feat: add captcha-backed forum security hardening

2026-03-17 16:06:28 +01:00
parent 980a15f66e
commit b3fc889452
40 changed files with 2849 additions and 108 deletions
--- a/app/Http/Middleware/ForumSecurityFirewallMiddleware.php
+++ b/app/Http/Middleware/ForumSecurityFirewallMiddleware.php
@@ -0,0 +1,90 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use App\Services\Security\CaptchaVerifier;
+use Closure;
+use cPad\Plugins\Forum\Services\Security\ForumSecurityFirewallService;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\RedirectResponse;
+use Illuminate\Http\Request;
+use Illuminate\Validation\ValidationException;
+use Symfony\Component\HttpFoundation\Response;
+
+class ForumSecurityFirewallMiddleware
+{
+    public function __construct(
+        private readonly ForumSecurityFirewallService $firewallService,
+        private readonly CaptchaVerifier $captchaVerifier,
+    ) {
+    }
+
+    public function handle(Request $request, Closure $next, string $action = 'generic'): Response|RedirectResponse|JsonResponse
+    {
+        $assessment = $this->firewallService->assess($request, $action);
+        $request->attributes->set('forum_firewall_assessment', $assessment);
+
+        if ($this->requiresCaptcha($assessment, $action)) {
+            $captcha = $this->captchaVerifier->frontendConfig();
+            $tokenInput = (string) ($captcha['inputName'] ?? $this->captchaVerifier->inputName());
+            $token = (string) (
+                $request->input($tokenInput)
+                ?: $request->header('X-Captcha-Token', '')
+                ?: $request->header('X-Turnstile-Token', '')
+            );
+
+            if (! $this->captchaVerifier->verify($token, $request->ip())) {
+                $message = 'Additional verification is required before continuing.';
+
+                if ($request->expectsJson()) {
+                    return response()->json([
+                        'message' => $message,
+                        'errors' => [
+                            'captcha' => [$message],
+                        ],
+                        'requires_captcha' => true,
+                        'captcha' => $captcha,
+                    ], 422);
+                }
+
+                return redirect()->back()
+                    ->withInput($request->except(['password', 'current_password', 'new_password', 'new_password_confirmation', $tokenInput]))
+                    ->withErrors(['captcha' => $message]);
+            }
+
+            $request->attributes->set('forum_firewall_captcha_verified', true);
+        }
+
+        if ((bool) ($assessment['blocked'] ?? false)) {
+            $message = 'Security firewall blocked this request.';
+
+            if ($request->expectsJson()) {
+                return response()->json([
+                    'message' => $message,
+                    'errors' => [
+                        'security' => [$message],
+                    ],
+                ], 429);
+            }
+
+            throw ValidationException::withMessages([
+                'security' => [$message],
+            ]);
+        }
+
+        return $next($request);
+    }
+
+    private function requiresCaptcha(array $assessment, string $action): bool
+    {
+        if (! $this->captchaVerifier->isEnabled()) {
+            return false;
+        }
+
+        if (! (bool) ($assessment['requires_captcha'] ?? false)) {
+            return false;
+        }
+
+        return in_array($action, (array) config('forum_bot_protection.captcha.actions', []), true);
+    }
+}