From 0318fee8ec6b070e505aa51075ea1b42e97313fb Mon Sep 17 00:00:00 2001
From: Evandro Magalhaes Leite Junior
Date: Wed, 27 May 2015 12:01:44 -0300
Subject: [PATCH] Support google recaptcha for the API
---
config/noosfero.yml.dist | 7 +++++++
lib/noosfero/api/api.rb | 24 ++++++++++++++----------
lib/noosfero/api/helpers.rb | 16 +++++++++++++++-
lib/noosfero/api/session.rb | 22 ++++++++++++++--------
4 files changed, 50 insertions(+), 19 deletions(-)
diff --git a/config/noosfero.yml.dist b/config/noosfero.yml.dist
index 0284faa..160b380 100644
--- a/config/noosfero.yml.dist
+++ b/config/noosfero.yml.dist
@@ -11,7 +11,14 @@ development:
 max_upload_size: 5MB
 hours_until_user_activation_check: 72
 exclude_profile_identifier_pattern: index(\..*)?|home(\..*)?
+ api_recaptcha_site_key: '6LdsWAcTAAAAAChTUUD6yu9fCDhdIZzNd7F53zf-'
+ api_recaptcha_private_key: '6LdsWAcTAAAAAB6maB_HalVyCc4asDAxPxloIMvY'
+ api_recaptcha_verify_uri: 'https://www.google.com/recaptcha/api/siteverify'
 test:
 production:
+ api_recaptcha_site_key: '6LcLPAcTAAAAAKsd0bxY_TArhD_A7OL19SRCW7_i'
+ api_recaptcha_private_key: '6LcLPAcTAAAAAE36SN1M2w1I7Hn8upwXYZ_YQZ5-'
+ api_recaptcha_verify_uri: 'https://www.google.com/recaptcha/api/siteverify'
+
\ No newline at end of file
diff --git a/lib/noosfero/api/api.rb b/lib/noosfero/api/api.rb
index d6cec15..8a0eca3 100644
--- a/lib/noosfero/api/api.rb
+++ b/lib/noosfero/api/api.rb
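Review bot: The `api_recaptcha_private_key` values added under `development:` and `production:` are the server-side reCAPTCHA secrets, and `noosfero.yml.dist` is the template that ships with every checkout, so both key pairs become public the moment this lands. They are not Google's published test keys, so they look like real project credentials; they should be rotated and kept out of the repository. I would leave the secret empty in the template, e.g. `api_recaptcha_private_key: ''   # server-side secret; set per deployment, never commit`, and keep only the `api_recaptcha_verify_uri` default. Note that the `test:` block gets no keys at all, which the new signup code in session.rb must tolerate rather than crash on.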
@@ -1,17 +1,21 @@
 require 'grape'
 #require 'rack/contrib'
+ Dir["#{Rails.root}/lib/noosfero/api/*.rb"].each {|file| require file unless file =~ /api\.rb/}
 module Noosfero
 module API
 class API < Grape::API
 use Rack::JSONP
-
- logger = Logger.new(File.join(Rails.root, 'log', "#{ENV['RAILS_ENV'] || 'production'}_api.log"))
- logger.formatter = GrapeLogging::Formatters::Default.new
- use RequestLogger, { logger: logger }
-
- rescue_from :all do |e|
- logger.error e
+
+ @@NOOSFERO_CONF = nil
+
+ def self.NOOSFERO_CONF
+ if @@NOOSFERO_CONF
+ @@NOOSFERO_CONF
+ else
+ file = Rails.root.join('config', 'noosfero.yml')
+ @@NOOSFERO_CONF = File.exists?(file) ? YAML.load_file(file)[Rails.env] || {} : {}
+ end
 end
 before { setup_multitenancy }
@@ -22,9 +26,9 @@ module Noosfero
 prefix "api"
 format :json
 content_type :txt, "text/plain"
-
+
 helpers APIHelpers
-
+
 mount V1::Articles
 mount V1::Comments
 mount V1::Users
@@ -33,7 +37,7 @@ module Noosfero
 mount V1::Enterprises
 mount V1::Categories
 mount Session
-
+
 # hook point which allow plugins to add Grape::API extensions to API::API
 #finds for plugins which has api mount points classes defined (the class should extends Grape::API)
 @plugins = Noosfero::Plugin.all.map { |p| p.constantize }
diff --git a/lib/noosfero/api/helpers.rb b/lib/noosfero/api/helpers.rb
index 489ff1c..28c15e6 100644
--- a/lib/noosfero/api/helpers.rb
+++ b/lib/noosfero/api/helpers.rb
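Review bot: The API request logger (`use RequestLogger, { logger: logger }`) and the `rescue_from :all` handler are deleted in the first hunk, which is unrelated to a commit titled "Support google recaptcha for the API"; if that is not intentional, any exception raised by the new reCAPTCHA HTTP call will now leave Grape unhandled and unlogged. Please either confirm the removal in the commit message or restore those lines. Minor points on the new loader: `File.exists?` is deprecated in favour of `File.exist?`, and the `@@NOOSFERO_CONF` class variable plus the capitalised method name are unidiomatic — a class instance variable behind `def self.noosfero_conf` would read better, though the name is already used by session.rb in this patch. A one-line comment such as `# environment section of config/noosfero.yml, memoized for the process lifetime` would also help.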
@@ -102,7 +102,21 @@ module Noosfero
 end
 attrs
 end
-
+
+ def verify_recaptcha_v2(remote_ip, g_recaptcha_response, private_key, api_recaptcha_verify_uri)
+ verify_hash = {
+ "secret" => private_key,
+ "remoteip" => remote_ip,
+ "response" => g_recaptcha_response
+ }
+ uri = URI(api_recaptcha_verify_uri)
+ https = Net::HTTP.new(uri.host, uri.port)
+ https.use_ssl = true
+ request = Net::HTTP::Post.new(uri.path)
+ request.set_form_data(verify_hash)
+ JSON.parse(https.request(request).body)
+ end
+
 ##########################################
 # error helpers #
 ##########################################
diff --git a/lib/noosfero/api/session.rb b/lib/noosfero/api/session.rb
index 1f302c9..aa535f8 100644
--- a/lib/noosfero/api/session.rb
+++ b/lib/noosfero/api/session.rb
@@ -1,8 +1,10 @@
+require "uri"
+
 module Noosfero
 module API
-
+
 class Session < Grape::API
-
+
 # Login to get token
 #
 # Parameters:
@@ -13,13 +15,13 @@ module Noosfero
 # POST http://localhost:3000/api/v1/login?login=adminuser&password=admin
 post "/login" do
 user ||= User.authenticate(params[:login], params[:password], environment)
-
+
 return unauthorized! unless user
 user.generate_private_token!
 @current_user = user
 present user, :with => Entities::UserLogin
 end
-
+
 # Create user.
 #
 # Parameters:
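Review bot: `verify_recaptcha_v2` sets no `open_timeout`/`read_timeout` and parses the body as JSON without checking the response status, so a slow or unavailable siteverify endpoint holds the request for Net::HTTP's default 60 s and any non-JSON answer (a 5xx HTML page, a DNS or TLS failure) raises out of the helper instead of returning a result. Because the signup route in session.rb only inspects `captcha_result["success"]`, the helper should fail closed with a short timeout and treat every transport or parse error as "not verified". The caller also passes `nil` for both `private_key` and the URI when the environment has no `api_recaptcha_*` config (the `test:` block in this patch), and `URI(nil)` raises `ArgumentError`; a guard such as `raise ArgumentError, 'api_recaptcha_verify_uri not configured' if api_recaptcha_verify_uri.to_s.empty?` would make that misconfiguration obvious. Also note helpers.rb gains a `Net::HTTP` and `JSON` dependency but no `require`; the patch only adds `require "uri"` to session.rb, so this presumably relies on Rails having loaded them.
```ruby
    def verify_recaptcha_v2(remote_ip, g_recaptcha_response, private_key, api_recaptcha_verify_uri)
      # … unchanged: verify_hash, uri …
      https = Net::HTTP.new(uri.host, uri.port)
      https.use_ssl = true
      https.verify_mode = OpenSSL::SSL::VERIFY_PEER
      https.open_timeout = 5
      https.read_timeout = 5
      request = Net::HTTP::Post.new(uri.path)
      request.set_form_data(verify_hash)
      response = https.request(request)
      # fail closed: anything but a 200 JSON answer counts as "not verified"
      return { "success" => false, "error-codes" => ["http-#{response.code}"] } unless response.is_a?(Net::HTTPSuccess)
      JSON.parse(response.body)
    rescue SocketError, Timeout::Error, SystemCallError, OpenSSL::SSL::SSLError, JSON::ParserError => e
      { "success" => false, "error-codes" => [e.class.name] }
    end
```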
@@ -37,16 +39,20 @@ module Noosfero
 unique_attributes! User, [:email, :login]
 attrs = attributes_for_keys [:email, :login, :password]
 attrs[:password_confirmation] = attrs[:password]
- user = User.new(attrs)
- if user.save
+ remote_ip = (request.respond_to?(:remote_ip) && request.remote_ip) || (env && env['REMOTE_ADDR'])
+ private_key = API.NOOSFERO_CONF['api_recaptcha_private_key']
+ api_recaptcha_verify_uri = API.NOOSFERO_CONF['api_recaptcha_verify_uri']
+ captcha_result = verify_recaptcha_v2(remote_ip, params['g-recaptcha-response'], private_key, api_recaptcha_verify_uri)
+ user = User.new(attrs)
+ if captcha_result["success"] and user.save!
 user.activate
 user.generate_private_token!
 present user, :with => Entities::UserLogin
 else
- something_wrong!
+ message = user.errors.to_json
+ render_api_error!(message, 400)
 end
 end
-
 end
 end
 end
-- libgit2 0.21.2
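Review bot: `if captcha_result["success"] and user.save!` can never reach the `else` branch for an invalid user, because `save!` raises `ActiveRecord::RecordInvalid` instead of returning false; the only way into `else` is a failed captcha, at which point `user.errors.to_json` serialises an empty error set and the client is told nothing about the captcha. Use plain `save` with `&&` and report the captcha failure distinctly, as below. Checking the captcha before `user.save` is the right order, since a bad token then never touches the database; a comment saying so would be worth keeping. Separately, when the environment has no `api_recaptcha_*` keys (the `test:` block in this patch) `verify_recaptcha_v2` is handed `nil` for both secret and URI, so this route should fail with a clear configuration error rather than whatever `URI(nil)` raises.
```ruby
        user = User.new(attrs)
        # captcha first so a bad token never reaches the database; plain save
        # (not save!) so validation failures land in the else branch
        if captcha_result["success"] && user.save
          # … unchanged: activate, generate_private_token!, present …
        else
          message = if captcha_result["success"]
                      user.errors.to_json
                    else
                      { 'g-recaptcha-response' => ['verification failed'] }.to_json
                    end
          render_api_error!(message, 400)
        end
```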