Catch a late binding forgery

Post OpenUserJS#944 OpenUserJS#1867

Author: Martii

controllers/auth.js

@@ -213,10 +213,6 @@ exports.auth = function (aReq, aRes, aNext) {
     if (captchaToken) {
       aReq.session.captchaToken = captchaToken;
       aReq.session.captchaSuccess = aReq.hcaptcha;
-
-      delete aReq.body['g-captcha-response'];
-      delete aReq.body['h-captcha-response'];
-      delete aReq.hcaptcha;
     }
   }
 
@@ -314,12 +310,14 @@ exports.callback = function (aReq, aRes, aNext) {
   var username = aReq.session.username;
   var newstrategy = aReq.session.newstrategy;
   var knownUser = aReq.session.knownUser;
-  var captchaToken = aReq.session.captchaToken;
+  var sessionCaptchaToken = aReq.session.captchaToken;
+  var captchaToken = aReq.body['g-captcha-response'] ?? aReq.body['h-captcha-response'];
+
   var strategyInstance = null;
   var doneUri = aReq.session.user ? '/user/preferences' : '/';
   var SITEKEY = process.env.HCAPTCHA_SITE_KEY;
 
-  if (SITEKEY && !knownUser && !captchaToken) {
+  if (SITEKEY && !knownUser && captchaToken !== sessionCaptchaToken) {
     aRes.redirect('/login?authfail');
     return;
   }