Short Summary:
There is a reCAPTCHA checkbox (challenge) on the signup page. It protects the app from automated registration of new users.
We also need reCAPTCHA on the login page. Along with adding reCAPTCHA to the page, a new environment variable should be declared.
Stake Holders:
@cootook
Impact/Urgency:
middle priority, no impact on app's logic, docs should be updated because of new environment variable
Full Description:
reCAPTCHA protects the website from fraud and abuse.
We use the automatically rendered reCAPTCHA widget.
reCAPTCHA requires two keys:
- `sitekey` for HTML. This key is currently hardcoded in the signup.html template. We are going to declare a new variable and to inject new variables automatically into the context of a template via `@app.context_processor` (how to put reCAPTCHA on page)
- verification key to verify a user's response on the backend, configured as `SECRET_RECAPTCHA` in the .env file in the root directory (how to verify)

To verify the response we have the function `validate_recaptcha` in helpers.py. We pass the token that we received with the submitted form as a parameter to the function. How it looks in signup.py:
```python
# Fragment from inside the view function
if request.method == "POST":
    # Token that the reCAPTCHA widget adds to the submitted form
    token = request.form.get("g-recaptcha-response")
    # ... some code
    if not validate_recaptcha(token):
        return render_template("apology.html", error_message="Sorry. Something went wrong with anti robot, maybe reCaptcha that you have just checked expired. Please, try again.")
```
Using JS, we should disable the **signin** button if reCAPTCHA is not passed:
```javascript
// Called through data-expired-callback when the reCAPTCHA response expires
function set_is_recaptcha_false() {
    is_recaptcha = false;
    validate_pass();
}

// Called through data-callback when the user passes reCAPTCHA
function set_is_recaptcha_true() {
    is_recaptcha = true;
    validate_pass();
}
```
HTML attributes that call these functions:
`data-callback="set_is_recaptcha_true" data-expired-callback="set_is_recaptcha_false"`
Test Cases:
route "/signin/": with dev tools in the browser, enable the submit button and try to submit without passing reCAPTCHA
Resources:
- Flask context-processors
- reCAPTCHA v2
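The test case above only fails safely if the backend rejects a form that arrives without a valid token, whatever the state of the button in the browser. The following is an added example of such a server-side check, not the project's `validate_recaptcha` from helpers.py; the names `check_recaptcha_token`, `post_form`, `fake_siteverify` and `broken_network` are assumptions, and the fake endpoint, secret and tokens are constructed so the block runs offline.

```python
import json
import os
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def post_form(url, fields, timeout=5):
    """POST form fields and return the decoded JSON reply."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=timeout) as resp:
        return json.load(resp)


def check_recaptcha_token(token, secret=None, post=post_form):
    """Return True only if the verification endpoint confirms the token."""
    secret = secret or os.environ.get("SECRET_RECAPTCHA")
    # No token means the form was submitted without solving the challenge,
    # for example after the submit button was re-enabled in dev tools.
    if not token or not secret:
        return False
    try:
        reply = post(SITEVERIFY_URL, {"secret": secret, "response": token})
    except (OSError, ValueError):
        # Network failure or malformed JSON: fail closed, do not log the user in.
        return False
    return isinstance(reply, dict) and reply.get("success") is True


def fake_siteverify(url, fields):
    """Constructed stand-in for the verification endpoint (offline runs)."""
    if fields["secret"] != "test-secret":
        return {"success": False, "error-codes": ["invalid-input-secret"]}
    if fields["response"] != "good-token":
        return {"success": False, "error-codes": ["invalid-input-response"]}
    return {"success": True}


def broken_network(url, fields):
    """Constructed poster that simulates an unreachable endpoint."""
    raise OSError("constructed network failure")


if __name__ == "__main__":
    for tok in (None, "", "forged", "good-token"):
        print(repr(tok), check_recaptcha_token(tok, "test-secret", fake_siteverify))
```

In the real view the default `post_form` is used, so the secret is read from `SECRET_RECAPTCHA` and never leaves the server.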