Email spam security (#641)

* Add hCaptcha on register page * register page captcha test cases * Refactor integration validation rules to include form context - Updated the `getValidationRules` method in various integration handlers (Discord, Email, Google Sheets, Slack, Webhook, Zapier) to accept an optional `Form` parameter, allowing for context-aware validation. - Enhanced the `EmailIntegration` handler to enforce restrictions based on user plans, ensuring free users can only create one email integration per form and can only send to a single email address. - Added a new test suite for `EmailIntegration` to validate the new restrictions and ensure proper functionality for both free and pro users. - Introduced loading state management in the `IntegrationModal` component to improve user experience during save operations. These changes improve the flexibility and user experience of form integrations, particularly for email handling. * for self-hosted ignore emil validation for spam * fix pint * ignore register throttle for testing env * support new migration for mysql also * Register page captcha enable if captcha key set * fix test case * fix test case * fix test case * fix pint * Refactor RegisterController middleware and update TestCase setup - Removed environment check for throttling middleware in RegisterController, ensuring consistent rate limiting for the registration endpoint. - Updated TestCase to disable throttle middleware during tests, allowing for more flexible testing scenarios without rate limiting interference. * Enhance hCaptcha integration in tests and configuration - Added hCaptcha site and secret keys to phpunit.xml for testing purposes. - Updated RegisterTest to configure hCaptcha secret key dynamically, ensuring proper token validation in production environment. These changes improve the testing setup for hCaptcha, facilitating more accurate simulation of production conditions. --------- Co-authored-by: Julien Nahum <julien@nahum.net>
2024-12-18 17:46:27 +05:30
parent c1ee072b71
commit 7365479c83
18 changed files with 375 additions and 25 deletions
--- a/api/app/Http/Controllers/Auth/RegisterController.php
+++ b/api/app/Http/Controllers/Auth/RegisterController.php
@@ -12,6 +12,7 @@ use Illuminate\Foundation\Auth\RegistersUsers;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Validator;
 use Illuminate\Validation\Rule;
+use App\Rules\ValidHCaptcha;

 class RegisterController extends Controller
 {
@@ -27,6 +28,9 @@ class RegisterController extends Controller
    public function __construct()
    {
        $this->middleware('guest');
+
+        $this->middleware('throttle:5,1')->only('register'); // 5 attempts per minute
+        $this->middleware('throttle:30,60')->only('register'); // 30 attempts per hour
    }

    /**
@@ -56,7 +60,7 @@ class RegisterController extends Controller
     */
    protected function validator(array $data)
    {
-        return Validator::make($data, [
+        $rules = [
            'name' => 'required|max:255',
            'email' => 'required|email:filter|max:255|unique:users|indisposable',
            'password' => 'required|min:6|confirmed',
@@ -64,8 +68,14 @@ class RegisterController extends Controller
            'agree_terms' => ['required', Rule::in([true])],
            'appsumo_license' => ['nullable'],
            'invite_token' => ['nullable', 'string'],
-            'utm_data' => ['nullable', 'array']
-        ], [
+            'utm_data' => ['nullable', 'array'],
+        ];
+
+        if (config('services.h_captcha.secret_key')) {
+            $rules['h-captcha-response'] = [new ValidHCaptcha()];
+        }
+
+        return Validator::make($data, $rules, [
            'agree_terms' => 'Please agree with the terms and conditions.',
        ]);
    }
@@ -84,6 +94,7 @@ class RegisterController extends Controller
            'password' => bcrypt($data['password']),
            'hear_about_us' => $data['hear_about_us'],
            'utm_data' => array_key_exists('utm_data', $data) ? $data['utm_data'] : null,
+            'meta' => ['registration_ip' => request()->ip()],
        ]);

        // Add relation with user
--- a/api/app/Http/Requests/Integration/FormIntegrationsRequest.php
+++ b/api/app/Http/Requests/Integration/FormIntegrationsRequest.php
@@ -2,6 +2,7 @@

 namespace App\Http\Requests\Integration;

+use App\Models\Forms\Form;
 use App\Models\Integration\FormIntegration;
 use App\Rules\IntegrationLogicRule;
 use Illuminate\Foundation\Http\FormRequest;
@@ -14,9 +15,11 @@ class FormIntegrationsRequest extends FormRequest
    public array $integrationRules = [];

    private ?string $integrationClassName = null;
+    private ?Form $form = null;

    public function __construct(Request $request)
    {
+        $this->form = Form::findOrFail(request()->route('id'));
        if ($request->integration_id) {
            // Load integration class, and get rules
            $integration = FormIntegration::getIntegration($request->integration_id);
@@ -77,7 +80,7 @@ class FormIntegrationsRequest extends FormRequest

    private function loadIntegrationRules()
    {
-        foreach ($this->integrationClassName::getValidationRules() as $key => $value) {
+        foreach ($this->integrationClassName::getValidationRules($this->form) as $key => $value) {
            $this->integrationRules['settings.' . $key] = $value;
        }
    }