feat: captcha

* Added Revis distributed cash to enhance our Captcha Verification system so that we prevent our system from replay attacks

* Fix: There was an error with the implementation of Redis, so I reverted to our previous version that uses in memory storage

* Integrated the captcha verification system into our sign in Form. The captcha verification system now works on both login and sign int

* Remove test files from captcha module

* Update src/backend/src/modules/captcha/middleware/captcha-middleware.js

Co-authored-by: Eric Dubé <[email protected]>

* Update src/backend/src/modules/captcha/middleware/captcha-middleware.js

Co-authored-by: Eric Dubé <[email protected]>

* Now the captcha can be requested on condition, this llaows extenstions to control wether a captcha should be required,
I fixed the code in CaptchaModule to use config
and got rid of the lines that made captcha middleware available since it wasn't used anywhre

* I split the middleware into two distinct parts, so that the frontend can now determine captach requirements. PuterHomePageService can set GUI parameters for captcha requirements. The /whoarewe endpoint provides captcha requirement information and the extensuo system integration is maintained

* Fix security issues with password handling in URL query parameters

* Made sure that the enter key, submits the login request instead of refreshing the captcha

* In development we can now disable the Captcha verification system by running it with CAPTCHA_ENABLED=false npm start

* Went back and modified checkCaptcha so that it checks at the start to check what CAPTCHA_ENABLED is equal to

* Refactor captcha system to use configuration values instead of environment variables

* Fix captcha verification and align with project standards

* Update src/backend/src/modules/captcha/README.md

Co-authored-by: Eric Dubé <[email protected]>

* fix: incorrect service name

* dev: use Endpoint for captcha endpoints

Use Endpoint class, which uses eggspress behind the scenes, which handles
async errors in handlers automatically.

* dev: add extension support and simplify captcha

- removed extra error handling
- removed dormant code
- no distinction between login and signup (for now)

* clean: remove local files

* fix: undefined edge case

---------

Co-authored-by: Eric Dubé <[email protected]>

Author: Jomaguy

.gitignore

@@ -29,4 +29,4 @@ dist/
 
 # Local Netlify folder
 .netlify
-src/emulator/release/
+src/emulator/release/

package-lock.json

@@ -49,6 +49,7 @@
   "dependencies": {
     "@heyputer/putility": "^1.0.2",
     "dedent": "^1.5.3",
+    "ioredis": "^5.6.0",
     "javascript-time-ago": "^2.5.11",
     "json-colorizer": "^3.0.1",
     "open": "^10.1.0",

package.json

@@ -39,6 +39,7 @@ const { InternetModule } = require("./src/modules/internet/InternetModule.js");
 const { PuterExecModule } = require("./src/modules/puterexec/PuterExecModule.js");
 const { MailModule } = require("./src/modules/mail/MailModule.js");
 const { ConvertModule } = require("./src/modules/convert/ConvertModule.js");
+const { CaptchaModule } = require("./src/modules/captcha/CaptchaModule.js");
 
 module.exports = {
     helloworld: () => {
@@ -61,6 +62,7 @@ module.exports = {
         WebModule,
         TemplateModule,
         AppsModule,
+        CaptchaModule,
     ],
 
     // Pre-built modules
@@ -76,6 +78,7 @@ module.exports = {
     InternetModule,
     MailModule,
     ConvertModule,
+    CaptchaModule,
 
     // Development modules
     PerfMonModule,

src/backend/exports.js

@@ -24,7 +24,7 @@
     "@smithy/node-http-handler": "^2.2.2",
     "args": "^5.0.3",
     "aws-sdk": "^2.1383.0",
-    "axios": "^1.4.0",
+    "axios": "^1.8.2",
     "bcrypt": "^5.1.0",
     "better-sqlite3": "^11.9.0",
     "busboy": "^1.6.0",
@@ -73,6 +73,7 @@
     "ssh2": "^1.13.0",
     "string-hash": "^1.1.3",
     "string-length": "^6.0.0",
+    "svg-captcha": "^1.4.0",
     "svgo": "^3.0.2",
     "tiktoken": "^1.0.16",
     "together-ai": "^0.6.0-alpha.4",

src/backend/package.json

@@ -483,7 +483,17 @@ module.exports = class APIError {
         'not_yet_supported': {
             status: 400,
             message: ({ message }) => message,
-        }
+        },
+
+        // Captcha errors
+        'captcha_required': {
+            status: 400,
+            message: ({ message }) => message || 'Captcha verification required',
+        },
+        'captcha_invalid': {
+            status: 400,
+            message: ({ message }) => message || 'Invalid captcha response',
+        },
     };
 
     /**

src/backend/src/api/APIError.js

@@ -51,6 +51,13 @@ config.require_email_verification_to_publish_website = false;
 config.kv_max_key_size = 1024;
 config.kv_max_value_size = 400 * 1024;
 
+// Captcha configuration
+config.captcha = {
+    enabled: false,                 // Enable captcha by default
+    expirationTime: 10 * 60 * 1000, // 10 minutes default expiration time
+    difficulty: 'medium'            // Default difficulty level
+};
+
 config.monitor = {
     metricsInterval: 60000,
     windowSize: 30,

src/backend/src/config.js

@@ -20,10 +20,12 @@
 
 const { Kernel } = require("./Kernel");
 const CoreModule = require("./CoreModule");
+const { CaptchaModule } = require("./modules/captcha/CaptchaModule"); // Add CaptchaModule
 
 const testlaunch = () => {
     const k = new Kernel();
     k.add_module(new CoreModule());
+    k.add_module(new CaptchaModule()); // Register the CaptchaModule
     k.boot();
 }
 

src/backend/src/index.js

@@ -0,0 +1,58 @@
+// METADATA // {"ai-commented":{"service":"claude"}}
+/*
+ * Copyright (C) 2024-present Puter Technologies Inc.
+ *
+ * This file is part of Puter.
+ *
+ * Puter is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published
+ * by the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+const { AdvancedBase } = require("@heyputer/putility");
+const CaptchaService = require('./services/CaptchaService');
+
+/**
+ * @class CaptchaModule
+ * @extends AdvancedBase
+ * @description Module that provides captcha verification functionality to protect
+ * against automated abuse, particularly for login and signup flows. Registers
+ * a CaptchaService for generating and verifying captchas as well as middlewares
+ * that can be used to protect routes and determine captcha requirements.
+ */
+class CaptchaModule extends AdvancedBase {
+    async install(context) {
+        console.log('DIAGNOSTIC: CaptchaModule.install - Start of method');
+        
+        // Get services from context
+        const services = context.get('services');
+        if (!services) {
+            throw new Error('Services not available in context');
+        }
+        
+        // Register the captcha service
+        console.log('DIAGNOSTIC: CaptchaModule.install - Before service registration');
+        services.registerService('captcha', CaptchaService);
+        console.log('DIAGNOSTIC: CaptchaModule.install - After service registration');
+        
+        // Log the captcha service status
+        try {
+            const captchaService = services.get('captcha');
+            console.log(`Captcha service registered and ${captchaService.enabled ? 'enabled' : 'disabled'}`);
+            console.log('TOKENS_TRACKING: Retrieved CaptchaService instance with ID:', captchaService.serviceId);
+        } catch (error) {
+            console.error('Failed to get captcha service after registration:', error);
+        }
+    }
+}
+
+module.exports = { CaptchaModule }; 

src/backend/src/modules/captcha/CaptchaModule.js

@@ -0,0 +1,73 @@
+# Captcha Module
+
+This module provides captcha verification functionality to protect against automated abuse, particularly for login and signup flows.
+
+## Components
+
+- **CaptchaModule.js**: Registers the service and middleware
+- **CaptchaService.js**: Provides captcha generation and verification functionality
+- **captcha-middleware.js**: Express middleware for protecting routes with captcha verification
+
+## Integration
+
+The CaptchaService is registered by the CaptchaModule and can be accessed by other services:
+
+```javascript
+const captchaService = services.get('captcha');
+```
+
+### Example Usage
+
+```javascript
+// Generate a captcha
+const captcha = captchaService.generateCaptcha();
+// captcha.token - The token to verify later
+// captcha.image - SVG image data to display to the user
+
+// Verify a captcha
+const isValid = captchaService.verifyCaptcha(token, userAnswer);
+```
+
+## Configuration
+
+The CaptchaService can be configured with the following options in the configuration file (`config.json`):
+
+- `captcha.enabled`: Whether the captcha service is enabled (default: false)
+- `captcha.expirationTime`: How long captcha tokens are valid in milliseconds (default: 10 minutes)
+- `captcha.difficulty`: The difficulty level of the captcha ('easy', 'medium', 'hard') (default: 'medium')
+
+These options are set in the main configuration file. For example:
+
+```json
+{
+  "services": {
+    "captcha": {
+      "enabled": false,
+      "expirationTime": 600000,
+      "difficulty": "medium"
+    }
+  }
+}
+```
+
+### Development Configuration
+
+For local development, you can disable captcha by creating or modifying your local configuration file (e.g., in `volatile/config/config.json` or using a profile configuration):
+
+```json
+{
+  "$version": "v1.1.0",
+  "$requires": [
+    "config.json"
+  ],
+  "config_name": "local",
+  
+  "services": {
+    "captcha": {
+      "enabled": false
+    }
+  }
+}
+```
+
+These options are set when registering the service in CaptchaModule.js. 

src/backend/src/modules/captcha/README.md

@@ -0,0 +1,160 @@
+# Captcha Middleware
+
+This middleware provides captcha verification for routes that need protection against automated abuse.
+
+## Middleware Components
+
+The captcha system is now split into two middleware components:
+
+1. **checkCaptcha**: Determines if captcha verification is required but doesn't perform verification.
+2. **requireCaptcha**: Performs actual captcha verification based on the result from checkCaptcha.
+
+This split allows frontend applications to know in advance whether captcha verification will be needed for a particular action.
+
+## Usage Patterns
+
+### Using Both Middlewares (Recommended)
+
+For best user experience, use both middlewares together:
+
+```javascript
+const express = require('express');
+const router = express.Router();
+
+// Get both middleware components from the context
+const { checkCaptcha, requireCaptcha } = context.get('captcha-middleware');
+
+// Determine if captcha is required for this route
+router.post('/login', checkCaptcha({ eventType: 'login' }), (req, res, next) => {
+  // Set a flag in the response so frontend knows if captcha is needed
+  res.locals.captchaRequired = req.captchaRequired;
+  next();
+}, requireCaptcha(), (req, res) => {
+  // Handle login logic
+  // If captcha was required, it has been verified at this point
+});
+```
+
+### Using Individual Middlewares
+
+You can also access each middleware separately:
+
+```javascript
+const checkCaptcha = context.get('check-captcha-middleware');
+const requireCaptcha = context.get('require-captcha-middleware');
+```
+
+### Using Only requireCaptcha (Legacy Mode)
+
+For backward compatibility, you can still use only the requireCaptcha middleware:
+
+```javascript
+const requireCaptcha = context.get('require-captcha-middleware');
+
+// Always require captcha for this route
+router.post('/sensitive-route', requireCaptcha({ always: true }), (req, res) => {
+  // Route handler
+});
+
+// Conditionally require captcha based on extensions
+router.post('/normal-route', requireCaptcha(), (req, res) => {
+  // Route handler
+});
+```
+
+## Configuration Options
+
+### checkCaptcha Options
+
+- `always` (boolean): Always require captcha regardless of other factors
+- `strictMode` (boolean): If true, fails closed on errors (more secure)
+- `eventType` (string): Type of event for extensions (e.g., 'login', 'signup')
+
+### requireCaptcha Options
+
+- `strictMode` (boolean): If true, fails closed on errors (more secure)
+
+## Frontend Integration
+
+There are two ways to integrate with the frontend:
+
+### 1. Using the checkCaptcha Result in API Responses
+
+You can include the captcha requirement in API responses:
+
+```javascript
+router.get('/whoarewe', checkCaptcha({ eventType: 'login' }), (req, res) => {
+  res.json({
+    // Other environment information
+    captchaRequired: {
+      login: req.captchaRequired
+    }
+  });
+});
+```
+
+### 2. Setting GUI Parameters
+
+For PuterHomepageService, you can add captcha requirements to GUI parameters:
+
+```javascript
+// In PuterHomepageService.js
+gui_params: {
+  // Other parameters
+  captchaRequired: {
+    login: req.captchaRequired
+  }
+}
+```
+
+## Client-Side Integration
+
+To integrate with the captcha middleware, the client needs to:
+
+1. Check if captcha is required for the action (using /whoarewe or GUI parameters)
+2. If required, call the `/api/captcha/generate` endpoint to get a captcha token and image
+3. Display the captcha image to the user and collect their answer
+4. Include the captcha token and answer in the request body:
+
+```javascript
+// Example client-side code
+async function submitWithCaptcha(formData) {
+  // Check if captcha is required
+  const envInfo = await fetch('/api/whoarewe').then(r => r.json());
+  
+  if (envInfo.captchaRequired?.login) {
+    // Get and display captcha to user
+    const captcha = await getCaptchaFromServer();
+    showCaptchaToUser(captcha);
+    
+    // Add captcha token and answer to the form data
+    formData.captchaToken = captcha.token;
+    formData.captchaAnswer = await getUserCaptchaAnswer();
+  }
+  
+  // Submit the form
+  const response = await fetch('/api/login', {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json'
+    },
+    body: JSON.stringify(formData)
+  });
+  
+  // Handle response
+  const data = await response.json();
+  if (response.status === 400 && data.error === 'captcha_required') {
+    // Show captcha to the user if not already shown
+    showCaptcha();
+  }
+}
+```
+
+## Error Handling
+
+The middleware will throw the following errors:
+
+- `captcha_required`: When captcha verification is required but no token or answer was provided.
+- `captcha_invalid`: When the provided captcha answer is incorrect.
+
+These errors can be caught by the API error handler and returned to the client.