Add Feature flag to whitelist users from recaptcha check(PROJQUAY-3697) (#1454)

Signed-off-by: harishsurf <hgovinda@redhat.com>
2025-07-30 07:43:13 +03:00 · 2022-07-22 16:18:45 -04:00
parent 9eb4fb6aa4
commit 1c8f5df6e2
7 changed files with 39 additions and 13 deletions
--- a/config.py
+++ b/config.py
@ -592,6 +592,9 @@ class DefaultConfig(ImmutableConfig):
    RECAPTCHA_SITE_KEY: Optional[str] = None
    RECAPTCHA_SECRET_KEY: Optional[str] = None

+    # List of users allowed to pass through recaptcha security check to enable org/user creation via API
+    RECAPTCHA_WHITELISTED_USERS: List[str] = []
+
    # Server where TUF metadata can be found
    TUF_SERVER = None

--- a/endpoints/api/organization.py
+++ b/endpoints/api/organization.py
@ -173,13 +173,14 @@ class OrganizationList(ApiResource):

        # If recaptcha is enabled, then verify the user is a human.
        if features.RECAPTCHA:
-            recaptcha_response = org_data.get("recaptcha_response", "")
-            result = recaptcha2.verify(
-                app.config["RECAPTCHA_SECRET_KEY"], recaptcha_response, get_request_ip()
-            )
-
-            if not result["success"]:
-                return {"message": "Are you a bot? If not, please revalidate the captcha."}, 400
+            # check if the user is whitelisted to bypass recaptcha security check
+            if user.username not in app.config["RECAPTCHA_WHITELISTED_USERS"]:
+                recaptcha_response = org_data.get("recaptcha_response", "")
+                result = recaptcha2.verify(
+                    app.config["RECAPTCHA_SECRET_KEY"], recaptcha_response, get_request_ip()
+                )
+                if not result["success"]:
+                    return {"message": "Are you a bot? If not, please revalidate the captcha."}, 400

        is_possible_abuser = ip_resolver.is_ip_possible_threat(get_request_ip())
        try:
--- a/endpoints/api/user.py
+++ b/endpoints/api/user.py
@ -516,13 +516,16 @@ class User(ApiResource):

        # If recaptcha is enabled, then verify the user is a human.
        if features.RECAPTCHA:
-            recaptcha_response = user_data.get("recaptcha_response", "")
-            result = recaptcha2.verify(
-                app.config["RECAPTCHA_SECRET_KEY"], recaptcha_response, get_request_ip()
-            )
+            user = get_authenticated_user()
+            # check if the user is whitelisted to bypass recaptcha security check
+            if user is None or (user.username not in app.config["RECAPTCHA_WHITELISTED_USERS"]):
+                recaptcha_response = user_data.get("recaptcha_response", "")
+                result = recaptcha2.verify(
+                    app.config["RECAPTCHA_SECRET_KEY"], recaptcha_response, get_request_ip()
+                )

-            if not result["success"]:
-                return {"message": "Are you a bot? If not, please revalidate the captcha."}, 400
+                if not result["success"]:
+                    return {"message": "Are you a bot? If not, please revalidate the captcha."}, 400

        is_possible_abuser = ip_resolver.is_ip_possible_threat(get_request_ip())
        try:
--- a/features/init.pyi
+++ b/features/init.pyi
@ -128,6 +128,9 @@ REPO_MIRROR: FeatureNameValue
 # Site key and secret key for using recaptcha.
 RECAPTCHA: FeatureNameValue

+# List of users allowed to pass through recaptcha security check to enable org/user creation via API
+RECAPTCHA_WHITELISTED_USERS: FeatureNameValue
+
 # Feature Flag: Whether team syncing from the backing auth is enabled.
 TEAM_SYNCING: FeatureNameValue

--- a/test/test_api_usage.py
+++ b/test/test_api_usage.py
@ -814,6 +814,12 @@ class TestCreateNewUser(ApiTestCase):
                details["recaptcha_response"] = "somecode"
                self.postResponse(User, data=details, expected_code=200)

+    def test_recaptcha_whitelisted_users(self):
+        self.login(READ_ACCESS_USER)
+        with (self.toggleFeature("RECAPTCHA", True)):
+            app.config["RECAPTCHA_WHITELISTED_USERS"] = READ_ACCESS_USER
+            self.postResponse(User, data=NEW_USER_DETAILS, expected_code=200)
+
    def test_createuser_withteaminvite(self):
        inviter = model.user.get_user(ADMIN_ACCESS_USER)
        team = model.team.get_organization_team(ORGANIZATION, "owners")
--- a/test/testconfig.py
+++ b/test/testconfig.py
@ -90,6 +90,7 @@ class TestConfig(DefaultConfig):

    RECAPTCHA_SITE_KEY = "somekey"
    RECAPTCHA_SECRET_KEY = "somesecretkey"
+    RECAPTCHA_WHITELISTED_USERS: List[str] = []

    FEATURE_APP_REGISTRY = True
    FEATURE_TEAM_SYNCING = True
--- a/util/config/schema.py
+++ b/util/config/schema.py
@ -811,6 +811,15 @@ CONFIG_SCHEMA = {
            "type": ["string", "null"],
            "description": "If recaptcha is enabled, the secret key for the Recaptcha service",
        },
+        # Pass through recaptcha for whitelisted users to support org/user creation via API
+        "RECAPTCHA_WHITELISTED_USERS": {
+            "type": "array",
+            "description": "Quay usernames of those users allowed to create org/user via API bypassing recaptcha security check",
+            "uniqueItems": True,
+            "items": {
+                "type": "string",
+            },
+        },
        # External application tokens.
        "FEATURE_APP_SPECIFIC_TOKENS": {
            "type": "boolean",