Odoo18-Base/addons/website_cf_turnstile/models/ir_http.py

# -*- coding: utf-8 -*-
# Part of Odoo. See LICENSE file for full copyright and licensing details.
import logging
import requests

from odoo import api, models, _
from odoo.http import request
from odoo.exceptions import UserError, ValidationError

logger = logging.getLogger(__name__)


class Http(models.AbstractModel):
    _inherit = 'ir.http'

    @api.model
    def get_frontend_session_info(self):
        """Add the Turnstile public key to the given session_info object"""
        session = super().get_frontend_session_info()

        site_key = self.env['ir.config_parameter'].sudo().get_param('cf.turnstile_site_key')
        if site_key:
            session['turnstile_site_key'] = site_key

        return session

    @api.model
    def _verify_request_recaptcha_token(self, action):
        """ Verify the recaptcha token for the current request.
            If no recaptcha private key is set the recaptcha verification
            is considered inactive and this method will return True.
        """
        res = super()._verify_request_recaptcha_token(action)

        if not res:  # check result of google_recaptcha
            return res

        ip_addr = request.httprequest.remote_addr
        token = request.params.pop('turnstile_captcha', False)
        turnstile_result = request.env['ir.http']._verify_turnstile_token(ip_addr, token, action)
        if turnstile_result in ['is_human', 'no_secret']:
            return True
        if turnstile_result == 'wrong_secret':
            raise ValidationError(_("The Cloudflare turnstile private key is invalid."))
        elif turnstile_result == 'wrong_token':
            raise ValidationError(_("The CloudFlare human validation failed."))
        elif turnstile_result == 'timeout':
            raise UserError(_("Your request has timed out, please retry."))
        elif turnstile_result == 'bad_request':
            raise UserError(_("The request is invalid or malformed."))
        else:  # wrong_action e.g.
            return False

    @api.model
    def _verify_turnstile_token(self, ip_addr, token, action=False):
        """
            Verify a turnstile token and returns the result as a string.
            Turnstile verify DOC: https://developers.cloudflare.com/turnstile/get-started/server-side-validation/

            :return: The result of the call to the cloudflare API:
                     is_human: The token is valid and the user trustworthy.
                     is_bot: The user is not trustworthy and most likely a bot.
                     no_secret: No private key in settings.
                     wrong_action: the action performed to obtain the token does not match the one we are verifying.
                     wrong_token: The token provided is invalid or empty.
                     wrong_secret: The private key provided in settings is invalid.
                     timeout: The request has timout or the token provided is too old.
                     bad_request: The request is invalid or malformed.
                     internal-error: The request failed.
            :rtype: str
        """
        private_key = request.env['ir.config_parameter'].sudo().get_param('cf.turnstile_secret_key')
        if not private_key:
            return 'no_secret'
        try:
            r = requests.post('https://challenges.cloudflare.com/turnstile/v0/siteverify', {
                'secret': private_key,
                'response': token,
                'remoteip': ip_addr,
            }, timeout=3.05)
            result = r.json()
            res_success = result['success']
            res_action = res_success and action and result['action']
        except requests.exceptions.Timeout:
            logger.error("Turnstile verification timeout for ip address %s", ip_addr)
            return 'timeout'
        except Exception:
            logger.error("Turnstile verification bad request response")
            return 'bad_request'

        if res_success:
            if res_action and res_action != action:
                logger.warning("Turnstile verification for ip address %s failed with action %f, expected: %s.", ip_addr, res_action, action)
                return 'wrong_action'
            logger.info("Turnstile verification for ip address %s succeeded", ip_addr)
            return 'is_human'
        errors = result.get('error-codes', [])
        logger.warning("Turnstile verification for ip address %s failed error codes %r. token was: [%s]", ip_addr, errors, token)
        for error in errors:
            if error in ['missing-input-secret', 'invalid-input-secret']:
                return 'wrong_secret'
            if error in ['missing-input-response', 'invalid-input-response']:
                return 'wrong_token'
            if error in ('timeout-or-duplicate', 'internal-error'):
                return 'timeout'
            if error == 'bad-request':
                return 'bad_request'
        return 'is_bot'