From 18f62768e00fad3b605a04bab90ca6d9785e8925 Mon Sep 17 00:00:00 2001 From: Aaron Lee Date: Thu, 23 Sep 2021 22:21:59 +0800 Subject: [PATCH] Added recaptcha --- app.py | 35 +++++++++++++++++++++++++---------- static/allpages.css | 10 ++++++++++ templates/login.html | 12 ++++++++++-- 3 files changed, 45 insertions(+), 12 deletions(-) diff --git a/app.py b/app.py index a19b3f4..91b2024 100644 --- a/app.py +++ b/app.py @@ -9,6 +9,7 @@ import pandas as pd import base64 from random import randint from dotenv import load_dotenv +import requests load_dotenv() app = Flask(__name__) @@ -45,6 +46,17 @@ def check_permission(): db.child("Users").child(session['uid']).child("showUpload").get().val() == '1') +def verify_recaptcha(response): + data = { + 'secret': os.environ.get('RECAPTCHA_SECRET'), + 'response': response, + 'remoteip': request.remote_addr + } + r = requests.post( + 'https://www.google.com/recaptcha/api/siteverify', data=data) + return r.json()['success'] + + def manageProcess(fCommand, fData): if (check_login_status()): return redirect('/logout') @@ -218,7 +230,7 @@ def manageProcess(fCommand, fData): return redirect('/logout') -@ app.route('/', methods=['GET', 'POST']) +@ app.route('/', methods=['GET']) def index(): if request.method == 'GET': if check_login_status(): 
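Review bot: The `requests.post(...)` in the added `verify_recaptcha` has no `timeout`, so a stalled siteverify endpoint blocks the worker for the whole login request, and `r.json()['success']` raises KeyError on an error or non-JSON body instead of yielding False. Suggest `r = requests.post('https://www.google.com/recaptcha/api/siteverify', data=data, timeout=5)`, then `r.raise_for_status()`, then `return bool(r.json().get('success', False))`. These failures are currently swallowed by the caller's broad `except Exception` in the next hunk, so they fail closed but leave no trace; logging them here would make a verification outage distinguishable from a bad password. `os.environ.get('RECAPTCHA_SECRET')` also returns None when the variable is unset, which silently makes every verification fail — `os.environ['RECAPTCHA_SECRET']` or a startup check would surface the misconfiguration.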
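Review bot: Changing the decorator to `@ app.route('/', methods=['GET'])` leaves the `request.method == 'POST'` branch of `index()` — the login submission shown in the next hunk — unreachable unless another rule maps POST to this view outside the diff, since Flask answers a POST to `/` with 405 before the reCAPTCHA check ever runs. If the form in `templates/login.html` still posts to `/`, the line should stay `@ app.route('/', methods=['GET', 'POST'])`; otherwise the dead POST branch should be removed rather than left behind. `index()` continues past the end of this hunk.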
@@ -227,15 +239,18 @@ def index(): elif request.method == 'POST': if check_login_status(): try: - user = auth.sign_in_with_email_and_password( - request.form['username'] + "@group-attendance.fhjh.tp.edu.tw", request.form['password']) - session['is_logged_in'] = True - session['email'] = user['email'] - session['uid'] = user['localId'] - session['token'] = user['idToken'] - session['refreshToken'] = user['refreshToken'] - session['loginTime'] = datetime.now(tz) - return redirect('/manage') + if (verify_recaptcha(request.form['g-recaptcha-response'])): + user = auth.sign_in_with_email_and_password( + request.form['username'] + "@group-attendance.fhjh.tp.edu.tw", request.form['password']) + session['is_logged_in'] = True + session['email'] = user['email'] + session['uid'] = user['localId'] + session['token'] = user['idToken'] + session['refreshToken'] = user['refreshToken'] + session['loginTime'] = datetime.now(tz) + return redirect('/manage') + else: + return render_template('login.html', error=True) except Exception as e: return render_template('login.html', error=True) else: diff --git a/static/allpages.css b/static/allpages.css index 55bd3c0..0cc3a39 100644 --- a/static/allpages.css +++ b/static/allpages.css @@ -137,4 +137,14 @@ div.showTime { border:1px solid black; color:rgb(77, 77, 77); background:rgb(179, 255, 169); +} + +.grecaptcha-badge { + display: none; +} + +.disclaimer { + color: rgb(160, 160, 160); + font-size: 0.7524em; + margin-bottom: 20px; } \ No newline at end of file diff --git a/templates/login.html b/templates/login.html index 4fd7bc6..a0e9ae0 100644 --- a/templates/login.html +++ b/templates/login.html @@ -19,6 +19,7 @@ gtag('config', 'G-H6D61RSBHR'); + @@ -28,7 +29,7 @@
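Review bot: The new `verify_recaptcha(...)` call sits inside the pre-existing `try`, whose `except Exception as e` context line binds `e` and never uses it, so a reCAPTCHA network error, a missing `g-recaptcha-response` form field and a wrong password all collapse into the same `error=True` page with nothing recorded. Keep the uniform response to the user but log the cause server-side, e.g. `app.logger.exception('login failed')` inside the handler, and consider narrowing the `try` so it wraps only the calls expected to raise rather than the session assignments as well. `index()` starts and ends outside this hunk.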
-
+
@@ -41,9 +42,15 @@
-
+
+ This site is protected by reCAPTCHA and the Google + Privacy Policy and + Terms of Service apply. +
{% if error %}