feat(resource): add captcha on create contact mutation

Author: sudip-khanal

apps/resources/graphql/inputs.py

@@ -1,12 +1,11 @@
 import strawberry
-import strawberry_django
 
-from apps.resources.models import ContactRequest
 
-
-@strawberry_django.input(ContactRequest)
+@strawberry.input
 class ContactRequestInput:
-    name: strawberry.auto
-    email: strawberry.auto
-    national_society: strawberry.auto
-    content: strawberry.auto
+    name: str
+    email: str
+    national_society: str
+    content: str
+    captcha_hashkey: str
+    captcha_code: str

apps/resources/graphql/mutations.py

@@ -1,21 +1,42 @@
 import strawberry
 import strawberry_django
-from strawberry_django.permissions import IsAuthenticated
+from asgiref.sync import sync_to_async
+from rest_framework.exceptions import ValidationError
 
 from apps.resources.graphql.inputs import ContactRequestInput
 from apps.resources.graphql.types import ContactRequestType
 from apps.resources.serializers import ContactRequestSerializer
 from main.graphql.context import Info
+from utils.common import validate_captcha
 from utils.graphql.mutations import ModelMutation
-from utils.graphql.types import MutationResponseType
+from utils.graphql.types import CustomErrorType, MutationResponseType
 
 
 @strawberry.type
 class Mutation:
-    @strawberry_django.mutation(extensions=[IsAuthenticated()])
+    @strawberry_django.mutation()
     async def create_contact_request(
         self,
         info: Info,
         data: ContactRequestInput,
     ) -> MutationResponseType[ContactRequestType]:
-        return await ModelMutation(ContactRequestSerializer).handle_create_mutation(data, info, None)
+        try:
+            await sync_to_async(validate_captcha)(data.captcha_hashkey, data.captcha_code)
+        except ValidationError as e:
+            return MutationResponseType(
+                ok=False,
+                errors=CustomErrorType(
+                    {
+                        "code": None,
+                        "field": "captch",
+                        "kind": "VALIDATION",
+                        "messages": str(e),
+                    },
+                ),
+                result=None,
+            )
+        return await ModelMutation(ContactRequestSerializer).handle_create_mutation(
+            data,
+            info,
+            None,
+        )

apps/resources/tests/mutation_test.py

@@ -1,5 +1,7 @@
 import typing
 
+from captcha.models import CaptchaStore
+
 from apps.resources.models import ContactRequest
 from apps.user.factories import UserFactory
 from main.tests import TestCase
@@ -49,27 +51,20 @@ def _create_contact_request_mutation(self, data: dict[str, str], **kwargs: typin
         )
 
     def test_create_contact_request(self):
+        # Generates CAPTCHA key and value
+        captcha_key = CaptchaStore.generate_key()
+        captcha_obj = CaptchaStore.objects.get(hashkey=captcha_key)
+        captcha_code = captcha_obj.response
+
         contact_request_data = {
             "name": "John",
             "email": "john@test.com",
             "nationalSociety": "Test National Society",
             "content": "This is test content",
+            "captchaHashkey": captcha_key,
+            "captchaCode": captcha_code,
         }
 
-        # Without authentication
-        content = self._create_contact_request_mutation(contact_request_data)
-
-        assert content["data"]["createContactRequest"]["messages"] == [
-            {
-                "code": None,
-                "field": "createContactRequest",
-                "kind": "PERMISSION",
-                "message": "User is not authenticated.",
-            },
-        ]
-
-        # With authentication
-        self.force_login(self.user)
         content = self._create_contact_request_mutation(data=contact_request_data)
         response_data = content["data"]["createContactRequest"]
 
@@ -84,3 +79,23 @@ def test_create_contact_request(self):
             "content": contact_request.content,
             "nationalSociety": contact_request.national_society,
         }
+
+    def test_create_contact_request_without_captcha(self):
+        contact_request_data = {
+            "name": "John",
+            "email": "john@test.com",
+            "nationalSociety": "Test National Society",
+            "content": "This is test content",
+            "captchaHashkey": "",
+            "captchaCode": "",
+        }
+
+        content = self._create_contact_request_mutation(data=contact_request_data)
+        assert content["data"]["createContactRequest"]["messages"] == [
+            {
+                "code": None,
+                "field": None,
+                "kind": "VALIDATION",
+                "message": "CAPTCHA is required.",
+            },
+        ], content

main/settings.py

@@ -105,6 +105,7 @@
     "djangoql",
     "rest_framework",
     "mdeditor",
+    "captcha",
     # - Health-check
     "health_check",  # required
     "health_check.db",

main/urls.py

@@ -16,6 +16,7 @@
     path("admin/", admin.site.urls),
     path("health-check/", include("health_check.urls")),
     path(r"mdeditor/", include("mdeditor.urls")),
+    path("captcha/", include("captcha.urls")),
     path(
         "graphql/",
         csrf_exempt(

utils/common.py

@@ -8,6 +8,7 @@
 import string
 import typing
 
+from captcha.models import CaptchaStore
 from django.core.exceptions import ValidationError
 from django.core.serializers.json import DjangoJSONEncoder
 from django.db import models
@@ -213,3 +214,19 @@ def to_groups[T](features: list[T], group_size: int, start_index: int = 100):
 
 def get_random_string(length: int) -> str:
     return "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(length))
+
+
+def validate_captcha(hashkey: str, code: str):
+    """Raise ValidationError if captcha invalid."""
+    if not hashkey or not code:
+        raise ValidationError("CAPTCHA is required.")
+
+    try:
+        captcha = CaptchaStore.objects.get(hashkey=hashkey)
+    except CaptchaStore.DoesNotExist:
+        raise ValidationError("Invalid or expired CAPTCHA")  # noqa: B904
+
+    if captcha.response.lower() != code.lower():
+        raise ValidationError("Invalid CAPTCHA")
+
+    captcha.delete()  # NOTE: Delete after successful validation