use a better captcha solution that does not use imagemagick

af23a728 · o@immerda.ch · 87a8b05a · af23a728 · af23a728 · af23a728
Commit af23a728 authored Sep 08, 2018 by o@immerda.ch
--- a/Gemfile
+++ b/Gemfile
@@ -36,7 +36,7 @@ gem 'bootsnap', '>= 1.1.0', require: false

 gem 'rqrcode'
 gem 'rotp'
-gem 'simple_captcha_reloaded'
+gem 'rucaptcha'
 gem 'jsobfu'

 group :development, :test do

--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -159,6 +159,8 @@ GEM
      chunky_png (~> 1.0)
    ruby_dep (1.5.0)
    rubyzip (1.2.1)
+    rucaptcha (2.3.0)
+      railties (>= 3.2)
    sass (3.5.6)
      sass-listen (~> 4.0.0)
    sass-listen (4.0.0)
@@ -173,8 +175,6 @@ GEM
    selenium-webdriver (3.13.0)
      childprocess (~> 0.5)
      rubyzip (~> 1.2)
-    simple_captcha_reloaded (0.3.0)
-      rails (>= 4.1)
    spring (2.0.2)
      activesupport (>= 4.2)
    spring-watcher-listen (2.0.1)
@@ -227,9 +227,9 @@ DEPENDENCIES
  rest-client
  rotp
  rqrcode
+  rucaptcha
  sass-rails (~> 5.0)
  selenium-webdriver
-  simple_captcha_reloaded
  spring
  spring-watcher-listen (~> 2.0.0)
  sqlite3

--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -7,9 +7,14 @@ class ApplicationController < ActionController::Base

  before_action :set_locale

+  def available_locales
+    [:de, :en, :fr, :es]
+  end
+  helper_method :available_locales
+
  def valid_l(l)
    l = l.to_s[0..1]
-    return l if l && I18n.available_locales.include?(l.to_sym)
+    return l if l && available_locales.include?(l.to_sym)
    nil
  end


--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
-require 'simple_captcha_reloaded'
+require 'rucaptcha'
 require 'base64'
 require 'jsobfu'

@@ -232,11 +232,13 @@ class SessionsController < ApplicationController

  def load_pow(autosubmit)
    security_level = security_level(current_user || params[:user_id])
-    nonce = session[:pow_nonce] = (0...6).map { captcha_chars.sample }.join
    @pow_factor = session[:pow_factor] = security_level[:pow_factor]
    if session[:ping_pong] == 1 && security_level[:enable_captcha]
-      @captcha = Base64.encode64(SimpleCaptchaReloaded::Image.new.generate(nonce))
+      res = RuCaptcha.generate()
+      @captcha = Base64.encode64(res[1])
+      session[:pow_nonce] = res[0]
    else
+      nonce = session[:pow_nonce] = SecureRandom.urlsafe_base64(20)
      # Add some obfuscated script to the page that will fill in the nonce
      # field, compute the pow and submit it. The obfuscation makes it
      # harder for an attacker to get the nonce without executing this

--- a/app/views/layouts/application.html.erb
+++ b/app/views/layouts/application.html.erb
@@ -25,9 +25,9 @@
      <% end %>

      <div class="langswitch">
-        <% I18n.available_locales.each do |l| %>
+        <% available_locales.select{|l| l != I18n.locale }.each do |l| %>
          <%= link_to l, :l => l %>
-          <%= if l != I18n.available_locales.last then '|' else '' end %>
+          <%= if l != available_locales.last then '|' else '' end %>
        <% end %>
      </div>