feat: add captcha-backed forum security hardening
This commit is contained in:
50
app/Http/Middleware/ForumAIModerationMiddleware.php
Normal file
50
app/Http/Middleware/ForumAIModerationMiddleware.php
Normal file
@@ -0,0 +1,50 @@
|
||||
<?php
|
||||
|
||||
namespace App\Http\Middleware;
|
||||
|
||||
use Closure;
|
||||
use cPad\Plugins\Forum\Services\AI\AIContentModerator;
|
||||
use Illuminate\Http\Request;
|
||||
use Symfony\Component\HttpFoundation\Response;
|
||||
|
||||
class ForumAIModerationMiddleware
|
||||
{
|
||||
public function __construct(
|
||||
private readonly AIContentModerator $aiContentModerator,
|
||||
) {
|
||||
}
|
||||
|
||||
public function handle(Request $request, Closure $next, string $action = 'generic'): Response
|
||||
{
|
||||
$assessment = [
|
||||
'action' => $action,
|
||||
'ai_spam_score' => 0,
|
||||
'ai_toxicity_score' => 0,
|
||||
'flags' => [],
|
||||
'reasons' => [],
|
||||
'provider' => 'none',
|
||||
'available' => false,
|
||||
'raw' => null,
|
||||
'language' => null,
|
||||
];
|
||||
|
||||
$title = trim((string) $request->input('title', ''));
|
||||
$content = trim((string) $request->input('content', ''));
|
||||
$combinedContent = trim($title !== '' ? $title . "\n" . $content : $content);
|
||||
|
||||
if (
|
||||
$combinedContent !== ''
|
||||
&& (bool) config('skinbase_ai_moderation.enabled', true)
|
||||
&& (bool) config('skinbase_ai_moderation.preflight.run_ai_sync', true)
|
||||
) {
|
||||
$spamAssessment = $request->attributes->get('forum_spam_assessment');
|
||||
$assessment = ['action' => $action] + $this->aiContentModerator->analyze($combinedContent, [
|
||||
'links' => is_array($spamAssessment) ? (array) ($spamAssessment['links'] ?? []) : [],
|
||||
]);
|
||||
}
|
||||
|
||||
$request->attributes->set('forum_ai_assessment', $assessment);
|
||||
|
||||
return $next($request);
|
||||
}
|
||||
}
|
||||
96
app/Http/Middleware/ForumBotProtectionMiddleware.php
Normal file
96
app/Http/Middleware/ForumBotProtectionMiddleware.php
Normal file
@@ -0,0 +1,96 @@
|
||||
<?php
|
||||
|
||||
namespace App\Http\Middleware;
|
||||
|
||||
use App\Services\Security\CaptchaVerifier;
|
||||
use cPad\Plugins\Forum\Services\Security\BotProtectionService;
|
||||
use Closure;
|
||||
use Illuminate\Http\JsonResponse;
|
||||
use Illuminate\Http\RedirectResponse;
|
||||
use Illuminate\Http\Request;
|
||||
use Illuminate\Validation\ValidationException;
|
||||
use Symfony\Component\HttpFoundation\Response;
|
||||
|
||||
class ForumBotProtectionMiddleware
|
||||
{
|
||||
public function __construct(
|
||||
private readonly BotProtectionService $botProtectionService,
|
||||
private readonly CaptchaVerifier $captchaVerifier,
|
||||
) {
|
||||
}
|
||||
|
||||
public function handle(Request $request, Closure $next, string $action = 'generic'): Response|RedirectResponse|JsonResponse
|
||||
{
|
||||
$assessment = $this->botProtectionService->assess($request, $action);
|
||||
$request->attributes->set('forum_bot_assessment', $assessment);
|
||||
|
||||
if ($this->requiresCaptcha($assessment, $action)) {
|
||||
$captcha = $this->captchaVerifier->frontendConfig();
|
||||
$tokenInput = (string) ($captcha['inputName'] ?? $this->captchaVerifier->inputName());
|
||||
$token = (string) (
|
||||
$request->input($tokenInput)
|
||||
?: $request->header('X-Captcha-Token', '')
|
||||
?: $request->header('X-Turnstile-Token', '')
|
||||
);
|
||||
|
||||
if (! $this->captchaVerifier->verify($token, $request->ip())) {
|
||||
$message = (string) config('forum_bot_protection.captcha.message', 'Complete the captcha challenge to continue.');
|
||||
|
||||
if ($request->expectsJson()) {
|
||||
return response()->json([
|
||||
'message' => $message,
|
||||
'errors' => [
|
||||
'captcha' => [$message],
|
||||
],
|
||||
'requires_captcha' => true,
|
||||
'captcha' => $captcha,
|
||||
'captcha_provider' => (string) ($captcha['provider'] ?? $this->captchaVerifier->provider()),
|
||||
'captcha_site_key' => (string) ($captcha['siteKey'] ?? ''),
|
||||
'captcha_input' => (string) ($captcha['inputName'] ?? $tokenInput),
|
||||
'captcha_script_url' => (string) ($captcha['scriptUrl'] ?? ''),
|
||||
], 422);
|
||||
}
|
||||
|
||||
return redirect()->back()
|
||||
->withInput($request->except(['password', 'current_password', 'new_password', 'new_password_confirmation', $tokenInput]))
|
||||
->withErrors(['captcha' => $message])
|
||||
->with('bot_captcha_required', true)
|
||||
->with('bot_turnstile_required', true);
|
||||
}
|
||||
|
||||
$request->attributes->set('forum_bot_captcha_verified', true);
|
||||
}
|
||||
|
||||
if ((bool) ($assessment['blocked'] ?? false)) {
|
||||
$message = 'Suspicious activity detected.';
|
||||
|
||||
if ($request->expectsJson()) {
|
||||
return response()->json([
|
||||
'message' => $message,
|
||||
'errors' => [
|
||||
'bot' => [$message],
|
||||
],
|
||||
], 429);
|
||||
}
|
||||
|
||||
throw ValidationException::withMessages([
|
||||
'bot' => [$message],
|
||||
]);
|
||||
}
|
||||
|
||||
return $next($request);
|
||||
}
|
||||
|
||||
private function requiresCaptcha(array $assessment, string $action): bool
|
||||
{
|
||||
if (! $this->captchaVerifier->isEnabled()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if ((int) ($assessment['risk_score'] ?? 0) < (int) config('forum_bot_protection.thresholds.captcha', 60)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return in_array($action, (array) config('forum_bot_protection.captcha.actions', []), true);
|
||||
}
|
||||
}
|
||||
70
app/Http/Middleware/ForumRateLimitMiddleware.php
Normal file
70
app/Http/Middleware/ForumRateLimitMiddleware.php
Normal file
@@ -0,0 +1,70 @@
|
||||
<?php
|
||||
|
||||
namespace App\Http\Middleware;
|
||||
|
||||
use Closure;
|
||||
use cPad\Plugins\Forum\Services\Security\BotProtectionService;
|
||||
use Illuminate\Http\Exceptions\ThrottleRequestsException;
|
||||
use Illuminate\Http\Request;
|
||||
use Illuminate\Routing\Middleware\ThrottleRequests;
|
||||
use Symfony\Component\HttpFoundation\Response;
|
||||
|
||||
class ForumRateLimitMiddleware
|
||||
{
|
||||
public function __construct(
|
||||
private readonly ThrottleRequests $throttleRequests,
|
||||
private readonly BotProtectionService $botProtectionService,
|
||||
) {
|
||||
}
|
||||
|
||||
public function handle(Request $request, Closure $next): Response
|
||||
{
|
||||
$routeName = (string) optional($request->route())->getName();
|
||||
$limiterName = match ($routeName) {
|
||||
'forum.topic.store' => 'forum-thread-create',
|
||||
default => 'forum-post-write',
|
||||
};
|
||||
|
||||
try {
|
||||
return $this->throttleRequests->handle($request, $next, $limiterName);
|
||||
} catch (ThrottleRequestsException $exception) {
|
||||
$maxAttempts = (int) ($exception->getHeaders()['X-RateLimit-Limit'] ?? 0);
|
||||
|
||||
$this->botProtectionService->recordRateLimitViolation(
|
||||
$request,
|
||||
$this->resolveActionName($routeName),
|
||||
[
|
||||
'limiter' => $limiterName,
|
||||
'bucket' => $this->resolveBucket($limiterName, $maxAttempts),
|
||||
'max_attempts' => $maxAttempts,
|
||||
'retry_after' => (int) ($exception->getHeaders()['Retry-After'] ?? 0),
|
||||
'reason' => sprintf('Forum write rate limit exceeded on %s.', $routeName !== '' ? $routeName : 'unknown route'),
|
||||
],
|
||||
);
|
||||
|
||||
throw $exception;
|
||||
}
|
||||
}
|
||||
|
||||
private function resolveActionName(string $routeName): string
|
||||
{
|
||||
return match ($routeName) {
|
||||
'forum.topic.store' => 'forum_topic_create',
|
||||
'forum.post.update' => 'forum_post_update',
|
||||
default => 'forum_reply_create',
|
||||
};
|
||||
}
|
||||
|
||||
private function resolveBucket(string $limiterName, int $maxAttempts): string
|
||||
{
|
||||
return $maxAttempts <= $this->minuteLimitThreshold($limiterName) ? 'minute' : 'hour';
|
||||
}
|
||||
|
||||
private function minuteLimitThreshold(string $limiterName): int
|
||||
{
|
||||
return match ($limiterName) {
|
||||
'forum-thread-create', 'forum-post-write' => 3,
|
||||
default => PHP_INT_MAX,
|
||||
};
|
||||
}
|
||||
}
|
||||
90
app/Http/Middleware/ForumSecurityFirewallMiddleware.php
Normal file
90
app/Http/Middleware/ForumSecurityFirewallMiddleware.php
Normal file
@@ -0,0 +1,90 @@
|
||||
<?php
|
||||
|
||||
namespace App\Http\Middleware;
|
||||
|
||||
use App\Services\Security\CaptchaVerifier;
|
||||
use Closure;
|
||||
use cPad\Plugins\Forum\Services\Security\ForumSecurityFirewallService;
|
||||
use Illuminate\Http\JsonResponse;
|
||||
use Illuminate\Http\RedirectResponse;
|
||||
use Illuminate\Http\Request;
|
||||
use Illuminate\Validation\ValidationException;
|
||||
use Symfony\Component\HttpFoundation\Response;
|
||||
|
||||
class ForumSecurityFirewallMiddleware
|
||||
{
|
||||
public function __construct(
|
||||
private readonly ForumSecurityFirewallService $firewallService,
|
||||
private readonly CaptchaVerifier $captchaVerifier,
|
||||
) {
|
||||
}
|
||||
|
||||
public function handle(Request $request, Closure $next, string $action = 'generic'): Response|RedirectResponse|JsonResponse
|
||||
{
|
||||
$assessment = $this->firewallService->assess($request, $action);
|
||||
$request->attributes->set('forum_firewall_assessment', $assessment);
|
||||
|
||||
if ($this->requiresCaptcha($assessment, $action)) {
|
||||
$captcha = $this->captchaVerifier->frontendConfig();
|
||||
$tokenInput = (string) ($captcha['inputName'] ?? $this->captchaVerifier->inputName());
|
||||
$token = (string) (
|
||||
$request->input($tokenInput)
|
||||
?: $request->header('X-Captcha-Token', '')
|
||||
?: $request->header('X-Turnstile-Token', '')
|
||||
);
|
||||
|
||||
if (! $this->captchaVerifier->verify($token, $request->ip())) {
|
||||
$message = 'Additional verification is required before continuing.';
|
||||
|
||||
if ($request->expectsJson()) {
|
||||
return response()->json([
|
||||
'message' => $message,
|
||||
'errors' => [
|
||||
'captcha' => [$message],
|
||||
],
|
||||
'requires_captcha' => true,
|
||||
'captcha' => $captcha,
|
||||
], 422);
|
||||
}
|
||||
|
||||
return redirect()->back()
|
||||
->withInput($request->except(['password', 'current_password', 'new_password', 'new_password_confirmation', $tokenInput]))
|
||||
->withErrors(['captcha' => $message]);
|
||||
}
|
||||
|
||||
$request->attributes->set('forum_firewall_captcha_verified', true);
|
||||
}
|
||||
|
||||
if ((bool) ($assessment['blocked'] ?? false)) {
|
||||
$message = 'Security firewall blocked this request.';
|
||||
|
||||
if ($request->expectsJson()) {
|
||||
return response()->json([
|
||||
'message' => $message,
|
||||
'errors' => [
|
||||
'security' => [$message],
|
||||
],
|
||||
], 429);
|
||||
}
|
||||
|
||||
throw ValidationException::withMessages([
|
||||
'security' => [$message],
|
||||
]);
|
||||
}
|
||||
|
||||
return $next($request);
|
||||
}
|
||||
|
||||
private function requiresCaptcha(array $assessment, string $action): bool
|
||||
{
|
||||
if (! $this->captchaVerifier->isEnabled()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (! (bool) ($assessment['requires_captcha'] ?? false)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return in_array($action, (array) config('forum_bot_protection.captcha.actions', []), true);
|
||||
}
|
||||
}
|
||||
66
app/Http/Middleware/ForumSpamDetectionMiddleware.php
Normal file
66
app/Http/Middleware/ForumSpamDetectionMiddleware.php
Normal file
@@ -0,0 +1,66 @@
|
||||
<?php
|
||||
|
||||
namespace App\Http\Middleware;
|
||||
|
||||
use Closure;
|
||||
use cPad\Plugins\Forum\Services\ForumSpamDetector;
|
||||
use cPad\Plugins\Forum\Services\LinkAnalyzer;
|
||||
use cPad\Plugins\Forum\Services\Security\ContentPatternAnalyzer;
|
||||
use Illuminate\Http\Request;
|
||||
use Symfony\Component\HttpFoundation\Response;
|
||||
|
||||
class ForumSpamDetectionMiddleware
|
||||
{
|
||||
public function __construct(
|
||||
private readonly ForumSpamDetector $spamDetector,
|
||||
private readonly LinkAnalyzer $linkAnalyzer,
|
||||
private readonly ContentPatternAnalyzer $contentPatternAnalyzer,
|
||||
) {
|
||||
}
|
||||
|
||||
public function handle(Request $request, Closure $next, string $action = 'generic'): Response
|
||||
{
|
||||
$title = trim((string) $request->input('title', ''));
|
||||
$content = trim((string) $request->input('content', ''));
|
||||
$combinedContent = trim($title !== '' ? $title . "\n" . $content : $content);
|
||||
|
||||
if ($combinedContent === '') {
|
||||
$request->attributes->set('forum_spam_assessment', [
|
||||
'action' => $action,
|
||||
'spam_score' => 0,
|
||||
'spam_reasons' => [],
|
||||
'link_score' => 0,
|
||||
'link_reasons' => [],
|
||||
'links' => [],
|
||||
'domains' => [],
|
||||
'pattern_score' => 0,
|
||||
'pattern_reasons' => [],
|
||||
'matched_categories' => [],
|
||||
]);
|
||||
|
||||
return $next($request);
|
||||
}
|
||||
|
||||
$spam = $this->spamDetector->analyze($combinedContent);
|
||||
$link = $this->linkAnalyzer->analyze($combinedContent);
|
||||
$patterns = $this->contentPatternAnalyzer->analyze($combinedContent);
|
||||
|
||||
$request->attributes->set('forum_spam_assessment', [
|
||||
'action' => $action,
|
||||
'spam_score' => max((int) ($spam['score'] ?? 0), (int) ($patterns['score'] ?? 0)),
|
||||
'spam_reasons' => array_values(array_unique(array_merge(
|
||||
(array) ($spam['reasons'] ?? []),
|
||||
(array) ($patterns['reasons'] ?? []),
|
||||
))),
|
||||
'link_score' => (int) ($link['score'] ?? 0),
|
||||
'link_reasons' => (array) ($link['reasons'] ?? []),
|
||||
'links' => (array) ($link['links'] ?? []),
|
||||
'domains' => (array) ($link['domains'] ?? []),
|
||||
'pattern_score' => (int) ($patterns['score'] ?? 0),
|
||||
'pattern_reasons' => (array) ($patterns['reasons'] ?? []),
|
||||
'matched_categories' => (array) ($patterns['matched_categories'] ?? []),
|
||||
]);
|
||||
|
||||
return $next($request);
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user