Allow a (hidden undocumented) key to m.login.recaptcha to specify a shared secret to allow bots to bypass the ReCAPTCHA test (SYN-60)

2014-09-23 14:29:08 +01:00 · 2014-09-23 14:29:08 +01:00 · 3a8a94448a
parent b5c9d99424
commit 3a8a94448a
2 changed files with 24 additions and 6 deletions
--- a/synapse/config/captcha.py
+++ b/synapse/config/captcha.py
@ -24,6 +24,7 @@ class CaptchaConfig(Config):
        self.captcha_ip_origin_is_x_forwarded = (
            args.captcha_ip_origin_is_x_forwarded
        )
+        self.captcha_bypass_secret = args.captcha_bypass_secret

    @classmethod
    def add_arguments(cls, parser):
@ -44,3 +45,7 @@ class CaptchaConfig(Config):
            help="When checking captchas, use the X-Forwarded-For (XFF) header"
            + " as the client IP and not the actual client IP."
        )
+        group.add_argument(
+            "--captcha_bypass_secret", type=str,
+            help="A secret key used to bypass the captcha test entirely."
+        )
--- a/synapse/rest/register.py
+++ b/synapse/rest/register.py
@ -142,6 +142,24 @@ class RegisterRestServlet(RestServlet):
        if not self.hs.config.enable_registration_captcha:
            raise SynapseError(400, "Captcha not required.")

+        yield self._check_recaptcha(request, register_json)
+
+        session[LoginType.RECAPTCHA] = True  # mark captcha as done
+        self._save_session(session)
+        defer.returnValue({
+            "next": [LoginType.PASSWORD, LoginType.EMAIL_IDENTITY]
+        })
+
+    @defer.inlineCallbacks
+    def _check_recaptcha(self, request, register_json):
+        if "captcha_bypass_secret" in register_json:
+            if (register_json["captcha_bypass_secret"] ==
+                    self.hs.config.captcha_bypass_secret):
+                defer.returnValue(None)
+            else:
+                raise SynapseError(400, "Captcha bypass secret incorrect",
+                    errcode=Codes.CAPTCHA_NEEDED)
+
        challenge = None
        user_response = None
        try:
@ -166,11 +184,6 @@ class RegisterRestServlet(RestServlet):
            challenge,
            user_response
        )
-        session[LoginType.RECAPTCHA] = True  # mark captcha as done
-        self._save_session(session)
-        defer.returnValue({
-            "next": [LoginType.PASSWORD, LoginType.EMAIL_IDENTITY]
-        })

    @defer.inlineCallbacks
    def _do_email_identity(self, request, register_json, session):