FreeCAPTCHA/app.py

from flask import Flask, render_template, request, make_response, redirect
from freecaptcha import captcha
import uuid
import os
from cryptography.fernet import Fernet
import jwt
import base64

# Generate a new AES key
key = Fernet.generate_key()

JWT_SECRET_KEY = 'obviously this needs to be an env variable secret thingie.'

# Create an instance of the Fernet cipher with the key
cipher = Fernet(key)

# Encrypt a message
message = b'This is a secret message.'
ciphertext = cipher.encrypt(message)

# Decrypt the ciphertext
app = Flask(__name__, static_url_path='', static_folder='static',)


@app.route("/captcha", methods=['GET', 'POST'])
def captcha_handler():
    if request.method == "POST":
        captcha_attempt = len(list(request.form))
        token = request.cookies.get('Authorization').split('Bearer ')[-1]
        try:
            # TODO: set JWT to expire very soon.
            payload = jwt.decode(token, JWT_SECRET_KEY, algorithms=['HS256'])
            b64_and_encrypted_correct_answer = payload['encrypted_correct_answer']
            n = payload['n']
            encrypted_correct_answer_bytes = base64.b64decode(b64_and_encrypted_correct_answer)
            correct_answer = cipher.decrypt(encrypted_correct_answer_bytes).decode('utf-8').split('|||')[0]
            ## Redirect to the original page the user wanted - with a token letting that they can validate from us that says that the user passed a specific captcha attempt (we will sign the attempt with a code we give them with the captcha, like an id, so they know it was that specific attempt)
            return f'''
            The correct answer was {correct_answer}
            You flipped it {int(captcha_attempt) % n}
            '''

        except jwt.ExpiredSignatureError:
            return 'Token expired. Please log in again.'

        except jwt.InvalidTokenError:
            return 'Invalid token. Authentication required.'
        ## Get their guess from POST body
        ## Get JWT cookie
        ## Decrypt payload
        ## Check if guess (from post body) == correct answer (from decrypted JWT payload)
        ## If so: give them a new JWT for winning the CAPTCHA, and forward them to the URL they originally wanted to access precaptcha (just like oauth does)
        ## If not: Redirect them to the GET version of this same URL, with warning enabled to tell them they failed
    if request.method == "GET":
        image_path = captcha.random_image()
        n = 6
        answer, options = captcha.captchafy(image_path, n)
        print('the correct answer is: ', answer)
        # remember to store the salt since we'll need it when we compare the hashes
        salt = uuid.uuid4()
        plaintext_bytes = bytes(str(answer) + '|||' + str(salt), 'utf-8')
        encrypted_bytes = cipher.encrypt(plaintext_bytes)

        ciphertext = base64.b64encode(encrypted_bytes).decode('utf-8')
        token = jwt.encode({
            'encrypted_correct_answer': ciphertext,
            'salt': str(salt),
            'n': n
        }, JWT_SECRET_KEY, algorithm='HS256')

        # Set the Authorization header cookie with the JWT
        resp = make_response(captcha.generate_captcha_html(list(options)))
        resp.set_cookie('Authorization', f'Bearer {token}')

        return resp
        # Set JWT with encrypted answer as HTTP cookie
        # issue: they could compare our encrypted answer with how we encrypt all numbers 1-6, since they will have seem them before.
        # We could solve this with a salt, but then we have to store salts. We could include the salt in plaintext, but then they could build a rainbow table of our guess + salts (since there are only 6 possible guesses)
        # the solution is to use salts big enough that we don't have to fear them repeating / being turned into a rainbow table.
        # We will use UUID's as the salts.
        #
        # Anyway, we pass the data to our Jinja template and render it.
    else:
        return "Unsupported HTTP method."
    # Flask should take care of unsupported methods for us.