Plug a hole (#1881)

* If not running captcha it's still there *(even prior to the refactor... saw it in a .user.js a while back)*
* Fix non-captcha'd site forks
* Refocus on SITEKEY instead of SECRET ... don't want accidental exposure from other devs.

Post #944 #1867

NOTE:
* Special thanks to datinginfos *(a spammer)* for confirming. ;) :)

Auto-merge

Author: Martii

controllers/auth.js

@@ -84,7 +84,6 @@ exports.preauth = function (aReq, aRes, aNext) {
   var authedUser = aReq.session.user;
 
   var username = aReq.body.username;
-  var SECRET = process.env.HCAPTCHA_SECRET_KEY;
   var SITEKEY = process.env.HCAPTCHA_SITE_KEY;
 
   if (!authedUser) {
@@ -115,19 +114,28 @@ exports.preauth = function (aReq, aRes, aNext) {
           return;
         }
 
-        if (aUser || !SECRET) {
+        if (aUser) {
           // Ensure that casing is identical so we still have it, correctly, when they
           // get back from authentication
           aReq.body.username = aUser.name;
 
-          // Skip captcha for known individual and not implemented
+          if (aUser) {
+            aReq.knownUser = true;
+          }
+
+          // Skip captcha for known individual
           exports.auth(aReq, aRes, aNext);
         } else {
           // Match cleansed name and this is the casing they have chosen
           aReq.body.username = username;
 
           // Validate captcha for unknown individual
-          aNext();
+          if (!SITEKEY) {
+            // Skip captcha for not implemented
+            exports.auth(aReq, aRes, aNext);
+          } else {
+            aNext();
+          }
         }
     });
   } else {
@@ -197,6 +205,10 @@ exports.auth = function (aReq, aRes, aNext) {
     // Save redirect url from the form submission on the session
     aReq.session.redirectTo = aReq.body.redirectTo || getRedirect(aReq);
 
+    // Save the known user on the session and remove
+    aReq.session.knownUser = aReq.knownUser;
+    delete aReq.knownUser;
+
     // Save the token from the captcha on the session and remove from body
     if (captchaToken) {
       aReq.session.captchaToken = captchaToken;
@@ -301,8 +313,17 @@ exports.callback = function (aReq, aRes, aNext) {
   var strategy = aReq.params.strategy;
   var username = aReq.session.username;
   var newstrategy = aReq.session.newstrategy;
+  var knownUser = aReq.session.knownUser;
+  var captchaToken = aReq.session.captchaToken;
   var strategyInstance = null;
   var doneUri = aReq.session.user ? '/user/preferences' : '/';
+  var SITEKEY = process.env.HCAPTCHA_SITE_KEY;
+
+
+  if (SITEKEY && !knownUser && !captchaToken) {
+    aRes.redirect('/login?fail');
+    return;
+  }
 
   // The callback was called improperly or sesssion expired
   if (!strategy || !username) {

controllers/index.js

@@ -218,7 +218,6 @@ exports.register = function (aReq, aRes) {
   var authedUser = aReq.session.user;
   var tasks = [];
 
-  var SECRET = process.env.HCAPTCHA_SECRET_KEY;
   var SITEKEY = process.env.HCAPTCHA_SITE_KEY;
 
   // If already logged in, go back.
@@ -227,8 +226,7 @@ exports.register = function (aReq, aRes) {
     return;
   }
 
-  options.hasCaptcha = (SECRET ? true : false);
-  options.hcaptchaSiteKey = (SITEKEY ? SITEKEY : '');
+  options.hasCaptcha = (SITEKEY ? SITEKEY : '');
 
   options.redirectTo = getRedirect(aReq);
 
@@ -262,10 +260,9 @@ exports.register = function (aReq, aRes) {
   //
 
   Strategy.find({}, function (aErr, aAvailableStrategies) {
-    var SECRET = process.env.HCAPTCHA_SECRET_KEY;
     var SITEKEY = process.env.HCAPTCHA_SITE_KEY;
     var defaultCSP = ' \'self\'';
-    var captchaCSP = (SECRET ? ' hcaptcha.com *.hcaptcha.com' : '');
+    var captchaCSP = (SITEKEY ? ' hcaptcha.com *.hcaptcha.com' : '');
 
     if (aErr || !aAvailableStrategies) {
       statusCodePage(aReq, aRes, aNext, {
@@ -283,7 +280,7 @@ exports.register = function (aReq, aRes) {
         });
       });
 
-      options.hasCaptcha = (SECRET ? true : false);
+      options.hasCaptcha = (SITEKEY ? SITEKEY : '');
 
       options.nonce = crypto.randomBytes(512).toString('hex');
       defaultCSP += ' \'nonce-' + options.nonce + '\'';

routes.js

@@ -9,8 +9,8 @@ var rateLimit = require('express-rate-limit');
 var MongoStore = require('rate-limit-mongo');
 var exec = require('child_process').exec;
 var hcaptcha = require('express-hcaptcha');
-var SECRET = process.env.HCAPTCHA_SECRET_KEY;
 var SITEKEY = process.env.HCAPTCHA_SITE_KEY;
+var SECRET = process.env.HCAPTCHA_SECRET_KEY;
 
 //
 var main = require('./controllers/index');

views/pages/loginPage.html

@@ -41,7 +41,7 @@ <h3>
           <div style="width: 100%;">
             <div class="input-group-addon">
               {{#hasCaptcha}}
-              <div class="h-captcha" data-sitekey="{{hcaptchaSiteKey}}"></div>
+              <div class="h-captcha" data-sitekey="{{hasCaptcha}}"></div>
               {{/hasCaptcha}}
               <p>
                 <ul class="nav nav-pills nav-justified">