Move captcha validation to a separate method [MAILPOET-2015]

2019-07-11 15:29:02 +03:00
parent 7788aebe83
commit 8647244807
1 changed files with 68 additions and 58 deletions
--- a/lib/API/JSON/v1/Subscribers.php
+++ b/lib/API/JSON/v1/Subscribers.php
@ -4,6 +4,7 @@ namespace MailPoet\API\JSON\v1;
 use MailPoet\API\JSON\Endpoint as APIEndpoint;
 use MailPoet\API\JSON\Error as APIError;
 use MailPoet\API\JSON\Response as APIResponse;
 use MailPoet\Config\AccessControl;
 use MailPoet\Form\Util\FieldNameObfuscator;
 use MailPoet\Listing;
@ -158,9 +159,9 @@ class Subscribers extends APIEndpoint {
      ]);
    }
-    $captcha = $this->settings->get('captcha');
+    $captcha_settings = $this->settings->get('captcha');
-    if (!empty($captcha['type']) && $captcha['type'] === Captcha::TYPE_BUILTIN) {
+    if (!empty($captcha_settings['type']) && $captcha_settings['type'] === Captcha::TYPE_BUILTIN) {
      if (empty($data['captcha'])) {
        // Save form data to session
        $_SESSION[Captcha::SESSION_FORM_KEY] = array_merge($data, ['form_id' => $form_id]);
@ -192,62 +193,9 @@ class Subscribers extends APIEndpoint {
      ]);
    }
-    $is_builtin_captcha_required = false;
+    $captcha_validation_result = $this->validateCaptcha($captcha_settings, $data);
-    if (!empty($captcha['type']) && $captcha['type'] === Captcha::TYPE_BUILTIN) {
+    if ($captcha_validation_result instanceof APIResponse) {
-      $is_builtin_captcha_required = $this->subscription_captcha->isRequired(isset($data['email']) ? $data['email'] : '');
+      return $captcha_validation_result;
      if ($is_builtin_captcha_required && empty($data['captcha'])) {
        $meta = [];
        $meta['redirect_url'] = SubscriptionUrl::getCaptchaUrl();
        return $this->badRequest([
          APIError::BAD_REQUEST => WPFunctions::get()->__('Please check the CAPTCHA.', 'mailpoet'),
        ], $meta);
      }
    }
    if (!empty($captcha['type']) && $captcha['type'] === Captcha::TYPE_RECAPTCHA && empty($data['recaptcha'])) {
      return $this->badRequest([
        APIError::BAD_REQUEST => WPFunctions::get()->__('Please check the CAPTCHA.', 'mailpoet'),
      ]);
    }
    if (!empty($captcha['type'])) {
      if ($captcha['type'] === Captcha::TYPE_RECAPTCHA) {
        $res = empty($data['recaptcha']) ? $data['recaptcha-no-js'] : $data['recaptcha'];
        $res = WPFunctions::get()->wpRemotePost('https://www.google.com/recaptcha/api/siteverify', [
          'body' => [
            'secret' => $captcha['recaptcha_secret_token'],
            'response' => $res,
          ],
        ]);
        if (is_wp_error($res)) {
          return $this->badRequest([
            APIError::BAD_REQUEST => WPFunctions::get()->__('Error while validating the CAPTCHA.', 'mailpoet'),
          ]);
        }
        $res = json_decode(wp_remote_retrieve_body($res));
        if (empty($res->success)) {
          return $this->badRequest([
            APIError::BAD_REQUEST => WPFunctions::get()->__('Error while validating the CAPTCHA.', 'mailpoet'),
          ]);
        }
      } elseif ($captcha['type'] === Captcha::TYPE_BUILTIN && $is_builtin_captcha_required) {
        if (empty($_SESSION[Captcha::SESSION_KEY])) {
          return $this->badRequest([
            APIError::BAD_REQUEST => WPFunctions::get()->__('Please regenerate the CAPTCHA.', 'mailpoet'),
          ]);
        } elseif (!hash_equals(strtolower($data['captcha']), $_SESSION[Captcha::SESSION_KEY])) {
          $_SESSION[Captcha::SESSION_KEY] = null;
          $meta = [];
          $meta['refresh_captcha'] = true;
          return $this->badRequest([
            APIError::BAD_REQUEST => WPFunctions::get()->__('The characters entered do not match with the previous captcha.', 'mailpoet'),
          ], $meta);
        } else {
          // Captcha has been verified, invalidate the session vars
          $_SESSION[Captcha::SESSION_KEY] = null;
          $_SESSION[Captcha::SESSION_FORM_KEY] = null;
        }
      }
    }
    // only accept fields defined in the form
@ -297,6 +245,68 @@ class Subscribers extends APIEndpoint {
    return $obfuscator->deobfuscateFormPayload($data);
  }
  private function validateCaptcha($captcha_settings, $data) {
    $is_builtin_captcha_required = false;
    if (!empty($captcha_settings['type']) && $captcha_settings['type'] === Captcha::TYPE_BUILTIN) {
      $is_builtin_captcha_required = $this->subscription_captcha->isRequired(isset($data['email']) ? $data['email'] : '');
      if ($is_builtin_captcha_required && empty($data['captcha'])) {
        $meta = [];
        $meta['redirect_url'] = SubscriptionUrl::getCaptchaUrl();
        return $this->badRequest([
          APIError::BAD_REQUEST => WPFunctions::get()->__('Please check the CAPTCHA.', 'mailpoet'),
        ], $meta);
      }
    }
    if (!empty($captcha_settings['type']) && $captcha_settings['type'] === Captcha::TYPE_RECAPTCHA && empty($data['recaptcha'])) {
      return $this->badRequest([
        APIError::BAD_REQUEST => WPFunctions::get()->__('Please check the CAPTCHA.', 'mailpoet'),
      ]);
    }
    if (!empty($captcha_settings['type'])) {
      if ($captcha_settings['type'] === Captcha::TYPE_RECAPTCHA) {
        $res = empty($data['recaptcha']) ? $data['recaptcha-no-js'] : $data['recaptcha'];
        $res = WPFunctions::get()->wpRemotePost('https://www.google.com/recaptcha/api/siteverify', [
          'body' => [
            'secret' => $captcha_settings['recaptcha_secret_token'],
            'response' => $res,
          ],
        ]);
        if (is_wp_error($res)) {
          return $this->badRequest([
            APIError::BAD_REQUEST => WPFunctions::get()->__('Error while validating the CAPTCHA.', 'mailpoet'),
          ]);
        }
        $res = json_decode(wp_remote_retrieve_body($res));
        if (empty($res->success)) {
          return $this->badRequest([
            APIError::BAD_REQUEST => WPFunctions::get()->__('Error while validating the CAPTCHA.', 'mailpoet'),
          ]);
        }
      } elseif ($captcha_settings['type'] === Captcha::TYPE_BUILTIN && $is_builtin_captcha_required) {
        if (empty($_SESSION[Captcha::SESSION_KEY])) {
          return $this->badRequest([
            APIError::BAD_REQUEST => WPFunctions::get()->__('Please regenerate the CAPTCHA.', 'mailpoet'),
          ]);
        } elseif (!hash_equals(strtolower($data['captcha']), $_SESSION[Captcha::SESSION_KEY])) {
          $_SESSION[Captcha::SESSION_KEY] = null;
          $meta = [];
          $meta['refresh_captcha'] = true;
          return $this->badRequest([
            APIError::BAD_REQUEST => WPFunctions::get()->__('The characters entered do not match with the previous captcha.', 'mailpoet'),
          ], $meta);
        } else {
          // Captcha has been verified, invalidate the session vars
          $_SESSION[Captcha::SESSION_KEY] = null;
          $_SESSION[Captcha::SESSION_FORM_KEY] = null;
        }
      }
    }
    return true;
  }
  function save($data = []) {
    if (empty($data['segments'])) {
      $data['segments'] = [];