Support reCAPTCHA on critical anonymous views

[dcramer]

To prevent bots from abusing certain endpoints (specifically things like registration) we want to enable reCAPTCHA on various endpoints.

At minimum this will be the signup endpoint, but there is value in ensuring this can be used now or in the future for several other endpoints, including login and password recovery.

Implementation likely includes:

• a feature flag for the action to determine if the request should be captcha bound
• API verifies reCAPTCHA payload when flag is present
• UI implements invisible reCAPTCHA possibly using something like react-recaptcha
• TBD: getting configuration into the signup endpoints so they understnad if they do or do not need to require captcha. this also needs some carry over into getsentry's custom signup entrypoint.

[BYK]

@dcramer which team is owning this initiative?

[dcramer]

@BYK right now I am

[dcramer]

I spent some time on this today and itll be more tricky than I hoped given the changes that have occurred in the cloud service codebase.

New plan:

• Pull getsentry's signup code (API based) into sentry core. Basically expose a /auth/register/ endpoint which eventually getsentry can inherit/overload (assuming it still needs to)
• Move /auth/login/'s register code to use the API client (or another abstraction) so they can share the same validation code.
• Push the recaptcha validation logic into the API endpoint. This basically makes it only serviceable to getsentry, or via a getsentry embedded iframe, but that should be ok.
• TBD: Update the legacy UI code (which is HTML generated) to somehow embed recaptcha

Once the above is done, it can be merged/released. Then changes can be staged in getsentry:

• Update the signup endpoints to use the new sentry API(s)
• Update the signup frontend code to use react-recaptcha or whatever abstraction exists

It's possible it might be simpler to pull in Google's core recaptcha support so we have one library that is shared between react and non-react pages, and just implement a tiny layer for the react page. I dont think it needs to do much (hook a submit event, bind some data), so it's likely not much code.

[dcramer]

After a good nights rest I've had the realization that our bot issue is likely due to the fact that CSRF protections were removed from the signup endpoint. Will be exploring how to get that resolved as a first step pre-captcha. The new session auth will enforce it, but that means the page needs to ensure a CSRF cookie is present first.

[dcramer]

Had to revert the CSRF change as the upstream signup page is not clearing auth classes (wrong code comment) and the signup page def breaks due to CSRF

[dcramer]

Another item identified is we should probably require CORS (e.g. SENTRY_ALLOWED_DOMAINS) on session-based API views. That's a little tricky of a change today (likely) as it requires passing an object to request.auth, which in many scenarios we assume the lack of object = session auth. Also might mean we could just hijack it and enforce that meaning in the core endpoint class.