Implement signed verification cookies and code quality improvements

- Add create_verification_cookie_value() and verify_verification_cookie() to accounts/model.py
- Update is_suspicious_visitor() to verify signed cookies instead of simple vf=1
- Update account_verify_human endpoint to create signed cookies
- Remove inline styles from challenge.html template
- Run black formatter on all modified Python files
- Update tests to work with signed cookie verification
- Add test for referer header check

Co-authored-by: mekarpeles <978325+mekarpeles@users.noreply.github.com>

Author: Copilot

openlibrary/accounts/model.py

@@ -95,6 +95,60 @@ def get_secret_key():
     return config.infobase['secret_key']
 
 
+def create_verification_cookie_value() -> str:
+    """Create a signed verification cookie value.
+
+    Returns:
+        str: Cookie value in format "vf/session_id,signature"
+    """
+    # Generate random session ID (server-side only)
+    session_id = secrets.token_urlsafe(32)
+
+    # Create the data portion
+    data = f"vf/{session_id}"
+
+    # Sign it (creates: "salt$hash")
+    signature = generate_hash(get_secret_key(), data)
+
+    # Combine into single cookie value
+    cookie_value = f"{data},{signature}"
+    # Result: "vf/kJ8x3mP...,a1b2c$d3e4f5"
+
+    return cookie_value
+
+
+def verify_verification_cookie(cookie_value: str) -> bool:
+    """Verify a verification cookie value.
+
+    Args:
+        cookie_value: The cookie value to verify
+
+    Returns:
+        bool: True if cookie is valid and properly signed, False otherwise
+    """
+    if not cookie_value:
+        return False
+
+    # Parse the single cookie
+    parts = cookie_value.split(",")
+    if len(parts) != 2:
+        return False  # Malformed cookie
+
+    data, signature = parts
+    # data = "vf/kJ8x3mP..."
+    # signature = "a1b2c$d3e4f5"
+
+    # Verify the signature (NO database lookup needed!)
+    if not verify_hash(get_secret_key(), data, signature):
+        return False  # Cookie was tampered with or forged
+
+    # Extract session ID (we can trust it because signature is valid)
+    if not data.startswith("vf/"):
+        return False
+
+    return True
+
+
 def generate_login_code_for_user(username: str) -> str:
     """
     Args:

openlibrary/plugins/openlibrary/code.py

@@ -1239,7 +1239,7 @@ def is_suspicious_visitor():
     A suspicious visitor is someone who is NOT:
     1. a recognized bot
     2. coming from a referer
-    3. carrying a verification cookie (vf=1)
+    3. carrying a valid signed verification cookie
     4. logged in
 
     Returns:
@@ -1253,8 +1253,11 @@ def is_suspicious_visitor():
     if web.ctx.env.get('HTTP_REFERER'):
         return False
 
-    # Check if visitor has already been verified (has vf=1 cookie)
-    if web.cookies().get('vf') == '1':
+    # Check if visitor has a valid signed verification cookie
+    from openlibrary.accounts.model import verify_verification_cookie
+
+    cookie_value = web.cookies().get('vf')
+    if cookie_value and verify_verification_cookie(cookie_value):
         return False
 
     # Check if user is logged in

openlibrary/plugins/openlibrary/tests/test_verification.py

@@ -28,8 +28,11 @@ def test_is_suspicious_visitor_when_logged_in(self, monkeypatch):
         mock_user = web.storage(key='/people/test_user')
         web.ctx.site.get_user = lambda: mock_user
 
-        # Mock is_bot to return False
-        monkeypatch.setattr(code, 'is_bot', lambda: False)
+        # Mock is_recognized_bot to return False
+        monkeypatch.setattr(code, 'is_recognized_bot', lambda: False)
+
+        # Mock no referer
+        web.ctx.env = {}
 
         # Mock no verification cookie
         def mock_cookies():
@@ -44,8 +47,8 @@ def test_is_suspicious_visitor_when_bot(self, monkeypatch):
         # Mock no logged in user
         web.ctx.site.get_user = lambda: None
 
-        # Mock is_bot to return True
-        monkeypatch.setattr(code, 'is_bot', lambda: True)
+        # Mock is_recognized_bot to return True
+        monkeypatch.setattr(code, 'is_recognized_bot', lambda: True)
 
         # Mock no verification cookie
         def mock_cookies():
@@ -55,17 +58,44 @@ def mock_cookies():
 
         assert code.is_suspicious_visitor() is False
 
-    def test_is_suspicious_visitor_with_cookie(self, monkeypatch):
-        """Test that visitors with vf=1 cookie are not suspicious."""
+    def test_is_suspicious_visitor_with_valid_cookie(self, monkeypatch):
+        """Test that visitors with valid signed cookie are not suspicious."""
+        from openlibrary.accounts import model
+
         # Mock no logged in user
         web.ctx.site.get_user = lambda: None
 
-        # Mock is_bot to return False
-        monkeypatch.setattr(code, 'is_bot', lambda: False)
+        # Mock is_recognized_bot to return False
+        monkeypatch.setattr(code, 'is_recognized_bot', lambda: False)
+
+        # Mock no referer
+        web.ctx.env = {}
+
+        # Create a valid signed cookie
+        valid_cookie = model.create_verification_cookie_value()
 
         # Mock verification cookie present
         def mock_cookies():
-            return {'vf': '1'}
+            return {'vf': valid_cookie}
+
+        monkeypatch.setattr(web, 'cookies', mock_cookies)
+
+        assert code.is_suspicious_visitor() is False
+
+    def test_is_suspicious_visitor_with_referer(self, monkeypatch):
+        """Test that visitors with referer are not suspicious."""
+        # Mock no logged in user
+        web.ctx.site.get_user = lambda: None
+
+        # Mock is_recognized_bot to return False
+        monkeypatch.setattr(code, 'is_recognized_bot', lambda: False)
+
+        # Mock referer present
+        web.ctx.env = {'HTTP_REFERER': 'https://example.com'}
+
+        # Mock no verification cookie
+        def mock_cookies():
+            return {}
 
         monkeypatch.setattr(web, 'cookies', mock_cookies)
 
@@ -76,8 +106,11 @@ def test_is_suspicious_visitor_when_all_checks_fail(self, monkeypatch):
         # Mock no logged in user
         web.ctx.site.get_user = lambda: None
 
-        # Mock is_bot to return False
-        monkeypatch.setattr(code, 'is_bot', lambda: False)
+        # Mock is_recognized_bot to return False
+        monkeypatch.setattr(code, 'is_recognized_bot', lambda: False)
+
+        # Mock no referer
+        web.ctx.env = {}
 
         # Mock no verification cookie
         def mock_cookies():
@@ -87,17 +120,20 @@ def mock_cookies():
 
         assert code.is_suspicious_visitor() is True
 
-    def test_is_suspicious_visitor_with_wrong_cookie_value(self, monkeypatch):
-        """Test that visitors with wrong cookie value are still suspicious."""
+    def test_is_suspicious_visitor_with_invalid_cookie(self, monkeypatch):
+        """Test that visitors with invalid cookie value are still suspicious."""
         # Mock no logged in user
         web.ctx.site.get_user = lambda: None
 
-        # Mock is_bot to return False
-        monkeypatch.setattr(code, 'is_bot', lambda: False)
+        # Mock is_recognized_bot to return False
+        monkeypatch.setattr(code, 'is_recognized_bot', lambda: False)
+
+        # Mock no referer
+        web.ctx.env = {}
 
-        # Mock verification cookie with wrong value
+        # Mock verification cookie with invalid value
         def mock_cookies():
-            return {'vf': '0'}
+            return {'vf': 'invalid_value'}
 
         monkeypatch.setattr(web, 'cookies', mock_cookies)
 

openlibrary/plugins/upstream/account.py

@@ -1317,8 +1317,15 @@ class account_verify_human(delegate.page):
 
     def POST(self):
         """Handle verification request."""
-        # Set the verification cookie (vf=1)
-        web.setcookie('vf', '1', expires=self.VERIFICATION_COOKIE_EXPIRES_SECONDS)
+        from openlibrary.accounts.model import create_verification_cookie_value
+
+        # Create a signed verification cookie
+        cookie_value = create_verification_cookie_value()
+
+        # Set the verification cookie
+        web.setcookie(
+            'vf', cookie_value, expires=self.VERIFICATION_COOKIE_EXPIRES_SECONDS
+        )
 
         # Track verification success
         stats.increment('ol.stats.verify_human.verified')

openlibrary/templates/lib/challenge.html

@@ -4,13 +4,29 @@
     <h1>$_("Human Verification")</h1>
 </div>
 
-<div id="contentBody" style="text-align: center; padding: 2rem;">
-    <p style="margin-bottom: 2rem;">$_("Please verify you are human to continue.")</p>
-    <button id="verify-human-btn" class="cta-btn cta-btn--shell" style="padding: 1rem 2rem; font-size: 1.1rem;">
+<div id="contentBody" class="verification-challenge">
+    <p class="verification-message">$_("Please verify you are human to continue.")</p>
+    <button id="verify-human-btn" class="cta-btn cta-btn--shell">
         $_("Verify you are human")
     </button>
 </div>
 
+<style>
+.verification-challenge {
+    text-align: center;
+    padding: 2rem;
+}
+
+.verification-message {
+    margin-bottom: 2rem;
+}
+
+#verify-human-btn {
+    padding: 1rem 2rem;
+    font-size: 1.1rem;
+}
+</style>
+
 <script>
 (function() {
     var button = document.getElementById('verify-human-btn');