Commit 1e2b131b authored by Dominik Hebeler's avatar Dominik Hebeler

The Bugs that I had fixed on the Master branch for the human verification

parent 9c37d30d
......@@ -2,66 +2,87 @@
namespace App\Http\Controllers;
use Captcha;
use Carbon;
use DB;
use Illuminate\Hashing\BcryptHasher as Hasher;
use Illuminate\Http\Request;
use Validator;
use Input;
use DB;
use Carbon;
class HumanVerification extends Controller
{
public static function captcha(Request $request, $id, $url){
if($request->getMethod() == 'POST'){
$rules = ['captcha' => 'required|captcha'];
$validator = Validator::make($request->all(), $rules);
if($validator->fails()){
return view('captcha')->with('title', 'Bestätigung notwendig')->with('id', $id)->with('url', base64_decode($url))->with('errorMessage', 'Bitte Captcha eingeben:');
}else{
# If we can unlock the Account of this user we will redirect him to the result page
$id = $request->input('id');
$url = $request->input('url');
public static function captcha(Request $request, Hasher $hasher, $id, $url = null)
{
if ($url != null) {
$url = base64_decode(str_replace("<<SLASH>>", "/", $url));
} else {
$url = $request->input('url');
}
$user = DB::table('humanverification')->where('id', $id)->first();
if($user !== null && $user->locked === 1){
if ($request->getMethod() == 'POST') {
$user = DB::table('humanverification')->where('id', $id)->first();
$lockedKey = $user->lockedKey;
$key = $request->input('captcha');
$key = strtolower($key);
if (!$hasher->check($key, $lockedKey)) {
$captcha = Captcha::create("default", true);
DB::table('humanverification')->where('id', $id)->update(['lockedKey' => $captcha["key"]]);
return view('captcha')->with('title', 'Bestätigung notwendig')
->with('id', $id)
->with('url', $url)
->with('image', $captcha["img"])
->with('errorMessage', 'Bitte Captcha eingeben:');
} else {
# If we can unlock the Account of this user we will redirect him to the result page
if ($user !== null && $user->locked === 1) {
DB::table('humanverification')->where('id', $id)->update(['locked' => false]);
return redirect($url);
}else{
} else {
return redirect('/');
}
}
}
return view('captcha')->with('title', 'Bestätigung notwendig')->with('id', $id)->with('url', base64_decode($url));
$captcha = Captcha::create("default", true);
DB::table('humanverification')->where('id', $id)->update(['lockedKey' => $captcha["key"]]);
return view('captcha')->with('title', 'Bestätigung notwendig')
->with('id', $id)
->with('url', $url)
->with('image', $captcha["img"]);
}
public static function remove(Request $request){
if(!$request->has('mm')){
public static function remove(Request $request)
{
if (!$request->has('mm')) {
abort(404, "Keine Katze gefunden.");
}
$id = md5($request->ip());
if(HumanVerification::checkId($request, $request->input('mm'))){
if (HumanVerification::checkId($request, $request->input('mm'))) {
# Remove the entry from the database
DB::table('humanverification')->where('id', $id)->where('updated_at', '<', Carbon::NOW()->subSeconds(2) )->delete();
DB::table('humanverification')->where('id', $id)->where('updated_at', '<', Carbon::NOW()->subSeconds(2))->delete();
}
return response(hex2bin('89504e470d0a1a0a0000000d494844520000000100000001010300000025db56ca00000003504c5445000000a77a3dda0000000174524e530040e6d8660000000a4944415408d76360000000020001e221bc330000000049454e44ae426082'), 200)
->header('Content-Type', 'image/png');
}
public static function removeGet(Request $request, $mm, $password, $url){
$url = base64_decode($url);
public static function removeGet(Request $request, $mm, $password, $url)
{
$url = base64_decode(str_replace("<<SLASH>>", "/", $url));
# If the user is correct and the password is we will delete any entry in the database
$requiredPass = md5($mm . Carbon::NOW()->day . $url . env("PROXY_PASSWORD"));
if(HumanVerification::checkId($request, $mm) && $requiredPass === $password){
if (HumanVerification::checkId($request, $mm) && $requiredPass === $password) {
# Remove the entry from the database
DB::table('humanverification')->where('id', $mm)->where('updated_at', '<', Carbon::NOW()->subSeconds(2) )->delete();
DB::table('humanverification')->where('id', $mm)->where('updated_at', '<', Carbon::NOW()->subSeconds(2))->delete();
}
return redirect($url);
}
private static function checkId($request, $id){
if(md5($request->ip()) === $id){
private static function checkId($request, $id)
{
if (md5($request->ip()) === $id) {
return true;
}else{
} else {
return false;
}
}
......
......@@ -36,11 +36,6 @@ class Kernel extends HttpKernel
],
'session' => [
\App\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
\App\Http\Middleware\VerifyCsrfToken::class,
\Illuminate\Routing\Middleware\SubstituteBindings::class,
],
];
......@@ -53,12 +48,12 @@ class Kernel extends HttpKernel
* @var array
*/
protected $routeMiddleware = [
'auth' => \Illuminate\Auth\Middleware\Authenticate::class,
'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class,
'can' => \Illuminate\Auth\Middleware\Authorize::class,
'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
'auth' => \Illuminate\Auth\Middleware\Authenticate::class,
'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class,
'can' => \Illuminate\Auth\Middleware\Authorize::class,
'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
'referer.check' => \App\Http\Middleware\RefererCheck::class,
'humanverification' => \App\Http\Middleware\HumanVerification::class,
];
......
......@@ -2,9 +2,11 @@
namespace App\Http\Middleware;
use Captcha;
use Carbon;
use Closure;
use DB;
use Carbon;
use Illuminate\Http\Response;
class HumanVerification
{
......@@ -17,50 +19,64 @@ class HumanVerification
*/
public function handle($request, Closure $next)
{
$id = md5($request->ip());
try {
$id = md5($request->ip());
/**
* If the user sends a Password or a key
* We will not verificate the user.
* If someone that uses a bot finds this out we
* might have to change it at some point.
*/
if($request->filled('password') || $request->filled('key') || $request->filled('appversion') || !env('BOT_PROTECTION', false)){
return $next($request);
}
/**
* If the user sends a Password or a key
* We will not verificate the user.
* If someone that uses a bot finds this out we
* might have to change it at some point.
*/
if ($request->has('password') || $request->filled('key') || $request->filled('appversion') || !env('BOT_PROTECTION', false)) {
return $next($request);
}
$user = DB::table('humanverification')->where('id', $id)->first();
$createdAt = now();
$unusedResultPages = 1;
$locked = false;
# If this user doesn't have an entry we will create one
if($user === null){
DB::table('humanverification')->insert(
['id' => $id, 'unusedResultPages' => 1, 'locked' => false, 'updated_at' => now()]
);
# Insert the URL the user tries to reach
DB::table('usedurls')->insert(['user_id' => $id, 'url' => url()->full()]);
$user = DB::table('humanverification')->where('id', $id)->first();
}else if($user->locked !== 1){
$unusedResultPages = intval($user->unusedResultPages);
$unusedResultPages++;
# We have different security gates:
# 50, 75, 85, >=90 => Captcha validated Result Pages
# If the user shows activity on our result page the counter will be deleted
# Maybe I'll add a ban if the user reaches 100
if($unusedResultPages === 50 || $unusedResultPages === 75 || $unusedResultPages === 85 || $unusedResultPages >= 90){
$locked = true;
$createdAt = Carbon::now();
$unusedResultPages = 1;
$locked = false;
# If this user doesn't have an entry we will create one
if ($user === null) {
DB::table('humanverification')->insert(
['id' => $id, 'unusedResultPages' => 1, 'locked' => false, "lockedKey" => "", 'updated_at' => Carbon::now()]
);
# Insert the URL the user tries to reach
$url = url()->full();
DB::table('usedurls')->insert(['user_id' => $id, 'url' => $url]);
$user = DB::table('humanverification')->where('id', $id)->first();
} else if ($user->locked !== 1) {
$unusedResultPages = intval($user->unusedResultPages);
$unusedResultPages++;
# We have different security gates:
# 50, 75, 85, >=90 => Captcha validated Result Pages
# If the user shows activity on our result page the counter will be deleted
# Maybe I'll add a ban if the user reaches 100
if ($unusedResultPages === 50 || $unusedResultPages === 75 || $unusedResultPages === 85 || $unusedResultPages >= 90) {
$locked = true;
}
DB::table('humanverification')->where('id', $id)->update(['unusedResultPages' => $unusedResultPages, 'locked' => $locked, 'updated_at' => $createdAt]);
# Insert the URL the user tries to reach
DB::table('usedurls')->insert(['user_id' => $id, 'url' => url()->full()]);
}
DB::table('humanverification')->where('id', $id)->update(['unusedResultPages' => $unusedResultPages, 'locked' => $locked, 'updated_at' => $createdAt]);
# Insert the URL the user tries to reach
DB::table('usedurls')->insert(['user_id' => $id, 'url' => url()->full()]);
}
$request->request->add(['verification_id' => $id, 'verification_count' => $unusedResultPages]);
$request->request->add(['verification_id' => $id, 'verification_count' => $unusedResultPages]);
# If the user is locked we will force a Captcha validation
if($user->locked === 1){
return redirect('meta/verification/' . $id . '/' . urlencode(base64_encode(url()->full())));
# If the user is locked we will force a Captcha validation
if ($user->locked === 1) {
$captcha = Captcha::create("default", true);
DB::table('humanverification')->where('id', $id)->update(['lockedKey' => $captcha["key"]]);
return
new Response(
view('captcha')
->with('title', "Bestätigung erforderlich")
->with('id', $id)
->with('url', url()->full())
->with('image', $captcha["img"])
);
}
} catch (\Illuminate\Database\QueryException $e) {
// Failure in contacting metager3.de
}
return $next($request);
......
......@@ -4,21 +4,19 @@
@section('content')
<h1>Entschuldigen Sie die Störung</h1>
<p>Wir haben Grund zur Annahme, dass von Ihrem Anschluss verstärkt automatisierte Abfragen abgeschickt wurden.
<p>Wir haben Grund zur Annahme, dass von Ihrem Anschluss verstärkt automatisierte Abfragen abgeschickt wurden.
Deshalb bitten wir Sie, die nachfolgende Captcha Abfrage zu beantworten.</p>
<p>Sollten Sie diese Nachricht häufiger sehen oder handelt es sich dabei um einen Irrtum, schicken Sie uns gerne eine Nachricht über unser <a href="/kontakt">Kontaktformular</a>.</p>
<p>Nennen Sie uns in diesem Fall bitte unbedingt folgende Vorgangsnummer: {{ $id }}
<p>Wir schauen uns den Vorgang dann gerne im Detail an.</p>
<form method="post">
{{ csrf_field() }}
<form method="post" action="{{ route('verification', ['id' => $id]) }}">
<input type="hidden" name="url" value="{!! $url !!}">
<input type="hidden" name="id" value="{{ $id }}">
<p>{!! captcha_img() !!}</p>
<p><img src="{{ $image }}" /></p>
@if(isset($errorMessage))
<p><font color="red">{{$errorMessage}}</font></p>
@endif
<p><input type="text" name="captcha"></p>
<p><button type="submit" name="check">OK</button></p>
</form>
<p>Hinweis: Zum Zwecke der Autorisierung wird auf dieser Seite ein Session Cookie gesetzt.
@endsection
\ No newline at end of file
@endsection
<?php
# In this File we collect all routes which require a session or other cookies to be active
Route::get('captcha/api/{config?}', '\Mews\Captcha\CaptchaController@getCaptchaApi')->middleware('session');
Route::get('captcha/{config?}', '\Mews\Captcha\CaptchaController@getCaptcha')->middleware('session');
Route::match(['get', 'post'], 'meta/verification/{id}/{url}', 'HumanVerification@captcha');
\ No newline at end of file
Route::match(['get', 'post'], 'meta/verification/{id}/{url?}', 'HumanVerification@captcha')->name('verification');
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment