add optional registration verification with hCaptcha

.env.production.sample

@@ -290,3 +290,9 @@ STREAMING_CLUSTER_NUM=1
 # Only allow federation with whitelisted domains, see
 # https://docs.joinmastodon.org/admin/config/#whitelist_mode
 # WHITELIST_MODE=true
+
+# Optional hCaptcha verification on user signup
+# If the feature is enabled and no keys are specified here, dummy keys will be used and no actual verification will be taking place.
+# HCAPTCHA_ENABLED=
+# HCAPTCHA_SITE_KEY=
+# HCAPTCHA_SECRET_KEY=

Gemfile

@@ -100,6 +100,8 @@ gem 'tzinfo-data', '~> 1.2019'
 gem 'webpacker', '~> 4.2'
 gem 'webpush'
 
+gem 'hcaptcha', git: 'https://github.com/firstmoversadvantage/hcaptcha', ref:  'e65246bea49374566a9dbaead59fdb35b46b086d', require: 'hcaptcha/rails'
+
 gem 'json-ld'
 gem 'json-ld-preloaded', '~> 3.1'
 gem 'rdf-normalize', '~> 0.4'

Gemfile.lock

@@ -27,6 +27,13 @@ GIT
   ref: fd184883048b922b176939f851338d0a4971a532
   specs:
     nilsimsa (1.1.2)
+	
+GIT
+  remote: https://github.com/firstmoversadvantage/hcaptcha
+  revision: e65246bea49374566a9dbaead59fdb35b46b086d
+  ref: e65246bea49374566a9dbaead59fdb35b46b086d
+  specs:
+    hcaptcha (6.0.1)
 
 GEM
   remote: https://rubygems.org/
@@ -704,6 +711,7 @@ DEPENDENCIES
   fuubar (~> 2.5)
   goldfinger (~> 2.1)
   hamlit-rails (~> 0.2)
+  hcaptcha
   health_check!
   hiredis (~> 0.6)
   htmlentities (~> 4.3)

app/controllers/admin/dashboard_controller.rb

@@ -37,6 +37,7 @@ module Admin
       @keybase_integration   = Setting.enable_keybase
       @spam_check_enabled    = Setting.spam_check_enabled
       @trends_enabled        = Setting.trends
+      @hcaptcha_enabled      = ENV['HCAPTCHA_ENABLED'] == 'true'
     end
 
     private

app/controllers/api/v1/accounts_controller.rb

@@ -21,13 +21,14 @@ class Api::V1::AccountsController < Api::BaseController
   end
 
   def create
-    token    = AppSignUpService.new.call(doorkeeper_token.application, account_params)
-    response = Doorkeeper::OAuth::TokenResponse.new(token)
+    not_found
+#    token    = AppSignUpService.new.call(doorkeeper_token.application, account_params)
+#    response = Doorkeeper::OAuth::TokenResponse.new(token)
 
-    headers.merge!(response.headers)
+#    headers.merge!(response.headers)
 
-    self.response_body = Oj.dump(response.body)
-    self.status        = response.status
+#    self.response_body = Oj.dump(response.body)
+#    self.status        = response.status
   end
 
   def follow

app/controllers/auth/registrations_controller.rb

@@ -12,6 +12,7 @@ class Auth::RegistrationsController < Devise::RegistrationsController
   before_action :set_body_classes, only: [:new, :create, :edit, :update]
   before_action :require_not_suspended!, only: [:update]
   before_action :set_cache_headers, only: [:edit, :update]
+  before_action :check_captcha, only: [:create]
 
   skip_before_action :require_functional!, only: [:edit, :update]
 
@@ -93,6 +94,15 @@ class Auth::RegistrationsController < Devise::RegistrationsController
 
   private
 
+  def check_captcha
+    if ENV['HCAPTCHA_ENABLED'] == 'true' && !verify_hcaptcha
+      self.resource = resource_class.new sign_up_params
+      resource.validate
+	  flash[:alert] = Hcaptcha::Helpers.to_error_message(:verification_failed)
+      respond_with_navigational(resource) { render :new }
+    end
+  end
+
   def set_pack
     use_pack %w(edit update).include?(action_name) ? 'admin' : 'auth'
   end

app/helpers/application_helper.rb

@@ -148,4 +148,5 @@ module ApplicationHelper
     json = ActiveModelSerializers::SerializableResource.new(InitialStatePresenter.new(state_params), serializer: InitialStateSerializer).to_json
     content_tag(:script, json_escape(json).html_safe, id: 'initial-state', type: 'application/json')
   end
+
 end

app/javascript/flavours/glitch/styles/forms.scss

@@ -230,6 +230,10 @@ code {
     .input:last-child {
       margin-bottom: 0;
     }
+	
+    .h-captcha {
+      text-align: center;
+    }
   }
 
   .fields-row {

app/javascript/styles/mastodon/forms.scss

@@ -239,6 +239,10 @@ code {
     .input:last-child {
       margin-bottom: 0;
     }
+	
+    .h-captcha {
+      text-align: center;
+    }
   }
 
   .fields-row {

app/views/about/_registration.html.haml

@@ -17,6 +17,10 @@
 
     .fields-group
       = f.input :agreement, as: :boolean, wrapper: :with_label, label: t('auth.checkbox_agreement_html', rules_path: about_more_path, terms_path: terms_path), disabled: closed_registrations?
+	
+    - if ENV['HCAPTCHA_ENABLED'] == 'true'
+      .fields-group
+        = hcaptcha_tags
 
     .actions
       = f.button :button, sign_up_message, type: :submit, class: 'button button-primary', disabled: closed_registrations?

app/views/admin/dashboard/index.html.haml

@@ -124,6 +124,8 @@
           = feature_hint('PAM', @pam_enabled)
         %li
           = feature_hint(t('admin.dashboard.hidden_service'), @hidden_service)
+        %li
+          = feature_hint(t('admin.dashboard.feature_hcaptcha'), @hcaptcha_enabled)
 
   .dashboard__widgets__trends
     %div

app/views/auth/registrations/new.html.haml

@@ -35,6 +35,10 @@
   .fields-group
     = f.input :agreement, as: :boolean, wrapper: :with_label, label: whitelist_mode? ? t('auth.checkbox_agreement_without_rules_html', terms_path: terms_path) : t('auth.checkbox_agreement_html', rules_path: about_more_path, terms_path: terms_path)
 
+  - if ENV['HCAPTCHA_ENABLED'] == 'true'
+    .fields-group
+      = hcaptcha_tags
+
   .actions
     = f.button :button, @invite.present? ? t('auth.register') : sign_up_message, type: :submit
 

config/initializers/content_security_policy.rb

@@ -16,6 +16,8 @@ if Rails.env.production?
     attachments_host = nil
   end
 
+  hcaptcha_hosts = ["https://hcaptcha.com", "https://*.hcaptcha.com"]
+
   data_hosts << attachments_host unless attachments_host.nil?
 
   if ENV['PAPERCLIP_ROOT_URL']
@@ -31,12 +33,12 @@ if Rails.env.production?
     p.base_uri        :none
     p.default_src     :none
     p.frame_ancestors :none
-    p.script_src      :self, assets_host
+    p.script_src      :self, assets_host, *hcaptcha_hosts
     p.font_src        :self, assets_host
     p.img_src         :self, :data, :blob, *data_hosts
-    p.style_src       :self, :unsafe_inline, assets_host
+    p.style_src       :self, :unsafe_inline, assets_host, *hcaptcha_hosts
     p.media_src       :self, :data, *data_hosts
-    p.frame_src       :self, :https
+    p.frame_src       :self, :https, *hcaptcha_hosts
     p.child_src       :self, :blob, assets_host
     p.worker_src      :self, :blob, assets_host
     p.connect_src     :self, :blob, :data, Rails.configuration.x.streaming_api_base_url, *data_hosts

config/initializers/hcaptcha.rb

@@ -0,0 +1,4 @@
+Hcaptcha.configure do |config|
+  config.site_key  = ENV.fetch('HCAPTCHA_SITE_KEY') { '10000000-ffff-ffff-ffff-000000000001' }
+  config.secret_key = ENV.fetch('HCAPTCHA_SECRET_KEY') { '0x0000000000000000000000000000000000000000' }
+end

config/locales/en.yml

@@ -324,6 +324,7 @@ en:
       backlog: backlogged jobs
       config: Configuration
       feature_deletions: Account deletions
+      feature_hcaptcha: hCaptcha
       feature_invites: Invite links
       feature_profile_directory: Profile directory
       feature_registrations: Registrations
@@ -542,6 +543,8 @@ en:
         deletion:
           desc_html: Allow anyone to delete their account
           title: Open account deletion
+        errors:
+          captcha_fail: Captcha verification failed
         min_invite_role:
           disabled: No one
           title: Allow invitations by