From dcd495f4e4192268fe9b53c56489b9fa08ecb870 Mon Sep 17 00:00:00 2001
From: Skylar Ittner
Date: Tue, 2 May 2017 19:17:59 -0600
Subject: [PATCH] Add reCAPTCHA support, fix bug that allowed logins with only a username and 2fa code

---
 index.php | 73 ++++++++++++++++++++++++++++---------------
 lang/en_us.php | 1 +
 lib/login.php | 26 +++++++++++++++
 settings.template.php | 6 ++++
 4 files changed, 80 insertions(+), 26 deletions(-)

diff --git a/index.php b/index.php
index 1eab30a..f7cd0df 100644
--- a/index.php
+++ b/index.php
@@ -3,42 +3,56 @@
 require_once __DIR__ . "/required.php";
 require_once __DIR__ . "/lib/login.php";
 
+// if we're logged in, we don't need to be here.
+if ($_SESSION['loggedin']) {
+ header('Location: app.php');
+}
+
 /* Authenticate user */
 $userpass_ok = false;
 $multiauth = false;
 if (checkLoginServer()) {
 if ($VARS['progress'] == "1") {
- if (authenticate_user($VARS['username'], $VARS['password'])) {
- switch (get_account_status($VARS['username'])) {
- case "LOCKED_OR_DISABLED":
- $alert = lang("account locked", false);
- break;
- case "TERMINATED":
- $alert = lang("account terminated", false);
- break;
- case "CHANGE_PASSWORD":
- $alert = lang("password expired", false);
- case "NORMAL":
- $userpass_ok = true;
- break;
- case "ALERT_ON_ACCESS":
- sendLoginAlertEmail($VARS['username']);
- $userpass_ok = true;
- break;
- }
- if ($userpass_ok) {
- if (userHasTOTP($VARS['username'])) {
- $multiauth = true;
- } else {
- doLoginUser($VARS['username'], $VARS['password']);
- header('Location: app.php');
- die("Logged in, go to app.php");
+ if (!RECAPTCHA_ENABLED || (RECAPTCHA_ENABLED && verifyReCaptcha($VARS['g-recaptcha-response']))) {
+ if (authenticate_user($VARS['username'], $VARS['password'])) {
+ switch (get_account_status($VARS['username'])) {
+ case "LOCKED_OR_DISABLED":
+ $alert = lang("account locked", false);
+ break;
+ case "TERMINATED":
+ $alert = lang("account terminated", false);
+ break;
+ case "CHANGE_PASSWORD":
+ $alert = lang("password expired", false);
+ case "NORMAL":
+ $userpass_ok = true;
+ break;
+ case "ALERT_ON_ACCESS":
+ sendLoginAlertEmail($VARS['username']);
+ $userpass_ok = true;
+ break;
 }
+ if ($userpass_ok) {
+ $_SESSION['passok'] = true; // stop logins using only username and authcode
+ if (userHasTOTP($VARS['username'])) {
+ $multiauth = true;
+ } else {
+ doLoginUser($VARS['username'], $VARS['password']);
+ header('Location: app.php');
+ die("Logged in, go to app.php");
+ }
+ }
+ } else {
+ $alert = lang("login incorrect", false);
 }
 } else {
- $alert = lang("login incorrect", false);
+ $alert = lang("captcha error", false);
 }
 } else if ($VARS['progress'] == "2") {
+ if ($_SESSION['passok'] !== true) {
+ // stop logins using only username and authcode
+ sendError("Password integrity check failed!");
+ }
 if (verifyTOTP($VARS['username'], $VARS['authcode'])) {
 if (doLoginUser($VARS['username'])) {
 header('Location: app.php');
@@ -66,6 +80,9 @@ if (checkLoginServer()) {
+ + +
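Review bot: `$_SESSION['passok'] = true;` records only that some password was verified, not for which account, so the `progress == "2"` branch that checks it still calls `verifyTOTP($VARS['username'], $VARS['authcode'])` and `doLoginUser($VARS['username'])` with whatever username the second request carries, and nothing ever unsets the flag, so a single password check leaves the TOTP step open for the rest of the session. Store the verified username in the flag, compare it with `$VARS['username']` in step 2, and clear it before the TOTP check so every attempt needs a fresh password check (this assumes sendError() ends the request, which the existing guard already relies on; if the page re-prompts for the code after a failed TOTP, move the unset to after doLoginUser() instead). The new `if ($_SESSION['loggedin']) { header('Location: app.php'); }` also lacks the `die()` that follows the other redirects in this hunk, so the rest of the page still runs for an already-logged-in user; add `die("Logged in, go to app.php");` after that header call. The `if (checkLoginServer())` block continues past the end of the hunk.
```php
            if ($userpass_ok) {
                // remember which account's password was verified, not just that one was
                $_SESSION['passok'] = $VARS['username'];
                // … unchanged: userHasTOTP() / doLoginUser() branch …
            }
// … unchanged: "login incorrect" / "captcha error" alerts …
    } else if ($VARS['progress'] == "2") {
        // step 2 must continue the same account whose password passed step 1
        if (!isset($_SESSION['passok']) || $_SESSION['passok'] !== $VARS['username']) {
            sendError("Password integrity check failed!");
        }
        // one-shot: any further attempt needs a fresh password check
        unset($_SESSION['passok']);
        if (verifyTOTP($VARS['username'], $VARS['authcode'])) {
```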
@@ -97,6 +114,10 @@ if (checkLoginServer()) { ?> " required="required" autofocus />
" required="required" />
+ +
+
+ "Invalid request parameters.", "login server error" => "The login server returned an error: {arg}", "login server user data error" => "The login server refused to provide account information. Try again or contact technical support.", + "captcha error" => "There was a problem with the CAPTCHA (robot test). Try again.", "home" => "Home", ]); \ No newline at end of file diff --git a/lib/login.php b/lib/login.php index f77eb7a..1442478 100644 --- a/lib/login.php +++ b/lib/login.php @@ -192,6 +192,32 @@ function simLogin($username, $password) { } } +function verifyReCaptcha($code) { + try { + $client = new GuzzleHttp\Client(); + + $response = $client + ->request('POST', "https://www.google.com/recaptcha/api/siteverify", [ + 'form_params' => [ + 'secret' => RECAPTCHA_SECRET_KEY, + 'response' => $code + ] + ]); + + if ($response->getStatusCode() != 200) { + return false; + } + + $resp = json_decode($response->getBody(), TRUE); + if ($resp['success'] === true) { + return true; + } + return false; + } catch (Exception $e) { + return false; + } +} + //////////////////////////////////////////////////////////////////////////////// // 2-factor authentication // //////////////////////////////////////////////////////////////////////////////// diff --git a/settings.template.php b/settings.template.php index 8bfd650..f370277 100644 --- a/settings.template.php +++ b/settings.template.php @@ -38,6 +38,12 @@ define("TIMEZONE", "America/Denver"); // Base URL for site links. define('URL', 'http://localhost:8000/'); +// Use reCAPTCHA on login screen +// https://www.google.com/recaptcha/ +define("RECAPTCHA_ENABLED", FALSE); +define('RECAPTCHA_SITE_KEY', ''); +define('RECAPTCHA_SECRET_KEY', ''); + // See lang folder for language options define('LANGUAGE', "en_us");