Add in better captchas

Author: BenjaminMichaelis

.github/workflows/Build-Test-And-Deploy.yml

@@ -164,7 +164,8 @@ jobs:
               AZURE_CLIENT_ID=$AZURECLIENTID HCaptcha__SiteKey=secretref:captcha-sitekey HCaptcha__SecretKey=secretref:captcha-secretkey APPLICATIONINSIGHTS_CONNECTION_STRING=secretref:appinsights-connectionstring \
               AIOptions__Endpoint=secretref:ai-endpoint AIOptions__VectorGenerationDeploymentName=secretref:ai-vectordeployment AIOptions__ChatDeploymentName=secretref:ai-chatdeployment \
               AIOptions__SystemPrompt=secretref:ai-systemprompt ConnectionStrings__PostgresVectorStore=secretref:postgres-vectorstore-connectionstring \
-              TryDotNet__Origin=$TRYDOTNET_ORIGIN DataProtection__AzureKeyVaultKeyUri=$KEYVAULTURI/keys/dataprotection
+              TryDotNet__Origin=$TRYDOTNET_ORIGIN DataProtection__AzureKeyVaultKeyUri=$KEYVAULTURI/keys/dataprotection \
+              HCaptcha__ExpectedHostname=staging.essentialcsharp.com
       - name: Logout of Azure CLI
         if: always()
         uses: azure/CLI@v3
@@ -255,8 +256,8 @@ jobs:
               AZURE_CLIENT_ID=$AZURECLIENTID HCaptcha__SiteKey=secretref:captcha-sitekey HCaptcha__SecretKey=secretref:captcha-secretkey APPLICATIONINSIGHTS_CONNECTION_STRING=secretref:appinsights-connectionstring \
               AIOptions__Endpoint=secretref:ai-endpoint AIOptions__VectorGenerationDeploymentName=secretref:ai-vectordeployment AIOptions__ChatDeploymentName=secretref:ai-chatdeployment \
               AIOptions__SystemPrompt=secretref:ai-systemprompt ConnectionStrings__PostgresVectorStore=secretref:postgres-vectorstore-connectionstring \
-              TryDotNet__Origin=$TRYDOTNET_ORIGIN DataProtection__AzureKeyVaultKeyUri=$KEYVAULTURI/keys/dataprotection
-
+              TryDotNet__Origin=$TRYDOTNET_ORIGIN DataProtection__AzureKeyVaultKeyUri=$KEYVAULTURI/keys/dataprotection \
+              HCaptcha__ExpectedHostname=essentialcsharp.com
 
       - name: Logout of Azure CLI
         if: always()

EssentialCSharp.Web.Tests/CombinedRateLimiterTests.cs

@@ -0,0 +1,69 @@
+using System.Threading.RateLimiting;
+using EssentialCSharp.Web.Services;
+
+namespace EssentialCSharp.Web.Tests;
+
+/// <summary>
+/// Unit tests for <see cref="CombinedRateLimiter"/> — no HTTP, no factory.
+/// AutoReplenishment is disabled so permits are consumed deterministically without timer callbacks.
+/// </summary>
+public class CombinedRateLimiterTests
+{
+    private static CombinedRateLimiter CreateLimiter(int perMinute, int perHour) =>
+        new(
+            new SlidingWindowRateLimiter(new SlidingWindowRateLimiterOptions
+            {
+                PermitLimit = perMinute,
+                Window = TimeSpan.FromMinutes(1),
+                SegmentsPerWindow = 3,
+                AutoReplenishment = false,
+                QueueLimit = 0
+            }),
+            new FixedWindowRateLimiter(new FixedWindowRateLimiterOptions
+            {
+                PermitLimit = perHour,
+                Window = TimeSpan.FromHours(1),
+                AutoReplenishment = false,
+                QueueLimit = 0
+            })
+        );
+
+    [Test]
+    public async Task PerMinuteLimitIsEnforced_WhenPerHourIsSufficient()
+    {
+        using var limiter = CreateLimiter(perMinute: 3, perHour: 1000);
+
+        for (int i = 0; i < 3; i++)
+        {
+            using var lease = limiter.AttemptAcquire();
+            await Assert.That(lease.IsAcquired).IsTrue();
+        }
+
+        using var rejected = limiter.AttemptAcquire();
+        await Assert.That(rejected.IsAcquired).IsFalse();
+    }
+
+    [Test]
+    public async Task PerHourLimitIsEnforced_WhenPerMinuteIsSufficient()
+    {
+        using var limiter = CreateLimiter(perMinute: 1000, perHour: 3);
+
+        for (int i = 0; i < 3; i++)
+        {
+            using var lease = limiter.AttemptAcquire();
+            await Assert.That(lease.IsAcquired).IsTrue();
+        }
+
+        using var rejected = limiter.AttemptAcquire();
+        await Assert.That(rejected.IsAcquired).IsFalse();
+    }
+
+    [Test]
+    public async Task BothLimitsPass_AcquiredLeaseIsSuccessful()
+    {
+        using var limiter = CreateLimiter(perMinute: 5, perHour: 5);
+
+        using var lease = limiter.AttemptAcquire();
+        await Assert.That(lease.IsAcquired).IsTrue();
+    }
+}

EssentialCSharp.Web.Tests/ContentRateLimitingTests.cs

@@ -0,0 +1,36 @@
+using System.Net;
+using Microsoft.AspNetCore.Mvc.Testing;
+
+namespace EssentialCSharp.Web.Tests;
+
+/// <summary>
+/// HTTP integration tests for the "content" rate limit policy.
+/// Uses its own factory (PerClass) to get a fresh in-memory rate limiter for each run.
+/// Anonymous users are limited to 10 requests per minute on chapter content pages.
+/// </summary>
+[ClassDataSource<WebApplicationFactory>(Shared = SharedType.PerClass)]
+public class ContentRateLimitingTests(WebApplicationFactory factory)
+{
+    [Test]
+    public async Task ContentEndpoint_ExceedingPerMinuteLimit_Returns429()
+    {
+        // AllowAutoRedirect = false prevents redirect-following from consuming extra permits.
+        HttpClient client = factory.CreateClient(new WebApplicationFactoryClientOptions
+        {
+            AllowAutoRedirect = false
+        });
+
+        // Anonymous limit is 10/min. First 10 requests should not be rate-limited.
+        for (int i = 0; i < 10; i++)
+        {
+            using HttpResponseMessage response = await client.GetAsync("/hello-world");
+            await Assert.That(response.StatusCode)
+                .IsNotEqualTo(HttpStatusCode.TooManyRequests)
+                .Because($"request {i + 1} of 10 should be within the rate limit");
+        }
+
+        // 11th request must be rejected by the content rate limiter.
+        using HttpResponseMessage rateLimited = await client.GetAsync("/hello-world");
+        await Assert.That(rateLimited.StatusCode).IsEqualTo(HttpStatusCode.TooManyRequests);
+    }
+}

EssentialCSharp.Web.Tests/Integration/CaptchaTests.cs

@@ -12,7 +12,7 @@ public class CaptchaTests(CaptchaServiceProvider serviceProvider)
     [Test]
     public async Task CaptchaService_Verify_Success(CancellationToken cancellationToken)
     {
-        ICaptchaService captchaService = serviceProvider.ServiceProvider.GetRequiredService<ICaptchaService>();
+        CaptchaService captchaService = (CaptchaService)serviceProvider.ServiceProvider.GetRequiredService<ICaptchaService>();
 
         // From https://docs.hcaptcha.com/#integration-testing-test-keys
         string hCaptchaSecret = "0x0000000000000000000000000000000000000000";

EssentialCSharp.Web/Areas/Identity/Pages/Account/ForgotPassword.cshtml

@@ -9,18 +9,48 @@
 <hr />
 <div class="row">
     <div class="col-md-4">
-        <form method="post">
+        <form id="forgot-password-form" method="post">
             <div asp-validation-summary="ModelOnly" class="text-danger" role="alert"></div>
             <div class="form-floating mb-3">
                 <input asp-for="Input.Email" class="form-control" autocomplete="username" aria-required="true" placeholder="name@example.com" />
                 <label asp-for="Input.Email" class="form-label"></label>
                 <span asp-validation-for="Input.Email" class="text-danger"></span>
             </div>
+            <div id="forgot-password-captcha"></div>
+            <p class="small text-muted mt-2">
+                This site is protected by hCaptcha and its
+                <a href="https://www.hcaptcha.com/privacy" target="_blank" rel="noopener noreferrer">Privacy Policy</a>
+                and <a href="https://www.hcaptcha.com/terms" target="_blank" rel="noopener noreferrer">Terms of Service</a>
+                apply.
+            </p>
             <button type="submit" class="w-100 btn btn-lg btn-primary">Reset Password</button>
         </form>
     </div>
 </div>
 
 @section Scripts {
     <partial name="_ValidationScriptsPartial" />
+    <script>
+    (function () {
+        let forgotPwWidgetId;
+        let captchaSolved = false;
+        const form = document.getElementById('forgot-password-form');
+
+        document.addEventListener('DOMContentLoaded', function () {
+            forgotPwWidgetId = hcaptcha.render('forgot-password-captcha', {
+                sitekey: '@Model.CaptchaSiteKey',
+                size: 'invisible',
+                callback: function () { captchaSolved = true; form.requestSubmit(); },
+                'expired-callback': function () { captchaSolved = false; },
+                'error-callback': function () { captchaSolved = false; }
+            });
+            form.addEventListener('submit', function (e) {
+                if (!captchaSolved) {
+                    e.preventDefault();
+                    if (!window.jQuery || $(form).valid()) { hcaptcha.execute(forgotPwWidgetId); }
+                }
+            });
+        });
+    })();
+    </script>
 }

EssentialCSharp.Web/Areas/Identity/Pages/Account/ForgotPassword.cshtml.cs

@@ -2,15 +2,18 @@
 using System.Text;
 using System.Text.Encodings.Web;
 using EssentialCSharp.Web.Areas.Identity.Data;
+using EssentialCSharp.Web.Models;
+using EssentialCSharp.Web.Services;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Identity.UI.Services;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
 using Microsoft.AspNetCore.WebUtilities;
+using Microsoft.Extensions.Options;
 
 namespace EssentialCSharp.Web.Areas.Identity.Pages.Account;
 
-public class ForgotPasswordModel(UserManager<EssentialCSharpWebUser> userManager, IEmailSender emailSender) : PageModel
+public class ForgotPasswordModel(UserManager<EssentialCSharpWebUser> userManager, IEmailSender emailSender, ICaptchaService captchaService, IOptions<CaptchaOptions> optionsAccessor) : PageModel
 {
     private InputModel? _Input;
     [BindProperty]
@@ -20,6 +23,8 @@ public InputModel Input
         set => _Input = value ?? throw new ArgumentNullException(nameof(value));
     }
 
+    public string CaptchaSiteKey { get; } = optionsAccessor.Value.SiteKey ?? string.Empty;
+
     public class InputModel
     {
 
@@ -30,6 +35,14 @@ public class InputModel
 
     public async Task<IActionResult> OnPostAsync()
     {
+        string? captchaToken = Request.Form[CaptchaOptions.HttpPostResponseKeyName];
+        HCaptchaResult? captchaResult = await captchaService.VerifyAsync(captchaToken, HttpContext.Connection.RemoteIpAddress?.ToString());
+        if (captchaResult?.Success != true)
+        {
+            ModelState.AddModelError(string.Empty, "Human verification failed. Please try again.");
+            return Page();
+        }
+
         if (ModelState.IsValid)
         {
             if (Input.Email is null)

EssentialCSharp.Web/Areas/Identity/Pages/Account/Login.cshtml

@@ -30,6 +30,13 @@
                     </label>
                 </div>
                 <div>
+                    <div id="login-captcha"></div>
+                    <p class="small text-muted mt-2">
+                        This site is protected by hCaptcha and its
+                        <a href="https://www.hcaptcha.com/privacy" target="_blank" rel="noopener noreferrer">Privacy Policy</a>
+                        and <a href="https://www.hcaptcha.com/terms" target="_blank" rel="noopener noreferrer">Terms of Service</a>
+                        apply.
+                    </p>
                     <button id="login-submit" type="submit" class="w-100 btn btn-lg btn-primary">Log in</button>
                 </div>
                 <div>
@@ -83,4 +90,27 @@
 
 @section Scripts {
     <partial name="_ValidationScriptsPartial" />
+    <script>
+    (function () {
+        let loginWidgetId;
+        let captchaSolved = false;
+        const form = document.getElementById('account');
+
+        document.addEventListener('DOMContentLoaded', function () {
+            loginWidgetId = hcaptcha.render('login-captcha', {
+                sitekey: '@Model.CaptchaSiteKey',
+                size: 'invisible',
+                callback: function () { captchaSolved = true; form.requestSubmit(); },
+                'expired-callback': function () { captchaSolved = false; },
+                'error-callback': function () { captchaSolved = false; }
+            });
+            form.addEventListener('submit', function (e) {
+                if (!captchaSolved) {
+                    e.preventDefault();
+                    if (!window.jQuery || $(form).valid()) { hcaptcha.execute(loginWidgetId); }
+                }
+            });
+        });
+    })();
+    </script>
 }

EssentialCSharp.Web/Areas/Identity/Pages/Account/Register.cshtml

@@ -47,7 +47,7 @@
                 <span asp-validation-for="Input.ConfirmPassword" class="text-danger"></span>
             </div>
             <div class="form-group">
-                <div class="h-captcha" data-sitekey=@Model.CaptchaOptions.SiteKey></div>
+                <partial name="_HCaptchaWidget" model='new EssentialCSharp.Web.Models.HCaptchaWidgetModel(Model.CaptchaSiteKey)' />
             </div>
             <button id="registerSubmit" type="submit" class="w-100 btn btn-lg btn-primary">Register</button>
         </form>
@@ -90,7 +90,6 @@
 </div>
 
 @section Scripts {
-    <script src="https://js.hcaptcha.com/1/api.js" async defer></script>
     <partial name="_ValidationScriptsPartial" />
     <script type="module" src="~/js/password-strength.js" asp-append-version="true"></script>
 }