bookwyrm-social · mouse-reeve · Oct 18, 2024
diff --git a/.env.example b/.env.example
@@ -23,6 +23,10 @@ DEFAULT_LANGUAGE="English"
 
 MEDIA_ROOT=images/
 
+# hCaptcha configuration
+HCAPTCHA_SITEKEY=
+HCAPTCHA_SECRET=
+
 # Database configuration
 PGPORT=5432
 POSTGRES_PASSWORD=securedbypassword123

diff --git a/bookwyrm/forms/landing.py b/bookwyrm/forms/landing.py
@@ -4,6 +4,7 @@
 from django.core.exceptions import ValidationError
 from django.utils.translation import gettext_lazy as _
 
+from hcaptcha_field import hCaptchaField
 import pyotp
 
 from bookwyrm import models
@@ -38,9 +39,11 @@ def add_invalid_password_error(self):
 
 
 class RegisterForm(CustomForm):
+    hcaptcha = hCaptchaField()
+
     class Meta:
         model = models.User
-        fields = ["localname", "email", "password"]
+        fields = ["localname", "email", "password", "hcaptcha"]
         help_texts = {f: None for f in fields}
         widgets = {"password": forms.PasswordInput()}
 

diff --git a/bookwyrm/settings.py b/bookwyrm/settings.py
@@ -35,6 +35,9 @@
 
 JS_CACHE = "8a89cad7"
 
+HCAPTCHA_SITEKEY = env("HCAPTCHA_SITEKEY")
+HCAPTCHA_SECRET = env("HCAPTCHA_SECRET")
+
 # email
 EMAIL_BACKEND = env("EMAIL_BACKEND", "django.core.mail.backends.smtp.EmailBackend")
 EMAIL_HOST = env("EMAIL_HOST")
@@ -101,6 +104,7 @@
     "django.contrib.messages",
     "django.contrib.staticfiles",
     "django.contrib.humanize",
+    "hcaptcha_field",
     "oauth2_provider",
     "file_resubmit",
     "sass_processor",
@@ -479,8 +483,8 @@
     )
     MEDIA_FULL_URL = MEDIA_URL
     # Content Security Policy
-    CSP_DEFAULT_SRC = ["'self'", AZURE_CUSTOM_DOMAIN] + CSP_ADDITIONAL_HOSTS
-    CSP_SCRIPT_SRC = ["'self'", AZURE_CUSTOM_DOMAIN] + CSP_ADDITIONAL_HOSTS
+    CSP_DEFAULT_SRC = ["'self'", AZURE_CUSTOM_DOMAIN] + env.list("CSP_ADDITIONAL_HOSTS")
+    CSP_SCRIPT_SRC = ["'self'", AZURE_CUSTOM_DOMAIN] + env.list("CSP_ADDITIONAL_HOSTS")
 else:
     # Storages
     STORAGES = {
@@ -504,8 +508,8 @@
     MEDIA_URL = "/images/"
     MEDIA_FULL_URL = BASE_URL + MEDIA_URL
     # Content Security Policy
-    CSP_DEFAULT_SRC = ["'self'"] + CSP_ADDITIONAL_HOSTS
-    CSP_SCRIPT_SRC = ["'self'"] + CSP_ADDITIONAL_HOSTS
+    CSP_DEFAULT_SRC = ["'self'"] + env.list("CSP_ADDITIONAL_HOSTS")
+    CSP_SCRIPT_SRC = ["'self'"] + env.list("CSP_ADDITIONAL_HOSTS")
 
 CSP_INCLUDE_NONCE_IN = ["script-src"]
 

diff --git a/bookwyrm/templates/snippets/register_form.html b/bookwyrm/templates/snippets/register_form.html
@@ -60,6 +60,13 @@
 
 <input type="hidden" name="preferred_timezone" />
 
+<div class="field">
+    <div class="control">
+        {{ register_form.hcaptcha }}
+        {% include 'snippets/form_errors.html' with errors_list=register_form.hcaptcha.errors id="desc_hcaptcha_register" %}
+    </div>
+</div>
+
 <div class="field">
     <div class="control">
         <button class="button is-primary" type="submit">

diff --git a/requirements.txt b/requirements.txt
@@ -8,6 +8,7 @@ Django==4.2.16
 django-celery-beat==2.6.0
 django-compressor==4.4
 django-csp==3.8
+django-hcaptcha-field==1.4.0
 django-imagekit==5.0.0
 django-model-utils==4.4.0
 django-oauth-toolkit==2.3.0