From 51499c45c0647c10505892934642663df607c24a Mon Sep 17 00:00:00 2001 From: Tushar Goel Date: Thu, 20 Mar 2025 15:08:27 +0530 Subject: [PATCH] Add captcha for user signup Signed-off-by: Tushar Goel --- requirements.txt | 1 + setup.cfg | 2 ++ vulnerabilities/forms.py | 6 ++++++ .../templates/api_user_creation_form.html | 12 +++++++++--- vulnerablecode/settings.py | 7 +++++++ 5 files changed, 25 insertions(+), 3 deletions(-) diff --git a/requirements.txt b/requirements.txt index 347259791..b80ec6fb9 100644 --- a/requirements.txt +++ b/requirements.txt @@ -31,6 +31,7 @@ Django==4.2.17 django-crispy-forms==2.3 django-environ==0.11.2 django-filter==24.3 +django-recaptcha==4.0.0 django-widget-tweaks==1.5.0 djangorestframework==3.15.2 doc8==0.11.1 diff --git a/setup.cfg b/setup.cfg index a3db96abd..8c6dc03c0 100644 --- a/setup.cfg +++ b/setup.cfg @@ -99,6 +99,8 @@ install_requires = python-dotenv texttable + django-recaptcha>=4.0.0 + [options.extras_require] dev = diff --git a/vulnerabilities/forms.py b/vulnerabilities/forms.py index a00885637..50511571d 100644 --- a/vulnerabilities/forms.py +++ b/vulnerabilities/forms.py @@ -9,6 +9,8 @@ from django import forms from django.core.validators import validate_email +from django_recaptcha.fields import ReCaptchaField +from django_recaptcha.widgets import ReCaptchaV2Checkbox from vulnerabilities.models import ApiUser @@ -38,6 +40,10 @@ class ApiUserCreationForm(forms.ModelForm): Support a simplified creation for API-only users directly from the UI. """ + captcha = ReCaptchaField( + error_messages={"required": ("Captcha is required")}, widget=ReCaptchaV2Checkbox + ) + class Meta: model = ApiUser fields = ( diff --git a/vulnerabilities/templates/api_user_creation_form.html b/vulnerabilities/templates/api_user_creation_form.html index c7b2291f0..4c596f094 100644 --- a/vulnerabilities/templates/api_user_creation_form.html +++ b/vulnerabilities/templates/api_user_creation_form.html @@ -14,11 +14,17 @@ {% endfor %}
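Review bot: In the `captcha` field added to `ApiUserCreationForm`, the parentheses in `error_messages={"required": ("Captcha is required")}` have no effect: the value is a plain string, yet it reads as if a tuple or a `_()` translation call was intended. Writing `error_messages={"required": "Captcha is required"}` removes the doubt. A one-line comment above the field would also help the next reader, for example `# Verified server-side by ReCaptchaField; requires RECAPTCHA_PUBLIC_KEY and RECAPTCHA_PRIVATE_KEY in settings.` The class body continues outside the hunk, so whether any other path creates an `ApiUser` without going through this form cannot be judged from here.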
- {% for field_name, errors in form.errors.items %} + {% if form.errors.captcha %}
- {{ errors }} + {{ form.errors.captcha }}
- {% endfor %} + {% else %} +
+ {% for error in form.errors.values %} + {{ error }} + {% endfor %} +
+ {% endif %}

VulnerableCode API key request diff --git a/vulnerablecode/settings.py b/vulnerablecode/settings.py index 0e545e0f2..a0e1bf1c0 100644 --- a/vulnerablecode/settings.py +++ b/vulnerablecode/settings.py @@ -83,8 +83,15 @@ "drf_spectacular", # required for Django collectstatic discovery "drf_spectacular_sidecar", + "django_recaptcha", ) +RECAPTCHA_PUBLIC_KEY = env.str("RECAPTCHA_PUBLIC_KEY", "") +RECAPTCHA_PRIVATE_KEY = env.str("RECAPTCHA_PRIVATE_KEY", "") +SILENCED_SYSTEM_CHECKS = ["captcha.recaptcha_test_key_error"] +RECAPTCHA_DOMAIN = env.str("RECAPTCHA_DOMAIN", "www.recaptcha.net") + + MIDDLEWARE = ( "django.middleware.security.SecurityMiddleware", "django.contrib.sessions.middleware.SessionMiddleware",
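Review bot: The new `{% if form.errors.captcha %} … {% else %}` branch in `api_user_creation_form.html` suppresses every other field error whenever a captcha error is present. A submission with an invalid email and an unsolved captcha reports only the captcha, and the user learns about the email only after solving it and submitting again. Rendering `{{ form.errors.captcha }}` first and then the `{% for error in form.errors.values %}` loop without the `{% else %}` would show everything in one pass, provided the captcha entry is skipped in the loop so it is not printed twice. The surrounding markup is not visible on this page, so the exact placement needs checking against the template.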
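Review bot: `SILENCED_SYSTEM_CHECKS = ["captcha.recaptcha_test_key_error"]` in `settings.py` aims to switch off, for every environment, the startup check that warns when the site runs on the public reCAPTCHA test keys, under which the captcha accepts any response. With django-recaptcha 4.x the app is `django_recaptcha`, so the id is probably `django_recaptcha.recaptcha_test_key_error` and this line may silence nothing; that is worth confirming. Either way I would drop the line or apply it only in development and test settings. `RECAPTCHA_PUBLIC_KEY` and `RECAPTCHA_PRIVATE_KEY` also default to `""`, so a deployment missing them starts without complaint and presumably only fails once a user submits the signup form. A comment such as `# Both keys must be set in production; with empty values captcha verification cannot succeed.` or a startup error outside debug mode would make the misconfiguration visible early.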