Feat: Replace Google ReCAPTCHA with ALTCHA using API - non-tracking, GDPR compliant without cookies or fingerprinting.

controllers/core.py

@@ -18,14 +18,17 @@ from models.model_view_contact import Model_View_Contact
 from models.model_view_home import Model_View_Home
 import lib.argument_validation as av
 # external
-from flask import Flask, render_template, jsonify, request,  render_template_string, send_from_directory, redirect, url_for, session, Blueprint, current_app
+from flask import Flask, render_template, jsonify, request,  render_template_string, send_from_directory, redirect, url_for, session, Blueprint, current_app, flash
 from flask_mail import Mail, Message
 from extensions import db, oauth, mail
 from urllib.parse import quote_plus, urlencode
 from authlib.integrations.flask_client import OAuth
 from authlib.integrations.base_client import OAuthError
 from urllib.parse import quote, urlparse, parse_qs
-
+import json
+import base64
+import hmac
+import hashlib
 
 routes_core = Blueprint('routes_core', __name__)
 
@@ -54,20 +57,82 @@ def contact_post():
     try:
         form = Form_Contact()
         if form.validate_on_submit():
-            # Handle form submission
-            email = form.email.data
-            CC = form.CC.data # not in use
-            contact_name = form.contact_name.data
-            company_name = form.company_name.data
-            message = form.message.data
-            receive_marketing = form.receive_marketing.data
-            receive_marketing_text = "I would like to receive marketing emails." if receive_marketing else ""
-            # send email
-            mailItem = Message("PARTS Website Contact Us Message", recipients=[current_app.config['MAIL_CONTACT_PUBLIC']])
-            mailItem.body = f"Dear Lord Edward Middleton-Smith,\n\n{message}\n{receive_marketing_text}\nKind regards,\n{contact_name}\n{company_name}\n{email}"
-            mail.send(mailItem)
-            return "Submitted."
+            altcha_payload = form.altcha.data
+            if not altcha_payload:
+                flash('Please complete the ALTCHA challenge', 'danger')
+                return "Invalid. ALTCHA challenge failed."
+                    # Decode and verify the ALTCHA payload
+            try:
+                decoded_payload = json.loads(base64.b64decode(altcha_payload))
+                
+                # Verify the signature
+                if verify_altcha_signature(decoded_payload):
+                    # Parse the verification data
+                    verification_data = urllib.parse.parse_qs(decoded_payload['verificationData'])
+                    
+                    # Check if the verification was successful
+                    if verification_data.get('verified', ['false'])[0] == 'true':
+                        # If spam filter is enabled, check the classification
+                        if 'classification' in verification_data:
+                            classification = verification_data.get('classification', [''])[0]
+                            score = float(verification_data.get('score', ['0'])[0])
+                            
+                            # If the classification is BAD and score is high, reject the submission
+                            if classification == 'BAD' and score > 5:
+                                flash('Your submission was flagged as potential spam', 'error')
+                                return render_template('contact.html', form=form)
+                        
+                        # Process the form submission
+                        email = form.email.data
+                        CC = form.CC.data # not in use
+                        contact_name = form.contact_name.data
+                        company_name = form.company_name.data
+                        message = form.message.data
+                        receive_marketing = form.receive_marketing.data
+                        receive_marketing_text = "I would like to receive marketing emails." if receive_marketing else ""
+                        # send email
+                        mailItem = Message("PARTS Website Contact Us Message", recipients=[current_app.config['MAIL_CONTACT_PUBLIC']])
+                        mailItem.body = f"Dear Lord Edward Middleton-Smith,\n\n{message}\n{receive_marketing_text}\nKind regards,\n{contact_name}\n{company_name}\n{email}"
+                        mail.send(mailItem)
+                        flash('Thank you for your message. We will get back to you soon!', 'success')
+                        return "Submitted."
+                    else:
+                        flash('CAPTCHA verification failed', 'error')
+                else:
+                    flash('Invalid verification signature', 'error')
+            except Exception as e:
+                flash(f'Error verifying CAPTCHA: {str(e)}', 'error')
         return "Invalid. Failed to submit."
         # html_body = render_template('pages/core/_contact.html', model = model)
     except Exception as e:
         return jsonify(error=str(e)), 403
+
+
+def verify_altcha_signature(payload):
+    """Verify the ALTCHA signature"""
+    if 'algorithm' not in payload or 'signature' not in payload or 'verificationData' not in payload:
+        return False
+    
+    algorithm = payload['algorithm']
+    signature = payload['signature']
+    verification_data = payload['verificationData']
+    
+    # Calculate SHA hash of the verification data
+    if algorithm == 'SHA-256':
+        hash_func = hashlib.sha256
+    else:
+        # Fallback to SHA-256 if algorithm not specified
+        hash_func = hashlib.sha256
+    
+    # Calculate the hash of verification_data
+    data_hash = hash_func(verification_data.encode('utf-8')).digest()
+    
+    # Calculate the HMAC signature
+    calculated_signature = hmac.new(
+        current_app.config["ALTCHA_SECRET_KEY"].encode('utf-8'),
+        data_hash,
+        hash_func
+    ).hexdigest()
+    
+    # Compare the calculated signature with the provided signature
+    return hmac.compare_digest(calculated_signature, signature)