sovrin-foundation · KoleBarnes · Apr 13, 2022
diff --git a/.gitignore b/.gitignore
@@ -10,3 +10,7 @@ __pycache__/
 [._]s[a-rt-v][a-z]
 [._]ss[a-gi-z]
 [._]sw[a-p]
+
+*.env
+venv/
+.vscode/
diff --git a/selfserve/REQUIREMENTS.TXT b/selfserve/REQUIREMENTS.TXT
@@ -4,3 +4,4 @@ aioboto3
 indy
 Python3-indy
 python-dotenv
+requests
diff --git a/selfserve/main_selfserve/nym.py b/selfserve/main_selfserve/nym.py
@@ -8,6 +8,7 @@
 import argparse
 import datetime
 import base58
+import requests
 import re
 from aiohttp import web
 import platform
@@ -783,6 +784,30 @@ def my_handler(event, context):
     logging.debug("response: %s" % json.dumps(response))
     return response
 
+async def verify_captcha(request) -> dict:
+    secret_key = os.environ.get('RECAPTCHA_SECRET_KEY')
+    captcha_rs = None
+    if not secret_key:
+        return {"status": False, "message": "Secret key not found"}
+    msgbody = await request.json()
+    if 'captcha_response' in msgbody:
+        captcha_rs = msgbody['captcha_response']
+    if not captcha_rs:
+        return {"status": False, "message": "Captcha response not provided"}
+
+    url = "https://www.google.com/recaptcha/api/siteverify"
+    params = {
+        "secret": secret_key,
+        "response": captcha_rs,
+        "remoteip": request.host,
+    }
+    verify_rs = requests.get(url, params=params, verify=True)
+    verify_rs = verify_rs.json()
+    return {
+        "status": verify_rs.get("success", False),
+        "message": verify_rs.get("error-codes", None) or "Unspecified error.",
+    }
+
 async def handle_nym_req(request):
     handles = request.app['handles']
     xfer_lock = request.app['xfer_lock']
@@ -793,9 +818,15 @@ async def handle_nym_req(request):
     tmp_errors=[]
 
     nyms = []
+    errors = {}
+    load_dotenv()
     #logging.debug("Event body >%s<" % event['body'])
     msgbody = await request.json() #written by dbluhm (not copied)
 
+    verified_captcha = await verify_captcha(request)
+    if not verified_captcha["status"]:
+        return web.HTTPUnauthorized()
+
     # Validate and build nyms from request body; setting name and sourceIP for
     # each nym.
 
@@ -807,7 +838,6 @@ async def handle_nym_req(request):
         'body': json.dumps(responseBody)
     }
 
-    errors = {}
     logger.debug("Processing single (non-batch) request...")
     if (msgbody['did'] == "") and (msgbody['verkey'] == "") and (msgbody['paymentaddr'] == ""):
         return web.Response(body=json.dumps(response))
@@ -823,7 +853,6 @@ async def handle_nym_req(request):
 
     if poolName == 'stagingnet':
         logger.info(f'Nym bound for {poolName}. Attempting to authenticate request ...')
-        load_dotenv()
         API_KEY = os.environ.get('API_KEY')
         header_admin_api_key = request.headers.get("x-api-key")
         if not const_compare(header_admin_api_key, API_KEY):

diff --git a/selfserve/static/endorser.html b/selfserve/static/endorser.html
@@ -177,6 +177,15 @@
     <script type="text/javascript" src="static/apigClient.js"></script>
 
     <script>
+    var captcha_response;
+
+    function verifyCaptcha(token) {
+      var submit_button = document.getElementById("submit_button");
+      captcha_response = token;
+      document.getElementById('g-recaptcha-error').innerHTML = '';
+      submit_button.classList.remove("disabled");
+    }
+
     //var apigClient = apigClientFactory.newClient({region: 'us-west-2'});
     function addEndorser () {
       // displays div_results on submit. Display default is none.
@@ -187,7 +196,8 @@
         network: document.getElementById('network').value,
         did: document.getElementById('did').value,
         verkey: document.getElementById('verkey').value,
-        paymentaddr: document.getElementById('paymentaddr').value
+        paymentaddr: document.getElementById('paymentaddr').value,
+        captcha_response: captcha_response
       };
       var additionalParams = {};
       document.getElementById('div_results').innerHTML = "<div class='loader'></div>"
@@ -354,10 +364,17 @@ <h6 class="card-subtitle mb-2 text-muted">Production</h6>
                 <p>By clicking "Submit" you signify agreement to the Sovrin <a href="https://github.com/sovrin-foundation/sovrin/blob/master/TAA/TAA.md" target="_blank">Transaction Author Agreement</a></p>
                 <!-- This is a message box. It is required for this page to work. -->
                 <div id="div_results"></div>
-                <input class="btn btn-warning btn-lg text-light" style="margin-bottom: 10px;" type="button" value="Submit" onclick="addEndorser();" />
+
+                <div style="display: flex;align-items: center; margin-bottom: 10px;">
+                  <input class="btn btn-warning btn-lg text-light disabled" id="submit_button" type="button" value="Submit" onclick="addEndorser();" />
+                  <div class="g-recaptcha" data-sitekey="6LdD03AfAAAAAO4KiIt1oz1l8gQaG8-aRd1g8It0" data-callback="verifyCaptcha"></div>
+                  <div id="g-recaptcha-error"></div>
+                </div>
               </div>
           </form>
 
+          <script src='https://www.google.com/recaptcha/api.js'></script>
+
           <div>
             <a href=https://docs.google.com/document/d/1sXZoN18lpFoAF075QoptofwDV_1otUylPGFKRQnA56E target="_blank"> Help me get a DID!</a>
           </div>