Fully working captcha for contact form

.gitignore

@@ -7,6 +7,7 @@ npm-debug.*
 *.swp
 .DS_Store
 .vscode
+nohup.out
 *.code-workspace
 .sass-cache
 node_modules

README.md

@@ -137,6 +137,7 @@ Edit `_data/faq.json` file to add a new Q/A couple object. Plain html e.g. `<br>
 Edit `partials/components/contact-form.html` file to modify the contact form and `src/form/contact-form-handler.php` to modify the form handler.
 
 To test it in a local environment, because there is PHP to execute, you will need to setup a apache vhost with the `dist` folder as the root and the phpmailer library installed.
+The captcha service is hCaptcha, you will need to create an account and get your own site key (change it in the contact form partial) and secret key.
 Add these lines to the vhost configuration file (here with mailtrap as smtp provider for testing purposes):
 
 ```
@@ -144,4 +145,5 @@ SetEnv ASTRO_SMTP_FROM test@astrolabe.test
 SetEnv ASTRO_SMTP_HOSTNAME sandbox.smtp.mailtrap.io
 SetEnv ASTRO_SMTP_USERNAME xxxxx
 SetEnv ASTRO_SMTP_PASSWORD xxxxx
+SetEnv HCAPTCHA_SECRET_KEY xxxxx
 ```

src/_includes/partials/components/contact-form.njk

@@ -56,6 +56,9 @@
           <label class="ohnohoney" for="email"></label>
           <input tabindex="-1" class="ohnohoney" autocomplete="off" type="email" id="email" name="email" placeholder="Your e-mail here">
         </li>
+
+        <div class="h-captcha" data-sitekey="b07c49fe-50ee-4432-af0a-96d675c6326a"></div>
+        <script src="https://js.hcaptcha.com/1/api.js" async defer></script>
       </ol>
       {% if contactMember %}
         {{ hidden_field('contactTo', contactMember) }}

src/form/contact-form-handler.php

@@ -22,12 +22,41 @@ $wantedContact = (
     || empty($domainFromMyEmail)
 ) ? $myEmail : "$wantedContact@$domainFromMyEmail" ;
 
+/* hCaptcha */
+$hcaptchaSecret = getenv('HCAPTCHA_SECRET_KEY');
+$hcaptchaVerifyUrl = "https://api.hcaptcha.com/siteverify";
+
 if(empty($_POST['namezzz']) || empty($_POST['emailzzz']) || empty($_POST['message'])) {
-    $errors .= "\n Error: all fields are required";
+    $errors .= "\n Erreur : champs obligatoires manquants.";
 }
 
 if(!empty($_POST['name']) && !empty($_POST['email'])) {
-    $errors .= "\n Error: spam";
+    $errors .= "\n Erreur : spam détecté.";
+}
+
+/* Captcha verification */
+if(!empty($_POST['h-captcha-response'])) {
+    $responseKey = $_POST['h-captcha-response'];
+    $data = array(
+        'secret' => $hcaptchaSecret,
+        'response' => $responseKey
+    );
+
+    $checkRequest = curl_init();
+    curl_setopt($checkRequest, CURLOPT_URL, $hcaptchaVerifyUrl);
+    curl_setopt($checkRequest, CURLOPT_POST, 1);
+    curl_setopt($checkRequest, CURLOPT_POSTFIELDS, http_build_query($data));
+    curl_setopt($checkRequest, CURLOPT_RETURNTRANSFER, true);
+    $response = curl_exec($checkRequest);
+    curl_close($checkRequest);
+
+    $responseData = json_decode($response, true);
+
+    if(!$responseData['success']) {
+        $errors .= "\n Erreur lors de la validation du captcha.";
+    }
+} else {
+    $errors .= "\n Erreur lors de la validation du captcha.";
 }
 
 $name = $_POST['namezzz'];
@@ -37,7 +66,7 @@ $message = $_POST['message'];
 $subscribe = $_POST['subscribe'];
 
 if (!filter_var($emailAddress, FILTER_VALIDATE_EMAIL)) {
-    $errors .= "\n Error: Invalid email address $emailAddress";
+    $errors .= "\n Erreur d'adresse e-mail invalide : $emailAddress";
 }
 
 if(empty($errors)) {
@@ -110,7 +139,8 @@ if(empty($errors)) {
 	<body>
 		<!-- This page is displayed only if there is some error -->
 		<?php
-        echo nl2br($errors);
-?>
+            echo nl2br($errors);
+        ?>
+        <a href="javascript:history.back()">Retour</a>
 	</body>
 </html>