diff options
author | Péter Szilágyi <peterke@gmail.com> | 2017-04-20 22:42:36 +0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-04-20 22:42:36 +0800 |
commit | d2fda73ad7f4771dadb265d1cbfaecaaabb2cb42 (patch) | |
tree | 74dce173cd1ef71a734a5a74d1ce864686284851 /cmd/faucet/faucet.go | |
parent | 5aa21d8b32206867631950ac07645ec8854434b4 (diff) | |
parent | af48a331bf1ec8d30cff7d411afcce37741cbede (diff) | |
download | dexon-d2fda73ad7f4771dadb265d1cbfaecaaabb2cb42.tar dexon-d2fda73ad7f4771dadb265d1cbfaecaaabb2cb42.tar.gz dexon-d2fda73ad7f4771dadb265d1cbfaecaaabb2cb42.tar.bz2 dexon-d2fda73ad7f4771dadb265d1cbfaecaaabb2cb42.tar.lz dexon-d2fda73ad7f4771dadb265d1cbfaecaaabb2cb42.tar.xz dexon-d2fda73ad7f4771dadb265d1cbfaecaaabb2cb42.tar.zst dexon-d2fda73ad7f4771dadb265d1cbfaecaaabb2cb42.zip |
Merge pull request #14339 from karalabe/faucet-block-banned-users
cmd/faucet: further user validations and bot protection
Diffstat (limited to 'cmd/faucet/faucet.go')
-rw-r--r-- | cmd/faucet/faucet.go | 54 |
1 files changed, 49 insertions, 5 deletions
diff --git a/cmd/faucet/faucet.go b/cmd/faucet/faucet.go index fd34cdec1..f87cfdb72 100644 --- a/cmd/faucet/faucet.go +++ b/cmd/faucet/faucet.go @@ -29,6 +29,7 @@ import ( "io/ioutil" "math/big" "net/http" + "net/url" "os" "path/filepath" "strings" @@ -73,6 +74,9 @@ var ( githubUser = flag.String("github.user", "", "GitHub user to authenticate with for Gist access") githubToken = flag.String("github.token", "", "GitHub personal token to access Gists with") + captchaToken = flag.String("captcha.token", "", "Recaptcha site key to authenticate client side") + captchaSecret = flag.String("captcha.secret", "", "Recaptcha secret key to authenticate server side") + logFlag = flag.Int("loglevel", 3, "Log level to use for Ethereum and the faucet") ) @@ -96,9 +100,10 @@ func main() { } website := new(bytes.Buffer) template.Must(template.New("").Parse(string(tmpl))).Execute(website, map[string]interface{}{ - "Network": *netnameFlag, - "Amount": *payoutFlag, - "Period": period, + "Network": *netnameFlag, + "Amount": *payoutFlag, + "Period": period, + "Recaptcha": *captchaToken, }) // Load and parse the genesis block requested by the user blob, err := ioutil.ReadFile(*genesisFlag) @@ -297,7 +302,8 @@ func (f *faucet) apiHandler(conn *websocket.Conn) { for { // Fetch the next funding request and validate against github var msg struct { - URL string `json:"url"` + URL string `json:"url"` + Captcha string `json:"captcha"` } if err := websocket.JSON.Receive(conn, &msg); err != nil { return @@ -308,6 +314,33 @@ func (f *faucet) apiHandler(conn *websocket.Conn) { } log.Info("Faucet funds requested", "gist", msg.URL) + // If captcha verifications are enabled, make sure we're not dealing with a robot + if *captchaToken != "" { + form := url.Values{} + form.Add("secret", *captchaSecret) + form.Add("response", msg.Captcha) + + res, err := http.PostForm("https://www.google.com/recaptcha/api/siteverify", form) + if err != nil { + websocket.JSON.Send(conn, map[string]string{"error": err.Error()}) + continue + } + var result struct { + Success bool `json:"success"` + Errors json.RawMessage `json:"error-codes"` + } + err = json.NewDecoder(res.Body).Decode(&result) + res.Body.Close() + if err != nil { + websocket.JSON.Send(conn, map[string]string{"error": err.Error()}) + continue + } + if !result.Success { + log.Warn("Captcha verification failed", "err", string(result.Errors)) + websocket.JSON.Send(conn, map[string]string{"error": "Beep-boop, you're a robot!"}) + continue + } + } // Retrieve the gist from the GitHub Gist APIs parts := strings.Split(msg.URL, "/") req, _ := http.NewRequest("GET", "https://api.github.com/gists/"+parts[len(parts)-1], nil) @@ -334,7 +367,7 @@ func (f *faucet) apiHandler(conn *websocket.Conn) { continue } if gist.Owner.Login == "" { - websocket.JSON.Send(conn, map[string]string{"error": "Nice try ;)"}) + websocket.JSON.Send(conn, map[string]string{"error": "Anonymous Gists not allowed"}) continue } // Iterate over all the files and look for Ethereum addresses @@ -348,6 +381,17 @@ func (f *faucet) apiHandler(conn *websocket.Conn) { websocket.JSON.Send(conn, map[string]string{"error": "No Ethereum address found to fund"}) continue } + // Validate the user's existence since the API is unhelpful here + if res, err = http.Head("https://github.com/" + gist.Owner.Login); err != nil { + websocket.JSON.Send(conn, map[string]string{"error": err.Error()}) + continue + } + res.Body.Close() + + if res.StatusCode != 200 { + websocket.JSON.Send(conn, map[string]string{"error": "Invalid user... boom!"}) + continue + } // Ensure the user didn't request funds too recently f.lock.Lock() var ( |