hCaptcha Support

custom/conf/app.example.ini

@@ -575,10 +575,11 @@ ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
 ENABLE_REVERSE_PROXY_EMAIL = false
 ; Enable captcha validation for registration
 ENABLE_CAPTCHA = false
-; Type of captcha you want to use. Options: image, recaptcha
+; Type of captcha you want to use. Options: image, recaptcha, hcaptcha
 CAPTCHA_TYPE = image
 ; Enable recaptcha to use Google's recaptcha service
 ; Go to https://www.google.com/recaptcha/admin to sign up for a key
+; For hCaptcha, create an account at https://accounts.hcaptcha.com/login to get your keys
 RECAPTCHA_SECRET  =
 RECAPTCHA_SITEKEY =
 ; Change this to use recaptcha.net or other recaptcha service

go.mod

@@ -98,6 +98,7 @@ require (
 	github.com/yuin/goldmark v1.2.1
 	github.com/yuin/goldmark-highlighting v0.0.0-20200307114337-60d527fdb691
 	github.com/yuin/goldmark-meta v0.0.0-20191126180153-f0638e958b60
+	go.jolheiser.com/hcaptcha v0.0.3
 	golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a
 	golang.org/x/net v0.0.0-20200707034311-ab3426394381
 	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d

go.sum

@@ -914,6 +914,8 @@ github.com/ziutek/mymysql v1.5.4/go.mod h1:LMSpPZ6DbqWFxNCHW77HeMg9I646SAhApZ/wK
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.3.4 h1:hi1bXHMVrlQh6WwxAy+qZCV/SYIlqo+Ushwdpa4tAKg=
 go.etcd.io/bbolt v1.3.4/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=
+go.jolheiser.com/hcaptcha v0.0.3 h1:eeKSzTavVSl1C6ts0XfxzgdoHmyVhWkM3bnh0JacSBQ=
+go.jolheiser.com/hcaptcha v0.0.3/go.mod h1:aw32WQOxnQZ6E06C0LypCf+sxNxPACyOnq+ZGnrIYho=
 go.mongodb.org/mongo-driver v1.0.3/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
 go.mongodb.org/mongo-driver v1.1.1 h1:Sq1fR+0c58RME5EoqKdjkiQAmPjmfHlZOoRI6fTUOcs=
 go.mongodb.org/mongo-driver v1.1.1/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=

modules/auth/user_form.go

@@ -83,6 +83,7 @@ type RegisterForm struct {
 	Password           string `binding:"MaxSize(255)"`
 	Retype             string
 	GRecaptchaResponse string `form:"g-recaptcha-response"`
+	HcaptchaResponse   string `form:"h-captcha-response"`
 }
 
 // Validate validates the fields

modules/auth/user_form_auth_openid.go

@@ -25,6 +25,7 @@ type SignUpOpenIDForm struct {
 	UserName           string `binding:"Required;AlphaDashDot;MaxSize(40)"`
 	Email              string `binding:"Required;Email;MaxSize(254)"`
 	GRecaptchaResponse string `form:"g-recaptcha-response"`
+	HcaptchaResponse   string `form:"h-captcha-response"`
 }
 
 // Validate validates the fields

modules/hcaptcha/hcaptcha.go

@@ -0,0 +1,28 @@
+// Copyright 2020 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package hcaptcha
+
+import (
+	"code.gitea.io/gitea/modules/setting"
+
+	"go.jolheiser.com/hcaptcha"
+)
+
+// Verify calls hCaptcha API to verify token
+func Verify(response string) (bool, error) {
+	client, err := hcaptcha.New(setting.Service.RecaptchaSecret)
+	if err != nil {
+		return false, err
+	}
+
+	resp, err := client.Verify(response, hcaptcha.PostOptions{
+		Sitekey: setting.Service.RecaptchaSitekey,
+	})
+	if err != nil {
+		return false, err
+	}
+
+	return resp.Success, resp.ErrorCodes[0]
+}

modules/recaptcha/recaptcha.go

@@ -18,10 +18,10 @@ import (
 
 // Response is the structure of JSON returned from API
 type Response struct {
-	Success     bool      `json:"success"`
-	ChallengeTS time.Time `json:"challenge_ts"`
-	Hostname    string    `json:"hostname"`
-	ErrorCodes  []string  `json:"error-codes"`
+	Success     bool        `json:"success"`
+	ChallengeTS time.Time   `json:"challenge_ts"`
+	Hostname    string      `json:"hostname"`
+	ErrorCodes  []ErrorCode `json:"error-codes"`
 }
 
 const apiURL = "api/siteverify"
@@ -44,5 +44,32 @@ func Verify(response string) (bool, error) {
 		return false, fmt.Errorf("Failed to parse CAPTCHA response: %s", err)
 	}
 
-	return jsonResponse.Success, nil
+	return jsonResponse.Success, jsonResponse.ErrorCodes[0]
+}
+
+// ErrorCode is a reCaptcha error
+type ErrorCode string
+
+// String fulfills the Stringer interface
+func (e ErrorCode) String() string {
+	switch e {
+	case "missing-input-secret":
+		return "The secret parameter is missing."
+	case "invalid-input-secret":
+		return "The secret parameter is invalid or malformed."
+	case "missing-input-response":
+		return "The response parameter is missing."
+	case "invalid-input-response":
+		return "The response parameter is invalid or malformed."
+	case "bad-request":
+		return "The request is invalid or malformed."
+	case "timeout-or-duplicate":
+		return "The response is no longer valid: either is too old or has been used previously."
+	}
+	return string(e)
+}
+
+// Error fulfills the error interface
+func (e ErrorCode) Error() string {
+	return e.String()
 }

modules/setting/setting.go

@@ -61,6 +61,7 @@ const (
 const (
 	ImageCaptcha = "image"
 	ReCaptcha    = "recaptcha"
+	HCaptcha     = "hcaptcha"
 )
 
 // settings

routers/user/auth.go

@@ -17,6 +17,7 @@ import (
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/eventsource"
+	"code.gitea.io/gitea/modules/hcaptcha"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/password"
 	"code.gitea.io/gitea/modules/recaptcha"
@@ -896,15 +897,21 @@ func LinkAccountPostRegister(ctx *context.Context, cpt *captcha.Captcha, form au
 
 	if setting.Service.EnableCaptcha && setting.Service.RequireExternalRegistrationCaptcha {
 		var valid bool
+		var err error
 		switch setting.Service.CaptchaType {
 		case setting.ImageCaptcha:
 			valid = cpt.VerifyReq(ctx.Req)
 		case setting.ReCaptcha:
-			valid, _ = recaptcha.Verify(form.GRecaptchaResponse)
+			valid, err = recaptcha.Verify(form.GRecaptchaResponse)
+		case setting.HCaptcha:
+			valid, err = hcaptcha.Verify(form.HcaptchaResponse)
 		default:
 			ctx.ServerError("Unknown Captcha Type", fmt.Errorf("Unknown Captcha Type: %s", setting.Service.CaptchaType))
 			return
 		}
+		if err != nil {
+			log.Debug(err.Error())
+		}
 
 		if !valid {
 			ctx.Data["Err_Captcha"] = true
@@ -1073,15 +1080,21 @@ func SignUpPost(ctx *context.Context, cpt *captcha.Captcha, form auth.RegisterFo
 
 	if setting.Service.EnableCaptcha {
 		var valid bool
+		var err error
 		switch setting.Service.CaptchaType {
 		case setting.ImageCaptcha:
 			valid = cpt.VerifyReq(ctx.Req)
 		case setting.ReCaptcha:
-			valid, _ = recaptcha.Verify(form.GRecaptchaResponse)
+			valid, err = recaptcha.Verify(form.GRecaptchaResponse)
+		case setting.HCaptcha:
+			valid, err = hcaptcha.Verify(form.HcaptchaResponse)
 		default:
 			ctx.ServerError("Unknown Captcha Type", fmt.Errorf("Unknown Captcha Type: %s", setting.Service.CaptchaType))
 			return
 		}
+		if err != nil {
+			log.Debug(err.Error())
+		}
 
 		if !valid {
 			ctx.Data["Err_Captcha"] = true

routers/user/auth_openid.go

@@ -14,6 +14,7 @@ import (
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/generate"
+	"code.gitea.io/gitea/modules/hcaptcha"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/recaptcha"
 	"code.gitea.io/gitea/modules/setting"
@@ -363,20 +364,29 @@ func RegisterOpenIDPost(ctx *context.Context, cpt *captcha.Captcha, form auth.Si
 
 	if setting.Service.EnableCaptcha {
 		var valid bool
+		var err error
 		switch setting.Service.CaptchaType {
 		case setting.ImageCaptcha:
 			valid = cpt.VerifyReq(ctx.Req)
 		case setting.ReCaptcha:
-			err := ctx.Req.ParseForm()
-			if err != nil {
+			if err := ctx.Req.ParseForm(); err != nil {
 				ctx.ServerError("", err)
 				return
 			}
-			valid, _ = recaptcha.Verify(form.GRecaptchaResponse)
+			valid, err = recaptcha.Verify(form.GRecaptchaResponse)
+		case setting.HCaptcha:
+			if err := ctx.Req.ParseForm(); err != nil {
+				ctx.ServerError("", err)
+				return
+			}
+			valid, err = hcaptcha.Verify(form.HcaptchaResponse)
 		default:
 			ctx.ServerError("Unknown Captcha Type", fmt.Errorf("Unknown Captcha Type: %s", setting.Service.CaptchaType))
 			return
 		}
+		if err != nil {
+			log.Debug(err.Error())
+		}
 
 		if !valid {
 			ctx.Data["Err_Captcha"] = true

templates/base/footer.tmpl

@@ -28,6 +28,9 @@
 	{{if eq .CaptchaType "recaptcha"}}
 		<script src='{{ URLJoin .RecaptchaURL "api.js"}}' async></script>
 	{{end}}
+	{{if eq .CaptchaType "hcaptcha"}}
+		<script src='https://hcaptcha.com/1/api.js' async></script>
+	{{end}}
 {{end}}
 	<script src="{{StaticUrlPrefix}}/js/index.js?v={{MD5 AppVer}}"></script>
 {{template "custom/footer" .}}

templates/user/auth/signup_inner.tmpl

@@ -51,6 +51,11 @@
 								<div class="g-recaptcha" data-sitekey="{{ .RecaptchaSitekey }}"></div>
 							</div>
 						{{end}}
+						{{if and .EnableCaptcha (eq .CaptchaType "hcaptcha")}}
+							<div class="inline field required">
+								<div class="h-captcha" data-sitekey="{{ .RecaptchaSitekey }}"></div>
+							</div>
+						{{end}}
 
 						<div class="inline field">
 							<label></label>

templates/user/auth/signup_openid_register.tmpl

@@ -35,6 +35,11 @@
 							<div class="g-recaptcha" data-sitekey="{{ .RecaptchaSitekey }}"></div>
 						</div>
 					{{end}}
+					{{if and .EnableCaptcha (eq .CaptchaType "hcaptcha")}}
+						<div class="inline field required">
+							<div class="h-captcha" data-sitekey="{{ .RecaptchaSitekey }}"></div>
+						</div>
+					{{end}}
 					<div class="inline field">
 						<label for="openid">OpenID URI</label>
 						<input id="openid" value="{{ .OpenID }}" readonly>