Commit c7aa7f52 authored by Dominik Hebeler's avatar Dominik Hebeler

The bugs that I had fixed on the master branch for the human verification

parent 4b4066d5
...@@ -2,66 +2,87 @@ ...@@ -2,66 +2,87 @@
namespace App\Http\Controllers; namespace App\Http\Controllers;
use Captcha;
use Carbon;
use DB;
use Illuminate\Hashing\BcryptHasher as Hasher;
use Illuminate\Http\Request; use Illuminate\Http\Request;
use Validator;
use Input; use Input;
use DB;
use Carbon;
class HumanVerification extends Controller class HumanVerification extends Controller
{ {
public static function captcha(Request $request, $id, $url){ public static function captcha(Request $request, Hasher $hasher, $id, $url = null)
if($request->getMethod() == 'POST'){ {
$rules = ['captcha' => 'required|captcha']; if ($url != null) {
$validator = Validator::make($request->all(), $rules); $url = base64_decode(str_replace("<<SLASH>>", "/", $url));
if($validator->fails()){ } else {
return view('captcha')->with('title', 'Bestätigung notwendig')->with('id', $id)->with('url', base64_decode($url))->with('errorMessage', 'Bitte Captcha eingeben:'); $url = $request->input('url');
}else{ }
# If we can unlock the Account of this user we will redirect him to the result page
$id = $request->input('id');
$url = $request->input('url');
$user = DB::table('humanverification')->where('id', $id)->first(); if ($request->getMethod() == 'POST') {
if($user !== null && $user->locked === 1){ $user = DB::table('humanverification')->where('id', $id)->first();
$lockedKey = $user->lockedKey;
$key = $request->input('captcha');
$key = strtolower($key);
if (!$hasher->check($key, $lockedKey)) {
$captcha = Captcha::create("default", true);
DB::table('humanverification')->where('id', $id)->update(['lockedKey' => $captcha["key"]]);
return view('captcha')->with('title', 'Bestätigung notwendig')
->with('id', $id)
->with('url', $url)
->with('image', $captcha["img"])
->with('errorMessage', 'Bitte Captcha eingeben:');
} else {
# If we can unlock the Account of this user we will redirect him to the result page
if ($user !== null && $user->locked === 1) {
DB::table('humanverification')->where('id', $id)->update(['locked' => false]); DB::table('humanverification')->where('id', $id)->update(['locked' => false]);
return redirect($url); return redirect($url);
}else{ } else {
return redirect('/'); return redirect('/');
} }
} }
} }
return view('captcha')->with('title', 'Bestätigung notwendig')->with('id', $id)->with('url', base64_decode($url)); $captcha = Captcha::create("default", true);
DB::table('humanverification')->where('id', $id)->update(['lockedKey' => $captcha["key"]]);
return view('captcha')->with('title', 'Bestätigung notwendig')
->with('id', $id)
->with('url', $url)
->with('image', $captcha["img"]);
} }
public static function remove(Request $request){ public static function remove(Request $request)
if(!$request->has('mm')){ {
if (!$request->has('mm')) {
abort(404, "Keine Katze gefunden."); abort(404, "Keine Katze gefunden.");
} }
$id = md5($request->ip()); $id = md5($request->ip());
if(HumanVerification::checkId($request, $request->input('mm'))){ if (HumanVerification::checkId($request, $request->input('mm'))) {
# Remove the entry from the database # Remove the entry from the database
DB::table('humanverification')->where('id', $id)->where('updated_at', '<', Carbon::NOW()->subSeconds(2) )->delete(); DB::table('humanverification')->where('id', $id)->where('updated_at', '<', Carbon::NOW()->subSeconds(2))->delete();
} }
return response(hex2bin('89504e470d0a1a0a0000000d494844520000000100000001010300000025db56ca00000003504c5445000000a77a3dda0000000174524e530040e6d8660000000a4944415408d76360000000020001e221bc330000000049454e44ae426082'), 200) return response(hex2bin('89504e470d0a1a0a0000000d494844520000000100000001010300000025db56ca00000003504c5445000000a77a3dda0000000174524e530040e6d8660000000a4944415408d76360000000020001e221bc330000000049454e44ae426082'), 200)
->header('Content-Type', 'image/png'); ->header('Content-Type', 'image/png');
} }
public static function removeGet(Request $request, $mm, $password, $url){ public static function removeGet(Request $request, $mm, $password, $url)
$url = base64_decode($url); {
$url = base64_decode(str_replace("<<SLASH>>", "/", $url));
# If the user is correct and the password is we will delete any entry in the database # If the user is correct and the password is we will delete any entry in the database
$requiredPass = md5($mm . Carbon::NOW()->day . $url . env("PROXY_PASSWORD")); $requiredPass = md5($mm . Carbon::NOW()->day . $url . env("PROXY_PASSWORD"));
if(HumanVerification::checkId($request, $mm) && $requiredPass === $password){ if (HumanVerification::checkId($request, $mm) && $requiredPass === $password) {
# Remove the entry from the database # Remove the entry from the database
DB::table('humanverification')->where('id', $mm)->where('updated_at', '<', Carbon::NOW()->subSeconds(2) )->delete(); DB::table('humanverification')->where('id', $mm)->where('updated_at', '<', Carbon::NOW()->subSeconds(2))->delete();
} }
return redirect($url); return redirect($url);
} }
private static function checkId($request, $id){ private static function checkId($request, $id)
if(md5($request->ip()) === $id){ {
if (md5($request->ip()) === $id) {
return true; return true;
}else{ } else {
return false; return false;
} }
} }
......
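Review bot: `$lockedKey = $user->lockedKey;` in the POST branch dereferences `$user` before the `$user !== null && $user->locked === 1` check further down, so a POST for an id with no humanverification row errors out instead of taking the intended `redirect('/')`; move the guard up, `if ($user === null) { return redirect('/'); }`, directly after the `first()` call. The target of `return redirect($url);` is the base64-decoded route parameter or the `url` request input with no validation, so an arbitrary absolute URL can be handed to the redirect (open redirect); restrict it to a relative path or to the application's own host, e.g. by comparing `parse_url($url, PHP_URL_HOST)` with the request host, before redirecting. Unlike `remove` and `removeGet`, `captcha` never calls `HumanVerification::checkId($request, $id)` before unlocking the `$id` taken from the URL, so the row can be unlocked by a client other than the one it was created for; presumably the same guard belongs here. The class continues outside this hunk.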
...@@ -36,11 +36,6 @@ class Kernel extends HttpKernel ...@@ -36,11 +36,6 @@ class Kernel extends HttpKernel
], ],
'session' => [ 'session' => [
\App\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
\App\Http\Middleware\VerifyCsrfToken::class,
\Illuminate\Routing\Middleware\SubstituteBindings::class, \Illuminate\Routing\Middleware\SubstituteBindings::class,
], ],
]; ];
...@@ -53,12 +48,12 @@ class Kernel extends HttpKernel ...@@ -53,12 +48,12 @@ class Kernel extends HttpKernel
* @var array * @var array
*/ */
protected $routeMiddleware = [ protected $routeMiddleware = [
'auth' => \Illuminate\Auth\Middleware\Authenticate::class, 'auth' => \Illuminate\Auth\Middleware\Authenticate::class,
'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class, 'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class, 'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class,
'can' => \Illuminate\Auth\Middleware\Authorize::class, 'can' => \Illuminate\Auth\Middleware\Authorize::class,
'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class, 'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class, 'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
'referer.check' => \App\Http\Middleware\RefererCheck::class, 'referer.check' => \App\Http\Middleware\RefererCheck::class,
'humanverification' => \App\Http\Middleware\HumanVerification::class, 'humanverification' => \App\Http\Middleware\HumanVerification::class,
]; ];
......
...@@ -2,9 +2,11 @@ ...@@ -2,9 +2,11 @@
namespace App\Http\Middleware; namespace App\Http\Middleware;
use Captcha;
use Carbon;
use Closure; use Closure;
use DB; use DB;
use Carbon; use Illuminate\Http\Response;
class HumanVerification class HumanVerification
{ {
...@@ -17,50 +19,64 @@ class HumanVerification ...@@ -17,50 +19,64 @@ class HumanVerification
*/ */
public function handle($request, Closure $next) public function handle($request, Closure $next)
{ {
$id = md5($request->ip()); try {
$id = md5($request->ip());
/** /**
* If the user sends a Password or a key * If the user sends a Password or a key
* We will not verificate the user. * We will not verificate the user.
* If someone that uses a bot finds this out we * If someone that uses a bot finds this out we
* might have to change it at some point. * might have to change it at some point.
*/ */
if($request->filled('password') || $request->filled('key') || $request->filled('appversion') || !env('BOT_PROTECTION', false)){ if ($request->has('password') || $request->filled('key') || $request->filled('appversion') || !env('BOT_PROTECTION', false)) {
return $next($request); return $next($request);
} }
$user = DB::table('humanverification')->where('id', $id)->first();
$createdAt = now();
$unusedResultPages = 1;
$locked = false;
# If this user doesn't have an entry we will create one
if($user === null){
DB::table('humanverification')->insert(
['id' => $id, 'unusedResultPages' => 1, 'locked' => false, 'updated_at' => now()]
);
# Insert the URL the user tries to reach
DB::table('usedurls')->insert(['user_id' => $id, 'url' => url()->full()]);
$user = DB::table('humanverification')->where('id', $id)->first(); $user = DB::table('humanverification')->where('id', $id)->first();
}else if($user->locked !== 1){ $createdAt = Carbon::now();
$unusedResultPages = intval($user->unusedResultPages); $unusedResultPages = 1;
$unusedResultPages++; $locked = false;
# We have different security gates: # If this user doesn't have an entry we will create one
# 50, 75, 85, >=90 => Captcha validated Result Pages if ($user === null) {
# If the user shows activity on our result page the counter will be deleted DB::table('humanverification')->insert(
# Maybe I'll add a ban if the user reaches 100 ['id' => $id, 'unusedResultPages' => 1, 'locked' => false, "lockedKey" => "", 'updated_at' => Carbon::now()]
if($unusedResultPages === 50 || $unusedResultPages === 75 || $unusedResultPages === 85 || $unusedResultPages >= 90){ );
$locked = true; # Insert the URL the user tries to reach
$url = url()->full();
DB::table('usedurls')->insert(['user_id' => $id, 'url' => $url]);
$user = DB::table('humanverification')->where('id', $id)->first();
} else if ($user->locked !== 1) {
$unusedResultPages = intval($user->unusedResultPages);
$unusedResultPages++;
# We have different security gates:
# 50, 75, 85, >=90 => Captcha validated Result Pages
# If the user shows activity on our result page the counter will be deleted
# Maybe I'll add a ban if the user reaches 100
if ($unusedResultPages === 50 || $unusedResultPages === 75 || $unusedResultPages === 85 || $unusedResultPages >= 90) {
$locked = true;
}
DB::table('humanverification')->where('id', $id)->update(['unusedResultPages' => $unusedResultPages, 'locked' => $locked, 'updated_at' => $createdAt]);
# Insert the URL the user tries to reach
DB::table('usedurls')->insert(['user_id' => $id, 'url' => url()->full()]);
} }
DB::table('humanverification')->where('id', $id)->update(['unusedResultPages' => $unusedResultPages, 'locked' => $locked, 'updated_at' => $createdAt]);
# Insert the URL the user tries to reach
DB::table('usedurls')->insert(['user_id' => $id, 'url' => url()->full()]);
}
$request->request->add(['verification_id' => $id, 'verification_count' => $unusedResultPages]);
$request->request->add(['verification_id' => $id, 'verification_count' => $unusedResultPages]);
# If the user is locked we will force a Captcha validation # If the user is locked we will force a Captcha validation
if($user->locked === 1){ if ($user->locked === 1) {
return redirect('meta/verification/' . $id . '/' . urlencode(base64_encode(url()->full()))); $captcha = Captcha::create("default", true);
DB::table('humanverification')->where('id', $id)->update(['lockedKey' => $captcha["key"]]);
return
new Response(
view('captcha')
->with('title', "Bestätigung erforderlich")
->with('id', $id)
->with('url', url()->full())
->with('image', $captcha["img"])
);
}
} catch (\Illuminate\Database\QueryException $e) {
// Failure in contacting metager3.de
} }
return $next($request); return $next($request);
......
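Review bot: The bypass condition now uses `$request->has('password')` while the neighbouring `key` and `appversion` checks keep `filled()`; `has()` is true for a parameter that is present but empty, so a request carrying `password=` with no value skips the verification entirely, and `if ($request->filled('password') || $request->filled('key') || ...` is the consistent check. The new `catch (\Illuminate\Database\QueryException $e)` block discards the exception and falls through to `return $next($request)`, so a database failure switches bot protection off silently; at least `report($e);` inside the catch makes that state observable. The comment `// Failure in contacting metager3.de` is hard to map to a QueryException — presumably the database host is meant — and `// Database unavailable: fail open, request passes without verification` states what actually happens. `handle()` starts before this hunk.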
...@@ -4,21 +4,19 @@ ...@@ -4,21 +4,19 @@
@section('content') @section('content')
<h1>Entschuldigen Sie die Störung</h1> <h1>Entschuldigen Sie die Störung</h1>
<p>Wir haben Grund zur Annahme, dass von Ihrem Anschluss verstärkt automatisierte Abfragen abgeschickt wurden. <p>Wir haben Grund zur Annahme, dass von Ihrem Anschluss verstärkt automatisierte Abfragen abgeschickt wurden.
Deshalb bitten wir Sie, die nachfolgende Captcha Abfrage zu beantworten.</p> Deshalb bitten wir Sie, die nachfolgende Captcha Abfrage zu beantworten.</p>
<p>Sollten Sie diese Nachricht häufiger sehen oder handelt es sich dabei um einen Irrtum, schicken Sie uns gerne eine Nachricht über unser <a href="/kontakt">Kontaktformular</a>.</p> <p>Sollten Sie diese Nachricht häufiger sehen oder handelt es sich dabei um einen Irrtum, schicken Sie uns gerne eine Nachricht über unser <a href="/kontakt">Kontaktformular</a>.</p>
<p>Nennen Sie uns in diesem Fall bitte unbedingt folgende Vorgangsnummer: {{ $id }} <p>Nennen Sie uns in diesem Fall bitte unbedingt folgende Vorgangsnummer: {{ $id }}
<p>Wir schauen uns den Vorgang dann gerne im Detail an.</p> <p>Wir schauen uns den Vorgang dann gerne im Detail an.</p>
<form method="post"> <form method="post" action="{{ route('verification', ['id' => $id]) }}">
{{ csrf_field() }}
<input type="hidden" name="url" value="{!! $url !!}"> <input type="hidden" name="url" value="{!! $url !!}">
<input type="hidden" name="id" value="{{ $id }}"> <input type="hidden" name="id" value="{{ $id }}">
<p>{!! captcha_img() !!}</p> <p><img src="{{ $image }}" /></p>
@if(isset($errorMessage)) @if(isset($errorMessage))
<p><font color="red">{{$errorMessage}}</font></p> <p><font color="red">{{$errorMessage}}</font></p>
@endif @endif
<p><input type="text" name="captcha"></p> <p><input type="text" name="captcha"></p>
<p><button type="submit" name="check">OK</button></p> <p><button type="submit" name="check">OK</button></p>
</form> </form>
<p>Hinweis: Zum Zwecke der Autorisierung wird auf dieser Seite ein Session Cookie gesetzt. @endsection
@endsection
\ No newline at end of file
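Review bot: `<input type="hidden" name="url" value="{!! $url !!}">` prints `$url` unescaped inside an attribute, and the controller in this commit now fills it from the route parameter or the `url` request input, so a value containing a double quote breaks out of the attribute and into the markup; `{{ $url }}` (HTML-escaped) is the right form here, as the browser submits the decoded value anyway. `{{ csrf_field() }}` is added while the same commit removes `VerifyCsrfToken` and `StartSession` from the `session` middleware group in Kernel.php; unless the verification route is covered by another group, the token is emitted but never checked, which is presumably not intended.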
<?php <?php
# In this File we collect all routes which require a session or other cookies to be active # In this File we collect all routes which require a session or other cookies to be active
Route::match(['get', 'post'], 'meta/verification/{id}/{url?}', 'HumanVerification@captcha')->name('verification');
Route::get('captcha/api/{config?}', '\Mews\Captcha\CaptchaController@getCaptchaApi')->middleware('session');
Route::get('captcha/{config?}', '\Mews\Captcha\CaptchaController@getCaptcha')->middleware('session');
Route::match(['get', 'post'], 'meta/verification/{id}/{url}', 'HumanVerification@captcha');
\ No newline at end of file