[IMP] fastapi_captcha: Handle custom altcha url

Author: paradoxxxzero

fastapi_captcha/captcha_middleware.py

@@ -31,6 +31,13 @@ async def dispatch(self, request, call_next):
             raise AccessError(
                 _("Captcha token not found in headers"),
             )
-        endpoint.validate_captcha(token)
+        try:
+            endpoint.validate_captcha(token)
+        except AccessError as e:
+            raise e
+        except IOError as e:
+            raise AccessError(
+                _("Captcha validation failed: %s") % str(e),
+            ) from e
         response = await call_next(request)
         return response

fastapi_captcha/models/fastapi_endpoint.py

@@ -48,6 +48,10 @@ class FastapiEndpoint(models.Model):
         "captcha service.",
     )
 
+    captcha_custom_verify_url = fields.Char(
+        help="Custom URL to use for the captcha verification",
+    )
+
     @property
     def _server_env_fields(self):
         fields = getattr(super(), "_server_env_fields", None) or {}
@@ -180,16 +184,19 @@ def _validate_altcha(self, captcha_response, secret_key):
             "apiKey": secret_key,
             "payload": captcha_response,
         }
-        response = requests.post(
-            "https://eu.altcha.org/api/v1/challenge/verify",
-            data=data,
-            timeout=10,
+        url = (
+            self.captcha_custom_verify_url
+            or "https://eu.altcha.org/api/v1/challenge/verify"
         )
+        response = requests.post(url, data=data, timeout=10)
         result = response.json()
         success = result.get("verified", False)
         if not success:
             error = result.get("error", "?")
-            raise AccessError(_("Altcha validation failed: %s") % error)
+            raise AccessError(
+                _("Altcha (%(url)s) validation failed: %(error)s")
+                % {"url": url, "error": error}
+            )
 
     @api.model
     def _fastapi_app_fields(self):

fastapi_captcha/tests/test_fastapi_captcha.py

@@ -5,7 +5,7 @@
 
 import requests
 
-from odoo.exceptions import AccessError
+from odoo.exceptions import AccessError, UserError, ValidationError
 
 from odoo.addons.fastapi.tests.common import FastAPITransactionCase
 
@@ -26,6 +26,22 @@ def setUpClass(cls):
         cls.endpoint.captcha_secret_key = "test_secret"
         cls.default_fastapi_app = cls.endpoint._get_app()
 
+    def test_no_secret_key(self):
+        self.endpoint.captcha_secret_key = False
+        with self._create_test_client() as test_client:
+            with self.assertRaisesRegex(
+                UserError,
+                "No secret key found for this endpoint",
+            ):
+                test_client.get("/demo/", headers={"X-Captcha-Token": "valid"})
+
+    def test_invalid_regex(self):
+        with self.assertRaisesRegex(
+            ValidationError,
+            r"Invalid regex for captcha routes: /route/\( ",
+        ):
+            self.endpoint.captcha_routes_regex = r"/route/("
+
     def test_missing_header(self):
         with self._create_test_client() as test_client:
             with self.assertRaisesRegex(
@@ -95,6 +111,7 @@ def test_valid_header_recaptcha(self):
 
     def test_invalid_header_hcaptcha(self):
         self.endpoint.captcha_type = "hcaptcha"
+        self.endpoint.captcha_minimum_score = 0.8
         with patch(
             "odoo.addons.fastapi_captcha.models.fastapi_endpoint.requests.post",
             return_value=requests.Response(),
@@ -120,6 +137,7 @@ def test_invalid_header_hcaptcha(self):
 
     def test_valid_header_hcaptcha(self):
         self.endpoint.captcha_type = "hcaptcha"
+        self.endpoint.captcha_minimum_score = 0.8
         with patch(
             "odoo.addons.fastapi_captcha.models.fastapi_endpoint.requests.post",
             return_value=requests.Response(),
@@ -149,6 +167,132 @@ def test_valid_header_hcaptcha(self):
                     },
                 )
 
+    def test_valid_header_low_score_hcaptcha(self):
+        self.endpoint.captcha_type = "hcaptcha"
+        self.endpoint.captcha_minimum_score = 0.8
+        with patch(
+            "odoo.addons.fastapi_captcha.models.fastapi_endpoint.requests.post",
+            return_value=requests.Response(),
+        ) as mock_post:
+            mock_post.return_value.status_code = 200
+            mock_post.return_value.json = lambda: {
+                "success": True,
+                "score": 0.6,
+                "score_reason": "low-confidence",
+            }
+            with self._create_test_client() as test_client:
+                with self.assertRaisesRegex(
+                    AccessError,
+                    r"Hcaptcha validation failed: score 0.6 < 0.8 \(low-confidence\)",
+                ):
+                    test_client.get("/demo/", headers={"X-Captcha-Token": "valid"})
+
+    def test_invalid_header_altcha(self):
+        self.endpoint.captcha_type = "altcha"
+        with patch(
+            "odoo.addons.fastapi_captcha.models.fastapi_endpoint.requests.post",
+            return_value=requests.Response(),
+        ) as mock_post:
+            mock_post.return_value.status_code = 200
+            mock_post.return_value.json = lambda: {
+                "verified": False,
+                "error": "invalid-input-response",
+            }
+            with self._create_test_client() as test_client:
+                with self.assertRaisesRegex(
+                    AccessError,
+                    r"Altcha \(https://eu.altcha.org/api/v1/challenge/verify\) "
+                    "validation failed: invalid-input-response",
+                ):
+                    test_client.get("/demo/", headers={"X-Captcha-Token": "invalid"})
+
+                self.assertGreaterEqual(mock_post.call_count, 1)
+                self.assertEqual(
+                    mock_post.call_args.args[0],
+                    "https://eu.altcha.org/api/v1/challenge/verify",
+                )
+
+                with self.assertRaisesRegex(
+                    AccessError,
+                    r"Altcha \(https://eu.altcha.org/api/v1/challenge/verify\) "
+                    "validation failed: invalid-input-response",
+                ):
+                    test_client.get(
+                        "/demo/who_ami", headers={"X-Captcha-Token": "invalid"}
+                    )
+
+    def test_valid_header_altcha(self):
+        self.endpoint.captcha_type = "altcha"
+        with patch(
+            "odoo.addons.fastapi_captcha.models.fastapi_endpoint.requests.post",
+            return_value=requests.Response(),
+        ) as mock_post:
+            mock_post.return_value.status_code = 200
+            mock_post.return_value.json = lambda: {
+                "verified": True,
+            }
+            with self._create_test_client() as test_client:
+                response = test_client.get(
+                    "/demo/", headers={"X-Captcha-Token": "valid"}
+                )
+                self.assertEqual(response.status_code, status.HTTP_200_OK)
+                self.assertEqual(response.json(), {"Hello": "World"})
+
+                self.assertGreaterEqual(mock_post.call_count, 1)
+                self.assertEqual(
+                    mock_post.call_args.args[0],
+                    "https://eu.altcha.org/api/v1/challenge/verify",
+                )
+                response = test_client.get(
+                    "/demo/who_ami", headers={"X-Captcha-Token": "valid"}
+                )
+                self.assertEqual(response.status_code, status.HTTP_200_OK)
+                partner = self.default_fastapi_authenticated_partner
+                self.assertDictEqual(
+                    response.json(),
+                    {
+                        "name": partner.name,
+                        "display_name": partner.display_name,
+                    },
+                )
+
+    def test_valid_header_custom_url_altcha(self):
+        self.endpoint.captcha_type = "altcha"
+        self.endpoint.captcha_custom_verify_url = "https://custom.exemple.org/verify"
+
+        with patch(
+            "odoo.addons.fastapi_captcha.models.fastapi_endpoint.requests.post",
+            return_value=requests.Response(),
+        ) as mock_post:
+            mock_post.return_value.status_code = 200
+            mock_post.return_value.json = lambda: {
+                "verified": True,
+            }
+            with self._create_test_client() as test_client:
+                response = test_client.get(
+                    "/demo/", headers={"X-Captcha-Token": "valid"}
+                )
+                self.assertEqual(response.status_code, status.HTTP_200_OK)
+                self.assertEqual(response.json(), {"Hello": "World"})
+
+                self.assertGreaterEqual(mock_post.call_count, 1)
+                self.assertEqual(
+                    mock_post.call_args.args[0],
+                    "https://custom.exemple.org/verify",
+                )
+                response = test_client.get(
+                    "/demo/who_ami", headers={"X-Captcha-Token": "valid"}
+                )
+                self.assertEqual(response.status_code, status.HTTP_200_OK)
+                partner = self.default_fastapi_authenticated_partner
+                self.assertDictEqual(
+                    response.json(),
+                    {
+                        "name": partner.name,
+                        "display_name": partner.display_name,
+                    },
+                )
+
     def test_routes_matching_1(self):
         self.endpoint.captcha_routes_regex = "/demo/wh.*,/demo/ca.?"
         # Refresh app

fastapi_captcha/views/fastapi_endpoint_views.xml

@@ -28,6 +28,10 @@
                         attrs="{'required': [('use_captcha', '=', True)]}"
                     />
                     <field name="captcha_routes_regex" />
+                    <field
+                        name="captcha_custom_verify_url"
+                        attrs="{'invisible': [('captcha_type', '!=', 'altcha')]}"
+                    />
                     <field name="captcha_minimum_score" />
                 </group>
             </group>