feat(auth): enable recaptcha for signup (#318)

## Summary by CodeRabbit ## Release Notes - **New Features** - Integrated Google reCAPTCHA into the signup process for enhanced security. - Added configuration for reCAPTCHA in the deployment workflow. - **Bug Fixes** - Improved error handling for reCAPTCHA in the signup form. - **Chores** - Updated dependencies to include `django-recaptcha`. - Modified logging configuration to include specific logging for reCAPTCHA events. These changes enhance user experience by improving signup security and ensuring smoother deployment processes.
esnvutbrno · Nov 30, 2024 · c8775a9 · c8775a9
2 parents f0722d9 + 4947e88
commit c8775a9
Show file tree

Hide file tree

Showing 12 changed files with 70 additions and 5 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -182,6 +182,9 @@ jobs:
               sentry:
                 dsn: ${{ secrets.SENTRY_DSN }}
                 jsLoaderUrl: ${{ secrets.SENTRY_JS_LOADER_URL }}
+              recaptcha:
+                siteKey: ${{ secrets.RECAPTCHA_SITE_KEY }}
+                secretKey: ${{ secrets.RECAPTCHA_SECRET_KEY }}
               mailer:
                 primary:
                   host: ${{ secrets.DJANGO_MAILER_PRIMARY_HOST }}

diff --git a/charts/templates/web-secret.yaml b/charts/templates/web-secret.yaml
@@ -17,6 +17,9 @@
     "DJANGO_MAILER_PRIMARY_HOST_PORT" (.Values.secrets.mailer.primary.port | b64enc)
     "DJANGO_MAILER_PRIMARY_HOST_USER" (.Values.secrets.mailer.primary.user | b64enc)
     "DJANGO_MAILER_PRIMARY_HOST_PASSWORD" (.Values.secrets.mailer.primary.password | b64enc)
+
+    "DJANGO_RECAPTCHA_SITE_KEY" (.Values.secrets.recaptcha.siteKey | b64enc)
+    "DJANGO_RECAPTCHA_SECRET_KEY" (.Values.secrets.recaptcha.secretKey | b64enc)
   )
 }}
 {{- include "fiesta.secret" (merge (dict "Args" $data) . ) -}}
diff --git a/charts/values.yaml b/charts/values.yaml
@@ -39,6 +39,9 @@ secrets:
   sentry:
     dsn: dsn
     jsLoaderUrl: url
+  recaptcha:
+    siteKey: key
+    secretKey: key
   mailer:
     primary:
       host: host

diff --git a/fiesta/.env.base b/fiesta/.env.base
@@ -1,3 +1,6 @@
 DJANGO_BUILD_DIR=/usr/src/build
 DJANGO_STATIC_ROOT=/usr/src/static
 DJANGO_MEDIA_ROOT=/usr/src/media
+# test keys are NOT suitable for v2 recaptcha
+DJANGO_RECAPTCHA_SITE_KEY=" "
+DJANGO_RECAPTCHA_SECRET_KEY=" "
diff --git a/fiesta/apps/accounts/forms/sign_up.py b/fiesta/apps/accounts/forms/sign_up.py
@@ -0,0 +1,14 @@
+from __future__ import annotations
+
+from allauth.account.forms import SignupForm as AllauthSignupForm
+from django_recaptcha.fields import ReCaptchaField
+from django_recaptcha.widgets import ReCaptchaV3
+
+
+class SignupForm(AllauthSignupForm):
+    recaptcha = ReCaptchaField(
+        widget=ReCaptchaV3(
+            action="signup",
+            attrs={"theme": "clean"},
+        )
+    )
diff --git a/fiesta/apps/accounts/templates/account/signup_form.html b/fiesta/apps/accounts/templates/account/signup_form.html
@@ -23,6 +23,11 @@ <h1 class="card-title">{{ card_title|default:"Create Account" }}</h1>
   {% include "fiestaforms/parts/field.html" with bf=form.email errors=form.errors.email %}
   {% include "fiestaforms/parts/field.html" with bf=form.password1 errors=form.errors.password1 %}
   {% include "fiestaforms/parts/field.html" with bf=form.password2 errors=form.errors.password2 %}
+  <div class="Forms__field">
+    {{ form.recaptcha }}
+    {% if form.errors.recaptcha %}<div class="Forms__error_text">{{ form.errors.recaptcha }}</div>{% endif %}
+  </div>
+
   <button type="submit" class="btn btn-block btn-primary">Sign up</button>
   <div class="text-sm font-medium text-gray-500">
     Already registered?

diff --git a/fiesta/fiesta/settings/__init__.py b/fiesta/fiesta/settings/__init__.py
@@ -39,6 +39,8 @@ class Development(Base):
 
     USE_WEBPACK_INTEGRITY = False
 
+    SILENCED_SYSTEM_CHECKS = ["django_recaptcha.recaptcha_test_key_error"]
+
     def INSTALLED_APPS(self):
         return super().INSTALLED_APPS + ["debug_toolbar"]
 

diff --git a/fiesta/fiesta/settings/auth.py b/fiesta/fiesta/settings/auth.py
@@ -1,5 +1,7 @@
 from __future__ import annotations
 
+from configurations.values import SecretValue
+
 
 class AuthConfigMixin:
     AUTH_PASSWORD_VALIDATORS = [
@@ -75,6 +77,10 @@ class AuthConfigMixin:
     ACCOUNT_USERNAME_REQUIRED = False  # email ftw
     ACCOUNT_DEFAULT_HTTP_PROTOCOL = "https"
 
+    ACCOUNT_FORMS = {
+        "signup": "apps.accounts.forms.sign_up.SignupForm",
+    }
+
     ACCOUNT_EMAIL_VERIFICATION = "mandatory"
     SOCIALACCOUNT_EMAIL_VERIFICATION = "optional"
     # social account settings
@@ -92,3 +98,9 @@ class AuthConfigMixin:
     ACCOUNT_LOGOUT_ON_PASSWORD_CHANGE = True  # logout after password change
 
     ACCOUNT_USERNAME_MIN_LENGTH = 4  # a personal preference
+
+    # rename it to get the same as defined in recaptcha original docs
+    RECAPTCHA_PUBLIC_KEY = SecretValue(environ_name="RECAPTCHA_SITE_KEY")
+    RECAPTCHA_PRIVATE_KEY = SecretValue(environ_name="RECAPTCHA_SECRET_KEY")
+
+    RECAPTCHA_USE_SSL = True  # Defaults to False
diff --git a/fiesta/fiesta/settings/logging.py b/fiesta/fiesta/settings/logging.py
@@ -58,6 +58,10 @@ def LOGGING(self):
                     "handlers": ["console"],
                     "level": self.LOG_LEVEL,
                 },
+                "django_recaptcha": {
+                    "handlers": ["console"],
+                    "level": self.LOG_LEVEL,
+                },
             },
         }
 

diff --git a/fiesta/fiesta/settings/project.py b/fiesta/fiesta/settings/project.py
@@ -101,6 +101,8 @@ def DEFAULT_FROM_EMAIL(self):
         "allauth_cas",
         # superuser can log in as any user
         "loginas",
+        # recaptcha
+        "django_recaptcha",
         # editorjs integration
         "django_editorjs_fields",
         # location fields

diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -55,6 +55,7 @@ django-admin-env-notice = "^1.0"
 cryptography = "^43.0.0"
 django-admin-relation-links = "^0.2.5"
 django-mailer = "^2.3.1"
+django-recaptcha = "^4.0.0"
 
 
 [tool.poetry.dev-dependencies]
@@ -96,17 +97,16 @@ exclude = '''
 
 [tool.ruff]
 # see https://beta.ruff.rs/docs/rules/
-extend-select = ["UP", "DJ", "PIE", "INT", "PTH", "SIM", "RET", "G", "DTZ", "B", "I002"]
 line-length = 120
 target-version = "py311"
-ignore = ["E731"]
 
 exclude = [
     "migrations",
 ]
 
-[tool.ruff.isort]
-required-imports = ["from __future__ import annotations"]
+lint.ignore = ["E731"]
+extend-select = ["UP", "DJ", "PIE", "INT", "PTH", "SIM", "RET", "G", "DTZ", "B", "I002"]
+lint.isort.required-imports = ["from __future__ import annotations"]
 
 
 [tool.vulture]