fix: prevent sitekey abuse with account secret authentication for access token validation

SUMMARY At present, sitekey can be abused by installing it on a third-party site as verifying the access token returned from CAPTCHA validation doesn't require any authentication. This fix uses account secret authentication to verify access tokens credits: by @gusted
2025-05-01 12:51:01 +03:00 · 2022-07-22 19:44:35 +05:30 · 2022-07-22 19:44:35 +05:30 · 7d0e4c6be4
commit 7d0e4c6be4
parent 85f91cb79b
4 changed files with 87 additions and 23 deletions
--- a/db/db-sqlx-postgres/src/lib.rs
+++ b/db/db-sqlx-postgres/src/lib.rs
@ -299,6 +299,22 @@ impl MCDatabase for Database {
        Ok(secret)
    }

+    /// get a user's secret from a captcha key
+    async fn get_secret_from_captcha(&self, key: &str) -> DBResult<Secret> {
+        let secret = sqlx::query_as!(
+            Secret,
+            r#"SELECT secret  FROM mcaptcha_users WHERE ID = (
+                    SELECT user_id FROM mcaptcha_config WHERE key = $1
+                    )"#,
+            key,
+        )
+        .fetch_one(&self.pool)
+        .await
+        .map_err(|e| map_row_not_found_err(e, DBError::AccountNotFound))?;
+
+        Ok(secret)
+    }
+
    /// update a user's secret
    async fn update_secret(&self, username: &str, secret: &str) -> DBResult<()> {
        sqlx::query!(