Add option to enable CAPTCHA validation for login

custom/conf/app.example.ini

@@ -725,6 +725,9 @@ ROUTER = console
 ;; Enable captcha validation for registration
 ;ENABLE_CAPTCHA = false
 ;;
+;; Enable this to require captcha validation for login
+;REQUIRE_CAPTCHA_FOR_LOGIN = false
+;;
 ;; Type of captcha you want to use. Options: image, recaptcha, hcaptcha, mcaptcha.
 ;CAPTCHA_TYPE = image
 ;;

docs/content/doc/advanced/config-cheat-sheet.en-us.md

@@ -594,6 +594,7 @@ Certain queues have defaults that override the defaults set in `[queue]` (this o
 - `ENABLE_REVERSE_PROXY_FULL_NAME`: **false**: Enable this to allow to auto-registration with a
    provided full name for the user.
 - `ENABLE_CAPTCHA`: **false**: Enable this to use captcha validation for registration.
+- `REQUIRE_CAPTCHA_FOR_LOGIN`: **false**: Enable this to require captcha validation for login. You also must enable `ENABLE_CAPTCHA`.
 - `REQUIRE_EXTERNAL_REGISTRATION_CAPTCHA`: **false**: Enable this to force captcha validation
    even for External Accounts (i.e. GitHub, OpenID Connect, etc). You also must enable `ENABLE_CAPTCHA`.
 - `CAPTCHA_TYPE`: **image**: \[image, recaptcha, hcaptcha, mcaptcha\]

docs/content/doc/advanced/config-cheat-sheet.zh-cn.md

@@ -145,7 +145,8 @@ menu:
 - `ENABLE_NOTIFY_MAIL`: 是否发送工单创建等提醒邮件，需要 `Mailer` 被激活。
 - `ENABLE_REVERSE_PROXY_AUTHENTICATION`: 允许反向代理认证，更多细节见：https://github.com/gogits/gogs/issues/165
 - `ENABLE_REVERSE_PROXY_AUTO_REGISTRATION`: 允许通过反向认证做自动注册。
-- `ENABLE_CAPTCHA`: 注册时使用图片验证码。
+- `ENABLE_CAPTCHA`: **false**: 注册时使用图片验证码。
+- `REQUIRE_CAPTCHA_FOR_LOGIN`: **false**: 登录时需要图片验证码。需要同时开启 `ENABLE_CAPTCHA`。
 
 ### Service - Expore (`service.explore`)
 

modules/setting/service.go

@@ -40,6 +40,7 @@ var Service = struct {
 	EnableReverseProxyEmail                 bool
 	EnableReverseProxyFullName              bool
 	EnableCaptcha                           bool
+	RequireCaptchaForLogin                  bool
 	RequireExternalRegistrationCaptcha      bool
 	RequireExternalRegistrationPassword     bool
 	CaptchaType                             string
@@ -130,6 +131,7 @@ func newService() {
 	Service.EnableReverseProxyEmail = sec.Key("ENABLE_REVERSE_PROXY_EMAIL").MustBool()
 	Service.EnableReverseProxyFullName = sec.Key("ENABLE_REVERSE_PROXY_FULL_NAME").MustBool()
 	Service.EnableCaptcha = sec.Key("ENABLE_CAPTCHA").MustBool(false)
+	Service.RequireCaptchaForLogin = sec.Key("REQUIRE_CAPTCHA_FOR_LOGIN").MustBool(false)
 	Service.RequireExternalRegistrationCaptcha = sec.Key("REQUIRE_EXTERNAL_REGISTRATION_CAPTCHA").MustBool(Service.EnableCaptcha)
 	Service.RequireExternalRegistrationPassword = sec.Key("REQUIRE_EXTERNAL_REGISTRATION_PASSWORD").MustBool()
 	Service.CaptchaType = sec.Key("CAPTCHA_TYPE").MustString(ImageCaptcha)

routers/web/auth/auth.go

@@ -170,6 +170,17 @@ func SignIn(ctx *context.Context) {
 	ctx.Data["PageIsLogin"] = true
 	ctx.Data["EnableSSPI"] = auth.IsSSPIEnabled()
 
+	if setting.Service.EnableCaptcha && setting.Service.RequireCaptchaForLogin {
+		ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha
+		ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL
+		ctx.Data["Captcha"] = context.GetImageCaptcha()
+		ctx.Data["CaptchaType"] = setting.Service.CaptchaType
+		ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey
+		ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
+		ctx.Data["McaptchaSitekey"] = setting.Service.McaptchaSitekey
+		ctx.Data["McaptchaURL"] = setting.Service.McaptchaURL
+	}
+
 	ctx.HTML(http.StatusOK, tplSignIn)
 }
 
@@ -196,6 +207,43 @@ func SignInPost(ctx *context.Context) {
 	}
 
 	form := web.GetForm(ctx).(*forms.SignInForm)
+
+	if setting.Service.EnableCaptcha && setting.Service.RequireCaptchaForLogin {
+		ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha
+		ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL
+		ctx.Data["Captcha"] = context.GetImageCaptcha()
+		ctx.Data["CaptchaType"] = setting.Service.CaptchaType
+		ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey
+		ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
+		ctx.Data["McaptchaSitekey"] = setting.Service.McaptchaSitekey
+		ctx.Data["McaptchaURL"] = setting.Service.McaptchaURL
+
+		var valid bool
+		var err error
+		switch setting.Service.CaptchaType {
+		case setting.ImageCaptcha:
+			valid = context.GetImageCaptcha().VerifyReq(ctx.Req)
+		case setting.ReCaptcha:
+			valid, err = recaptcha.Verify(ctx, form.GRecaptchaResponse)
+		case setting.HCaptcha:
+			valid, err = hcaptcha.Verify(ctx, form.HcaptchaResponse)
+		case setting.MCaptcha:
+			valid, err = mcaptcha.Verify(ctx, form.McaptchaResponse)
+		default:
+			ctx.ServerError("Unknown Captcha Type", fmt.Errorf("Unknown Captcha Type: %s", setting.Service.CaptchaType))
+			return
+		}
+		if err != nil {
+			log.Debug("%s", err.Error())
+		}
+
+		if !valid {
+			ctx.Data["Err_Captcha"] = true
+			ctx.RenderWithErr(ctx.Tr("form.captcha_incorrect"), tplSignIn, &form)
+			return
+		}
+	}
+
 	u, source, err := auth_service.UserSignIn(form.UserName, form.Password)
 	if err != nil {
 		if user_model.IsErrUserNotExist(err) || user_model.IsErrEmailAddressNotExist(err) {

services/forms/user_form.go

@@ -160,6 +160,10 @@ type SignInForm struct {
 	// TODO remove required from password for SecondFactorAuthentication
 	Password string `binding:"Required;MaxSize(255)"`
 	Remember bool
+	// Captcha
+	GRecaptchaResponse string `form:"g-recaptcha-response"`
+	HcaptchaResponse   string `form:"h-captcha-response"`
+	McaptchaResponse   string `form:"m-captcha-response"`
 }
 
 // Validate validates the fields

templates/user/auth/captcha.tmpl

@@ -0,0 +1,27 @@
+{{if and .EnableCaptcha (eq .CaptchaType "image")}}
+	<div class="inline field">
+		<label></label>
+		{{.Captcha.CreateHTML}}
+	</div>
+	<div class="required inline field {{if .Err_Captcha}}error{{end}}">
+		<label for="captcha">{{.locale.Tr "captcha"}}</label>
+		<input id="captcha" name="captcha" value="{{.captcha}}" autocomplete="off">
+	</div>
+{{end}}
+{{if and .EnableCaptcha (eq .CaptchaType "recaptcha")}}
+	<div class="inline field required">
+		<div class="g-recaptcha" data-sitekey="{{.RecaptchaSitekey}}"></div>
+	</div>
+{{end}}
+{{if and .EnableCaptcha (eq .CaptchaType "hcaptcha")}}
+	<div class="inline field required">
+		<div class="h-captcha" data-sitekey="{{.HcaptchaSitekey}}"></div>
+	</div>
+{{end}}
+{{if and .EnableCaptcha (eq .CaptchaType "mcaptcha")}}
+	<div class="inline field df ac db-small captcha-field">
+		<span>{{.locale.Tr "captcha"}}</span>
+		<div class="border-secondary w-100-small" id="mcaptcha__widget-container" style="width: 50%; height: 5em"></div>
+		<div class="m-captcha" data-sitekey="{{.McaptchaSitekey}}" data-instance-url="{{.McaptchaURL}}"></div>
+	</div>
+{{end}}

templates/user/auth/signin_inner.tmpl

@@ -31,6 +31,8 @@
 			</div>
 			{{end}}
 
+			{{template "user/auth/captcha" .}}
+
 			<div class="inline field">
 				<label></label>
 				<button class="ui green button">

templates/user/auth/signup_inner.tmpl

@@ -34,34 +34,8 @@
 						<input id="retype" name="retype" type="password" value="{{.retype}}" autocomplete="new-password" required>
 					</div>
 				{{end}}
-				{{if and .EnableCaptcha (eq .CaptchaType "image")}}
-					<div class="inline field">
-						<label></label>
-						{{.Captcha.CreateHTML}}
-					</div>
-					<div class="required inline field {{if .Err_Captcha}}error{{end}}">
-						<label for="captcha">{{.locale.Tr "captcha"}}</label>
-						<input id="captcha" name="captcha" value="{{.captcha}}" autocomplete="off">
-					</div>
-				{{end}}
-				{{if and .EnableCaptcha (eq .CaptchaType "recaptcha")}}
-					<div class="inline field required">
-						<div class="g-recaptcha" data-sitekey="{{.RecaptchaSitekey}}"></div>
-					</div>
-				{{end}}
-				{{if and .EnableCaptcha (eq .CaptchaType "hcaptcha")}}
-					<div class="inline field required">
-						<div class="h-captcha" data-sitekey="{{.HcaptchaSitekey}}"></div>
-					</div>
-				{{end}}
-				{{if and .EnableCaptcha (eq .CaptchaType "mcaptcha")}}
-					<div class="inline field df ac db-small captcha-field">
-						<span>{{.locale.Tr "captcha"}}</span>
-						<div class="border-secondary w-100-small" id="mcaptcha__widget-container" style="width: 50%; height: 5em"></div>
-						<div class="m-captcha" data-sitekey="{{.McaptchaSitekey}}" data-instance-url="{{.McaptchaURL}}"></div>
-					</div>
-				{{end}}
 
+				{{template "user/auth/captcha" .}}
 
 				<div class="inline field">
 					<label></label>

templates/user/auth/signup_openid_register.tmpl

@@ -20,31 +20,9 @@
 						<label for="email">{{.locale.Tr "email"}}</label>
 						<input id="email" name="email" type="email" value="{{.email}}" required>
 					</div>
-					{{if and .EnableCaptcha (eq .CaptchaType "image")}}
-						<div class="inline field">
-							<label></label>
-							{{.Captcha.CreateHTML}}
-						</div>
-						<div class="required inline field {{if .Err_Captcha}}error{{end}}">
-							<label for="captcha">{{.locale.Tr "captcha"}}</label>
-							<input id="captcha" name="captcha" value="{{.captcha}}" autocomplete="off">
-						</div>
-					{{end}}
-					{{if and .EnableCaptcha (eq .CaptchaType "recaptcha")}}
-						<div class="inline field required">
-							<div class="g-recaptcha" data-sitekey="{{.RecaptchaSitekey}}"></div>
-						</div>
-					{{end}}
-					{{if and .EnableCaptcha (eq .CaptchaType "hcaptcha")}}
-						<div class="inline field required">
-							<div class="h-captcha" data-sitekey="{{.HcaptchaSitekey}}"></div>
-						</div>
-					{{end}}
-					{{if and .EnableCaptcha (eq .CaptchaType "mcaptcha")}}
-						<div class="inline field required">
-							<div class="m-captcha" data-sitekey="{{.McaptchaSitekey}}" data-instance-url="{{.McaptchaURL}}"></div>
-						</div>
-					{{end}}
+
+					{{template "user/auth/captcha" .}}
+
 					<div class="inline field">
 						<label for="openid">OpenID URI</label>
 						<input id="openid" value="{{.OpenID}}" readonly>