Modified our fork a bit (#1873)

* Whoops... verify happens in parent dep of our fork... so no need to do this in our code. Ahh more time spent learning the hard way. LOL
* Modified fork to accept `SITEKEY` because we expect that to go that way.
* Consolidated the `sessionauth` since that's going to be a future thing with code migration.
* We have the ability to send the IP to them but need to query the establishing owner first.

Post #944 #1867

Auto-merge

Author: Martii

controllers/auth.js

@@ -8,7 +8,6 @@ var isDbg = require('../libs/debug').isDbg;
 //
 
 //--- Dependency inclusions
-var request = require('request');
 var passport = require('passport');
 var url = require('url');
 var colors = require('ansi-colors');
@@ -162,6 +161,18 @@ exports.auth = function (aReq, aRes, aNext) {
     }
   }
 
+  function sessionauth() {
+    // Yet another passport hack.
+    // Initialize the passport session data only when we need it. i.e. late binding
+    if (!aReq.session[passportKey] && aReq._passport.session) {
+      aReq.session[passportKey] = {};
+      aReq._passport.session = aReq.session[passportKey];
+    }
+
+    // Save redirect url from the form submission on the session
+    aReq.session.redirectTo = aReq.body.redirectTo || getRedirect(aReq);
+  }
+
   function anteauth() {
     // Store the useragent always so we still have it when they
     // get back from authentication and/or attaching
@@ -222,41 +233,19 @@ exports.auth = function (aReq, aRes, aNext) {
       return;
     }
 
+    sessionauth();
 
-    // TODO: Send out token and sitekey back to https://hcaptcha.com/siteverify
-    // ... routine with req hcaptcha?
-    // If successful then do below and call anteauth otherwise redirect
-
-      // Yet another passport hack.
-      // Initialize the passport session data only when we need it. i.e. late binding
-      if (!aReq.session[passportKey] && aReq._passport.session) {
-        aReq.session[passportKey] = {};
-        aReq._passport.session = aReq.session[passportKey];
-      }
-
-      // Save redirect url from the form submission on the session
-      aReq.session.redirectTo = aReq.body.redirectTo || getRedirect(aReq);
-
-      // Store the username always so we still have it when they
-      // get back from authentication
-        aReq.session.username = username;
-
-      anteauth();
+    // Store the username always so we still have it when they
+    // get back from authentication
+    aReq.session.username = username;
 
+    anteauth();
 
   } else {
     // Already validated username
     username = aReq.session.username || (authedUser ? authedUser.name : null);
 
-    // Yet another passport hack.
-    // Initialize the passport session data only when we need it. i.e. late binding
-    if (!aReq.session[passportKey] && aReq._passport.session) {
-      aReq.session[passportKey] = {};
-      aReq._passport.session = aReq.session[passportKey];
-    }
-
-    // Save redirect url from the form submission on the session
-    aReq.session.redirectTo = aReq.body.redirectTo || getRedirect(aReq);
+    sessionauth();
 
     // Allow a logged in user to add a new strategy
     if (strategy) {

routes.js

@@ -10,6 +10,7 @@ var MongoStore = require('rate-limit-mongo');
 var exec = require('child_process').exec;
 var hcaptcha = require('express-hcaptcha');
 var SECRET = process.env.HCAPTCHA_SECRET_KEY;
+var SITEKEY = process.env.HCAPTCHA_SITE_KEY;
 
 //
 var main = require('./controllers/index');
@@ -123,7 +124,7 @@ module.exports = function (aApp) {
 
   //--- Routes
   // Authentication routes
-  aApp.route('/auth/').post(authentication.preauth, hcaptcha.middleware.validate(SECRET),
+  aApp.route('/auth/').post(authentication.preauth, hcaptcha.middleware.validate(SECRET, SITEKEY),
     function (aErr, aReq, aRes, aNext) {
       if (aErr) {
         aRes.redirect(302, '/login?authfail');