reCAPTCHA v3 for Login Form

The recommended method of customizing your AppGini-generated application is through hooks. But sometimes you might need to add functionality not accessible through hooks. You can discuss this here.
mghielmi
Posts: 10
Joined: 2019-01-08 01:27

Post by mghielmi » 2019-10-27 16:59

Hi, I've tried to add reCAPTCHA v3 to the login form.

READ BEFORE USE
I ask other developers to check if it is implemented correctly.

Files changed
  • header.php - added Google code before </head>
  • incCommon.php - implemented code for the POST response from reCAPTCHA, score and result (logInMember() function)
  • login.php - added Google hidden field for reCAPTCHA

header.php - before </head>

Code:

<script src="https://www.google.com/recaptcha/api.js?render=YOUR_RECAPTCHA_SITE_KEY"></script>
<script>
grecaptcha.ready(function() {
	// the action name sent here must be the one the server expects in the siteverify reply
	grecaptcha.execute('YOUR_RECAPTCHA_SITE_KEY', {action: 'homepage'}).then(function(token) {
		// store the token in the hidden login field so it is POSTed with the credentials;
		// reCAPTCHA v3 tokens expire after two minutes, so a form left open longer than
		// that needs a fresh execute() before submit
		var recaptcharesponse = document.getElementById('recaptcharesponse');
		recaptcharesponse.value = token;
	});
});
</script>
incCommon.php - logInMember() function (you can change the reCAPTCHA score check)

Code:

function logInMember() {
	if($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['recaptcha_response'])) {
		$recaptcha_url = 'https://www.google.com/recaptcha/api/siteverify';
		$recaptcha_secret = 'YOUR_RECAPTCHA_SECRET_KEY';
		$recaptcha_response = $_POST['recaptcha_response'];

		// the token is user-supplied: URL-encode it before placing it in the query string
		$recaptcha = file_get_contents($recaptcha_url . '?secret=' . urlencode($recaptcha_secret) . '&response=' . urlencode($recaptcha_response));
		// a network failure yields false and an unparsable reply yields null; both must fail closed
		$recaptcha = ($recaptcha !== false) ? json_decode($recaptcha) : null;

		if($recaptcha !== null && $recaptcha->success === true && isset($recaptcha->score) && $recaptcha->score >= 0.9) {
			$redir = 'index.php';
			if($_POST['signIn'] != '') {
				if($_POST['username'] != '' && $_POST['password'] != '') {
					$username = makeSafe(strtolower($_POST['username']));
					$hash = sqlValue("select passMD5 from membership_users where lcase(memberID)='{$username}' and isApproved=1 and isBanned=0");
					$password = $_POST['password'];

					if(password_match($password, $hash)) {
						$_SESSION['memberID'] = $username;
						$_SESSION['memberGroupID'] = sqlValue("SELECT `groupID` FROM `membership_users` WHERE LCASE(`memberID`)='{$username}'");

						if($_POST['rememberMe'] == 1) {
							RememberMe::login($username);
						}else{
							RememberMe::delete();
						}

						// harden user's password hash
						password_harden($username, $password, $hash);

						// hook: login_ok
						if(function_exists('login_ok')) {
							$args=array();
							if(!$redir=login_ok(getMemberInfo(), $args)) {
								$redir='index.php';
							}
						}

						redirect($redir);
						exit;
					}
				}
			}
		}

		// reached when reCAPTCHA rejected the request or the credentials were wrong;
		// the login_failed hook is invoked once here for both failure paths
		// hook: login_failed
		if(function_exists('login_failed')) {
			$args=array();
			login_failed(array(
				'username' => $_POST['username'],
				'password' => $_POST['password'],
				'IP' => $_SERVER['REMOTE_ADDR']
				), $args);
		}

		if(!headers_sent()) header('HTTP/1.0 403 Forbidden');
		redirect("index.php?loginFailed=1");
		exit;
	}

	/* do we have a JWT auth header? */
	jwt_check_login();

	if(!empty($_SESSION['memberID']) && !empty($_SESSION['memberGroupID'])) return;

	/* check if a rememberMe cookie exists and sign in user if so */
	if(RememberMe::check()) {
		$username = makeSafe(strtolower(RememberMe::user()));
		$_SESSION['memberID'] = $username;
		$_SESSION['memberGroupID'] = sqlValue("SELECT `groupID` FROM `membership_users` WHERE LCASE(`memberID`)='{$username}'");
	}
}
login.php - after the signIn button code

Code:

<input type="hidden" name="recaptcha_response" id="recaptcharesponse"> 
Remove Google reCAPTCHA v3 badge (CSS)
YOU MUST INFORM USERS OF reCAPTCHA v3 USE

Legal info: https://developers.google.com/recaptcha ... is-allowed

Code:

.grecaptcha-badge {
    visibility: hidden;
}
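The siteverify step above is where the security decision is made, so here is an added example (not code from the post or from AppGini) of a fail-closed verifier that a logInMember() could call before checking credentials. It assumes a RECAPTCHA_SECRET constant, a configured RECAPTCHA_EXPECTED_HOST, and that the page calls grecaptcha.execute() with action 'login' (the post uses 'homepage'; whichever name is used, both sides must match). It sends the token by POST so the secret is not written into URL-based access logs, and it checks action and hostname as well as score.

```php
<?php
// Added example, not part of the original post. Placeholder values: replace before use.
define('RECAPTCHA_SECRET', 'YOUR_RECAPTCHA_SECRET_KEY');
define('RECAPTCHA_EXPECTED_HOST', 'www.example.com');   // assumed: your site's hostname

/**
 * Decide whether a siteverify JSON reply is acceptable. Separate from the HTTP call
 * so it can be exercised with constructed replies. Every check must pass.
 */
function recaptchaReplyAcceptable($json, $expectedAction, $expectedHost, $minScore) {
	$r = json_decode($json, true);
	if(!is_array($r) || empty($r['success'])) return false;                  // API error or bad/expired token
	if(!isset($r['score']) || (float)$r['score'] < $minScore) return false;   // score below threshold
	if(!isset($r['action']) || $r['action'] !== $expectedAction) return false; // token minted for another action
	if(!isset($r['hostname']) || $r['hostname'] !== $expectedHost) return false; // token minted on another site
	return true;
}

/**
 * POST the token to Google. Returns the raw JSON, or false on network failure;
 * the caller treats false as a rejection (fail closed).
 */
function recaptchaSiteVerify($secret, $token, $remoteIp) {
	$body = http_build_query(array(
		'secret'   => $secret,
		'response' => $token,
		'remoteip' => $remoteIp,
	));
	$ctx = stream_context_create(array('http' => array(
		'method'  => 'POST',
		'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
		'content' => $body,
		'timeout' => 5,
	)));
	return @file_get_contents('https://www.google.com/recaptcha/api/siteverify', false, $ctx);
}

/**
 * Call from logInMember() before the username/password check.
 * A missing token, an unreachable verifier, or a failed check all return false.
 */
function recaptchaLoginOk() {
	if(empty($_POST['recaptcha_response'])) return false;
	$json = recaptchaSiteVerify(RECAPTCHA_SECRET, $_POST['recaptcha_response'], $_SERVER['REMOTE_ADDR']);
	if($json === false) return false;
	// 0.5 is Google's documented default threshold; the post uses 0.9
	return recaptchaReplyAcceptable($json, 'login', RECAPTCHA_EXPECTED_HOST, 0.5);
}
```

Constructed replies such as `{"success":true,"score":0.9,"action":"homepage","hostname":"www.example.com"}` are rejected by recaptchaReplyAcceptable() when the expected action is 'login', which is the check the original code lacks.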
