FreshRSS
diff --git a/‎xExtension-Captcha/Controllers/authController.php‎
Lines changed: 8 additions & 118 deletions b/‎xExtension-Captcha/Controllers/authController.php‎
Lines changed: 8 additions & 118 deletions
diff --git a/‎xExtension-Captcha/Controllers/userController.php‎
Lines changed: 19 additions & 0 deletions b/‎xExtension-Captcha/Controllers/userController.php‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎xExtension-Captcha/README.md‎
Lines changed: 20 additions & 1 deletion b/‎xExtension-Captcha/README.md‎
Lines changed: 20 additions & 1 deletion
diff --git a/‎xExtension-Captcha/configure.phtml‎
Lines changed: 22 additions & 14 deletions b/‎xExtension-Captcha/configure.phtml‎
Lines changed: 22 additions & 14 deletions
@@ -6,134 +6,24 @@ class FreshExtension_auth_Controller extends FreshRSS_auth_Controller {
 	 * @throws FreshRSS_Context_Exception
 	 * @throws Minz_PermissionDeniedException
 	 */
-	public function initCaptcha(): bool {
-		$username = Minz_Request::paramString('username');
-
-		$config = CaptchaExtension::getConfig();
-		$provider = $config['captchaProvider'];
-
-		if ($provider === 'none') {
-			return true;
-		}
-
-		$isPOST = Minz_Request::isPost() && !Minz_Session::paramBoolean('POST_to_GET');
-		if ($isPOST && CaptchaExtension::isProtectedPage()) {
-			$ch = curl_init();
-			if ($ch === false) {
-				Minz_Error::error(500);
-				return false;
-			}
-
-			/*
-			See:
-			https://developers.cloudflare.com/turnstile/get-started/server-side-validation/
-			https://developers.google.com/recaptcha/docs/verify?hl=en
-			https://docs.hcaptcha.com/#verify-the-user-response-server-side
-			*/
-
-			$siteverify_url = match ($provider) {
-				'turnstile' => 'https://challenges.cloudflare.com/turnstile/v0/siteverify',
-				'recaptcha-v2' => 'https://www.google.com/recaptcha/api/siteverify',
-				'recaptcha-v3' => 'https://www.google.com/recaptcha/api/siteverify',
-				'hcaptcha' => 'https://hcaptcha.com/siteverify',
-				default => '',
-			};
-			$response_param = match ($provider) {
-				'turnstile' => 'cf-turnstile-response',
-				'recaptcha-v2' => 'g-recaptcha-response',
-				'recaptcha-v3' => 'g-recaptcha-response',
-				'hcaptcha' => 'h-captcha-response',
-				default => '',
-			};
-			$response_val = Minz_Request::paramString($response_param);
-
-			$fields = [
-				'secret' => $config['provider']['secretKey'] ?? '',
-				'response' => $response_val,
-			];
-			if ($config['sendClientIp']) {
-				$fields['remoteip'] = CaptchaExtension::getClientIp();
-			}
-			curl_setopt_array($ch, [
-				CURLOPT_URL => $siteverify_url,
-				CURLOPT_POST => true,
-				CURLOPT_POSTFIELDS => http_build_query($fields),
-				CURLOPT_USERAGENT => FRESHRSS_USERAGENT,
-				CURLOPT_RETURNTRANSFER => true,
-			]);
-			curl_setopt_array($ch, FreshRSS_Context::systemConf()->curl_options);
-
-			$body = curl_exec($ch);
-			if (!is_string($body)) {
-				Minz_Error::error(500);
-				return false;
-			}
-			/** @var array{success:bool,error-codes:string[]} $json */
-			$json = json_decode($body, true);
-			if (!is_array($json)) {
-				Minz_Error::error(500);
-				return false;
-			}
-			if ($json['success'] !== true) {
-				$actionName = Minz_Request::actionName();
-				CaptchaExtension::warnLog("($actionName) Failed to verify '$provider' challenge for user \"$username\": " . implode(',', $json['error-codes']));
-				Minz_Error::error(400, ['error' => [_t('ext.form_captcha.invalid_captcha')]]);
-				return false;
-			}
-		} else {
-			$js_url = match ($provider) {
-				'turnstile' => 'https://challenges.cloudflare.com/turnstile/v0/api.js',
-				'recaptcha-v2' => 'https://www.google.com/recaptcha/api.js',
-				'recaptcha-v3' => 'https://www.google.com/recaptcha/api.js?render=' . $config['provider']['siteKey'],
-				'hcaptcha' => 'https://js.hcaptcha.com/1/api.js',
-				default => '',
-			};
-			$js_domain = parse_url($js_url);
-			if (!is_array($js_domain)) {
-				Minz_Error::error(500);
-				return false;
-			}
-			$js_domain = $js_domain['host'] ?? '';
-			if ($js_domain === 'www.google.com') {
-				// Original js_url redirects to www.gstatic.com therefore this is needed
-				$js_domain .= ' www.gstatic.com';
-			} else if ($js_domain === 'js.hcaptcha.com') {
-				$js_domain = 'hcaptcha.com *.hcaptcha.com';
-			}
-			$csp = [
-				'default-src' => "'self'",
-				'frame-ancestors' => '"none"',
-				'script-src' => "'self' $js_domain",
-				'frame-src' => $js_domain,
-				'connect-src' => "'self' $js_domain",
-			];
-			if ($provider === 'hcaptcha') {
-				$csp['style-src'] = "'self' " . $js_domain;
-			}
-			$this->_csp($csp);
-			Minz_View::appendScript($js_url);
-			if ($provider === 'recaptcha-v3') {
-				Minz_View::appendScript(CaptchaExtension::$recaptcha_v3_js);
-			}
-		}
-		return true;
-	}
-
 	public function formLoginAction(): void {
-		if (!$this->initCaptcha()) {
+		if (!CaptchaExtension::initCaptcha()) {
 			return;
 		}
+		$csp = CaptchaExtension::loadDependencies();
+		if (!empty($csp)) $this->_csp($csp);
+
 		parent::formLoginAction();
 	}
 
 	/**
 	 * @throws FreshRSS_Context_Exception
-	 * @throws Minz_PermissionDeniedException
 	 */
 	public function registerAction(): void {
-		if (!$this->initCaptcha()) {
-			return;
-		}
+		// Checking for valid captcha is not needed here since this isn't a POST action
+		$csp = CaptchaExtension::loadDependencies();
+		if (!empty($csp)) $this->_csp($csp);
+
 		parent::registerAction();
 	}
 }
@@ -0,0 +1,19 @@
+<?php
+declare(strict_types=1);
+
+class FreshExtension_user_Controller extends FreshRSS_user_Controller {
+	/**
+	 * @throws FreshRSS_Context_Exception
+	 * @throws Minz_PermissionDeniedException
+	 */
+	public function createAction(): void {
+		if (!CaptchaExtension::initCaptcha()) {
+			return;
+		}
+		$csp = CaptchaExtension::loadDependencies();
+		if (!empty($csp)) $this->_csp($csp);
+
+		parent::createAction();
+	}
+}
+
@@ -30,7 +30,26 @@ Available configuration settings:
 
 </details>
 
+## Trouble with login
+
+If you are having trouble with logging in after configuring the extension, you can manually disable it in `FreshRSS/data/config.php`, login and reconfigure the extension.
+
 ## Changelog
 
-* 1.0.0
+* 1.0.1 [2025-??-??]
+	* Improvements
+		* The user is now notified that the extension must be enabled for the configuration view to work properly. (due to JS)
+	* Security
+		* Captcha configuration now requires reauthenticating in FreshRSS to protect the secret key
+		* Register form wasn't correctly protected because the extension wasn't protecting the POST action, only displaying the captcha widget
+		* Fixed potential captcha bypass due to checking for `POST_TO_GET` parameter in the session
+		* Use slightly stronger CSP on login and register pages
+	* Bug fixes
+		* Fixed wrong quote in CSP `"` instead of `'`
+		* Client IP is now taken from `X-Real-IP` instead of `X-Forwarded-For`, since the latter could contain multiple comma-separated IPs
+	* Refactor
+		* `data-auto-leave-validation` is now being used in the configure view instead of `data-leave-validation`
+		* `data-toggle` attributes were removed from the configure view, since they aren't needed anymore as of v1.27.1
+		* Other minor changes
+* 1.0.0 [2025-07-30]
 	* Initial release
@@ -2,34 +2,42 @@
 declare(strict_types=1);
 /** @var CaptchaExtension $this */
 
-$config = CaptchaExtension::getConfig();
-
-function value(string $v): string {
-	return 'value="' . $v . '" data-leave-validation="' . $v .'"';
+if (!Minz_ExtensionManager::isExtensionEnabled($this->getName())) {
+	echo '<br /><b>' . _t('ext.form_captcha.ext_must_be_enabled') . '</b>';
+	return;
 }
+
+$config = CaptchaExtension::getConfig();
 ?>
-<form action="<?= _url('extension', 'configure', 'e', urlencode($this->getName())) ?>" method="post" autocomplete="off" spellcheck="false">
+<form
+	action="<?= _url('extension', 'configure', 'e', urlencode($this->getName())) ?>"
+	method="post"
+	autocomplete="off"
+	spellcheck="false"
+	data-auto-leave-validation="1">
+
 	<input type="hidden" name="_csrf" value="<?= FreshRSS_Auth::csrfToken() ?>" />
 
 	<div class="form-group">
 		<label class="group-name"><?= _t('ext.form_captcha.protected_pages') ?></label>
 		<div class="group-controls">
 			<div class="stick">
-				<input type="checkbox" name="protectedPages[0]" value="auth_register"<?= in_array('auth_register', $config['protectedPages'], true) ? 'checked="checked" data-leave-validation="1"' : '' ?> />
-				<label for="protectedPages[0]"><?= _t('ext.form_captcha.pages.register') ?></label>
+				<?php # `auth_register` also protects `user_create` ?>
+				<input type="checkbox" name="protectedPages[]" value="auth_register"<?= in_array('auth_register', $config['protectedPages'], true) ? 'checked="checked"' : '' ?> />
+				<label for="protectedPages[]"><?= _t('ext.form_captcha.pages.register') ?></label>
 			</div>
 			<br />
 			<div class="stick">
-				<input type="checkbox" name="protectedPages[1]" value="auth_formLogin"<?= in_array('auth_formLogin', $config['protectedPages'], true) ? 'checked="checked" data-leave-validation="1"' : '' ?> />
-				<label for="protectedPages[1]"><?= _t('ext.form_captcha.pages.login') ?></label>
+				<input type="checkbox" name="protectedPages[]" value="auth_formLogin"<?= in_array('auth_formLogin', $config['protectedPages'], true) ? 'checked="checked"' : '' ?> />
+				<label for="protectedPages[]"><?= _t('ext.form_captcha.pages.login') ?></label>
 			</div>
 		</div>
 	</div>
 
 	<div class="form-group">
 		<label class="group-name" for="captchaProvider"><?= _t('ext.form_captcha.captcha_provider') ?></label>
 		<div class="group-controls">
-			<select id="captchaProvider" name="captchaProvider" data-leave-validation="<?= $config['captchaProvider'] ?>">
+			<select id="captchaProvider" name="captchaProvider">
 				<option value="none"<?= $config['captchaProvider'] === 'none' ? ' selected="selected"' : '' ?>><?= _t('ext.form_captcha.providers.none') ?></option>
 				<option value="turnstile"<?= $config['captchaProvider'] === 'turnstile' ? ' selected="selected"' : '' ?>>Cloudflare Turnstile</option>
 				<option value="recaptcha-v2"<?= $config['captchaProvider'] === 'recaptcha-v2' ? ' selected="selected"' : '' ?>>reCAPTCHA v2</option>
@@ -43,24 +51,24 @@ function value(string $v): string {
 		<div class="form-group">
 			<label class="group-name" for="provider[siteKey]"><?= _t('ext.form_captcha.providers.site_key.label') ?></label>
 			<div class="group-controls">
-				<input type="text" name="provider[siteKey]" placeholder="<?= _t('ext.form_captcha.providers.site_key.placeholder') ?>" <?= value($config['provider']['siteKey'] ?? '') ?> />
+				<input type="text" name="provider[siteKey]" placeholder="<?= _t('ext.form_captcha.providers.site_key.placeholder') ?>" value="<?= $config['provider']['siteKey'] ?? '' ?>" />
 			</div>
 		</div>
 
 		<div class="form-group">
 			<label class="group-name" for="provider[secretKey]"><?= _t('ext.form_captcha.providers.secret_key.label') ?></label>
 			<div class="group-controls">
 				<div class="stick">
-					<input id="commonSecretKey" type="password" name="provider[secretKey]" placeholder="<?= _t('ext.form_captcha.providers.secret_key.placeholder') ?>" <?= value($config['provider']['secretKey'] ?? '') ?> />
-					<button type="button" class="btn toggle-password" data-toggle="commonSecretKey"><?= _i('key') ?></button>
+					<input type="password" name="provider[secretKey]" placeholder="<?= _t('ext.form_captcha.providers.secret_key.placeholder') ?>" value="<?= $config['provider']['secretKey'] ?? '' ?>" />
+					<button type="button" class="btn toggle-password"><?= _i('key') ?></button>
 				</div>
 			</div>
 		</div>
 
 		<div class="form-group">
 			<label class="group-name" for="sendClientIp"><?= _t('ext.form_captcha.send_client_ip') ?></label>
 			<div class="group-controls">
-				<input type="checkbox" name="sendClientIp"<?= $config['sendClientIp'] ? ' checked="checked" data-leave-validation="1"' : '' ?> />
+				<input type="checkbox" name="sendClientIp"<?= $config['sendClientIp'] ? ' checked="checked"' : '' ?> />
 			</div>
 		</div>