Add captcha challenge to staff login page

Signed-off-by: Keshav Priyadarshi <[email protected]>

Author: keshav-space

vulnerabilities/forms.py

@@ -8,6 +8,7 @@
 #
 
 from django import forms
+from django.contrib.admin.forms import AdminAuthenticationForm
 from django.core.validators import validate_email
 from django_recaptcha.fields import ReCaptchaField
 from django_recaptcha.widgets import ReCaptchaV2Checkbox
@@ -98,3 +99,12 @@ class PipelineSchedulePackageForm(forms.Form):
             },
         ),
     )
+
+
+class AdminLoginForm(AdminAuthenticationForm):
+    captcha = ReCaptchaField(
+        error_messages={
+            "required": ("Captcha is required"),
+        },
+        widget=ReCaptchaV2Checkbox(),
+    )

vulnerabilities/templates/admin_login.html

@@ -0,0 +1,70 @@
+{% extends "admin/base_site.html" %}
+{% load i18n static %}
+
+{% block extrastyle %}{{ block.super }}<link rel="stylesheet" href="{% static "admin/css/login.css" %}">
+{{ form.media }}
+{% endblock %}
+
+{% block bodyclass %}{{ block.super }} login{% endblock %}
+
+{% block usertools %}{% endblock %}
+
+{% block nav-global %}{% endblock %}
+
+{% block nav-sidebar %}{% endblock %}
+
+{% block content_title %}{% endblock %}
+
+{% block nav-breadcrumbs %}{% endblock %}
+
+{% block content %}
+
+{% if form.errors %}
+    {% if form.errors.captcha %}
+        {{ form.errors.captcha }}
+    {% else %}
+        {% for error in form.errors.values %}
+            {{ error }}
+        {% endfor %}
+    {% endif %}
+{% endif %}
+
+
+<div id="content-main">
+
+    {% if user.is_authenticated %}
+    <p class="errornote">
+        {% blocktranslate trimmed %}
+        You are authenticated as {{ username }}, but are not authorized to
+        access this page. Would you like to login to a different account?
+        {% endblocktranslate %}
+    </p>
+    {% endif %}
+
+    <form action="{{ app_path }}" method="post" id="login-form">{% csrf_token %}
+        <div class="form-row">
+            {{ form.username.errors }}
+            {{ form.username.label_tag }} {{ form.username }}
+        </div>
+        <div class="form-row">
+            {{ form.password.errors }}
+            {{ form.password.label_tag }} {{ form.password }}
+            <input type="hidden" name="next" value="{{ next }}">
+        </div>
+        {% url 'admin_password_reset' as password_reset_url %}
+        {% if password_reset_url %}
+        <div class="password-reset-link">
+            <a href="{{ password_reset_url }}">{% translate 'Forgotten your password or username?' %}</a>
+        </div>
+        {% endif %}
+        <div class="field" style="padding-top: 1rem; text-align: center;">
+            <div class="control" style="display: inline-block;">
+                {{ form.captcha }}
+            </div>
+        </div>
+        <div class="submit-row">
+            <input type="submit" value="{% translate 'Log in' %}">
+        </div>
+    </form>
+</div>
+{% endblock %}

vulnerabilities/views.py

@@ -12,6 +12,7 @@
 from cvss.exceptions import CVSS3MalformedError
 from cvss.exceptions import CVSS4MalformedError
 from django.contrib import messages
+from django.contrib.auth.views import LoginView
 from django.core.exceptions import ValidationError
 from django.core.mail import send_mail
 from django.db.models import Prefetch
@@ -27,6 +28,7 @@
 from django.views.generic.list import ListView
 
 from vulnerabilities import models
+from vulnerabilities.forms import AdminLoginForm
 from vulnerabilities.forms import ApiUserCreationForm
 from vulnerabilities.forms import PackageSearchForm
 from vulnerabilities.forms import PipelineSchedulePackageForm
@@ -418,3 +420,8 @@ def get_context_data(self, **kwargs):
         )
         context["pipeline_name"] = run.pipeline_class.__name__
         return context
+
+
+class AdminLoginView(LoginView):
+    template_name = "admin_login.html"
+    authentication_form = AdminLoginForm

vulnerablecode/settings.py

@@ -87,9 +87,14 @@
     "django_rq",
 )
 
-RECAPTCHA_PUBLIC_KEY = env.str("RECAPTCHA_PUBLIC_KEY", "")
-RECAPTCHA_PRIVATE_KEY = env.str("RECAPTCHA_PRIVATE_KEY", "")
-SILENCED_SYSTEM_CHECKS = ["captcha.recaptcha_test_key_error"]
+if env.str("RECAPTCHA_PUBLIC_KEY", None):
+    RECAPTCHA_PUBLIC_KEY = env.str("RECAPTCHA_PUBLIC_KEY")
+
+if env.str("RECAPTCHA_PRIVATE_KEY", None):
+    RECAPTCHA_PRIVATE_KEY = env.str("RECAPTCHA_PRIVATE_KEY")
+
+SILENCED_SYSTEM_CHECKS = ["django_recaptcha.recaptcha_test_key_error"]
+SILENCED_SYSTEM_CHECKS = ["django_recaptcha.recaptcha_test_key_error"]
 RECAPTCHA_DOMAIN = env.str("RECAPTCHA_DOMAIN", "www.recaptcha.net")
 
 

vulnerablecode/urls.py

@@ -24,6 +24,7 @@
 from vulnerabilities.api_v2 import PackageV2ViewSet
 from vulnerabilities.api_v2 import PipelineScheduleV2ViewSet
 from vulnerabilities.api_v2 import VulnerabilityV2ViewSet
+from vulnerabilities.views import AdminLoginView
 from vulnerabilities.views import ApiUserCreateView
 from vulnerabilities.views import HomePage
 from vulnerabilities.views import PackageDetails
@@ -60,6 +61,7 @@ def __init__(self, *args, **kwargs):
 
 
 urlpatterns = [
+    path("admin/login/", AdminLoginView.as_view(), name="admin-login"),
     path("api/v2/", include(api_v2_router.urls)),
     path(
         "robots.txt",