From 606b286b1ea03135fc00dd63c562a90aa57f8976 Mon Sep 17 00:00:00 2001 From: Skylar Ittner Date: Sun, 15 Apr 2018 20:07:01 -0600 Subject: [PATCH] Switch from reCAPTCHA to Captcheck --- index.php | 11 +++++----- lib/login.php | 50 ++++++++++++++++++++----------------------- required.php | 29 ++++++++++++++----------- settings.template.php | 9 ++++---- 4 files changed, 48 insertions(+), 51 deletions(-) diff --git a/index.php b/index.php index 2398148..9cac721 100644 --- a/index.php +++ b/index.php @@ -1,5 +1,4 @@ - - + + @@ -202,8 +201,8 @@ if ($VARS['progress'] == "1") { ?> " required="required" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" autofocus />
" required="required" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" />
- -
+ +

diff --git a/lib/login.php b/lib/login.php index 00b8975..b3660f6 100644 --- a/lib/login.php +++ b/lib/login.php @@ -52,8 +52,8 @@ function adduser($username, $password, $realname, $email = null, $phone1 = "", $ * @param string $old The current password * @param string $new The new password * @param string $new2 New password again - * @param [string] $error If the function returns false, this will have an array - * with a message ID from `lang/messages.php` and (depending on the message) an + * @param [string] $error If the function returns false, this will have an array + * with a message ID from `lang/messages.php` and (depending on the message) an * extra string for that message. * @return boolean true if the password is changed, else false */ @@ -282,7 +282,7 @@ function doLoginUser($username, $password) { /** * Send an alert email to the system admin - * + * * Used when an account with the status ALERT_ON_ACCESS logs in * @param String $username the account username * @return Mixed TRUE if successful, error string if not @@ -296,7 +296,7 @@ function sendLoginAlertEmail($username, $appname = SITE_TITLE) { } $username = strtolower($username); - + $mail = new PHPMailer; if (DEBUG) { 
@@ -341,30 +341,26 @@ function insertAuthLog($type, $uid = null, $data = "") { $database->insert("authlog", ['logtime' => date("Y-m-d H:i:s"), 'logtype' => $type, 'uid' => $uid, 'ip' => $ip, 'otherdata' => $data]); } -function verifyReCaptcha($response) { - try { - $client = new GuzzleHttp\Client(); - - $response = $client - ->request('POST', "https://www.google.com/recaptcha/api/siteverify", [ - 'form_params' => [ - 'secret' => RECAPTCHA_SECRET_KEY, - 'response' => $response - ] - ]); - - if ($response->getStatusCode() != 200) { - return false; - } - - $resp = json_decode($response->getBody(), TRUE); - if ($resp['success'] === true) { - return true; - } else { - return false; - } - } catch (Exception $e) { +function verifyCaptcheck($session, $answer, $url) { + $data = [ + 'session_id' => $session, + 'answer_id' => $answer, + 'action' => "verify" + ]; + $options = [ + 'http' => [ + 'header' => "Content-type: application/x-www-form-urlencoded\r\n", + 'method' => 'POST', + 'content' => http_build_query($data) + ] + ]; + $context = stream_context_create($options); + $result = file_get_contents($url, false, $context); + $resp = json_decode($result, TRUE); + if (!$resp['result']) { return false; + } else { + return true; } } diff --git a/required.php b/required.php index 790d725..1801afb 100644 --- a/required.php +++ b/required.php @@ -8,6 +8,13 @@ * This file contains global settings and utility functions. */ ob_start(); // allow sending headers after content +// +// Composer +require __DIR__ . '/vendor/autoload.php'; + +// Settings file +require __DIR__ . '/settings.php'; + // Unicode, solves almost all stupid encoding problems header('Content-Type: text/html; charset=utf-8'); 
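Review bot: verifyCaptcheck drops the transport checks the reCAPTCHA version had (HTTP status test, try/catch) without replacing them: `file_get_contents` returns `false` on a connection failure or non-2xx response, that `false` flows into `json_decode`, and `$resp['result']` is then read from `null` (a warning on PHP 8); there is also no timeout, so an unreachable captcha server stalls every login attempt. The function currently fails closed only by accident of PHP's null handling, so make it explicit with a timeout in the stream context, a `=== false` check on the fetch, and an `is_array` guard before reading `result`. Note also that the old path authenticated this site to the verifier with RECAPTCHA_SECRET_KEY, while this request carries only the client-supplied session and answer ids; unless the Captcheck server invalidates a session after its first verify call (not visible here), a solved pair could be replayed, which is worth confirming against the server's API. The caller that supplies `$url` is outside this hunk; it should be the configured CAPTCHA_SERVER, never a request parameter.
```php
function verifyCaptcheck($session, $answer, $url) {
    // … unchanged: $data and $options arrays …
    $options['http']['timeout'] = 10; // seconds; a hung captcha server must not hang the login
    $context = stream_context_create($options);
    $result = file_get_contents($url, false, $context);
    if ($result === false) {
        return false; // connection failure or non-2xx status: fail closed
    }
    $resp = json_decode($result, TRUE);
    return is_array($resp) && !empty($resp['result']);
}
```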
@@ -27,6 +34,7 @@ session_start(); // stick some cookies in it //// renew session cookie setcookie(session_name(), session_id(), time() + $session_length); +$captcha_server = (CAPTCHA_ENABLED === true ? preg_replace("/http(s)?:\/\//", "", CAPTCHA_SERVER) : ""); if ($_SESSION['mobile'] === TRUE) { header("Content-Security-Policy: " . "default-src 'self';" @@ -37,7 +45,7 @@ if ($_SESSION['mobile'] === TRUE) { . "font-src 'self'; " . "connect-src *; " . "style-src 'self' 'unsafe-inline'; " - . "script-src 'self' 'unsafe-inline'"); + . "script-src 'self' 'unsafe-inline' $captcha_server"); } else { header("Content-Security-Policy: " . "default-src 'self';" @@ -48,14 +56,9 @@ if ($_SESSION['mobile'] === TRUE) { . "font-src 'self'; " . "connect-src *; " . "style-src 'self' 'nonce-$SECURE_NONCE'; " - . "script-src 'self' 'nonce-$SECURE_NONCE'"); + . "script-src 'self' 'nonce-$SECURE_NONCE' $captcha_server"); } -// -// Composer -require __DIR__ . '/vendor/autoload.php'; -// Settings file -require __DIR__ . '/settings.php'; // List of alert messages require __DIR__ . '/lang/messages.php'; // text strings (i18n) @@ -76,7 +79,7 @@ function sendError($error) { . "
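Review bot: The `$captcha_server` line adds the captcha host to `script-src` on every page, which hands whoever controls that origin script execution on the login form; with the template default of `https://captcheck.netsyms.com` that is a third party, so self-hosting the Captcheck server, or at least documenting the trust decision next to CAPTCHA_SERVER, is worth considering. Stripping the scheme with `preg_replace` loosens the policy for no gain: a CSP host-source may carry a scheme, so `'script-src ... ' . CAPTCHA_SERVER` would pin https and drop the regex, which as written removes `http://` from anywhere in the string rather than only the prefix, and on a page served over plain http (the template's `URL` default) a scheme-less host source also permits plain-http script loads. Because the value lands in a response header, validating it once at startup, e.g. `filter_var(CAPTCHA_SERVER, FILTER_VALIDATE_URL) !== false`, is cheap insurance against a malformed setting breaking the whole policy. The `if` that follows continues past the end of this hunk.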

A fatal application error has occurred.

" . "(This isn't your fault.)" . "

Details:

" - . "

". htmlspecialchars($error) . "

"); + . "

" . htmlspecialchars($error) . "

"); } date_default_timezone_set(TIMEZONE); @@ -183,7 +186,7 @@ function addLangStrings($strings) { } /** - * Add strings to the i18n global array. Accepts an array of language code + * Add strings to the i18n global array. Accepts an array of language code * keys, with the values a key-value array of strings. * @param array $strings ['en_us' => ['key' => 'value']] */ @@ -417,12 +420,12 @@ function getClientIP() { } /** - * Check if the client's IP has been doing too many brute-force-friendly + * Check if the client's IP has been doing too many brute-force-friendly * requests lately. - * Kills the script with a "friendly" error and response code 429 + * Kills the script with a "friendly" error and response code 429 * (Too Many Requests) if the last access time in the DB is too near. - * - * Also updates the rate_limit table with the latest data and purges old rows. + * + * Also updates the rate_limit table with the latest data and purges old rows. * @global type $database */ function engageRateLimit() { diff --git a/settings.template.php b/settings.template.php index a91eae4..db9da2e 100644 --- a/settings.template.php +++ b/settings.template.php @@ -64,11 +64,10 @@ define("MOBILE_ENABLED", TRUE); // Base URL for site links. define('URL', 'http://localhost/accounthub'); -// Use reCAPTCHA on login screen -// https://www.google.com/recaptcha/ -define("RECAPTCHA_ENABLED", FALSE); -define('RECAPTCHA_SITE_KEY', ''); -define('RECAPTCHA_SECRET_KEY', ''); +// Use Captcheck on login screen +// https://captcheck.netsyms.com +define("CAPTCHA_ENABLED", FALSE); +define('CAPTCHA_SERVER', 'https://captcheck.netsyms.com'); // API URL and index URL for TaskFloor define('TASKFLOOR_API', 'http://localhost/taskfloor/api.php');
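Review bot: The new CAPTCHA_SERVER setting needs a comment saying what the value is used for, because elsewhere in this patch it is both fetched server-side to verify answers and inserted into the Content-Security-Policy `script-src`, so the operator is granting that origin script execution on the login page as well as trusting its verdicts. I would add above the define: `// CAPTCHA_SERVER must be an https:// URL; this origin is contacted to verify answers and is allowed to run scripts on the login page.` The removed RECAPTCHA_SECRET_KEY has no replacement, so a short note that Captcheck needs no site secret (if that is the case per its documentation) would stop operators from looking for one.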