import json from django.conf import settings from django.core.exceptions import PermissionDenied from django.http import HttpResponseForbidden from django.views.generic.base import RedirectView from allauth.account.views import LoginView from requests import post from requests.exceptions import RequestException # see https://developers.google.com/recaptcha/docs/verify RECAPTCHA_VERIFICATION_URL = 'https://www.google.com/recaptcha/api/siteverify' def verify_recaptcha(response_token): """ Ask google to verify a client-generated recaptcha token against what it supposedly generated. """ try: response = post(RECAPTCHA_VERIFICATION_URL, timeout=5, data={ 'response': response_token, 'secret': settings.RECAPTCHA_SECRET, }) response.raise_for_status() except RequestException: return False data = json.loads(response.text) if data.get('success') is not True: return False return True __old_get_context_data = LoginView.get_context_data def augmented_get_context_data(self, **kwargs): """ Patch allauth's LoginView.get_context_data class function so that we can check for a recaptcha-related session value if we're using recaptcha. Allauth only has post-processing signals, so we're kind of left with monkey patching as the only way to pre-process the login route. """ if settings.USE_RECAPTCHA: request = self.request session = request.session if 'recaptcha_token' not in session: raise PermissionDenied() session_token = session['recaptcha_token'] # clear the token after reading it so someone can't just set a valid session and then # bulk-load the allauth route with a hundred tabs. session['recaptcha_token'] = None if session_token is None: raise PermissionDenied() client_token = request.GET.get('token', None) if client_token is None: raise PermissionDenied() if client_token != session_token: raise PermissionDenied() return __old_get_context_data(self, **kwargs) LoginView.get_context_data = augmented_get_context_data class LoginRedirectView(RedirectView): """ A utility view that redirects requests to the real login route, but only if recaptcha validation passes (provided recaptcha is enabled). If recaptcha fails, we send an http 403 response. """ permanent = False query_string = True url = '/accounts/login' def get(self, request, *args, **kwargs): if settings.USE_RECAPTCHA: client_token = request.GET.get('token', None) if client_token is None: return HttpResponseForbidden() if not verify_recaptcha(client_token): return HttpResponseForbidden() """ note the token in the session, so that the redirect to `accounts/login` works. This allows us to write code that prevents users from directly accessing the allauth login route, thus preventing recaptcha circumvention. """ request.session['recaptcha_token'] = client_token return super().get(request, *args, **kwargs)