Use API Key instead of secret key for recaptcha enterprise

wso2-extensions · Sep 5, 2023 · bdadd5c · bdadd5c
1 parent 4823ca6
commit bdadd5c
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 11 deletions.
diff --git a/...ty.captcha/src/main/java/org/wso2/carbon/identity/captcha/internal/CaptchaDataHolder.java b/...ty.captcha/src/main/java/org/wso2/carbon/identity/captcha/internal/CaptchaDataHolder.java
@@ -47,6 +47,8 @@ public class CaptchaDataHolder {
 
     private String reCaptchaSecretKey;
 
+    private String reCaptchaAPIKey;
+
     private String reCaptchaProjectID;
 
     private String reCaptchaErrorRedirectUrls;
@@ -140,6 +142,14 @@ public void setReCaptchaSecretKey(String reCaptchaSecretKey) {
         this.reCaptchaSecretKey = reCaptchaSecretKey;
     }
 
+    public String getReCaptchaAPIKey() {
+        return reCaptchaAPIKey;
+    }
+
+    public void setReCaptchaAPIKey(String reCaptchaAPIKey) {
+        this.reCaptchaAPIKey = reCaptchaAPIKey;
+    }
+
     public String getReCaptchaRequestWrapUrls() {
         return reCaptchaRequestWrapUrls;
     }

diff --git a/...dentity.captcha/src/main/java/org/wso2/carbon/identity/captcha/util/CaptchaConstants.java b/...dentity.captcha/src/main/java/org/wso2/carbon/identity/captcha/util/CaptchaConstants.java
@@ -49,6 +49,8 @@ public class CaptchaConstants {
 
     public static final String RE_CAPTCHA_SECRET_KEY = "recaptcha.secret.key";
 
+    public static final String RE_CAPTCHA_API_KEY = "recaptcha.api.key";
+
     public static final String RE_CAPTCHA_REQUEST_WRAP_URLS = "recaptcha.request.wrap.urls";
 
     public static final String FAIL_LOGIN_ATTEMPT_VALIDATOR_ENABLED = "failLoginAttemptValidator.enable";

diff --git a/...bon.identity.captcha/src/main/java/org/wso2/carbon/identity/captcha/util/CaptchaUtil.java b/...bon.identity.captcha/src/main/java/org/wso2/carbon/identity/captcha/util/CaptchaUtil.java
@@ -278,9 +278,9 @@ private static HttpPost createReCaptchaEnterpriseVerificationHttpPost(String reC
         String recaptchaUrl = CaptchaDataHolder.getInstance().getReCaptchaVerifyUrl();
         String projectID = CaptchaDataHolder.getInstance().getReCaptchaProjectID();
         String siteKey = CaptchaDataHolder.getInstance().getReCaptchaSiteKey();
-        String secretKey = CaptchaDataHolder.getInstance().getReCaptchaSecretKey();
+        String apiKey = CaptchaDataHolder.getInstance().getReCaptchaAPIKey();
 
-        String verifyUrl = recaptchaUrl + "/v1/projects/" + projectID + "/assessments?key=" + secretKey;
+        String verifyUrl = recaptchaUrl + "/v1/projects/" + projectID + "/assessments?key=" + apiKey;
         httpPost = new HttpPost(verifyUrl);
 
         httpPost.setHeader(HttpHeaders.CONTENT_TYPE, "application/json");
@@ -571,6 +571,19 @@ private static void setReCaptchaConfigs(Properties properties) {
                 throw new RuntimeException(getValidationErrorMessage(CaptchaConstants.RE_CAPTCHA_PROJECT_ID));
             }
             CaptchaDataHolder.getInstance().setReCaptchaProjectID(reCaptchaProjectID);
+
+            String reCaptchaAPIKey = properties.getProperty(CaptchaConstants.RE_CAPTCHA_API_KEY);
+            if (StringUtils.isBlank(reCaptchaAPIKey)) {
+                throw new RuntimeException(getValidationErrorMessage(CaptchaConstants.RE_CAPTCHA_API_KEY));
+            }
+            CaptchaDataHolder.getInstance().setReCaptchaAPIKey(reCaptchaAPIKey);
+        } else {
+            // Secret Key is only required if recaptcha enterprise is not enabled
+            String reCaptchaSecretKey = properties.getProperty(CaptchaConstants.RE_CAPTCHA_SECRET_KEY);
+            if (StringUtils.isBlank(reCaptchaSecretKey)) {
+                throw new RuntimeException(getValidationErrorMessage(CaptchaConstants.RE_CAPTCHA_SECRET_KEY));
+            }
+            CaptchaDataHolder.getInstance().setReCaptchaSecretKey(reCaptchaSecretKey);
         }
 
         String reCaptchaAPIUrl = properties.getProperty(CaptchaConstants.RE_CAPTCHA_API_URL);
@@ -591,12 +604,6 @@ private static void setReCaptchaConfigs(Properties properties) {
         }
         CaptchaDataHolder.getInstance().setReCaptchaSiteKey(reCaptchaSiteKey);
 
-        String reCaptchaSecretKey = properties.getProperty(CaptchaConstants.RE_CAPTCHA_SECRET_KEY);
-        if (StringUtils.isBlank(reCaptchaSecretKey)) {
-            throw new RuntimeException(getValidationErrorMessage(CaptchaConstants.RE_CAPTCHA_SECRET_KEY));
-        }
-        CaptchaDataHolder.getInstance().setReCaptchaSecretKey(reCaptchaSecretKey);
-
         String reCaptchaRequestWrapUrls = properties.getProperty(CaptchaConstants.RE_CAPTCHA_REQUEST_WRAP_URLS);
         if (reCaptchaRequestWrapUrls == null) {
             throw new RuntimeException(getValidationErrorMessage(CaptchaConstants.RE_CAPTCHA_REQUEST_WRAP_URLS));

diff --git a/...identity.captcha/src/test/java/org/wso2/carbon/identity/captcha/util/CaptchaUtilTest.java b/...identity.captcha/src/test/java/org/wso2/carbon/identity/captcha/util/CaptchaUtilTest.java
@@ -40,6 +40,7 @@
 public class CaptchaUtilTest {
 
     private final String RECAPTCHA_API_URL = "https://www.google.com/recaptcha/api/siteverify";
+    private final String RECAPTCHA_ENTERPRISE_API_URL = "https://recaptchaenterprise.googleapis.com";
 
     @BeforeMethod
     public void setUp() {
@@ -103,16 +104,16 @@ private JsonObject getReCaptchaJsonObject(boolean valid, double score) {
     public void testCreateReCaptchaEnterpriseVerificationHttpPost() throws NoSuchMethodException,
             InvocationTargetException, IllegalAccessException {
 
-        CaptchaDataHolder.getInstance().setReCaptchaVerifyUrl(RECAPTCHA_API_URL);
-        CaptchaDataHolder.getInstance().setReCaptchaSecretKey("dummyKey");
+        CaptchaDataHolder.getInstance().setReCaptchaVerifyUrl(RECAPTCHA_ENTERPRISE_API_URL);
+        CaptchaDataHolder.getInstance().setReCaptchaAPIKey("dummyKey");
         CaptchaDataHolder.getInstance().setReCaptchaSiteKey("dummySiteKey");
         CaptchaDataHolder.getInstance().setReCaptchaProjectID("dummyProjectId");
 
 
 
         Method method = getCreateReCaptchaEnterpriseVerificationHttpPostMethod();
         HttpPost httpPost = (HttpPost) method.invoke(null, "reCaptchaEnterpriseResponse");
-        String expectedURI = RECAPTCHA_API_URL+ "/v1/projects/dummyProjectId/assessments?key=dummyKey";
+        String expectedURI = RECAPTCHA_ENTERPRISE_API_URL+ "/v1/projects/dummyProjectId/assessments?key=dummyKey";
         Assert.assertEquals(httpPost.getURI().toString(), expectedURI);
 
     }

diff --git a/...g.wso2.carbon.identity.captcha.server.feature/resources/conf/captcha-config.properties.j2 b/...g.wso2.carbon.identity.captcha.server.feature/resources/conf/captcha-config.properties.j2
@@ -56,3 +56,6 @@ recaptcha.request.wrap.urls={{recaptcha.request_wrap_urls}}
 
 # recaptcha v3 score threshold
 recaptcha.threshold={{recaptcha.threshold}}
+
+# reCaptcha API key for enterprise recaptcha
+recaptcha.api.key={{recaptcha.api_key}}