fix: add configurable hcaptcha timeout (#441)

J0 · Joel Lee · web-flow · commit c353dbb60055 · 2022-06-06T17:52:08.000-07:00
* initial commit

* feat: minor fixes

* fix: directly use env var

* fix: run gofmt

* chore: remove context import

* Update test.env

* Update example.env

Co-authored-by: Joel Lee &lt;joel@joellee.org&gt;
diff --git a/README.md b/README.md
@@ -509,7 +509,8 @@ Whether captcha middleware is enabled
 
 for now the only option supported is: `hcaptcha`
 
-`SECURITY_CAPTCHA_SECRET` - `string`
+- `SECURITY_CAPTCHA_SECRET` - `string`
+- `SECURITY_CAPTCHA_TIMEOUT` - `string`
 
 Retrieve from hcaptcha account
 
diff --git a/api/middleware.go b/api/middleware.go
@@ -234,6 +234,7 @@ func (a *API) verifyCaptcha(w http.ResponseWriter, req *http.Request) (context.C
 	if secret == "" {
 		return nil, internalServerError("server misconfigured")
 	}
+
 	verificationResult, err := security.VerifyRequest(req, secret)
 	if err != nil {
 		logrus.WithField("err", err).Infof("failed to validate result")
diff --git a/api/phone.go b/api/phone.go
@@ -30,7 +30,7 @@ func (a *API) validatePhone(phone string) (string, error) {
 	return phone, nil
 }
 
-// validateE165Format checks if phone number follows the E.164 format
+// validateE164Format checks if phone number follows the E.164 format
 func (a *API) validateE164Format(phone string) bool {
 	// match should never fail as long as regexp is valid
 	matched, _ := regexp.Match(e164Format, []byte(phone))
diff --git a/example.env b/example.env
@@ -178,6 +178,7 @@ GOTRUE_SMS_VONAGE_FROM=""
 GOTRUE_SECURITY_CAPTCHA_ENABLED="false"
 GOTRUE_SECURITY_CAPTCHA_PROVIDER="hcaptcha"
 GOTRUE_SECURITY_CAPTCHA_SECRET="0x0000000000000000000000000000000000000000"
+GOTRUE_SECURITY_CAPTCHA_TIMEOUT="10s"
 GOTRUE_SESSION_KEY=""
 
 # SAML config
diff --git a/hack/test.env b/hack/test.env
@@ -94,3 +94,4 @@ GOTRUE_TRACING_TAGS="env:test"
 GOTRUE_SECURITY_CAPTCHA_ENABLED="false"
 GOTRUE_SECURITY_CAPTCHA_PROVIDER="hcaptcha"
 GOTRUE_SECURITY_CAPTCHA_SECRET="0x0000000000000000000000000000000000000000"
+GOTRUE_SECURITY_CAPTCHA_TIMEOUT="10s"
diff --git a/security/hcaptcha.go b/security/hcaptcha.go
@@ -5,8 +5,10 @@ import (
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
+	"log"
 	"net/http"
 	"net/url"
+	"os"
 	"strconv"
 	"strings"
 	"time"
@@ -40,8 +42,17 @@ const (
 var Client *http.Client
 
 func init() {
-	// TODO (darora): make timeout configurable
-	Client = &http.Client{Timeout: 10 * time.Second}
+	var defaultTimeout time.Duration = time.Second * 10
+	timeoutStr := os.Getenv("GOTRUE_SECURITY_CAPTCHA_TIMEOUT")
+	if timeoutStr != "" {
+		if timeout, err := time.ParseDuration(timeoutStr); err != nil {
+			log.Fatalf("error loading GOTRUE_SECURITY_CAPTCHA_TIMEOUT: %v", err.Error())
+		} else if timeout != 0 {
+			defaultTimeout = timeout
+		}
+	}
+
+	Client = &http.Client{Timeout: defaultTimeout}
 }
 
 func VerifyRequest(r *http.Request, secretKey string) (VerificationResult, error) {

Original file line number	Diff line number	Diff line change
`@@ -234,6 +234,7 @@ func (a API) verifyCaptcha(w http.ResponseWriter, req http.Request) (context.C`
`234`	`234`	`if secret == "" {`
`235`	`235`	`return nil, internalServerError("server misconfigured")`
`236`	`236`	`}`
	`237`	`+`
`237`	`238`	`verificationResult, err := security.VerifyRequest(req, secret)`
`238`	`239`	`if err != nil {`
`239`	`240`	`logrus.WithField("err", err).Infof("failed to validate result")`
Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,7 @@ func (a *API) validatePhone(phone string) (string, error) {`
`30`	`30`	`return phone, nil`
`31`	`31`	`}`
`32`	`32`
`33`		`-// validateE165Format checks if phone number follows the E.164 format`
	`33`	`+// validateE164Format checks if phone number follows the E.164 format`
`34`	`34`	`func (a *API) validateE164Format(phone string) bool {`
`35`	`35`	`// match should never fail as long as regexp is valid`
`36`	`36`	`matched, _ := regexp.Match(e164Format, []byte(phone))`