add support for humanity checking on create user page

Author: stepcut

happstack-authenticate.cabal

@@ -1,6 +1,6 @@
 Cabal-version:       2.2
 Name:                happstack-authenticate
-Version:             3.1.1
+Version:             3.2.0
 Synopsis:            Happstack Authentication Library
 Description:         A themeable authentication library with support for username+password
 Homepage:            http://www.happstack.com/

messages/password/error/en.msg

@@ -9,6 +9,7 @@ InvalidResetToken: Invalid reset token
 ExpiredResetToken: The password reset link you used has expired. You must request a new reset link.
 PasswordInternalError: Your request could not be processed. You probably need to contact technical support to resolve this issue.
 PasswordMismatch: Passwords do not match
+HumanityCheckFailed: Humanity checked failed. Are you sure you are not a robot?
 SendmailError: A server configuration error prevented an email from being sent. Please contact us directly
 UnacceptablePassword msg@Text: Unacceptable Password. #{msg}
 CoreError e@CoreError: #{renderMessage HappstackAuthenticateI18N ["en"] e}

src/Happstack/Authenticate/Client.hs

@@ -48,7 +48,7 @@ import Dominator.DOMC
 import Dominator.JSDOM
 import GHCJS.Marshal(toJSVal, fromJSVal)
 import GHCJS.Foreign.Export (Export, export, derefExport)
-import GHCJS.Foreign.Callback (Callback, syncCallback1, OnBlocked(ContinueAsync))
+import GHCJS.Foreign.Callback (OnBlocked(..), Callback, syncCallback1, OnBlocked(ContinueAsync))
 import GHCJS.Nullable (Nullable(..), nullableToMaybe, maybeToNullable)
 import GHCJS.Types (JSVal, jsval)
 import Happstack.Authenticate.Core (ClientInitData(..), Email(..), User(..), Username(..), AuthenticateURL(AmAuthenticated, AuthenticationMethods, InitClient, Logout), AuthenticationMethod(..), JSONResponse(..), Status(..), jsonOptions)
@@ -107,6 +107,7 @@ data AuthenticateModel = AuthenticateModel
   , _postLoginRedirectURL      :: Maybe Text
   , _postSignupRedirectURL     :: Maybe Text
   , _redraws                   :: [AuthenticateModel -> IO ()]
+  , _turnstileToken            :: Maybe Text
   }
 makeLenses ''AuthenticateModel
 
@@ -143,6 +144,7 @@ initAuthenticateModel = AuthenticateModel
  , _postLoginRedirectURL      = Nothing
  , _postSignupRedirectURL     = Nothing
  , _redraws                   = []
+ , _turnstileToken            = Nothing
  }
 
 data SignupPlugin = forall a. SignupPlugin
@@ -188,10 +190,14 @@ dummyPlugin = SignupPlugin
 signupPasswordForm :: [(Text, SignupPlugin)] -> JSDocument -> IO (JSNode, AuthenticateModel -> IO ())
 signupPasswordForm sps =
   [domc|
+    <div>
+     <div id="cf-turnstile-widget" class="cf-turnstile"></div>
+
       <d-if cond="isJust (_muser model)">
         <p>
           <span>You are currently logged in as </span><span>{{ maybe "Unknown" (Text.unpack . _unUsername . _username) (_muser model) }}</span><span>. To create a new account you must first </span><a data-ha-action="logout" href="#">{{ render LogoutMsg }}</a>
         </p>
+
         <form role="form">
          <div class="form-group error">{{_signupError model}}</div>
          <div class="form-group">
@@ -215,7 +221,9 @@ signupPasswordForm sps =
           <input class="form-control" type="submit" value="{{render SignUpMsg}}" />
          </div>
         </form>
+
       </d-if>
+     </div>
         |]
     where
       pluginList :: JSDocument -> IO (JSNode,  SignupPlugin -> IO ())
@@ -615,11 +623,15 @@ signupHandler :: (AuthenticateURL -> Text) -> [(Text, SignupPlugin)] -> JSElemen
 signupHandler routeFn sps rootNode inputUsername inputEmail inputPassword inputPasswordConfirm modelTV e =
   do preventDefault e
      stopPropagation e
+
      musername        <- getValue inputUsername
      memail           <- getValue inputEmail
      mpassword        <- getValue inputPassword
      mpasswordConfirm <- getValue inputPasswordConfirm
-     debugStrLn $ "signupHandler - " ++ show (musername, memail, mpassword, mpasswordConfirm)
+
+     token            <- atomically $ fmap _turnstileToken (readTVar modelTV )
+     debugStrLn $ "signupHandler - " ++ show (musername, memail, mpassword, mpasswordConfirm, token)
+
      case (musername, memail, mpassword, mpasswordConfirm) of
        (Just username, Just email, Just password, Just passwordConfirm) ->
          do let newAccountData =
@@ -629,6 +641,7 @@ signupHandler routeFn sps rootNode inputUsername inputEmail inputPassword inputP
                                                   }
                                  , _naPassword        = textFromJSString password
                                  , _naPasswordConfirm = textFromJSString passwordConfirm
+                                 , _naTurnstileToken  = token
                                  }
 
             -- validate plugins
@@ -858,9 +871,22 @@ clearUser routeFn modelTV =
      send xhr
      doRedraws modelTV
 
+-- foreign import javascript unsafe "turnstile.render($1, { sitekey: $2, callback: function(token) {console.log('turnstile success', token);} })"
+foreign import javascript unsafe "turnstile.render($1, { sitekey: $2, callback: $3 })"
+  js_turnstileRender :: JSString -> JSString -> Callback (JSVal -> IO ()) -> IO JSVal
+
+-- NOTE: instead of selector, render can also take an implementation of HTMLElement
+-- we should implement a binding to that version as well
+turnstileRender :: Text -> Text -> (JSString -> IO ()) -> IO JSVal
+turnstileRender turnstileId turnstileSiteKey onSuccess =
+  do cb <- syncCallback1 ThrowWouldBlock (\jsval ->
+                                            do (Just token) <- fromJSVal (jsval :: JSVal)
+                                               onSuccess token)
+     js_turnstileRender (textToJSString turnstileId) (textToJSString turnstileSiteKey) cb
+
 -- FIXME: what happens if this is called twice?
-initHappstackAuthenticateClient :: Text -> [(Text, SignupPlugin)] -> IO ()
-initHappstackAuthenticateClient baseURL sps =
+initHappstackAuthenticateClient :: Text -> Maybe Text -> [(Text, SignupPlugin)] -> IO ()
+initHappstackAuthenticateClient baseURL mTurnstileKey sps =
   do debugStrLn "initHappstackAuthenticateClient"
      hSetBuffering stdout LineBuffering
      (Just d) <- currentDocument
@@ -955,6 +981,18 @@ initHappstackAuthenticateClient baseURL sps =
                        let (Just newElem) = fromJSNode @JSElement newNode
                        addEventListener newNode (ev @Submit) (signupHandler (\url -> baseURL <> toPathInfo url) sps newElem inputUsername inputEmail inputPassword inputPasswordConfirm modelTV) False
                        addEventListener newNode (ev @Click) (logoutHandler (\url -> baseURL <> toPathInfo url) update modelTV) False
+
+                       -- add turnstile widget
+                       let addTurnstileToken :: JSString -> IO ()
+                           addTurnstileToken token =
+                             do debugStrLn "Adding turnstile token"
+                                atomically $ modifyTVar' modelTV $  \m -> m { _turnstileToken = Just (textFromJSString token) }
+
+                       case mTurnstileKey of
+                         Nothing -> pure ()
+                         (Just siteKey) ->
+                           do tId <- turnstileRender "#cf-turnstile-widget" siteKey addTurnstileToken
+                              pure ()
                        pure update
 --                     addEventListener newNode (ev @Click) (logoutHandler (\url -> baseURL <> toPathInfo url) update modelTV) False
                      -- listen for changes to local storage
@@ -1190,8 +1228,10 @@ clientMain sps =
          (Just script) ->
            do mUrl <- getData (toJSNode script) "baseUrl"
               debugStrLn $ "mUrl = " ++ show mUrl
+              mTurnstileKey <- getData (toJSNode script) "turnstileKey"
+              debugStrLn $ "turnstileKey = " ++ show mTurnstileKey
               case mUrl of
                 Nothing    -> debugStrLn "could not find base url"
                 (Just url) ->
                   do mapM_ (debugStrLn . Text.unpack . fst) sps
-                     initHappstackAuthenticateClient (textFromJSString url) sps
+                     initHappstackAuthenticateClient (textFromJSString url) (fmap textFromJSString mTurnstileKey) sps

src/Happstack/Authenticate/Handlers.hs

@@ -146,19 +146,43 @@ deriveSafeCopy 1 'base ''NewAccountMode
 -- AuthenticateState
 ------------------------------------------------------------------------------
 
+data Turnstile = Turnstile
+  { turnstileSiteKey   :: Text
+  , turnstileSecretKey :: Text
+  }
+ deriving (Eq, Show, Typeable, Generic)
+deriveSafeCopy 1 'base ''Turnstile
+makeLenses ''Turnstile
+
 -- | this acid-state value contains the state common to all
 -- authentication methods
+data AuthenticateState_1 = AuthenticateState_1
+    { _sharedSecrets_1             :: SharedSecrets
+    , _users_1                     :: IxUser
+    , _nextUserId_1                :: UserId
+    , _defaultSessionTimeout_1     :: Int     -- ^ default session time out in seconds
+    , _newAccountMode_1            :: NewAccountMode
+    }
+    deriving (Eq, Show, Typeable, Generic)
+deriveSafeCopy 1 'base ''AuthenticateState_1
+makeLenses ''AuthenticateState_1
+
 data AuthenticateState = AuthenticateState
     { _sharedSecrets             :: SharedSecrets
     , _users                     :: IxUser
     , _nextUserId                :: UserId
     , _defaultSessionTimeout     :: Int     -- ^ default session time out in seconds
     , _newAccountMode            :: NewAccountMode
+    , _turnstile                 :: Maybe Turnstile
     }
     deriving (Eq, Show, Typeable, Generic)
-deriveSafeCopy 1 'base ''AuthenticateState
+deriveSafeCopy 2 'extension ''AuthenticateState
 makeLenses ''AuthenticateState
 
+instance Migrate AuthenticateState where 
+  type MigrateFrom AuthenticateState = AuthenticateState_1
+  migrate (AuthenticateState_1 ss us nui dst nam) = AuthenticateState ss us nui dst nam Nothing
+
 -- | a reasonable initial 'AuthenticateState'
 initialAuthenticateState :: AuthenticateState
 initialAuthenticateState = AuthenticateState
@@ -167,6 +191,7 @@ initialAuthenticateState = AuthenticateState
     , _nextUserId                = UserId 1
     , _defaultSessionTimeout     = 60*60
     , _newAccountMode            = OpenRegistration
+    , _turnstile                 = Nothing
     }
 
 ------------------------------------------------------------------------------
@@ -216,6 +241,19 @@ getNewAccountMode :: Query AuthenticateState NewAccountMode
 getNewAccountMode =
   view newAccountMode
 
+------------------------------------------------------------------------------
+-- Turnstile AcidState Methods
+------------------------------------------------------------------------------
+
+-- | set 'Turnstile' data
+setTurnstile :: Maybe Turnstile
+             -> Update AuthenticateState ()
+setTurnstile t =
+  turnstile .= t
+
+getTurnstile :: Query AuthenticateState (Maybe Turnstile)
+getTurnstile = view turnstile
+
 ------------------------------------------------------------------------------
 -- User related AcidState Methods
 ------------------------------------------------------------------------------
@@ -328,6 +366,8 @@ makeAcidic ''AuthenticateState
     , 'getUserByEmail
     , 'getUsersByEmail
     , 'getAuthenticateState
+    , 'setTurnstile
+    , 'getTurnstile
     ]
 
 ------------------------------------------------------------------------------

src/Happstack/Authenticate/Password/Core.hs

@@ -66,6 +66,7 @@ data PasswordError
   | PasswordInternalError
   | PasswordMismatch
   | SendmailError
+  | HumanityCheckFailed
   | UnacceptablePassword { passwordErrorMessageMsg :: Text }
   | CoreError { passwordErrorMessageE :: CoreError }
     deriving (Eq, Ord, Read, Show, Data, Typeable, Generic)
@@ -144,6 +145,7 @@ data NewAccountData = NewAccountData
     { _naUser            :: User
     , _naPassword        :: Text
     , _naPasswordConfirm :: Text
+    , _naTurnstileToken  :: Maybe Text
     }
     deriving (Eq, Ord, Read, Show, Data, Typeable, Generic)
 makeLenses ''NewAccountData

src/Happstack/Authenticate/Password/Handlers.hs

@@ -41,6 +41,7 @@ import Happstack.Authenticate.Password.Core
 import Happstack.Server
 import HSP.JMacro
 import Language.Javascript.JMacro
+import Network.HTTP.Simple             (Request(..), httpJSON, getResponseBody, parseRequest, setRequestBodyJSON, setRequestMethod)
 import Network.HTTP.Types              (toQuery, renderQuery)
 import Network.Mail.Mime               (Address(..), Mail(..), simpleMail', renderAddress, renderMail', renderSendMail, renderSendMailCustom, sendmail)
 import System.FilePath                 (combine)
@@ -166,6 +167,29 @@ verifyPassword authenticateState passwordState username password =
          (Just user) ->
              query' passwordState (VerifyPasswordForUserId (view userId user) password)
 
+
+verifyTurnstileToken :: Text -> Maybe Text -> IO (Either (Maybe Value) ())
+verifyTurnstileToken _ Nothing = pure (Left Nothing)
+verifyTurnstileToken secret (Just token) =
+  do initReq <- parseRequest "https://challenges.cloudflare.com/turnstile/v0/siteverify"
+     let reqJson = Object (HashMap.fromList [ ( "secret", String secret)
+                                            , ("response", String token)
+                                            ])
+         req = setRequestMethod "POST" $
+               setRequestBodyJSON reqJson $
+               initReq
+     resp <- httpJSON req
+     let json = getResponseBody resp
+     -- liftIO $ print resp
+     case json of
+       (Object obj) ->
+         case HashMap.lookup "success" obj of
+           Nothing -> pure (Left (Just json))
+           (Just success) | success == (Bool True)   -> pure (Right ())
+                          | otherwise -> pure (Left (Just json))
+       _ -> pure (Left (Just json))
+
+
 -- | account handler
 account :: (Happstack m) =>
            AcidState AuthenticateState
@@ -182,32 +206,52 @@ account authenticateState passwordState authenticateConfig passwordConfig Nothin
      case Aeson.decode body of
        Nothing               -> badRequest (Left $ CoreError JSONDecodeFailed)
        (Just newAccount) ->
-           case (authenticateConfig ^. usernameAcceptable) (newAccount ^. naUser ^. username) of
-             (Just e) -> return $ Left (CoreError e)
-             Nothing ->
-                 case validEmail (authenticateConfig ^. requireEmail) (newAccount ^. naUser ^. email) of
-                   (Just e) -> return $ Left e
-                   Nothing ->
-                         if (newAccount ^. naPassword /= newAccount ^. naPasswordConfirm)
-                         then ok $ Left PasswordMismatch
-                         else case (passwordConfig ^. passwordAcceptable) (newAccount ^. naPassword) of
-                                (Just passwdError) -> ok $ Left (UnacceptablePassword passwdError)
-                                Nothing -> do
-                                  eUser <- update' authenticateState (CreateUser $ _naUser newAccount)
-                                  case eUser of
-                                    (Left e) -> return $ Left (CoreError e)
-                                    (Right user) -> do
-                                       hashed <- mkHashedPass (_naPassword newAccount)
-                                       update' passwordState (SetPassword (user ^. userId) hashed)
-                                       case (authenticateConfig ^. createUserCallback) of
-                                         Nothing -> pure ()
-                                         (Just callback) -> liftIO $ callback user
+            -- is username acceptable
+         do case (authenticateConfig ^. usernameAcceptable) (newAccount ^. naUser ^. username) of
+              (Just e) -> return $ Left (CoreError e)
+              Nothing ->
+                -- does email appear to be valid
+                case validEmail (authenticateConfig ^. requireEmail) (newAccount ^. naUser ^. email) of
+                  (Just e) -> return $ Left e
+                  Nothing ->
+                    -- do the passwords match
+                    if (newAccount ^. naPassword /= newAccount ^. naPasswordConfirm)
+                    then ok $ Left PasswordMismatch
+                    -- is the password acceptable
+                    else case (passwordConfig ^. passwordAcceptable) (newAccount ^. naPassword) of
+                           (Just passwdError) -> ok $ Left (UnacceptablePassword passwdError)
+                           Nothing -> do
+                             mUser <- query' authenticateState (GetUserByUsername (newAccount ^. naUser ^. username))
+                             -- is the username aready in use
+                             case mUser of
+                               (Just _) -> return $ Left (CoreError UsernameAlreadyExists)
+                               Nothing -> do
+                                 mTurnstile <- query' authenticateState GetTurnstile
+                                 isHuman <-
+                                   case mTurnstile of
+                                     Nothing -> pure (Right ())
+                                     (Just turnstile) ->
+                                       liftIO $ verifyTurnstileToken (turnstileSecretKey turnstile) (newAccount ^. naTurnstileToken)
+                                 case isHuman of
+                                   (Left mError) ->
+                                     do -- liftIO $ print mError
+                                        pure $ Left HumanityCheckFailed
+                                   (Right ()) -> do
+                                     eUser <- update' authenticateState (CreateUser $ _naUser newAccount)
+                                     case eUser of
+                                       (Left e) -> return $ Left (CoreError e)
+                                       (Right user) -> do
+                                         hashed <- mkHashedPass (_naPassword newAccount)
+                                         update' passwordState (SetPassword (user ^. userId) hashed)
+                                         case (authenticateConfig ^. createUserCallback) of
+                                           Nothing -> pure ()
+                                           (Just callback) -> liftIO $ callback user
 --                                       ok $ (Right (user ^. userId))
-                                       addTokenCookie authenticateState authenticateConfig user
+                                         addTokenCookie authenticateState authenticateConfig user
 #if MIN_VERSION_aeson(2,0,0)
-                                       resp 201 $ Right (Object $ KM.fromList      [("token", toJSON (Token user))])
+                                         resp 201 $ Right (Object $ KM.fromList      [("token", toJSON (Token user))])
 #else
-                                       resp 201 $ Right (Object $ HashMap.fromList [("token", toJSON (Token user))])
+                                         resp 201 $ Right (Object $ HashMap.fromList [("token", toJSON (Token user))])
 #endif
     where
       validEmail :: Bool -> Maybe Email -> Maybe PasswordError