Generate hash to validate parameters
maccabeelevine committed Nov 27, 2024
1 parent d16b4b0 commit 4b0a894
Showing 2 changed files with 15 additions and 0 deletions.
14 changes: 14 additions & 0 deletions module/VuFind/src/VuFind/Controller/TurnstileController.php
Expand Up @@ -50,6 +50,8 @@ class TurnstileController extends AbstractBase implements
use HttpServiceAwareTrait;
use LoggerAwareTrait;

protected $hashKeys = ['siteKey', 'policyId', 'destination'];

/**
* Present the Turnstile challenge to the user
*
Expand All @@ -64,6 +66,8 @@ public function challengeAction()
$context['siteKey'] = $config['Turnstile']['siteKey'];
$context['jsLibraryUrl'] = $config['Turnstile']['jsLibraryUrl'] ??
'https://challenges.cloudflare.com/turnstile/v0/api.js';
$hmac = $this->getService(\VuFind\Crypt\HMAC::class);
$context['hash'] = $hmac->generate($this->hashKeys, $context);

$this->layout()->searchbox = false;
return $this->createViewModel($context);
Expand All @@ -79,6 +83,16 @@ public function verifyAction()
$token = $this->params()->fromPost('token');
$policyId = $this->params()->fromPost('policyId');
$destination = $this->params()->fromPost('destination');
$priorHash = $this->params()->fromPost('hash');

$hmac = $this->getService(\VuFind\Crypt\HMAC::class);
$yamlReader = $this->getService(\VuFind\Config\YamlReader::class);
$config = $yamlReader->get('RateLimiter.yaml');
$siteKey = $config['Turnstile']['siteKey'];
$newHash = $hmac->generate($this->hashKeys, compact($this->hashKeys));
if ($newHash != $priorHash) {
throw new \Exception('Wrong hash value used in Turnstile verification.');
}

// Call the Turnstile verify API to validate the token
$yamlReader = $this->getService(\VuFind\Config\YamlReader::class);
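Review bot: The check `if ($newHash != $priorHash)` in verifyAction compares a POST-supplied value with loose `!=`, which treats two numeric-looking strings (a hex digest starting `0e…`, for instance) as equal numbers and is not constant-time; since `$priorHash` is untrusted input, compare with `if (!hash_equals($newHash, (string) $priorHash)) {` (the cast covers a missing POST field, which fromPost returns as null). The new `$yamlReader` lookup in the same hunk duplicates the one on the hunk's last context line, so one of the two fetches can go. The `$hashKeys` property added in the first hunk has no type or docblock; `protected array $hashKeys = ['siteKey', 'policyId', 'destination'];` with a one-line comment saying these are the challenge parameters bound into the HMAC that verifyAction re-checks would make its role clear. verifyAction's signature is above the hunk and its body continues below it.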
1 change: 1 addition & 0 deletions themes/bootstrap5/templates/turnstile/challenge.phtml
Expand Up @@ -19,4 +19,5 @@
<input id="turnstile_token" name="token" type="hidden">
<input name="policyId" type="hidden" value="<?=$this->escapeHtml($policyId)?>">
<input name="destination" type="hidden" value="<?=$this->escapeHtml($destination)?>">
<input name="hash" type="hidden" value="<?=$this->escapeHtml($hash)?>">
</form>
