READ BEFORE USE
I ask other developers to check whether this is implemented correctly.
Useful Links
- Google reCAPTCHA: https://www.google.com/recaptcha/intro/v3.html
- reCAPTCHA v3 Documentation: https://developers.google.com/recaptcha/docs/v3
- header.php - added the Google reCAPTCHA script before </head>
- incCommon.php - added verification of the reCAPTCHA response and score on POST (in the logInMember() function)
- login.php - added a hidden form field that carries the reCAPTCHA token
header.php - before </head>
<!-- Loads reCAPTCHA v3 and, once the library is ready, requests a token for the
     'homepage' action and stores it in the hidden field #recaptcharesponse.
     The token is requested once, at page load; per Google's v3 documentation a
     token is valid for two minutes, so a visitor who keeps the login form open
     longer than that submits a stale token. The action name is echoed back by
     siteverify and can be checked server-side. -->
<script src="https://www.google.com/recaptcha/api.js?render=YOUR_RECAPTCHA_SITE_KEY"></script>
<script>
(function () {
    function storeRecaptchaToken(token) {
        var tokenField = document.getElementById('recaptcharesponse');
        tokenField.value = token;
    }

    function requestRecaptchaToken() {
        grecaptcha.execute('YOUR_RECAPTCHA_SITE_KEY', {action: 'homepage'}).then(storeRecaptchaToken);
    }

    grecaptcha.ready(requestRecaptchaToken);
})();
</script>
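/**
 * Authenticate the current request.
 *
 * Order of checks: (1) a POSTed sign-in form, which must carry a reCAPTCHA v3
 * token that verifies with an acceptable score AND matching credentials;
 * (2) a JWT auth header; (3) a rememberMe cookie. Step (1) always ends the
 * request (redirect + exit); steps (2) and (3) only populate $_SESSION.
 *
 * A sign-in POST that lacks the token (JS disabled, or the field stripped from
 * the request) is treated as a failed login rather than silently ignored, and
 * the login_failed hook fires exactly once per failed attempt.
 *
 * @param float  $minScore       lowest acceptable reCAPTCHA score (0..1). 0.9 is
 *                               strict; Google's documented default threshold is 0.5.
 * @param string $expectedAction action name the page script passes to
 *                               grecaptcha.execute(); the token is rejected if
 *                               siteverify reports a different action.
 * @return void
 */
function logInMember($minScore = 0.9, $expectedAction = 'homepage') {
	// TODO: load the secret from configuration instead of source control.
	$recaptchaSecret = 'YOUR_RECAPTCHA_SECRET_KEY';

	$isPost = (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST');
	$signIn = isset($_POST['signIn']) ? $_POST['signIn'] : '';

	if($isPost && $signIn != '') {
		$rawUsername = isset($_POST['username']) ? $_POST['username'] : '';
		$password = isset($_POST['password']) ? $_POST['password'] : '';
		$token = isset($_POST['recaptcha_response']) ? $_POST['recaptcha_response'] : '';
		$remoteIp = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

		// Fail closed: no token, transport error, low score or wrong action all
		// count as a captcha failure.
		$captchaOk = ($token !== '' && recaptchaV3Passed($recaptchaSecret, $token, $remoteIp, $minScore, $expectedAction));

		if($captchaOk && $rawUsername != '' && $password != '') {
			$username = makeSafe(strtolower($rawUsername));
			// makeSafe() is the project's SQL escaping; sqlValue() offers no bound parameters.
			$hash = sqlValue("select passMD5 from membership_users where lcase(memberID)='{$username}' and isApproved=1 and isBanned=0");

			if(password_match($password, $hash)) {
				$_SESSION['memberID'] = $username;
				$_SESSION['memberGroupID'] = sqlValue("SELECT `groupID` FROM `membership_users` WHERE LCASE(`memberID`)='{$username}'");

				if(isset($_POST['rememberMe']) && $_POST['rememberMe'] == 1) {
					RememberMe::login($username);
				}else{
					RememberMe::delete();
				}

				// harden user's password hash
				password_harden($username, $password, $hash);

				// hook: login_ok -- may override the post-login redirect target
				$redir = 'index.php';
				if(function_exists('login_ok')) {
					$args = [];
					if(!$redir = login_ok(getMemberInfo(), $args)) {
						$redir = 'index.php';
					}
				}

				redirect($redir);
				exit;
			}
		}

		// hook: login_failed -- fired once, whichever of captcha, empty fields or
		// password check failed. Note: the project hook receives the submitted
		// password in clear text, as in the original implementation.
		if(function_exists('login_failed')) {
			$args = [];
			login_failed([
				'username' => $rawUsername,
				'password' => $password,
				'IP' => $remoteIp
			], $args);
		}

		if(!headers_sent()) header('HTTP/1.0 403 Forbidden');
		redirect("index.php?loginFailed=1");
		exit;
	}

	/* do we have a JWT auth header? */
	jwt_check_login();
	if(!empty($_SESSION['memberID']) && !empty($_SESSION['memberGroupID'])) return;

	/* check if a rememberMe cookie exists and sign in user if so */
	if(RememberMe::check()) {
		$username = makeSafe(strtolower(RememberMe::user()));
		$_SESSION['memberID'] = $username;
		$_SESSION['memberGroupID'] = sqlValue("SELECT `groupID` FROM `membership_users` WHERE LCASE(`memberID`)='{$username}'");
	}
}

/**
 * Verify a reCAPTCHA v3 token against Google's siteverify endpoint.
 *
 * Fails closed: a transport error, a non-JSON or non-success reply, an action
 * mismatch, a missing/non-numeric score, or a score below $minScore all
 * return false.
 *
 * @param string $secret         site secret key
 * @param string $token          token posted by the client (from grecaptcha.execute)
 * @param string $remoteIp       client IP forwarded to Google as remoteip; '' to omit
 * @param float  $minScore       lowest acceptable score
 * @param string $expectedAction action the token must have been issued for
 * @return bool
 */
function recaptchaV3Passed($secret, $token, $remoteIp, $minScore, $expectedAction) {
	$fields = ['secret' => $secret, 'response' => $token];
	if($remoteIp !== '') $fields['remoteip'] = $remoteIp;

	// POST the form-encoded fields. http_build_query() URL-encodes the
	// client-supplied token, so it cannot inject extra query parameters the
	// way bare string concatenation into the URL would allow.
	$context = stream_context_create(['http' => [
		'method' => 'POST',
		'header' => "Content-Type: application/x-www-form-urlencoded\r\n",
		'content' => http_build_query($fields),
		'timeout' => 5,
		'ignore_errors' => true,
	]]);
	$body = file_get_contents('https://www.google.com/recaptcha/api/siteverify', false, $context);
	if($body === false) return false;

	$result = json_decode($body, true);
	if(!is_array($result) || !isset($result['success']) || $result['success'] !== true) return false;
	if(!isset($result['action']) || $result['action'] !== $expectedAction) return false;
	if(!isset($result['score']) || !is_numeric($result['score'])) return false;

	return ((float) $result['score'] >= (float) $minScore);
}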
<!-- Filled in by the header script (grecaptcha.execute -> #recaptcharesponse).
     The name attribute is the $_POST key the server verifies. The field has no
     value until that script runs, so a submit before then, or with JS
     disabled, sends an empty token. -->
<input id="recaptcharesponse" type="hidden" name="recaptcha_response">
YOU MUST INFORM USERS OF reCAPTCHA v3 USE
Legal info: https://developers.google.com/recaptcha/docs/faq#id-like-to-hide-the-recaptcha-badge.-what-is-allowed
/* Hides the reCAPTCHA badge. Google permits hiding it only if the reCAPTCHA
   branding/terms notice is shown visibly in the user flow instead (see the
   legal-info link above). */
.grecaptcha-badge {
visibility: hidden;
}