2 files changed, 36 insertions, 0 deletions

diff --git a/perllib/FixMyStreet/App/Controller/Auth.pm b/perllib/FixMyStreet/App/Controller/Auth.pm
index cecfa318c..beba6b235 100644
--- a/perllib/FixMyStreet/App/Controller/Auth.pm
+++ b/perllib/FixMyStreet/App/Controller/Auth.pm
@@ -448,6 +448,9 @@ sub check_csrf_token : Private {
         unless $time
             && $time > time() - 3600
             && $token eq $gen_token;
+
+    # Also check recaptcha if needed
+    $c->cobrand->call_hook('check_recaptcha');
 }
 
 sub no_csrf_token : Private {
diff --git a/perllib/FixMyStreet/Cobrand/UK.pm b/perllib/FixMyStreet/Cobrand/UK.pm
index a42ff58a6..4c62dd538 100644
--- a/perllib/FixMyStreet/Cobrand/UK.pm
+++ b/perllib/FixMyStreet/Cobrand/UK.pm
@@ -3,6 +3,7 @@ use base 'FixMyStreet::Cobrand::Default';
 use strict;
 
 use JSON::MaybeXS;
+use LWP::UserAgent;
 use mySociety::MaPit;
 use mySociety::VotingArea;
 use Utils;
@@ -422,4 +423,36 @@ sub report_new_munge_before_insert {
     }
 }
 
+# To use recaptcha, add a RECAPTCHA key to your config, with subkeys secret and
+# site_key, taken from the recaptcha site. This shows it to non-UK IP addresses
+# on alert and report pages.
+
+sub requires_recaptcha {
+    my $self = shift;
+    my $c = $self->{c};
+
+    return 0 if $c->user_exists;
+    return 0 if !FixMyStreet->config('RECAPTCHA');
+    return 0 if $c->user_country eq 'GB';
+    return 0 unless $c->action =~ /^(alert|report)/;
+    return 1;
+}
+
+sub check_recaptcha {
+    my $self = shift;
+    my $c = $self->{c};
+
+    return unless $self->requires_recaptcha;
+
+    my $url = 'https://www.google.com/recaptcha/api/siteverify';
+    my $res = LWP::UserAgent->new->post($url, {
+        secret => FixMyStreet->config('RECAPTCHA')->{secret},
+        response => $c->get_param('g-recaptcha-response'),
+        remoteip => $c->req->address,
+    });
+    $res = decode_json($res->content);
+    $c->detach('/page_error_400_bad_request', ['Bad recaptcha'])
+        unless $res->{success};
+}
+
 1;