8 years ago · 915fa97c4f
--- a/app/models/agents/webhook_agent.rb
+++ b/app/models/agents/webhook_agent.rb
@@ -1,5 +1,7 @@
 
                 module Agents
              
 
                   class WebhookAgent < Agent
              
 
                +    include WebRequestConcern
              
 
                +
              
 
                     cannot_be_scheduled!
              
 
                     cannot_receive_events!
              
 
                 
              
@@ -24,6 +26,8 @@ module Agents
 
                           For example, "post,get" will enable POST and GET requests. Defaults
              
 
                           to "post".
              
 
                         * `response` - The response message to the request. Defaults to 'Event Created'.
              
 
                +        * `recaptcha_secret` - Setting this to a reCAPTCHA "secret" key makes your agent verify incoming requests with reCAPTCHA.  Don't forget to embed a reCAPTCHA snippet including your "site" key in the originating form(s).
              
 
                +        * `recaptcha_send_remote_addr` - Set this to true if your server is properly configured to set REMOTE_ADDR to the IP address of each visitor (instead of that of a proxy server).
              
 
                       MD
              
 
                     end
              
 
                 
              
@@ -46,10 +50,36 @@ module Agents
 
                       secret = params.delete('secret')
              
 
                       return ["Not Authorized", 401] unless secret == interpolated['secret']
              
 
                 
              
 
                -      #check the verbs
              
 
                +      # check the verbs
              
 
                       verbs = (interpolated['verbs'] || 'post').split(/,/).map { |x| x.strip.downcase }.select { |x| x.present? }
              
 
                       return ["Please use #{verbs.join('/').upcase} requests only", 401] unless verbs.include?(method)
              
 
                 
              
 
                +      # check the reCAPTCHA response if required
              
 
                +      if recaptcha_secret = interpolated['recaptcha_secret'].presence
              
 
                +        recaptcha_response = params.delete('g-recaptcha-response') or
              
 
                +          return ["Not Authorized", 401]
              
 
                +
              
 
                +        parameters = {
              
 
                +          secret: recaptcha_secret,
              
 
                +          response: recaptcha_response,
              
 
                +        }
              
 
                +
              
 
                +        if boolify(interpolated['recaptcha_send_remote_addr'])
              
 
                +          parameters[:remoteip] = request.env['REMOTE_ADDR']
              
 
                +        end
              
 
                +
              
 
                +        begin
              
 
                +          response = faraday.post('https://www.google.com/recaptcha/api/siteverify',
              
 
                +                                  parameters)
              
 
                +        rescue => e
              
 
                +          error "Verification failed: #{e.message}"
              
 
                +          return ["Not Authorized", 401]
              
 
                +        end
              
 
                +
              
 
                +        JSON.parse(response.body)['success'] or
              
 
                +          return ["Not Authorized", 401]
              
 
                +      end
              
 
                +
              
 
                       [payload_for(params)].flatten.each do |payload|
              
 
                         create_event(payload: payload)
              
 
                       end
              
--- a/spec/models/agents/webhook_agent_spec.rb
+++ b/spec/models/agents/webhook_agent_spec.rb
@@ -223,6 +223,80 @@ describe Agents::WebhookAgent do
 
                 
              
 
                       end
              
 
                 
              
 
                +      context "with reCAPTCHA" do
              
 
                +        it "should not check a reCAPTCHA response unless recaptcha_secret is set" do
              
 
                +          checked = false
              
 
                +          out = nil
              
 
                +
              
 
                +          stub_request(:any, /verify/).to_return { |request|
              
 
                +            checked = true
              
 
                +            { status: 200, body: '{"success":false}' }
              
 
                +          }
              
 
                +
              
 
                +          expect {
              
 
                +            out= agent.receive_web_request({ 'secret' => 'foobar', 'some_key' => payload }, "post", "text/html")
              
 
                +          }.not_to change { checked }
              
 
                +
              
 
                +          expect(out).to eq(["Event Created", 201])
              
 
                +        end
              
 
                +
              
 
                +        it "should reject a request if recaptcha_secret is set but g-recaptcha-response is not given" do
              
 
                +          agent.options['recaptcha_secret'] = 'supersupersecret'
              
 
                +
              
 
                +          checked = false
              
 
                +          out = nil
              
 
                +
              
 
                +          stub_request(:any, /verify/).to_return { |request|
              
 
                +            checked = true
              
 
                +            { status: 200, body: '{"success":false}' }
              
 
                +          }
              
 
                +
              
 
                +          expect {
              
 
                +            out = agent.receive_web_request({ 'secret' => 'foobar', 'some_key' => payload }, "post", "text/html")
              
 
                +          }.not_to change { checked }
              
 
                +
              
 
                +          expect(out).to eq(["Not Authorized", 401])
              
 
                +        end
              
 
                +
              
 
                +        it "should reject a request if recaptcha_secret is set and g-recaptcha-response given is not verified" do
              
 
                +          agent.options['recaptcha_secret'] = 'supersupersecret'
              
 
                +
              
 
                +          checked = false
              
 
                +          out = nil
              
 
                +
              
 
                +          stub_request(:any, /verify/).to_return { |request|
              
 
                +            checked = true
              
 
                +            { status: 200, body: '{"success":false}' }
              
 
                +          }
              
 
                +
              
 
                +          expect {
              
 
                +            out = agent.receive_web_request({ 'secret' => 'foobar', 'some_key' => payload, 'g-recaptcha-response' => 'somevalue' }, "post", "text/html")
              
 
                +          }.to change { checked }
              
 
                +
              
 
                +          expect(out).to eq(["Not Authorized", 401])
              
 
                +        end
              
 
                +
              
 
                +        it "should accept a request if recaptcha_secret is set and g-recaptcha-response given is verified" do
              
 
                +          agent.options['payload_path'] = '.'
              
 
                +          agent.options['recaptcha_secret'] = 'supersupersecret'
              
 
                +
              
 
                +          checked = false
              
 
                +          out = nil
              
 
                +
              
 
                +          stub_request(:any, /verify/).to_return { |request|
              
 
                +            checked = true
              
 
                +            { status: 200, body: '{"success":true}' }
              
 
                +          }
              
 
                +
              
 
                +          expect {
              
 
                +            out = agent.receive_web_request(payload.merge({ 'secret' => 'foobar', 'g-recaptcha-response' => 'somevalue' }), "post", "text/html")
              
 
                +          }.to change { checked }
              
 
                +
              
 
                +          expect(out).to eq(["Event Created", 201])
              
 
                +          expect(Event.last.payload).to eq(payload)
              
 
                +        end
              
 
                +      end
              
 
                +
              
 
                     end
              
 
                 
              
 
                   end