klevze/SkinbaseNova
1
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add captcha-backed forum security hardening

Browse Source
This commit is contained in:
Gregor Klevže
2026-03-17 16:06:28 +01:00
parent 980a15f66e
commit b3fc889452
40 changed files with 2849 additions and 108 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
app/Http/Controllers/Auth/AuthenticatedSessionController.php
View File

@@ -4,6 +4,7 @@ namespace App\Http\Controllers\Auth;
use App\Http\Controllers\Controller;
use App\Http\Requests\Auth\LoginRequest;
use App\Services\Security\CaptchaVerifier;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
@@ -14,9 +15,17 @@ class AuthenticatedSessionController extends Controller
/**
* Display the login view.
*/
public function __construct(
private readonly CaptchaVerifier $captchaVerifier,
) {
}
public function create(): View
{
return view('auth.login');
return view('auth.login', [
'requiresCaptcha' => session('bot_captcha_required', false),
'captcha' => $this->captchaVerifier->frontendConfig(),
]);
}
/**

26
app/Http/Controllers/Auth/RegisteredUserController.php
View File

@@ -8,7 +8,7 @@ use App\Models\EmailSendEvent;
use App\Models\User;
use App\Services\Auth\DisposableEmailService;
use App\Services\Auth\RegistrationVerificationTokenService;
use App\Services\Security\TurnstileVerifier;
use App\Services\Security\CaptchaVerifier;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
@@ -19,7 +19,7 @@ use Illuminate\View\View;
class RegisteredUserController extends Controller
{
public function __construct(
private readonly TurnstileVerifier $turnstileVerifier,
private readonly CaptchaVerifier $captchaVerifier,
private readonly DisposableEmailService $disposableEmailService,
private readonly RegistrationVerificationTokenService $verificationTokenService,
)
@@ -33,8 +33,8 @@ class RegisteredUserController extends Controller
{
return view('auth.register', [
'prefillEmail' => (string) $request->query('email', ''),
'requiresTurnstile' => $this->shouldRequireTurnstile($request->ip()),
'turnstileSiteKey' => (string) config('services.turnstile.site_key', ''),
'requiresCaptcha' => $this->shouldRequireCaptcha($request->ip()),
'captcha' => $this->captchaVerifier->frontendConfig(),
]);
}
@@ -56,20 +56,22 @@ class RegisteredUserController extends Controller
*/
public function store(Request $request): RedirectResponse
{
$validated = $request->validate([
$rules = [
'email' => ['required', 'string', 'lowercase', 'email', 'max:255'],
'website' => ['nullable', 'max:0'],
'cf-turnstile-response' => ['nullable', 'string'],
]);
];
$rules[$this->captchaVerifier->inputName()] = ['nullable', 'string'];
$validated = $request->validate($rules);
$email = strtolower(trim((string) $validated['email']));
$ip = $request->ip();
$this->trackRegisterAttempt($ip);
if ($this->shouldRequireTurnstile($ip)) {
$verified = $this->turnstileVerifier->verify(
(string) $request->input('cf-turnstile-response', ''),
if ($this->shouldRequireCaptcha($ip)) {
$verified = $this->captchaVerifier->verify(
(string) $request->input($this->captchaVerifier->inputName(), ''),
$ip
);
@@ -199,9 +201,9 @@ class RegisteredUserController extends Controller
]);
}
private function shouldRequireTurnstile(?string $ip): bool
private function shouldRequireCaptcha(?string $ip): bool
{
if (! $this->turnstileVerifier->isEnabled()) {
if (! $this->captchaVerifier->isEnabled()) {
return false;
}

4
app/Http/Controllers/User/ProfileController.php
View File

@@ -17,6 +17,7 @@ use App\Models\Artwork;
use App\Models\ProfileComment;
use App\Models\Story;
use App\Models\User;
use App\Services\Security\CaptchaVerifier;
use App\Services\AvatarService;
use App\Services\ArtworkService;
use App\Services\FollowService;
@@ -47,6 +48,7 @@ class ProfileController extends Controller
private readonly UsernameApprovalService $usernameApprovalService,
private readonly FollowService $followService,
private readonly UserStatsService $userStats,
private readonly CaptchaVerifier $captchaVerifier,
)
{
}
@@ -240,7 +242,9 @@ class ProfileController extends Controller
'flash' => [
'status' => session('status'),
'error' => session('error'),
'botCaptchaRequired' => session('bot_captcha_required', false),
],
'captcha' => $this->captchaVerifier->frontendConfig(),
])->rootView('settings');
}

50
app/Http/Middleware/ForumAIModerationMiddleware.php Normal file
View File

@@ -0,0 +1,50 @@
<?php
namespace App\Http\Middleware;
use Closure;
use cPad\Plugins\Forum\Services\AI\AIContentModerator;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;
class ForumAIModerationMiddleware
{
public function __construct(
private readonly AIContentModerator $aiContentModerator,
) {
}
public function handle(Request $request, Closure $next, string $action = 'generic'): Response
{
$assessment = [
'action' => $action,
'ai_spam_score' => 0,
'ai_toxicity_score' => 0,
'flags' => [],
'reasons' => [],
'provider' => 'none',
'available' => false,
'raw' => null,
'language' => null,
];
$title = trim((string) $request->input('title', ''));
$content = trim((string) $request->input('content', ''));
$combinedContent = trim($title !== '' ? $title . "\n" . $content : $content);
if (
$combinedContent !== ''
&& (bool) config('skinbase_ai_moderation.enabled', true)
&& (bool) config('skinbase_ai_moderation.preflight.run_ai_sync', true)
) {
$spamAssessment = $request->attributes->get('forum_spam_assessment');
$assessment = ['action' => $action] + $this->aiContentModerator->analyze($combinedContent, [
'links' => is_array($spamAssessment) ? (array) ($spamAssessment['links'] ?? []) : [],
]);
}
$request->attributes->set('forum_ai_assessment', $assessment);
return $next($request);
}
}

96
app/Http/Middleware/ForumBotProtectionMiddleware.php Normal file
View File

@@ -0,0 +1,96 @@
<?php
namespace App\Http\Middleware;
use App\Services\Security\CaptchaVerifier;
use cPad\Plugins\Forum\Services\Security\BotProtectionService;
use Closure;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Validation\ValidationException;
use Symfony\Component\HttpFoundation\Response;
class ForumBotProtectionMiddleware
{
public function __construct(
private readonly BotProtectionService $botProtectionService,
private readonly CaptchaVerifier $captchaVerifier,
) {
}
public function handle(Request $request, Closure $next, string $action = 'generic'): Response|RedirectResponse|JsonResponse
{
$assessment = $this->botProtectionService->assess($request, $action);
$request->attributes->set('forum_bot_assessment', $assessment);
if ($this->requiresCaptcha($assessment, $action)) {
$captcha = $this->captchaVerifier->frontendConfig();
$tokenInput = (string) ($captcha['inputName'] ?? $this->captchaVerifier->inputName());
$token = (string) (
$request->input($tokenInput)
?: $request->header('X-Captcha-Token', '')
?: $request->header('X-Turnstile-Token', '')
);
if (! $this->captchaVerifier->verify($token, $request->ip())) {
$message = (string) config('forum_bot_protection.captcha.message', 'Complete the captcha challenge to continue.');
if ($request->expectsJson()) {
return response()->json([
'message' => $message,
'errors' => [
'captcha' => [$message],
],
'requires_captcha' => true,
'captcha' => $captcha,
'captcha_provider' => (string) ($captcha['provider'] ?? $this->captchaVerifier->provider()),
'captcha_site_key' => (string) ($captcha['siteKey'] ?? ''),
'captcha_input' => (string) ($captcha['inputName'] ?? $tokenInput),
'captcha_script_url' => (string) ($captcha['scriptUrl'] ?? ''),
], 422);
}
return redirect()->back()
->withInput($request->except(['password', 'current_password', 'new_password', 'new_password_confirmation', $tokenInput]))
->withErrors(['captcha' => $message])
->with('bot_captcha_required', true)
->with('bot_turnstile_required', true);
}
$request->attributes->set('forum_bot_captcha_verified', true);
}
if ((bool) ($assessment['blocked'] ?? false)) {
$message = 'Suspicious activity detected.';
if ($request->expectsJson()) {
return response()->json([
'message' => $message,
'errors' => [
'bot' => [$message],
],
], 429);
}
throw ValidationException::withMessages([
'bot' => [$message],
]);
}
return $next($request);
}
private function requiresCaptcha(array $assessment, string $action): bool
{
if (! $this->captchaVerifier->isEnabled()) {
return false;
}
if ((int) ($assessment['risk_score'] ?? 0) < (int) config('forum_bot_protection.thresholds.captcha', 60)) {
return false;
}
return in_array($action, (array) config('forum_bot_protection.captcha.actions', []), true);
}
}

70
app/Http/Middleware/ForumRateLimitMiddleware.php Normal file
View File

@@ -0,0 +1,70 @@
<?php
namespace App\Http\Middleware;
use Closure;
use cPad\Plugins\Forum\Services\Security\BotProtectionService;
use Illuminate\Http\Exceptions\ThrottleRequestsException;
use Illuminate\Http\Request;
use Illuminate\Routing\Middleware\ThrottleRequests;
use Symfony\Component\HttpFoundation\Response;
class ForumRateLimitMiddleware
{
public function __construct(
private readonly ThrottleRequests $throttleRequests,
private readonly BotProtectionService $botProtectionService,
) {
}
public function handle(Request $request, Closure $next): Response
{
$routeName = (string) optional($request->route())->getName();
$limiterName = match ($routeName) {
'forum.topic.store' => 'forum-thread-create',
default => 'forum-post-write',
};
try {
return $this->throttleRequests->handle($request, $next, $limiterName);
} catch (ThrottleRequestsException $exception) {
$maxAttempts = (int) ($exception->getHeaders()['X-RateLimit-Limit'] ?? 0);
$this->botProtectionService->recordRateLimitViolation(
$request,
$this->resolveActionName($routeName),
[
'limiter' => $limiterName,
'bucket' => $this->resolveBucket($limiterName, $maxAttempts),
'max_attempts' => $maxAttempts,
'retry_after' => (int) ($exception->getHeaders()['Retry-After'] ?? 0),
'reason' => sprintf('Forum write rate limit exceeded on %s.', $routeName !== '' ? $routeName : 'unknown route'),
],
);
throw $exception;
}
}
private function resolveActionName(string $routeName): string
{
return match ($routeName) {
'forum.topic.store' => 'forum_topic_create',
'forum.post.update' => 'forum_post_update',
default => 'forum_reply_create',
};
}
private function resolveBucket(string $limiterName, int $maxAttempts): string
{
return $maxAttempts <= $this->minuteLimitThreshold($limiterName) ? 'minute' : 'hour';
}
private function minuteLimitThreshold(string $limiterName): int
{
return match ($limiterName) {
'forum-thread-create', 'forum-post-write' => 3,
default => PHP_INT_MAX,
};
}
}

90
app/Http/Middleware/ForumSecurityFirewallMiddleware.php Normal file
View File

@@ -0,0 +1,90 @@
<?php
namespace App\Http\Middleware;
use App\Services\Security\CaptchaVerifier;
use Closure;
use cPad\Plugins\Forum\Services\Security\ForumSecurityFirewallService;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Validation\ValidationException;
use Symfony\Component\HttpFoundation\Response;
class ForumSecurityFirewallMiddleware
{
public function __construct(
private readonly ForumSecurityFirewallService $firewallService,
private readonly CaptchaVerifier $captchaVerifier,
) {
}
public function handle(Request $request, Closure $next, string $action = 'generic'): Response|RedirectResponse|JsonResponse
{
$assessment = $this->firewallService->assess($request, $action);
$request->attributes->set('forum_firewall_assessment', $assessment);
if ($this->requiresCaptcha($assessment, $action)) {
$captcha = $this->captchaVerifier->frontendConfig();
$tokenInput = (string) ($captcha['inputName'] ?? $this->captchaVerifier->inputName());
$token = (string) (
$request->input($tokenInput)
?: $request->header('X-Captcha-Token', '')
?: $request->header('X-Turnstile-Token', '')
);
if (! $this->captchaVerifier->verify($token, $request->ip())) {
$message = 'Additional verification is required before continuing.';
if ($request->expectsJson()) {
return response()->json([
'message' => $message,
'errors' => [
'captcha' => [$message],
],
'requires_captcha' => true,
'captcha' => $captcha,
], 422);
}
return redirect()->back()
->withInput($request->except(['password', 'current_password', 'new_password', 'new_password_confirmation', $tokenInput]))
->withErrors(['captcha' => $message]);
}
$request->attributes->set('forum_firewall_captcha_verified', true);
}
if ((bool) ($assessment['blocked'] ?? false)) {
$message = 'Security firewall blocked this request.';
if ($request->expectsJson()) {
return response()->json([
'message' => $message,
'errors' => [
'security' => [$message],
],
], 429);
}
throw ValidationException::withMessages([
'security' => [$message],
]);
}
return $next($request);
}
private function requiresCaptcha(array $assessment, string $action): bool
{
if (! $this->captchaVerifier->isEnabled()) {
return false;
}
if (! (bool) ($assessment['requires_captcha'] ?? false)) {
return false;
}
return in_array($action, (array) config('forum_bot_protection.captcha.actions', []), true);
}
}

66
app/Http/Middleware/ForumSpamDetectionMiddleware.php Normal file
View File

@@ -0,0 +1,66 @@
<?php
namespace App\Http\Middleware;
use Closure;
use cPad\Plugins\Forum\Services\ForumSpamDetector;
use cPad\Plugins\Forum\Services\LinkAnalyzer;
use cPad\Plugins\Forum\Services\Security\ContentPatternAnalyzer;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;
class ForumSpamDetectionMiddleware
{
public function __construct(
private readonly ForumSpamDetector $spamDetector,
private readonly LinkAnalyzer $linkAnalyzer,
private readonly ContentPatternAnalyzer $contentPatternAnalyzer,
) {
}
public function handle(Request $request, Closure $next, string $action = 'generic'): Response
{
$title = trim((string) $request->input('title', ''));
$content = trim((string) $request->input('content', ''));
$combinedContent = trim($title !== '' ? $title . "\n" . $content : $content);
if ($combinedContent === '') {
$request->attributes->set('forum_spam_assessment', [
'action' => $action,
'spam_score' => 0,
'spam_reasons' => [],
'link_score' => 0,
'link_reasons' => [],
'links' => [],
'domains' => [],
'pattern_score' => 0,
'pattern_reasons' => [],
'matched_categories' => [],
]);
return $next($request);
}
$spam = $this->spamDetector->analyze($combinedContent);
$link = $this->linkAnalyzer->analyze($combinedContent);
$patterns = $this->contentPatternAnalyzer->analyze($combinedContent);
$request->attributes->set('forum_spam_assessment', [
'action' => $action,
'spam_score' => max((int) ($spam['score'] ?? 0), (int) ($patterns['score'] ?? 0)),
'spam_reasons' => array_values(array_unique(array_merge(
(array) ($spam['reasons'] ?? []),
(array) ($patterns['reasons'] ?? []),
))),
'link_score' => (int) ($link['score'] ?? 0),
'link_reasons' => (array) ($link['reasons'] ?? []),
'links' => (array) ($link['links'] ?? []),
'domains' => (array) ($link['domains'] ?? []),
'pattern_score' => (int) ($patterns['score'] ?? 0),
'pattern_reasons' => (array) ($patterns['reasons'] ?? []),
'matched_categories' => (array) ($patterns['matched_categories'] ?? []),
]);
return $next($request);
}
}