rivet-gg · ABCxFF · Sep 6, 2024 · Sep 6, 2024 · Sep 6, 2024 · Sep 6, 2024
diff --git a/deno.lock b/deno.lock
diff --git a/modules/auth_email/scripts/verify_add_email_pass.ts b/modules/auth_email/scripts/verify_add_email_pass.ts
@@ -30,7 +30,7 @@ export async function run(
 	}
 
 	// Ensure that the email is not associated with ANY accounts in ANY way.
-	const providedUser = await ctx.modules.users.authenticateToken({
+	const providedUser = await ctx.modules.users.authenticateTokenInternal({
 		userToken: req.userToken,
 	});
 	await ensureNotAssociatedAll(ctx, email, new Set([providedUser.userId]));

diff --git a/modules/auth_email/scripts/verify_add_no_pass.ts b/modules/auth_email/scripts/verify_add_no_pass.ts
@@ -21,7 +21,7 @@ export async function run(
 	const { email } = await verifyCode(ctx, req.verificationToken, req.code);
 
 	// Ensure that the email is not already associated with another account
-	const providedUser = await ctx.modules.users.authenticateToken({
+	const providedUser = await ctx.modules.users.authenticateTokenInternal({
 		userToken: req.userToken,
 	});
 	await ensureNotAssociatedAll(ctx, email, new Set([providedUser.userId]));

diff --git a/modules/auth_email/scripts/verify_link_email.ts b/modules/auth_email/scripts/verify_link_email.ts
@@ -21,7 +21,7 @@ export async function run(
 	const { email } = await verifyCode(ctx, req.verificationToken, req.code);
 
 	// Ensure that the email is not already associated with another account
-	const providedUser = await ctx.modules.users.authenticateToken({
+	const providedUser = await ctx.modules.users.authenticateTokenInternal({
 		userToken: req.userToken,
 	});
 	await ensureNotAssociatedAll(ctx, email, new Set([providedUser.userId]));

diff --git a/modules/auth_email/tests/already_used.ts b/modules/auth_email/tests/already_used.ts
@@ -129,7 +129,7 @@ test("email_link_then_add_pass", async (ctx: TestContext) => {
 	const password = faker.internet.password();
 
 	const { userToken } = await signUpEmailLink(ctx, email);
-	const { user } = await ctx.modules.users.authenticateToken({
+	const { user } = await ctx.modules.users.authenticateTokenInternal({
 		userToken,
 		fetchUser: true,
 	});
@@ -161,7 +161,7 @@ test("email_link_then_add_no_pass", async (ctx: TestContext) => {
 	const email = faker.internet.email();
 
 	const { userToken } = await signUpEmailLink(ctx, email);
-	const { user } = await ctx.modules.users.authenticateToken({
+	const { user } = await ctx.modules.users.authenticateTokenInternal({
 		userToken,
 		fetchUser: true,
 	});

diff --git a/modules/auth_email/tests/common.ts b/modules/auth_email/tests/common.ts
@@ -45,7 +45,7 @@ export async function checkLogin(
 	newToken: string,
 ) {
 	const { userId: signedInUserId, user: signedInUser } = await ctx.modules.users
-		.authenticateToken({
+		.authenticateTokenInternal({
 			userToken: newToken,
 			fetchUser: true,
 		});

diff --git a/modules/auth_email/tests/create.ts b/modules/auth_email/tests/create.ts
@@ -22,7 +22,7 @@ test("create_with_email_and_login_passwordless", async (ctx: TestContext) => {
 		userToken = signUpRes.userToken;
 	}
 
-	const { user } = await ctx.modules.users.authenticateToken({
+	const { user } = await ctx.modules.users.authenticateTokenInternal({
 		userToken,
 		fetchUser: true,
 	});
@@ -65,7 +65,7 @@ test("create_with_email_and_login_password", async (ctx: TestContext) => {
 		userToken = signUpRes.userToken;
 	}
 
-	const { user } = await ctx.modules.users.authenticateToken({
+	const { user } = await ctx.modules.users.authenticateTokenInternal({
 		userToken,
 		fetchUser: true,
 	});

diff --git a/modules/auth_email/utils/link_assertions.ts b/modules/auth_email/utils/link_assertions.ts
@@ -41,7 +41,7 @@ export async function ensureNotAssociated(
 		}
 	}
 	// Email matches an existing identity using this provider
-	const existingUser = await ctx.modules.users.authenticateToken(
+	const existingUser = await ctx.modules.users.authenticateTokenInternal(
 		existingIdentity,
 	);
 

diff --git a/modules/auth_username_password/tests/e2e.ts b/modules/auth_username_password/tests/e2e.ts
@@ -13,7 +13,7 @@ test("test_sign_up", async (ctx: TestContext) => {
 		password,
 	});
 
-	const { userId } = await ctx.modules.users.authenticateToken({
+	const { userId } = await ctx.modules.users.authenticateTokenInternal({
 		userToken: token.token,
 	});
 
@@ -51,7 +51,7 @@ test("test_sign_in", async (ctx: TestContext) => {
 		password,
 	});
 
-	const { userId } = await ctx.modules.users.authenticateToken({
+	const { userId } = await ctx.modules.users.authenticateTokenInternal({
 		userToken: token.token,
 	});
 

diff --git a/modules/captcha/actors/throttle.ts b/modules/captcha/actors/throttle.ts
@@ -0,0 +1,44 @@
+import { ActorBase, ActorContext, Empty } from "../module.gen.ts";
+import { ThrottleRequest, ThrottleResponse } from "../utils/types.ts";
+
+type Input = undefined;
+
+interface State {
+	start: number;
+	count: number;
+}
+
+export class Actor extends ActorBase<Input, State> {
+	public initialize(_ctx: ActorContext): State {
+		// Will refill on first call of `throttle`
+		return {
+			start: 0,
+			count: 0,
+		};
+	}
+
+	throttle(_ctx: ActorContext, req: ThrottleRequest): ThrottleResponse {
+		const now = Date.now();
+
+        if (now - this.state.start > req.period) {
+            this.state.start = now;
+            this.state.count = 1;
+            return { success: true };
+        }
+
+        if (this.state.count >= req.requests) {
+            return { success: false };
+        }
+
+        this.state.count += 1;
+
+        return { success: true };
+	}
+
+	reset(_ctx: ActorContext, req: Empty): Empty {
+		this.state.start = 0;
+		this.state.count = 0;
+
+		return {};
+	}
+}
diff --git a/modules/captcha/module.json b/modules/captcha/module.json
@@ -0,0 +1,34 @@
+{
+	"status": "stable",
+	"name": "Captcha",
+	"description": "",
+	"icon": "",
+	"tags": [],
+	"authors": [
+		"rivet-gg",
+		"ABCxFF"
+	],
+	"scripts": {
+		"verify_captcha_token": {
+			"name": "Verify Captcha Response",
+			"public": false
+		},
+		"guard": {
+			"name": "Ratelimit Guarded with Captcha Challenge",
+			"public": false
+		}
+	},
+	"errors": {
+		"captcha_failed": {
+			"name": "Captcha Challenge Failed",
+			"internal": false
+		},
+		"captcha_needed": {
+			"name": "Captcha Required (Rate Limit Exceeded)",
+			"internal": false
+		}
+	},
+	"actors": {
+		"throttle": {}
+	}
+}
diff --git a/modules/captcha/scripts/guard.ts b/modules/captcha/scripts/guard.ts
@@ -0,0 +1,54 @@
+import { RuntimeError, ScriptContext } from "../module.gen.ts";
+import { getPublicConfig } from "../utils/get_sitekey.ts";
+// import { getPublicConfig } from "../utils/get_sitekey.ts";
+import type { CaptchaProvider, ThrottleRequest, ThrottleResponse } from "../utils/types.ts";
+
+export interface Request {
+    type: string;
+    key: string;
+    requests: number;
+    period: number;
+    captchaToken?: string | null,
+    captchaProvider: CaptchaProvider
+}
+
+export type Response = Record<string, never>;
+
+export async function run(
+	ctx: ScriptContext,
+	req: Request,
+): Promise<Response> {
+	const key = `${JSON.stringify(req.type)}.${JSON.stringify(req.key)}`;
+
+    if (req.captchaToken) {
+        try {
+            await ctx.modules.captcha.verifyCaptchaToken({
+                token: req.captchaToken,
+                provider: req.captchaProvider
+            });
+
+            await ctx.actors.throttle.getOrCreateAndCall<undefined, {}, {}>(key, undefined, "reset", {});
+
+            return {};
+        } catch {
+            // If we error, it means the captcha failed, we can continue with our normal ratelimitting
+        }
+    }
+
+    const res = await ctx.actors.throttle.getOrCreateAndCall<
+        undefined,
+        ThrottleRequest,
+        ThrottleResponse
+    >(key, undefined, "throttle", {
+        requests: req.requests,
+        period: req.period,
+    });
+
+    if (!res.success) {
+        throw new RuntimeError("captcha_needed", {
+            meta: getPublicConfig(req.captchaProvider)
+        });
+    }
+
+    return {};
+}
diff --git a/modules/captcha/scripts/verify_captcha_token.ts b/modules/captcha/scripts/verify_captcha_token.ts
@@ -0,0 +1,36 @@
+import { RuntimeError, ScriptContext } from "../module.gen.ts";
+import { validateHCaptchaResponse } from "../utils/providers/hcaptcha.ts";
+import { validateCFTurnstileResponse } from "../utils/providers/turnstile.ts";
+// import { validateHCaptchaResponse } from "../providers/hcaptcha.ts";
+// import { validateCFTurnstileResponse } from "../providers/turnstile.ts";
+import { CaptchaProvider } from "../utils/types.ts";
+
+export interface Request {
+    token: string,
+    provider: CaptchaProvider
+}
+
+export type Response = Record<string, never>;
+
+export async function run(
+	ctx: ScriptContext,
+	req: Request,
+): Promise<Response> {
+    const captchaToken = req.token;
+    const captchaProvider = req.provider;
+
+    let success: boolean = false;
+    if ("hcaptcha" in captchaProvider) {
+        success = await validateHCaptchaResponse(captchaProvider.hcaptcha.secret, captchaToken);
+    } else if ("turnstile" in captchaProvider) {
+        success = await validateCFTurnstileResponse(captchaProvider.turnstile.secret, captchaToken);
+    } else {
+        success = true;
+    }
+
+    if (!success) {
+        throw new RuntimeError("captcha_failed");
+    }
+
+    return {};
+}
diff --git a/modules/captcha/tests/e2e_guard.ts b/modules/captcha/tests/e2e_guard.ts
@@ -0,0 +1,45 @@
+import { test, TestContext } from "../module.gen.ts";
+import { assertEquals } from "https://deno.land/[email protected]/assert/mod.ts";
+
+const didFail = async (x: () => Promise<void>) => {
+    try {
+        await x();
+        return false
+    } catch {
+        return true;
+    }
+}
+
+test("e2e success and failure", async (ctx: TestContext) => {
+    const PERIOD = 5000;
+    const REQUESTS = 5;
+
+    const captchaProvider = {
+        turnstile: {
+            secret: "0x0000000000000000000000000000000000000000",
+            sitekey: "" // doesn't really matter here
+        }
+    }
+
+    assertEquals(false, await didFail(async () => {
+        for (let i = 0; i < REQUESTS; ++i) {
+            await ctx.modules.captcha.guard({
+                type: "ip",
+                key: "aaaa",
+                requests: REQUESTS,
+                period: PERIOD,
+                captchaProvider
+            });
+        }
+    }));
+
+    assertEquals(true, await didFail(async () => {
+        await ctx.modules.captcha.guard({
+            type: "ip",
+            key: "aaaa",
+            requests: REQUESTS,
+            period: PERIOD,
+            captchaProvider
+        });
+    }));
+});
diff --git a/modules/captcha/tests/e2e_verify_token.ts b/modules/captcha/tests/e2e_verify_token.ts
@@ -0,0 +1,75 @@
+import { test, TestContext } from "../module.gen.ts";
+import { assertEquals } from "https://deno.land/[email protected]/assert/mod.ts";
+
+const didFail = async (x: () => Promise<void>) => {
+    try {
+        await x();
+        return false
+    } catch {
+        return true;
+    }
+}
+
+test(
+	"hcaptcha success and failure",
+	async (ctx: TestContext) => {
+        const shouldBeFalse = await didFail(async () => {
+            await ctx.modules.captcha.verifyCaptchaToken({
+                provider: {
+                    hcaptcha: {
+                        secret: "0x0000000000000000000000000000000000000000",
+                        sitekey: "" // doesn't really matter here
+                    }
+                },
+                token: "10000000-aaaa-bbbb-cccc-000000000001"
+            });
+        });
+        assertEquals(shouldBeFalse, false);
+
+        const shouldBeTrue = await didFail(async () => {
+            await ctx.modules.captcha.verifyCaptchaToken({
+                provider: {
+                    hcaptcha: {
+                        secret: "0x0000000000000000000000000000000000000000",
+                        sitekey: "" // doesn't really matter here
+                    }
+                },
+                token: "lorem"
+            });
+        });
+        assertEquals(shouldBeTrue, true);
+	},
+);
+
+test(
+	"turnstile success and failure",
+	async (ctx: TestContext) => {
+        // Always passes
+        const shouldBeTrue = await didFail(async () => {
+            await ctx.modules.captcha.verifyCaptchaToken({
+                provider: {
+                    turnstile: {
+                        secret: "2x0000000000000000000000000000000AA",
+                        sitekey: ""  // doesn't really matter here
+                    }
+                },
+                token: "lorem"
+            });
+        });
+        assertEquals(shouldBeTrue, true);
+
+        // Always fails
+        const shouldBeFalse = await didFail(async () => {
+            await ctx.modules.captcha.verifyCaptchaToken({
+                provider: {
+                    turnstile: {
+                        secret: "1x0000000000000000000000000000000AA",
+                        sitekey: ""  // doesn't really matter here
+                    }
+                },
+                token: "ipsum"
+            });
+        });
+        assertEquals(shouldBeFalse, false);
+	},
+);