Putting Recaptcha V2 in External phpBB Login Issues

Posted: Fri Nov 02, 2018 4:34 pm
by aster59

Here is the whole file (register.php) stripped of sensitive info:

Code:

<?php

define('IN_PHPBB',true);
$phpbb_root_path = "";
$phpEx = substr(strrchr(__FILE__, '.'), 1);
require_once( $phpbb_root_path . "common." . $phpEx );
include($phpbb_root_path . 'includes/functions_display.' . $phpEx);
include_once($phpbb_root_path . 'includes/functions_user.' . $phpEx);

//turn off warnings
error_reporting(0);

// Start session management
$user->session_begin();
$auth->acl($user->data);
$user->setup('ucp');

if($user->data['is_registered'])
{
        meta_refresh(3, append_sid("{$phpbb_root_path}index.$phpEx"));
        trigger_error("You are already registered!");
}

$submit = request_var('submit', '');
if($submit)
{
  //check captcha before anything, do post request to google
  $g_recaptcha_response = $request->variable('g-recaptcha-response', false, false,\phpbb\request\request_interface::POST);
  $secret_g = 'secret key here';
 
  $ch = curl_init();
    $curlConfig = array(
        CURLOPT_URL            => "https://www.google.com/recaptcha/api/siteverify",
        CURLOPT_POST           => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POSTFIELDS     => array(
            'secret' => $secret_g,
            'response' => $g_recaptcha_response,
        )
    );
    
    die(var_dump($curlConfig)); //DIE 1, commented out to get to DIE 2

    curl_setopt_array($ch, $curlConfig);
    if($result = curl_exec($ch)){
        curl_close($ch);
        $response = json_decode($result);
        $is_not_a_robot = $response->success;
    }

//DIE 2
die(var_dump($response)); //ALWAYS RETURNS INVALID INPUT ERROR! SEE code snippet below for what I always get.
	
   //Tried this too, messes up as well.
    //$g_response = file_get_contents('https://www.google.com/recaptcha/api/siteverify?secret='.$secret_g.'&response=' . $g_recaptcha_response);
    //die(var_dump($response));


  //check if can continue
  if($is_not_a_robot != 1) { die('<p style="color: white; margin-top: 3em; font-weight: 200; font-family: var(--main-font); ">Error. Please fill out the captcha. If you still have issues, reload the page.</p>'); }

        // Retrieve default group ID
        $sql = 'SELECT group_id
                FROM ' . GROUPS_TABLE . "
                WHERE group_name = '" . $db->sql_escape('REGISTERED') . "'
                        AND group_type = " . GROUP_SPECIAL;
        $result = $db->sql_query($sql);
        $row = $db->sql_fetchrow($result);
        $db->sql_freeresult($result);

        if (!$row)
        {
                trigger_error('NO_GROUP');
        }
        $group_id = $row['group_id'];


        $data = array(
                'username'                      => utf8_normalize_nfc(request_var('username', '', true)),
                'user_password'         => phpbb_hash(request_var('password', '', true)),
                'user_email'            => strtolower(request_var('email', '')),
                'group_id'                      => (int) $group_id,
                'user_type'                     => USER_NORMAL,
                'user_ip'                       => $user->ip,
        );

        $user_id = user_add($data);

        if ($user_id === false)
        {
                trigger_error('NO_USER', E_USER_ERROR);
        }

        //Set up welcome message
        if ($config['require_activation'] == USER_ACTIVATION_SELF && $config['email_enable'])
        {
                $message = $user->lang['ACCOUNT_INACTIVE'];
                $email_template = 'user_welcome_inactive';
        }
        else if ($config['require_activation'] == USER_ACTIVATION_ADMIN && $config['email_enable'])
        {
                $message = $user->lang['ACCOUNT_INACTIVE_ADMIN'];
                $email_template = 'admin_welcome_inactive';
        }
        else
        {
                $message = $user->lang['ACCOUNT_ADDED'];
                $email_template = 'user_welcome';
        }

        
        echo '<p style="color: white; margin-top: 3em; font-weight: 200; font-family: var(--main-font); ">' . $message . '</p>';
}
else
{
  echo '<head>
    <script src="https://www.google.com/recaptcha/api.js"></script>
  </head>
  
  <form height="100px" class="form-login-register" action="./register" method="post">
    <h3>Register</h3>
    <a id="login-bttn" href="login.php" target="_parent">Login</a>
    <fieldset>
      <label for="username">Username:</label>
      <input type="text" name="username" id="username" title="Username" />
      <label for="email">Email:</label>
      <input type="text" name="email" maxlength="100" />
      <label for="password">Password:</label>
      <input type="password" name="password" id="password" title="Password" />

      <label for="terms"><input type="checkbox" name="terms" id="terms" />I agree to the <a target="_blank" href="tos.php" style="color: white; text-decoration: underline;">terms</a></label>
      <div style="padding: 1% 0;" class="g-recaptcha" data-sitekey="key here"></div>

      <input type="submit" name="submit" value="Submit" />

    </fieldset>
  </form>
  ';
}

If I were to dump at DIE 1 (and click the recaptcha box) I get this output:

Code:

array(4) { [10002]=> string(47) "https://www.google.com/recaptcha/api/siteverify" [47]=> bool(true) [19913]=> bool(true) [10015]=> array(2) { ["secret"]=> string(40) "key here" ["response"]=> bool(true) } }
//so response is true!

The error at DIE 2 shows as follows (clicked or not clicked recaptcha):

Code:

object(stdClass)#75 (2) { ["success"]=> bool(false) ["error-codes"]=> array(1) { [0]=> string(22) "invalid-input-response" } }

This exact code works on another part of my site contact form. What is wrong with it? invalid-input-response. I don't understand how it's being mangled. I assume I am doing something wrong with phpBB, since it works elsewhere.

Re: Putting Recaptcha V2 in External phpBB Login Issues

Posted: Fri Nov 02, 2018 6:31 pm
by aster59

OK, this is kind of a hack, but I just removed the captcha from the phpBB part (above define('IN_PHPBB',true);) and checked there. Not sure why phpBB was mangling the cURL response.
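
The DIE 1 dump (`["response"]=> bool(true)`) matches how phpBB's `$request->variable()` types its result: the submitted value is cast to the type of the default argument, so a `false` default turns the reCAPTCHA token into a boolean before cURL sends it. The added example below is not code from the thread; `cast_like_default()` is a simplified stand-in for that casting, and `recaptcha_passed()`, its `$post` callable, the token and the secret are constructed for illustration.

```php
<?php
// Added example, not code from the thread. cast_like_default() is a simplified
// stand-in for the way phpBB's $request->variable() types its result: the
// submitted value is cast to the type of the default argument.
function cast_like_default($value, $default)
{
    settype($value, gettype($default));
    return $value;
}

// Decide whether a siteverify reply proves a solved captcha. $post is a
// hypothetical seam: a callable that sends the fields and returns the raw body.
function recaptcha_passed($token, string $secret, callable $post): bool
{
    // Fail closed on anything that is not a non-empty string token.
    if (!is_string($token) || $token === '') {
        return false;
    }
    $body  = $post(['secret' => $secret, 'response' => $token]);
    $reply = is_string($body) ? json_decode($body, true) : null;
    // Strict comparison: only a literal JSON true counts as success.
    return is_array($reply) && ($reply['success'] ?? false) === true;
}

// Constructed sample data: a made-up token and a fake transport that accepts
// only that token and otherwise answers with the error shown in the thread.
$raw = '03AGdBq2-constructed-sample-token';
$fake_post = function (array $fields): string {
    return $fields['response'] === '03AGdBq2-constructed-sample-token'
        ? '{"success": true}'
        : '{"success": false, "error-codes": ["invalid-input-response"]}';
};

// Same submitted value, read once with a boolean default and once with a
// string default.
$as_bool   = cast_like_default($raw, false);
$as_string = cast_like_default($raw, '');
var_dump($as_bool, $as_string);

// The boolean is rejected before any request is made; the string is verified.
var_dump(recaptcha_passed($as_bool, 'constructed-secret', $fake_post));
var_dump(recaptcha_passed($as_string, 'constructed-secret', $fake_post));
```

In `register.php` the same effect comes from passing `''` rather than `false` as the default for `g-recaptcha-response`, with `$post` replaced by the real cURL request to `siteverify`.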