Email spam security (#641)

* Add hCaptcha on register page * register page captcha test cases * Refactor integration validation rules to include form context - Updated the `getValidationRules` method in various integration handlers (Discord, Email, Google Sheets, Slack, Webhook, Zapier) to accept an optional `Form` parameter, allowing for context-aware validation. - Enhanced the `EmailIntegration` handler to enforce restrictions based on user plans, ensuring free users can only create one email integration per form and can only send to a single email address. - Added a new test suite for `EmailIntegration` to validate the new restrictions and ensure proper functionality for both free and pro users. - Introduced loading state management in the `IntegrationModal` component to improve user experience during save operations. These changes improve the flexibility and user experience of form integrations, particularly for email handling. * for self-hosted ignore emil validation for spam * fix pint * ignore register throttle for testing env * support new migration for mysql also * Register page captcha enable if captcha key set * fix test case * fix test case * fix test case * fix pint * Refactor RegisterController middleware and update TestCase setup - Removed environment check for throttling middleware in RegisterController, ensuring consistent rate limiting for the registration endpoint. - Updated TestCase to disable throttle middleware during tests, allowing for more flexible testing scenarios without rate limiting interference. * Enhance hCaptcha integration in tests and configuration - Added hCaptcha site and secret keys to phpunit.xml for testing purposes. - Updated RegisterTest to configure hCaptcha secret key dynamically, ensuring proper token validation in production environment. These changes improve the testing setup for hCaptcha, facilitating more accurate simulation of production conditions. --------- Co-authored-by: Julien Nahum <julien@nahum.net>
2024-12-18 17:46:27 +05:30
parent c1ee072b71
commit 7365479c83
18 changed files with 375 additions and 25 deletions
--- a/api/tests/Feature/RegisterTest.php
+++ b/api/tests/Feature/RegisterTest.php
@@ -1,8 +1,15 @@
 <?php

 use App\Models\User;
+use App\Rules\ValidHCaptcha;
+use Illuminate\Support\Facades\Http;

 it('can register', function () {
+
+    Http::fake([
+        ValidHCaptcha::H_CAPTCHA_VERIFY_URL => Http::response(['success' => true])
+    ]);
+
    $this->postJson('/register', [
        'name' => 'Test User',
        'email' => 'test@test.app',
@@ -10,13 +17,15 @@ it('can register', function () {
        'password' => 'secret',
        'password_confirmation' => 'secret',
        'agree_terms' => true,
+        'h-captcha-response' => 'test-token', // Mock token for testing
    ])
        ->assertSuccessful()
        ->assertJsonStructure(['id', 'name', 'email']);
-    $this->assertDatabaseHas('users', [
-        'name' => 'Test User',
-        'email' => 'test@test.app',
-    ]);
+
+    $user = User::where('email', 'test@test.app')->first();
+    expect($user)->not->toBeNull();
+    expect($user->meta)->toHaveKey('registration_ip');
+    expect($user->meta['registration_ip'])->toBe(request()->ip());
 });

 it('cannot register with existing email', function () {
@@ -27,12 +36,17 @@ it('cannot register with existing email', function () {
        'email' => 'test@test.app',
        'password' => 'secret',
        'password_confirmation' => 'secret',
+        'h-captcha-response' => 'test-token',
    ])
        ->assertStatus(422)
        ->assertJsonValidationErrors(['email']);
 });

 it('cannot register with disposable email', function () {
+    Http::fake([
+        ValidHCaptcha::H_CAPTCHA_VERIFY_URL => Http::response(['success' => true])
+    ]);
+
    // Select random email
    $email = [
        'dumliyupse@gufum.com',
@@ -48,6 +62,7 @@ it('cannot register with disposable email', function () {
        'password' => 'secret',
        'password_confirmation' => 'secret',
        'agree_terms' => true,
+        'h-captcha-response' => 'test-token',
    ])
        ->assertStatus(422)
        ->assertJsonValidationErrors(['email'])
@@ -60,3 +75,22 @@ it('cannot register with disposable email', function () {
            ],
        ]);
 });
+
+it('requires hcaptcha token in production', function () {
+    config(['services.h_captcha.secret_key' => 'test-key']);
+
+    Http::fake([
+        ValidHCaptcha::H_CAPTCHA_VERIFY_URL => Http::response(['success' => true])
+    ]);
+
+    $this->postJson('/register', [
+        'name' => 'Test User',
+        'email' => 'test@test.app',
+        'hear_about_us' => 'google',
+        'password' => 'secret',
+        'password_confirmation' => 'secret',
+        'agree_terms' => true,
+    ])
+        ->assertStatus(422)
+        ->assertJsonValidationErrors(['h-captcha-response']);
+});