fix: prevent sitekey abuse with account secret authentication for access token validation

SUMMARY At present, sitekey can be abused by installing it on a third-party site as verifying the access token returned from CAPTCHA validation doesn't require any authentication. This fix uses account secret authentication to verify access tokens credits: by @gusted
2026-02-12 10:35:39 +00:00 · 2022-07-22 19:44:35 +05:30
parent 85f91cb79b
commit 7d0e4c6be4
4 changed files with 87 additions and 23 deletions
--- a/db/db-core/src/tests.rs
+++ b/db/db-core/src/tests.rs
@@ -176,6 +176,10 @@ pub async fn database_works<'a, T: MCDatabase>(
    assert!(db.captcha_exists(None, c.key).await.unwrap());
    assert!(db.captcha_exists(Some(p.username), c.key).await.unwrap());

+    // get secret from captcha key
+    let secret_from_captcha = db.get_secret_from_captcha(&c.key).await.unwrap();
+    assert_eq!(secret_from_captcha.secret, p.secret, "user secret matches");
+
    // get captcha configuration
    let captcha = db.get_captcha_config(p.username, c.key).await.unwrap();
    assert_eq!(captcha.key, c.key);