add match captcha ttl, translate validation messages

Author: solverat

config/install/translations/admin.csv

@@ -63,6 +63,7 @@
 "form_builder_type.birthday_type","Birthday Type","Geburtstag Element"
 "form_builder_type.recaptcha_v3","reCAPTCHA v3 Field","reCAPTCHA v3 Feld"
 "form_builder_type.math_captcha","Math Captcha Field","Mathematisches Captcha Feld"
+"form_builder_type_field.math_captcha.validation_message_trans_note","Validation messages will be translated via pimcore translation manager: 'The given answer is not correct', 'Captcha has expired due to inactivity. Please refresh the page and try again.'","Validierungsmeldungen werden mit dem Pimcore Translation-Manager übersetzt: 'The given answer is not correct', 'Captcha has expired due to inactivity. Please refresh the page and try again.'"
 "form_builder_type_field.math_captcha.difficulty","Difficulty","Schwierigkeit"
 "form_builder_type.friendly_captcha","Friendly Captcha Field","Friendly Captcha Feld"
 "form_builder_type.cloudflare_turnstile","Cloudflare Turnstile Field","Cloudflare Turnstile Feld"

config/types/type/math_captcha.yaml

@@ -13,11 +13,15 @@ form_builder:
                     options.data: ~
                     options.value: ~
                     options.difficulty:
-                        display_group_id: attributes
+                        display_group_id: base
                         type: select
                         label: 'form_builder_type_field.math_captcha.difficulty'
                         config:
                             options:
                                 - ['easy','easy']
                                 - ['normal','normal']
-                                - ['hard','hard']
+                                - ['hard','hard']
+                    options.validation_message_trans_note:
+                        display_group_id: base
+                        type: label
+                        label: 'form_builder_type_field.math_captcha.validation_message_trans_note'

docs/03_SpamProtection.md

@@ -96,8 +96,10 @@ Since no session storage is required, it can be easily integrated with minimal o
 > However, it will give you time, to set up stronger spam protection like 
 > recaptcha, turnstile or friendly captcha (which are all supported by this bundle) to get rid of smart bots!
 
+### Encryption Secret
+
 > [!IMPORTANT]  
-> Match Captcha requires a valid encryption key!
+> Math Captcha requires a valid encryption key!
 > It uses the `%pimcore.encryption.secret%` as default, but you're able to set a dedicated one:
 
 ```yaml
@@ -107,6 +109,18 @@ form_builder:
             encryption_secret: 'my-very-long-encryption-secret'
 ```
 
+### Math Captcha TTL | Expiration
+To prevent replay attacks in a long-term view, a math captcha gets invalided after 30 minutes.
+
+If you want to change the value, you need to update the configuration
+
+```yaml
+form_builder:
+    spam_protection:
+        math_captcha:
+            hash_ttl: 30 # 30 minutes (default value)
+```
+
 ***
 
 ## Email Checker

src/DependencyInjection/Configuration.php

@@ -666,6 +666,7 @@ private function buildSpamProductionNode(): NodeDefinition
                     ->addDefaultsIfNotSet()
                     ->children()
                         ->scalarNode('encryption_secret')->defaultNull()->end()
+                        ->integerNode('hash_ttl')->defaultValue(30)->end()
                     ->end()
                 ->end()
 

src/Form/Type/MathCaptchaType.php

@@ -31,22 +31,24 @@ public function __construct(protected MathCaptchaProcessor $mathCaptchaProcessor
 
     public function buildForm(FormBuilderInterface $builder, array $options): void
     {
-        $challenge = $this->mathCaptchaProcessor->generateChallenge($options['difficulty']);
+        $stamp = $this->mathCaptchaProcessor->generateStamp();
+        $challenge = $this->mathCaptchaProcessor->generateChallenge($options['difficulty'], $stamp);
 
         $challengeFieldOptions = [
-            'label' => $challenge['user_challenge'],
+            'label'      => $challenge['user_challenge'],
             'label_attr' => [
                 'class' => 'math-captcha-challenge-label'
             ],
         ];
 
         if ($challenge['hash'] === null) {
             $challengeFieldOptions['attr']['disabled'] = true;
-            $challengeFieldOptions['label'] = 'No encryption secret found. cannot create challenge';
+            $challengeFieldOptions['label'] = 'No encryption secret found. cannot create challenge.';
         }
 
         $builder->add('challenge', TextType::class, $challengeFieldOptions);
         $builder->add('hash', HiddenType::class, ['data' => $challenge['hash']]);
+        $builder->add('stamp', HiddenType::class, ['data' => $stamp]);
     }
 
     public function buildView(FormView $view, FormInterface $form, array $options): void

src/Tool/MathCaptchaProcessor.php

@@ -13,17 +13,22 @@
 
 namespace FormBuilderBundle\Tool;
 
+use Carbon\Carbon;
 use FormBuilderBundle\Configuration\Configuration;
 
 class MathCaptchaProcessor implements MathCaptchaProcessorInterface
 {
+    public const VALIDATION_STATE_VALID = 'valid';
+    public const VALIDATION_STATE_INVALID_VALUE = 'invalid_value';
+    public const VALIDATION_STATE_EXPIRED = 'expired';
+
     public function __construct(
         protected ?string $pimcoreEncryptionSecret,
         protected Configuration $configuration
     ) {
     }
 
-    public function generateChallenge(string $difficulty): array
+    public function generateChallenge(string $difficulty, string $stamp): array
     {
         $numbers = match ($difficulty) {
             default => [
@@ -45,16 +50,30 @@ public function generateChallenge(string $difficulty): array
 
         return [
             'user_challenge' => $challenge,
-            'hash'           => $this->encryptChallenge(array_sum($numbers))
+            'hash'           => $this->encryptChallenge(array_sum($numbers), $stamp)
         ];
     }
 
-    public function verify(int $challenge, string $hash): bool
+    public function generateStamp(): string
+    {
+        return Carbon::now()->toIso8601String();
+    }
+
+    public function verify(int $challenge, string $hash, string $stamp): string
     {
-        return $hash === $this->encryptChallenge($challenge);
+        $now = Carbon::now();
+        $date = Carbon::parse($stamp)->addMinutes($this->getHashTtl());
+
+        if ($now->isAfter($date)) {
+            return self::VALIDATION_STATE_EXPIRED;
+        }
+
+        return $hash === $this->encryptChallenge($challenge, $stamp)
+            ? self::VALIDATION_STATE_VALID
+            : self::VALIDATION_STATE_INVALID_VALUE;
     }
 
-    public function encryptChallenge(int $challenge): ?string
+    public function encryptChallenge(int $challenge, string $stamp): ?string
     {
         $encryptionSecret = $this->getEncryptionSecret();
 
@@ -65,7 +84,7 @@ public function encryptChallenge(int $challenge): ?string
         return hash_hmac(
             'sha256',
             (string) $challenge,
-            $encryptionSecret
+            sprintf('%s%s', $encryptionSecret, $stamp)
         );
     }
 
@@ -81,4 +100,12 @@ private function getEncryptionSecret(): ?string
 
         return $encryptionSecret;
     }
+
+    private function getHashTtl(): int
+    {
+        $config = $this->configuration->getConfig('spam_protection');
+        $mathCaptchaConfig = $config['math_captcha'];
+
+        return $mathCaptchaConfig['hash_ttl'];
+    }
 }

src/Validator/Constraints/MathCaptcha.php

@@ -17,5 +17,6 @@
 
 final class MathCaptcha extends Constraint
 {
-    public string $message = 'The given answer is not correct.';
+    public string $invalidValueMessage = 'The given answer is not correct.';
+    public string $expiredMessage = 'Captcha has expired due to inactivity. Please refresh the page and try again.';
 }

src/Validator/Constraints/MathCaptchaValidator.php

@@ -17,11 +17,14 @@
 use Symfony\Component\Validator\Constraint;
 use Symfony\Component\Validator\ConstraintValidator;
 use Symfony\Component\Validator\Exception\UnexpectedTypeException;
+use Symfony\Contracts\Translation\TranslatorInterface;
 
 final class MathCaptchaValidator extends ConstraintValidator
 {
-    public function __construct(protected MathCaptchaProcessor $mathCaptchaProcessor)
-    {
+    public function __construct(
+        protected TranslatorInterface $translator,
+        protected MathCaptchaProcessor $mathCaptchaProcessor
+    ) {
     }
 
     public function validate(mixed $value, Constraint $constraint): void
@@ -36,20 +39,30 @@ public function validate(mixed $value, Constraint $constraint): void
 
         $challenge = $value['challenge'] ?? null;
         $hash = $value['hash'] ?? null;
+        $stamp = $value['stamp'] ?? null;
+
+        $validationState = $this->validateCaptcha($challenge, $hash, $stamp);
 
-        if (!$this->validateCaptcha($challenge, $hash)) {
-            $this->context->buildViolation($constraint->message)
-                ->setParameter('{{ value }}', $this->formatValue($value))
-                ->addViolation();
+        if ($validationState === MathCaptchaProcessor::VALIDATION_STATE_VALID) {
+            return;
         }
+
+        $validationMessage = $validationState === MathCaptchaProcessor::VALIDATION_STATE_EXPIRED
+            ? $constraint->expiredMessage
+            : $constraint->invalidValueMessage;
+
+        $this->context
+            ->buildViolation($this->translator->trans($validationMessage))
+            ->setParameter('{{ value }}', $this->formatValue($value))
+            ->addViolation();
     }
 
-    private function validateCaptcha(?string $value, $hash): bool
+    private function validateCaptcha(?string $value, ?string $hash, ?string $stamp): string
     {
-        if ($value === '' || $hash === null) {
-            return false;
+        if ($value === '' || $value === null || $hash === null || $stamp === null) {
+            return MathCaptchaProcessor::VALIDATION_STATE_INVALID_VALUE;
         }
 
-        return $this->mathCaptchaProcessor->verify((int) $value, $hash);
+        return $this->mathCaptchaProcessor->verify((int) $value, $hash, $stamp);
     }
 }