Feat: Replace Google ReCAPTCHA with ALTCHA using API - non-tracking, GDPR compliant without cookies or fingerprinting.

2025-03-13 15:36:41 +00:00
parent 29205de12f
commit b843849af9
12 changed files with 2856 additions and 722 deletions
--- a/forms/contact.py
+++ b/forms/contact.py
@@ -16,12 +16,63 @@ Defines Flask-WTF form for handling user input on Contact Us page.
 # from models.model_view_store import Model_View_Store # circular
 from forms.base import Form_Base
 # external
+from flask import Flask, render_template, request, flash, redirect, url_for, current_app
 from flask_wtf import FlaskForm
-from wtforms import StringField, TextAreaField, SubmitField, BooleanField, IntegerField, SelectField, FloatField
-from wtforms.validators import InputRequired, NumberRange, Regexp, DataRequired, Optional
+from wtforms import StringField, TextAreaField, SubmitField, HiddenField, BooleanField
+from wtforms.validators import DataRequired, Email, ValidationError
 from flask_wtf.recaptcha import RecaptchaField
 from abc import ABCMeta, abstractmethod
+import requests
+import json
+import hmac
+import hashlib
+import base64
+import urllib.parse

+"""
+def validate_altcha(form, field):
+    if not field.data:
+        raise ValidationError('Please complete the ALTCHA challenge')
+    
+    try:
+        # Decode the base64-encoded payload
+        payload_json = base64.b64decode(field.data).decode('utf-8')
+        payload = json.loads(payload_json)
+        
+        # Verify ALTCHA response
+        if not payload.get('verified', False):
+            raise ValidationError('ALTCHA verification failed')
+        
+        # Verify signature
+        verification_data = payload.get('verificationData', '')
+        received_signature = payload.get('signature', '')
+        algorithm = payload.get('algorithm', 'SHA-256')
+        
+        # Calculate the hash of verification data
+        verification_hash = hashlib.sha256(verification_data.encode()).digest()
+        
+        # Calculate HMAC signature
+        hmac_key = current_app.config['ALTCHA_SECRET_KEY'].encode()
+        calculated_signature = hmac.new(
+            hmac_key, 
+            verification_hash, 
+            getattr(hashlib, algorithm.lower().replace('-', ''))
+        ).hexdigest()
+        
+        if calculated_signature != received_signature:
+            raise ValidationError('Invalid ALTCHA signature')
+            
+        # Optional: If using the spam filter, you could parse verification_data
+        # and reject submissions classified as spam
+        # Example:
+        parsed_data = dict(urllib.parse.parse_qsl(verification_data))
+        if parsed_data.get('classification') == 'BAD':
+            raise ValidationError('This submission was classified as spam')
+            
+    except Exception as e:
+        current_app.logger.error(f"ALTCHA validation error: {str(e)}")
+        raise ValidationError('ALTCHA validation failed')
+"""

 class Form_Contact(FlaskForm):
    email = StringField('Email')
@@ -29,5 +80,6 @@ class Form_Contact(FlaskForm):
    company_name = StringField('Company')
    message = TextAreaField('Message')
    receive_marketing = BooleanField('I would like to receive marketing emails.')
-    recaptcha = RecaptchaField()
+    # recaptcha = RecaptchaField()
+    altcha = HiddenField('ALTCHA') # , validators=[validate_altcha]
    submit = SubmitField('Send Message')