /**
+     * Calls the reCAPTCHA siteverify API to verify whether the user passes
+     * CAPTCHA test and additionally runs any specified additional checks
+     *
+     * @param string $response The user response token provided by reCAPTCHA, verifying the user on your site.
+     * @param string $remoteIp The end user's IP address.
+     * @return Response Response from the service.
+     */
+    public function verifyAndValidate($response, $remoteIp = null)
+    {
+        $initialResponse = $this->verify($response, $remoteIp);
+        $validationErrors = array();
+
+        if (isset($this->hostname) && strcasecmp($this->hostname, $initialResponse->getHostname()) !== 0) {
+            $validationErrors[] = self::E_HOSTNAME_MISMATCH;
+        }
+
+        if (isset($this->apkPackageName) && strcasecmp($this->apkPackageName, $initialResponse->getApkPackageName()) !== 0) {
+            $validationErrors[] = self::E_APK_PACKAGE_NAME_MISMATCH;
+        }
+
+        if (isset($this->action) && strcasecmp($this->action, $initialResponse->getAction()) !== 0) {
+            $validationErrors[] = self::E_ACTION_MISMATCH;
+        }
+
+        if (isset($this->threshold) && $this->threshold > $initialResponse->getScore()) {
+            $validationErrors[] = self::E_SCORE_THRESHOLD_NOT_MET;
+        }
+
+        if (isset($this->timeoutSeconds)) {
+            $challengeTs = strtotime($initialResponse->getChallengeTs());
+
+            if ($challengeTs > 0 && time() - $challengeTs > $this->timeoutSeconds) {
+                $validationErrors[] = self::E_CHALLENGE_TIMEOUT;
+            }
+        }
+
+        if (empty($validationErrors)) {
+            return $initialResponse;
+        }
+
+        return new Response(
+            false,
+            array_merge($initialResponse->getErrorCodes(), $validationErrors),
+            $initialResponse->getHostname(),
+            $initialResponse->getChallengeTs(),
+            $initialResponse->getApkPackageName(),
+            $initialResponse->getScore(),
+            $initialResponse->getAction()
+        );
+    }
 }
diff --git a/tests/ReCaptcha/ReCaptchaTest.php b/tests/ReCaptcha/ReCaptchaTest.php
@@ -56,24 +56,135 @@ public function testVerifyReturnsErrorOnMissingResponse()
         $rc = new ReCaptcha('secret');
         $response = $rc->verify('');
         $this->assertFalse($response->isSuccess());
-        $this->assertEquals(array('missing-input-response'), $response->getErrorCodes());
+        $this->assertEquals(array(Recaptcha::E_MISSING_INPUT_RESPONSE), $response->getErrorCodes());
     }
 
-    public function testVerifyReturnsResponse()
+    private function getMockRequestMethod($responseJson)
     {
         $method = $this->getMockBuilder(\ReCaptcha\RequestMethod::class)
             ->disableOriginalConstructor()
             ->setMethods(array('submit'))
             ->getMock();
-        $method->expects($this->once())
-                ->method('submit')
-                ->with($this->callback(function ($params) {
-                    return true;
-                }))
-                ->will($this->returnValue('{"success": true}'));
-        ;
+        $method->expects($this->any())
+            ->method('submit')
+            ->with($this->callback(function ($params) {
+                return true;
+            }))
+            ->will($this->returnValue($responseJson));
+        return $method;
+    }
+
+    public function testVerifyReturnsResponse()
+    {
+        $method = $this->getMockRequestMethod('{"success": true}');
         $rc = new ReCaptcha('secret', $method);
         $response = $rc->verify('response');
         $this->assertTrue($response->isSuccess());
     }
+
+    public function testVerifyAndValidateReturnsInitialResponseWithoutAdditionalChecks()
+    {
+        $method = $this->getMockRequestMethod('{"success": true}');
+        $rc = new ReCaptcha('secret', $method);
+        $initialResponse = $rc->verify('response');
+        $this->assertEquals($initialResponse, $rc->verifyAndValidate('response'));
+    }
+
+    public function testVerifyAndValidateHostnameMatch()
+    {
+        $method = $this->getMockRequestMethod('{"success": true, "hostname": "host.name"}');
+        $rc = new ReCaptcha('secret', $method);
+        $response = $rc->setExpectedHostname('host.name')->verifyAndValidate('response');
+        $this->assertTrue($response->isSuccess());
+    }
+
+    public function testVerifyAndValidateHostnameMisMatch()
+    {
+        $method = $this->getMockRequestMethod('{"success": true, "hostname": "host.NOTname"}');
+        $rc = new ReCaptcha('secret', $method);
+        $response = $rc->setExpectedHostname('host.name')->verifyAndValidate('response');
+        $this->assertFalse($response->isSuccess());
+        $this->assertEquals(array(ReCaptcha::E_HOSTNAME_MISMATCH), $response->getErrorCodes());
+    }
+
+    public function testVerifyAndValidateApkPackageNameMatch()
+    {
+        $method = $this->getMockRequestMethod('{"success": true, "apk_package_name": "apk.name"}');
+        $rc = new ReCaptcha('secret', $method);
+        $response = $rc->setExpectedApkPackageName('apk.name')->verifyAndValidate('response');
+        $this->assertTrue($response->isSuccess());
+    }
+
+    public function testVerifyAndValidateApkPackageNameMisMatch()
+    {
+        $method = $this->getMockRequestMethod('{"success": true, "apk_package_name": "apk.NOTname"}');
+        $rc = new ReCaptcha('secret', $method);
+        $response = $rc->setExpectedApkPackageName('apk.name')->verifyAndValidate('response');
+        $this->assertFalse($response->isSuccess());
+        $this->assertEquals(array(ReCaptcha::E_APK_PACKAGE_NAME_MISMATCH), $response->getErrorCodes());
+    }
+
+    public function testVerifyAndValidateActionMatch()
+    {
+        $method = $this->getMockRequestMethod('{"success": true, "action": "action/name"}');
+        $rc = new ReCaptcha('secret', $method);
+        $response = $rc->setExpectedAction('action/name')->verifyAndValidate('response');
+        $this->assertTrue($response->isSuccess());
+    }
+
+    public function testVerifyAndValidateActionMisMatch()
+    {
+        $method = $this->getMockRequestMethod('{"success": true, "action": "action/NOTname"}');
+        $rc = new ReCaptcha('secret', $method);
+        $response = $rc->setExpectedAction('action/name')->verifyAndValidate('response');
+        $this->assertFalse($response->isSuccess());
+        $this->assertEquals(array(ReCaptcha::E_ACTION_MISMATCH), $response->getErrorCodes());
+    }
+
+    public function testVerifyAndValidateAboveThreshold()
+    {
+        $method = $this->getMockRequestMethod('{"success": true, "score": "0.9"}');
+        $rc = new ReCaptcha('secret', $method);
+        $response = $rc->setScoreThreshold('0.5')->verifyAndValidate('response');
+        $this->assertTrue($response->isSuccess());
+    }
+
+    public function testVerifyAndValidateBelowThreshold()
+    {
+        $method = $this->getMockRequestMethod('{"success": true, "score": "0.1"}');
+        $rc = new ReCaptcha('secret', $method);
+        $response = $rc->setScoreThreshold('0.5')->verifyAndValidate('response');
+        $this->assertFalse($response->isSuccess());
+        $this->assertEquals(array(ReCaptcha::E_SCORE_THRESHOLD_NOT_MET), $response->getErrorCodes());
+    }
+
+    public function testVerifyAndValidateWithinTimeout()
+    {
+        // Responses come back like 2018-07-31T13:48:41Z
+        $challengeTs = date('Y-M-d\TH:i:s\Z', time());
+        $method = $this->getMockRequestMethod('{"success": true, "challenge_ts": "'.$challengeTs.'"}');
+        $rc = new ReCaptcha('secret', $method);
+        $response = $rc->setChallengeTimeout('1000')->verifyAndValidate('response');
+        $this->assertTrue($response->isSuccess());
+    }
+
+    public function testVerifyAndValidateOverTimeout()
+    {
+        // Responses come back like 2018-07-31T13:48:41Z
+        $challengeTs = date('Y-M-d\TH:i:s\Z', time() - 600);
+        $method = $this->getMockRequestMethod('{"success": true, "challenge_ts": "'.$challengeTs.'"}');
+        $rc = new ReCaptcha('secret', $method);
+        $response = $rc->setChallengeTimeout('60')->verifyAndValidate('response');
+        $this->assertFalse($response->isSuccess());
+        $this->assertEquals(array(ReCaptcha::E_CHALLENGE_TIMEOUT), $response->getErrorCodes());
+    }
+
+    public function testVerifyAndValidateMergesErrors()
+    {
+        $method = $this->getMockRequestMethod('{"success": false, "error-codes": ["initial-error"], "score": "0.1"}');
+        $rc = new ReCaptcha('secret', $method);
+        $response = $rc->setScoreThreshold('0.5')->verifyAndValidate('response');
+        $this->assertFalse($response->isSuccess());
+        $this->assertEquals(array('initial-error', ReCaptcha::E_SCORE_THRESHOLD_NOT_MET), $response->getErrorCodes());
+    }
 }
