fix: prevent sitekey abuse with account secret authentication for access token validation

SUMMARY At present, sitekey can be abused by installing it on a third-party site as verifying the access token returned from CAPTCHA validation doesn't require any authentication. This fix uses account secret authentication to verify access tokens credits: by @gusted
2026-02-11 01:55:40 +00:00 · 2022-07-22 19:44:35 +05:30
parent 85f91cb79b
commit 7d0e4c6be4
4 changed files with 87 additions and 23 deletions
--- a/db/db-core/src/lib.rs
+++ b/db/db-core/src/lib.rs
@@ -134,6 +134,9 @@ pub trait MCDatabase: std::marker::Send + std::marker::Sync + CloneSPDatabase {
    /// get a user's secret
    async fn get_secret(&self, username: &str) -> DBResult<Secret>;

+    /// get a user's secret from a captcha key
+    async fn get_secret_from_captcha(&self, key: &str) -> DBResult<Secret>;
+
    /// update a user's secret
    async fn update_secret(&self, username: &str, secret: &str) -> DBResult<()>;

--- a/db/db-core/src/tests.rs
+++ b/db/db-core/src/tests.rs
@@ -176,6 +176,10 @@ pub async fn database_works<'a, T: MCDatabase>(
    assert!(db.captcha_exists(None, c.key).await.unwrap());
    assert!(db.captcha_exists(Some(p.username), c.key).await.unwrap());

+    // get secret from captcha key
+    let secret_from_captcha = db.get_secret_from_captcha(&c.key).await.unwrap();
+    assert_eq!(secret_from_captcha.secret, p.secret, "user secret matches");
+
    // get captcha configuration
    let captcha = db.get_captcha_config(p.username, c.key).await.unwrap();
    assert_eq!(captcha.key, c.key);