Commit af23a728 authored by o@immerda.ch's avatar o@immerda.ch

Use a better captcha solution that does not depend on ImageMagick

parent 87a8b05a
......@@ -36,7 +36,7 @@ gem 'bootsnap', '>= 1.1.0', require: false
gem 'rqrcode'
gem 'rotp'
gem 'simple_captcha_reloaded'
gem 'rucaptcha'
gem 'jsobfu'
group :development, :test do
......
......@@ -159,6 +159,8 @@ GEM
chunky_png (~> 1.0)
ruby_dep (1.5.0)
rubyzip (1.2.1)
rucaptcha (2.3.0)
railties (>= 3.2)
sass (3.5.6)
sass-listen (~> 4.0.0)
sass-listen (4.0.0)
......@@ -173,8 +175,6 @@ GEM
selenium-webdriver (3.13.0)
childprocess (~> 0.5)
rubyzip (~> 1.2)
simple_captcha_reloaded (0.3.0)
rails (>= 4.1)
spring (2.0.2)
activesupport (>= 4.2)
spring-watcher-listen (2.0.1)
......@@ -227,9 +227,9 @@ DEPENDENCIES
rest-client
rotp
rqrcode
rucaptcha
sass-rails (~> 5.0)
selenium-webdriver
simple_captcha_reloaded
spring
spring-watcher-listen (~> 2.0.0)
sqlite3
......
......@@ -7,9 +7,14 @@ class ApplicationController < ActionController::Base
before_action :set_locale
def available_locales
[:de, :en, :fr, :es]
end
helper_method :available_locales
def valid_l(l)
l = l.to_s[0..1]
return l if l && I18n.available_locales.include?(l.to_sym)
return l if l && available_locales.include?(l.to_sym)
nil
end
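Review bot: The `l &&` guard in `return l if l && available_locales.include?(l.to_sym)` is dead code: `l.to_s[0..1]` always yields a String (an empty one for nil or empty input), never nil. The two-character truncation is what bounds the symbol created from the user-supplied locale parameter before `to_sym`, and that intent deserves a comment such as `# truncate first so to_sym only ever sees a two-character, attacker-bounded string`. The body could then simply read `l = l.to_s[0..1]` / `l if available_locales.include?(l.to_sym)`, which returns nil implicitly when the locale is not whitelisted.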
......
require 'simple_captcha_reloaded'
require 'rucaptcha'
require 'base64'
require 'jsobfu'
......@@ -232,11 +232,13 @@ class SessionsController < ApplicationController
def load_pow(autosubmit)
security_level = security_level(current_user || params[:user_id])
nonce = session[:pow_nonce] = (0...6).map { captcha_chars.sample }.join
@pow_factor = session[:pow_factor] = security_level[:pow_factor]
if session[:ping_pong] == 1 && security_level[:enable_captcha]
@captcha = Base64.encode64(SimpleCaptchaReloaded::Image.new.generate(nonce))
res = RuCaptcha.generate()
@captcha = Base64.encode64(res[1])
session[:pow_nonce] = res[0]
else
nonce = session[:pow_nonce] = SecureRandom.urlsafe_base64(20)
# Add some obfuscated script to the page that will fill in the nonce
# field, compute the pow and submit it. The obfuscation makes it
# harder for an attacker to get the nonce without executing this
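Review bot: In the captcha branch the session value is replaced by the rucaptcha code on `session[:pow_nonce] = res[0]`, but the local `nonce` assigned earlier from `captcha_chars` is not, so the two now diverge, whereas the else branch keeps them in sync with `nonce = session[:pow_nonce] = SecureRandom.urlsafe_base64(20)`. If the rest of load_pow (which continues outside this hunk) uses `nonce` to build the challenge, the captcha branch would issue a challenge for a value the session no longer holds. Mirroring the else branch with destructuring avoids both the drift and the index access: `code, image = RuCaptcha.generate` / `nonce = session[:pow_nonce] = code` / `@captcha = Base64.encode64(image)`. Note also that the nonce length and alphabet in this branch are now whatever RuCaptcha is configured to produce rather than six `captcha_chars` characters, so any verification that assumes the old format should be confirmed.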
......
......@@ -25,9 +25,9 @@
<% end %>
<div class="langswitch">
<% I18n.available_locales.each do |l| %>
<% available_locales.select{|l| l != I18n.locale }.each do |l| %>
<%= link_to l, :l => l %>
<%= if l != I18n.available_locales.last then '|' else '' end %>
<%= if l != available_locales.last then '|' else '' end %>
<% end %>
</div>
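Review bot: The separator check `l != available_locales.last` no longer matches the filtered list, so when the current locale is the last entry of `available_locales` (here `:es`) every remaining link is followed by a `|`, including the final one. Compute the filtered list once and compare against its own last element: `<% others = available_locales.reject { |l| l == I18n.locale } %>` / `<% others.each do |l| %>` / `<%= '|' unless l == others.last %>`.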
......