Merge pull request #119 from Retrospring/feature/hcaptcha

Gemfile

@@ -40,6 +40,7 @@ gem 'colorize'
 gem 'carrierwave', '~> 2.0'
 gem 'carrierwave_backgrounder', git: 'https://github.com/mltnhm/carrierwave_backgrounder.git'
 gem 'mini_magick'
+gem 'hcaptcha', git: 'https://github.com/firstmoversadvantage/hcaptcha.git'
 
 gem "rolify", "~> 5.2"
 
@@ -87,6 +88,7 @@ gem 'puma'
 
 group :development, :test do
   gem 'rake'
+  gem 'rspec-mocks'
   gem 'rspec-rails', '~> 3.9'
   gem 'rspec-its', '~> 1.3'
   gem "rspec-sidekiq", "~> 3.0", require: false

Gemfile.lock

@@ -10,6 +10,13 @@ GIT
       oauth
       simple_oauth
 
+GIT
+  remote: https://github.com/firstmoversadvantage/hcaptcha.git
+  revision: 531ce4562dd3d29a52497bfe09378ba61a40c98a
+  specs:
+    hcaptcha (6.0.1)
+      json
+
 GIT
   remote: https://github.com/mltnhm/carrierwave_backgrounder.git
   revision: 8fe468957f047ad7039f07679e5952a534d07b6d
@@ -80,14 +87,14 @@ GEM
     autoprefixer-rails (9.7.6)
       execjs
     bcrypt (3.1.13)
-    better_errors (2.6.0)
+    better_errors (2.7.1)
       coderay (>= 1.0.0)
       erubi (>= 1.0.0)
       rack (>= 0.9.0)
     bindex (0.8.1)
     binding_of_caller (0.8.0)
       debug_inspector (>= 0.0.1)
-    bootstrap (4.4.1)
+    bootstrap (4.5.0)
       autoprefixer-rails (>= 9.1.0)
       popper_js (>= 1.14.3, < 2)
       sassc-rails (>= 2.0.0)
@@ -95,14 +102,14 @@ GEM
       jquery-rails (~> 4.2, >= 4.2.0)
       moment-timezone-rails (~> 1.0)
       momentjs-rails (>= 2.10.5, <= 3.0.0)
-    bootstrap_form (4.4.0)
+    bootstrap_form (4.5.0)
-      actionpack (>= 5.0)
+      actionpack (>= 5.2)
-      activemodel (>= 5.0)
+      activemodel (>= 5.2)
-    brakeman (4.8.1)
+    brakeman (4.8.2)
     buftok (0.2.0)
     builder (3.2.4)
-    byebug (11.1.2)
+    byebug (11.1.3)
-    capybara (3.32.1)
+    capybara (3.32.2)
       addressable
       mini_mime (>= 0.1.3)
       nokogiri (~> 1.8)
@@ -130,7 +137,7 @@ GEM
     concurrent-ruby (1.1.6)
     connection_pool (2.2.2)
     crass (1.0.6)
-    database_cleaner (1.8.4)
+    database_cleaner (1.8.5)
     debug_inspector (0.0.3)
     devise (4.7.1)
       bcrypt (~> 3.0)
@@ -151,10 +158,10 @@ GEM
     erubi (1.9.0)
     excon (0.73.0)
     execjs (2.7.0)
-    factory_bot (5.1.2)
+    factory_bot (5.2.0)
       activesupport (>= 4.2.0)
-    factory_bot_rails (5.1.1)
+    factory_bot_rails (5.2.0)
-      factory_bot (~> 5.1.0)
+      factory_bot (~> 5.2.0)
       railties (>= 4.2.0)
     fake_email_validator (1.0.11)
       activemodel
@@ -169,7 +176,7 @@ GEM
     ffi-compiler (1.0.1)
       ffi (>= 1.0.0)
       rake
-    fog-aws (3.6.2)
+    fog-aws (3.6.5)
       fog-core (~> 2.1)
       fog-json (~> 1.1)
       fog-xml (~> 0.1)
@@ -235,7 +242,7 @@ GEM
       concurrent-ruby (~> 1.0)
     i18n-js (3.0.0.rc10)
       i18n (~> 0.6)
-    image_processing (1.10.3)
+    image_processing (1.11.0)
       mini_magick (>= 4.9.5, < 5)
       ruby-vips (>= 2.0.17, < 3)
     ipaddress (0.8.3)
@@ -244,7 +251,7 @@ GEM
     jquery-minicolors-rails (2.2.6.2)
       jquery-rails
       rails (>= 3.2.8)
-    jquery-rails (4.3.5)
+    jquery-rails (4.4.0)
       rails-dom-testing (>= 1, < 3)
       railties (>= 4.2.0)
       thor (>= 0.14, < 2.0)
@@ -286,7 +293,7 @@ GEM
     method_source (1.0.0)
     mime-types (3.3.1)
       mime-types-data (~> 3.2015)
-    mime-types-data (3.2019.1009)
+    mime-types-data (3.2020.0512)
     mimemagic (0.3.5)
     mini_magick (4.10.1)
     mini_mime (1.0.2)
@@ -340,7 +347,7 @@ GEM
     pry (0.13.1)
       coderay (~> 1.1)
       method_source (~> 1.0)
-    public_suffix (4.0.4)
+    public_suffix (4.0.5)
     puma (4.3.5)
       nio4r (~> 2.0)
     rack (2.0.9)
@@ -399,11 +406,11 @@ GEM
       thor (>= 0.19.0, < 2.0)
     rainbow (3.0.0)
     rake (13.0.1)
-    rb-fsevent (0.10.3)
+    rb-fsevent (0.10.4)
     rb-inotify (0.10.1)
       ffi (~> 1.0)
     redcarpet (3.5.0)
-    redis (4.1.3)
+    redis (4.1.4)
     regexp_parser (1.7.0)
     remotipart (1.4.4)
     responders (3.0.0)
@@ -411,9 +418,9 @@ GEM
       railties (>= 5.0)
     rexml (3.2.4)
     rolify (5.2.0)
-    rspec-core (3.9.1)
+    rspec-core (3.9.2)
-      rspec-support (~> 3.9.1)
+      rspec-support (~> 3.9.3)
-    rspec-expectations (3.9.1)
+    rspec-expectations (3.9.2)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.9.0)
     rspec-its (1.3.0)
@@ -433,14 +440,17 @@ GEM
     rspec-sidekiq (3.0.3)
       rspec-core (~> 3.0, >= 3.0.0)
       sidekiq (>= 2.4.0)
-    rspec-support (3.9.2)
+    rspec-support (3.9.3)
-    rubocop (0.83.0)
+    rubocop (0.84.0)
       parallel (~> 1.10)
       parser (>= 2.7.0.1)
       rainbow (>= 2.2.2, < 4.0)
       rexml
+      rubocop-ast (>= 0.0.3)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 1.4.0, < 2.0)
+    rubocop-ast (0.0.3)
+      parser (>= 2.7.0.1)
     ruby-progressbar (1.10.1)
     ruby-vips (2.0.17)
       ffi (~> 1.9)
@@ -567,6 +577,7 @@ DEPENDENCIES
   guard-brakeman
   haml (~> 5.0)
   haml_lint
+  hcaptcha!
   httparty
   i18n-js (= 3.0.0.rc10)
   jbuilder (~> 2.10)
@@ -598,6 +609,7 @@ DEPENDENCIES
   redis
   rolify (~> 5.2)
   rspec-its (~> 1.3)
+  rspec-mocks
   rspec-rails (~> 3.9)
   rspec-sidekiq (~> 3.0)
   ruby-progressbar

app/controllers/user/registrations_controller.rb

@@ -1,4 +1,11 @@
 class User::RegistrationsController < Devise::RegistrationsController
+  def create
+    if captcha_valid?
+      super
+    else
+      respond_with_navigational(resource){ redirect_to new_user_registration_path }
+    end
+  end
 
   def destroy
     DeletionWorker.perform_async(resource.id)
@@ -7,4 +14,13 @@ class User::RegistrationsController < Devise::RegistrationsController
     yield resource if block_given?
     respond_with_navigational(resource){ redirect_to after_sign_out_path_for(resource_name) }
   end
+
+  private
+
+  def captcha_valid?
+    # If the captcha isn't enabled, treat it as being correct
+    return true unless APP_CONFIG.dig(:hcaptcha, :enabled)
+
+    verify_hcaptcha
+  end
 end

app/views/devise/confirmations/new.haml

@@ -6,7 +6,7 @@
         .card-body
           %h1 Resend confirmation instructions
           = bootstrap_form_for(resource, as: resource_name, url: confirmation_path(resource_name), html: { method: :post }) do |f|
-            = devise_error_messages!
+            = render 'devise/shared/error_messages', resource: resource
 
             = f.text_field :screen_name, autofocus: true, label: 'User name'
             = f.submit 'Resend confirmation instructions', class: 'btn btn-primary mb-3'

app/views/devise/passwords/edit.haml

@@ -6,7 +6,7 @@
         .card-body
           %h1 Change your password
           = bootstrap_form_for(resource, as: resource_name, url: password_path(resource_name), html: { method: :put }) do |f|
-            = devise_error_messages!
+            = render 'devise/shared/error_messages', resource: resource
 
             = f.hidden_field :reset_password_token
 

app/views/devise/passwords/new.haml

@@ -6,7 +6,7 @@
         .card-body
           %h1 Forgot your password?
           = bootstrap_form_for(resource, as: resource_name, url: password_path(resource_name), html: { method: :post }) do |f|
-            = devise_error_messages!
+            = render 'devise/shared/error_messages', resource: resource
 
             = f.email_field :email, autofocus: true, label: 'Email address'
             = f.submit 'Send me password reset instructions', class: 'btn btn-primary mb-3'

app/views/devise/registrations/new.haml

@@ -6,7 +6,8 @@
         .card-body
           %h1= t('views.sessions.new')
           = bootstrap_form_for(resource, as: resource_name, url: registration_path(resource_name)) do |f|
-            = devise_error_messages!
+            = render 'devise/shared/error_messages', resource: resource
+            = render 'layouts/messages'
 
             = f.text_field :screen_name, autofocus: true, label: t('views.settings.account.username')
             = f.email_field :email, autofocus: false, label: t('views.settings.account.email')
@@ -14,6 +15,9 @@
             = f.password_field :password, autocomplete: :off, label: t('views.settings.account.password')
             = f.password_field :password_confirmation, autocomplete: :off, label: t('views.settings.account.password_confirm')
 
+            - if APP_CONFIG.dig(:hcaptcha, :enabled)
+              = hcaptcha_tags
+
             %p= raw t('views.sessions.info', terms: link_to(t('views.general.terms'), terms_path))
             = f.submit 'Sign up', class: 'btn btn-primary mb-3'
 

app/views/devise/unlocks/new.haml

@@ -4,7 +4,7 @@
   = render 'layouts/messages'
 
   = bootstrap_form_for(resource, as: resource_name, url: unlock_path(resource_name), html: { method: :post }) do |f|
-    = devise_error_messages!
+    = render 'devise/shared/error_messages', resource: resource
 
     = f.email_field :email, autofocus: true, label: 'Email address'
 

app/views/settings/_account.haml

@@ -3,7 +3,7 @@
     = bootstrap_form_for(resource, as: resource_name, url: '/settings/account', html: { method: :put }) do |f|
       = render 'modal/password', f: f
 
-      = devise_error_messages!
+      = render 'devise/shared/error_messages', resource: resource
 
       = f.text_field :screen_name, autofocus: true, label: t('views.settings.account.username')
 

config/initializers/hcaptcha.rb

@@ -0,0 +1,6 @@
+return unless APP_CONFIG.dig(:hcaptcha, :enabled)
+
+Hcaptcha.configure do |config|
+  config.site_key = APP_CONFIG.dig(:hcaptcha, :site_key)
+  config.secret_key = APP_CONFIG.dig(:hcaptcha, :secret_key)
+end

config/justask.yml.example

@@ -62,3 +62,9 @@ admins:
     # host: 's3.wherever.com'
   # bucket name, required
   # directory: 'retrospring'
+
+# hCaptcha -- get keys from https://www.hcaptcha.com/
+hcaptcha:
+  enabled: false
+  site_key: ''
+  secret_key: ''

config/routes.rb

@@ -52,7 +52,7 @@ Rails.application.routes.draw do
     delete 'sign_out' => 'devise/sessions#destroy', as: :destroy_user_session
     # :registrations
     get 'settings/delete_account' => 'devise/registrations#cancel', as: :cancel_user_registration
-    post '/user/create' => 'devise/registrations#create', as: :user_registration
+    post '/user/create' => 'user/registrations#create', as: :user_registration
     get '/sign_up' => 'devise/registrations#new', as: :new_user_registration
     get '/settings/account' => 'devise/registrations#edit', as: :edit_user_registration
     patch '/settings/account' => 'devise/registrations#update', as: :update_user_registration

spec/controllers/user/registration_controller_spec.rb

@@ -0,0 +1,102 @@
+# frozen_string_literal: true
+
+require "rails_helper"
+
+describe User::RegistrationsController, type: :controller do
+  before do
+    @request.env["devise.mapping"] = Devise.mappings[:user]
+  end
+
+  describe "#create" do
+    context "valid user sign up" do
+      before do
+        allow(APP_CONFIG).to receive(:dig).with(:hcaptcha, :enabled).and_return(true)
+        allow(controller).to receive(:verify_hcaptcha).and_return(captcha_successful)
+      end
+
+      let :registration_params do
+        {
+            user: {
+                screen_name: 'dio',
+                email: 'the-world-21@somewhere.everywhere',
+                password: 'AReallySecurePassword456!',
+                password_confirmation: 'AReallySecurePassword456!'
+            }
+        }
+      end
+
+      subject { post :create, params: registration_params }
+
+      context "when captcha is invalid" do
+        let(:captcha_successful) { false }
+        it "doesn't allow a registration with an invalid captcha" do
+          expect { subject }.not_to(change { User.count })
+          expect(response).to redirect_to :new_user_registration
+        end
+      end
+
+      context "when captcha is valid" do
+        let(:captcha_successful) { true }
+        it "creates a user" do
+          allow(controller).to receive(:verify_hcaptcha).and_return(true)
+          expect { subject }.to change { User.count }.by(1)
+        end
+      end
+    end
+
+    context "invalid user sign up" do
+      before do
+        allow(APP_CONFIG).to receive(:dig).with(:hcaptcha, :enabled).and_return(false)
+      end
+
+      subject { post :create, params: registration_params }
+
+      context "when registration params are empty" do
+        let(:registration_params) do
+          {
+              user: {
+                  screen_name: '',
+                  email: '',
+                  password: '',
+                  password_confirmation: ''
+              }
+          }
+        end
+
+        it "does not create a user" do
+          expect { subject }.not_to(change { User.count })
+        end
+      end
+
+      context "when username contains invalid characters" do
+        let(:registration_params) { {
+            user: {
+                screen_name: 'Dio Brando',
+                email: 'the-world-21@somewhere.everywhere',
+                password: 'AReallySecurePassword456!',
+                password_confirmation: 'AReallySecurePassword456!'
+            }
+        } }
+
+        it "does not create a user" do
+          expect { subject }.not_to(change { User.count })
+        end
+      end
+
+      context "when username is forbidden" do
+        let(:registration_params) { {
+            user: {
+                screen_name: 'inbox',
+                email: 'the-world-21@somewhere.everywhere',
+                password: 'AReallySecurePassword456!',
+                password_confirmation: 'AReallySecurePassword456!'
+            }
+        } }
+
+        it "does not create a user" do
+          expect { subject }.not_to(change { User.count })
+        end
+      end
+    end
+  end
+end