server side verification done

weDevsOfficial · Oct 30, 2024 · 89e7c24 · 89e7c24
1 parent 0dbd738
commit 89e7c24
Show file tree

Hide file tree

Showing 3 changed files with 71 additions and 4 deletions.
diff --git a/assets/css/frontend-forms.css b/assets/css/frontend-forms.css
@@ -84,7 +84,7 @@ body .wpuf-error {
   background-color: #f2dede;
   color: #a94442;
   border: 1px solid #ebccd1;
-  margin: 10px 10px 20px;
+  margin: 10px 0 20px 0;
   padding: 10px;
   -webkit-border-radius: 3px;
   -moz-border-radius: 3px;

diff --git a/assets/less/frontend-forms.less b/assets/less/frontend-forms.less
@@ -116,7 +116,7 @@ body {
     background-color: #f2dede;
     color: #a94442;
     border: 1px solid #ebccd1;
-    margin: 10px 10px 20px;
+    margin: 10px 0 20px 0;
     padding: 10px;
     .border-radius(3px);
     font-size: 13px;

diff --git a/includes/Free/Simple_Login.php b/includes/Free/Simple_Login.php
@@ -19,6 +19,13 @@ class Simple_Login {
 
     private $messages = [];
 
+    /**
+     * Cloudflare Turnstile messages
+     *
+     * @var array
+     */
+    private $cf_messages = [];
+
     private static $_instance;
 
     public function __construct() {
@@ -415,6 +422,52 @@ public function login_form() {
         return ob_get_clean();
     }
 
+    /**
+     * Verify if cloudflare turnstile request is successful
+     *
+     * @since WPUF_SINCE
+     *
+     * @return bool
+     */
+    private function verify_cloudflare_turnstile_on_login() {
+        $nonce = isset( $_POST['wpuf-login-nonce'] ) ? sanitize_key( wp_unslash( $_POST['wpuf-login-nonce'] ) ) : '';
+
+        if ( isset( $nonce ) && ! wp_verify_nonce( $nonce, 'wpuf_login_action' ) ) {
+            return false;
+        }
+
+        $secret = wpuf_get_option( 'turnstile_secret_key', 'wpuf_general', '' );
+
+        if ( empty( $secret ) ) {
+            return false;
+        }
+
+        $remote_addr = ! empty( $_SERVER['REMOTE_ADDR'] ) ? sanitize_url(
+            wp_unslash( $_SERVER['REMOTE_ADDR'] )
+        ) : '';
+
+        $cf_url = 'https://challenges.cloudflare.com/turnstile/v0/siteverify';
+        $token  = ! empty( $_POST['cf-turnstile-response'] ) ? sanitize_text_field( wp_unslash( $_POST['cf-turnstile-response'] ) ) : '';
+
+        // Request data
+        $data = [
+            'secret'   => $secret,
+            'response' => $token,
+            'remoteip' => $remote_addr,
+        ];
+
+        $response = wp_remote_post( $cf_url, [ 'body' => $data ] );
+        $body     = json_decode( wp_remote_retrieve_body( $response ), true );
+
+        if ( ! empty( $body['success'] ) ) {
+            return true;
+        } else {
+            $this->cf_messages[] = ! empty( $body['error-codes'] ) ? $body['error-codes'] : '';
+
+            return false;
+        }
+    }
+
     /**
      * Remove selected cookie to have consistency with the login nonce.
      * fixes WooCommerce Stripe Gateway plugin conflict
@@ -452,10 +505,24 @@ public function process_login() {
             return;
         }
 
-        $log = isset( $_POST['log'] ) ? esc_attr( wp_unslash( $_POST['log'] ) ) : '';
-        $pwd = isset( $_POST['pwd'] ) ? trim( $_POST['pwd'] ) : '';
+        $log = isset( $_POST['log'] ) ? sanitize_text_field( wp_unslash( $_POST['log'] ) ) : '';
+        $pwd = isset( $_POST['pwd'] ) ? sanitize_text_field( ( wp_unslash( $_POST['pwd'] ) ) ) : '';
         // $g_recaptcha_response = isset( $_POST['g-recaptcha-response'] ) ? sanitize_text_field( wp_unslash( $_POST['g-recaptcha-response'] ) ) : '';
 
+        if ( ! $this->verify_cloudflare_turnstile_on_login() ) {
+            $errors = ! empty( $this->cf_messages[0] ) ? $this->cf_messages[0] : '';
+            $errors = implode( ', ', $errors );
+            $this->login_errors[] =
+            sprintf(
+                // translators: %1$s and %2$s are strong tags, %3$s is the error message
+                __( '%1$sError%2$s: Cloudflare Turnstile verification failed. Reasons: [%3$s]', 'wp-user-frontend' ),
+                '<strong>',
+                '</strong>',
+                $errors
+            );
+                '<strong>' . __( 'Error', 'wp-user-frontend' ) . ':</strong> ' . __( 'Cloudflare Turnstile verification failed. Reasons: [', 'wp-user-frontend' );
+        }
+
         $validation_error = new WP_Error();
         $validation_error = apply_filters( 'wpuf_process_login_errors', $validation_error, $log, $pwd );