<?php
if ( ! defined( 'ABSPATH' ) ) {
	die( 'You are not allowed to call this page directly.' );
}

/**
 * @since 3.0
 */
class FrmFieldCaptcha extends FrmFieldType {

	/**
	 * @var string
	 * @since 3.0
	 */
	protected $type = 'captcha';

	/**
	 * @return string
	 */
	protected function include_form_builder_file() {
		return FrmAppHelper::plugin_path() . '/classes/views/frm-fields/back-end/field-captcha.php';
	}

	/**
	 * Returns the image name for a captcha.
	 *
	 * @return string
	 */
	public static function get_captcha_image_name() {
		$frm_settings   = FrmAppHelper::get_settings();
		$active_captcha = $frm_settings->active_captcha;
		if ( $active_captcha === 'recaptcha' && $frm_settings->re_type === 'v3' ) {
			$image_name = 'recaptcha_v3';
		} else {
			$image_name = $active_captcha;
		}

		return $image_name;
	}

	/**
	 * @return array
	 */
	protected function field_settings_for_type() {
		$settings = FrmCaptchaFactory::get_settings_object();
		return array(
			'required'                  => false,
			'invalid'                   => true,
			'captcha_size'              => $settings->should_show_captcha_size(),
			'captcha_theme'             => $settings->should_show_captcha_theme(),
			'captcha_theme_auto_option' => $settings->should_show_captcha_theme_auto_option(),
			'default'                   => false,
		);
	}

	/**
	 * @return array
	 */
	protected function new_field_settings() {
		$frm_settings = FrmAppHelper::get_settings();

		return array(
			'invalid' => $frm_settings->re_msg,
		);
	}

	/**
	 * @return array
	 */
	protected function extra_field_opts() {
		return array(
			'label'         => 'none',
			'captcha_size'  => 'normal',
			'captcha_theme' => 'light',
		);
	}

	/**
	 * Replace the "for" attribute for captcha field so it matches the response ID.
	 *
	 * @param array  $args
	 * @param string $html
	 *
	 * @return string
	 */
	protected function before_replace_html_shortcodes( $args, $html ) {
		$settings = FrmCaptchaFactory::get_settings_object();
		return str_replace( ' for="field_[key]"', ' for="' . esc_attr( $settings->token_field ) . '"', $html );
	}

	/**
	 * @param array $args
	 * @param array $shortcode_atts
	 * @return string
	 */
	public function front_field_input( $args, $shortcode_atts ) {
		$frm_settings = FrmAppHelper::get_settings();
		if ( ! self::should_show_captcha() ) {
			return '';
		}

		$settings       = FrmCaptchaFactory::get_settings_object();
		$div_attributes = array(
			'id'           => $args['html_id'],
			'class'        => $this->class_prefix( $frm_settings ) . $this->captcha_class( $frm_settings ),
			'data-sitekey' => $settings->get_pubkey(),
		);
		if ( 'turnstile' === $frm_settings->active_captcha ) {
			$captcha_language = $this->get_captcha_language();
			if ( $captcha_language ) {
				$div_attributes['data-language'] = $captcha_language;
			}
		}
		$div_attributes = $settings->add_front_end_element_attributes( $div_attributes, $this->field );
		$html           = '<div ' . FrmAppHelper::array_to_html_params( $div_attributes ) . '></div>';

		return $html;
	}

	/**
	 * @since 6.25
	 *
	 * @return string
	 */
	private function get_captcha_language() {
		/**
		 * Allows updating the captcha language.
		 *
		 * @since 6.25
		 *
		 * @param string $lang
		 * @param array $field
		 */
		return apply_filters( 'frm_captcha_lang', get_bloginfo( 'language' ), $this->field );
	}

	/**
	 * @return void
	 */
	protected function load_field_scripts( $args ) {
		$api_js_url = $this->api_url();

		wp_register_script( 'captcha-api', $api_js_url, array( 'formidable' ), '3', true );
		wp_enqueue_script( 'captcha-api' );
	}

	/**
	 * Get the URL for the script JS that is loaded on the front end.
	 *
	 * @return string
	 */
	protected function api_url() {
		$frm_settings = FrmAppHelper::get_settings();
		$active_mode  = $frm_settings->active_captcha;

		if ( 'recaptcha' === $active_mode ) {
			return $this->recaptcha_api_url( $frm_settings );
		}

		if ( 'hcaptcha' === $active_mode ) {
			return $this->hcaptcha_api_url();
		}

		return $this->turnstile_api_url();
	}

	/**
	 * @param FrmSettings $frm_settings
	 * @return string
	 */
	protected function recaptcha_api_url( $frm_settings ) {
		$api_js_url = 'https://www.google.com/recaptcha/api.js?';

		if ( $this->allow_multiple( $frm_settings ) ) {
			$api_js_url .= '&onload=frmRecaptcha&render=explicit';
		}

		$lang = apply_filters( 'frm_recaptcha_lang', $frm_settings->re_lang, $this->field );
		if ( $lang ) {
			$api_js_url .= '&hl=' . $lang;
		}

		// Since this URL initially ends with ? and we never use add_query_arg, remove the extra
		// & that appears immediately after the ?
		$api_js_url = str_replace( '?&', '?', $api_js_url );

		/**
		 * @param string $api_js_url
		 */
		$api_js_url = apply_filters( 'frm_recaptcha_js_url', $api_js_url );

		return $api_js_url;
	}

	/**
	 * @since 6.0
	 *
	 * @return string
	 */
	protected function hcaptcha_api_url() {
		$api_js_url = 'https://js.hcaptcha.com/1/api.js';

		$lang = $this->get_captcha_language();
		if ( $lang ) {
			// Language might be in the format of en-US, fr-FR, etc. In that case, we need to extract the first part to comply with the hcaptcha api request format.
			$lang_parts  = explode( '-', $lang );
			$api_js_url .= '?hl=' . $lang_parts[0];
		}

		$api_js_url = add_query_arg( 'onload', 'frmHcaptcha', $api_js_url );

		/**
		 * Allows updating hcaptcha js api url.
		 *
		 * @since 6.0
		 *
		 * @param string $api_js_url
		 */
		$api_js_url = apply_filters( 'frm_hcaptcha_js_url', $api_js_url );

		return $api_js_url;
	}

	/**
	 * @since 6.8.4
	 *
	 * @return string
	 */
	protected function turnstile_api_url() {
		$api_js_url = 'https://challenges.cloudflare.com/turnstile/v0/api.js?onload=frmTurnstile&render=explicit';

		/**
		 * Allows updating hcaptcha js api url.
		 *
		 * @since 6.8.4
		 *
		 * @param string $api_js_url
		 */
		$api_js_url = apply_filters( 'frm_turnstile_js_url', $api_js_url );

		// Prevent render=explicit from happening twice in case someone patched
		// the double rendering issue using the frm_turnstile_js_url hook.
		$api_js_url = str_replace(
			'&render=explicit&render=explicit',
			'&render=explicit',
			$api_js_url
		);

		return $api_js_url;
	}

	/**
	 * @param FrmSettings $frm_settings
	 *
	 * @return string
	 *
	 * @psalm-return ''|'frm-'
	 */
	protected function class_prefix( $frm_settings ) {
		return FrmCaptchaFactory::get_settings_object()->get_class_prefix( $this->allow_multiple( $frm_settings ) );
	}

	/**
	 * @param FrmSettings $frm_settings This isn't used anymore. It's only there for backwards compatibility.
	 *
	 * @return string
	 *
	 * @psalm-return 'g-recaptcha'|'h-captcha'
	 */
	protected function captcha_class( $frm_settings ) {
		$settings = FrmCaptchaFactory::get_settings_object();
		return $settings->get_element_class_name();
	}

	protected function allow_multiple( $frm_settings ) {
		return $frm_settings->re_multi;
	}

	/**
	 * @since 4.07
	 * @param array $args
	 * @return array
	 */
	protected function validate_against_api( $args ) {
		$errors       = array();
		$frm_settings = FrmAppHelper::get_settings();
		$resp         = $this->send_api_check( $frm_settings );
		$response     = json_decode( wp_remote_retrieve_body( $resp ), true );

		if ( is_wp_error( $resp ) ) {
			$error_string                     = $resp->get_error_message();
			$errors[ 'field' . $args['id'] ]  = __( 'There was a problem verifying your captcha', 'formidable' );
			$errors[ 'field' . $args['id'] ] .= ' ' . $error_string;
			return $errors;
		}

		if ( ! is_array( $response ) ) {
			return $errors;
		}

		if ( $frm_settings->active_captcha === 'recaptcha' ) {
			if ( 'v3' === $frm_settings->re_type && array_key_exists( 'score', $response ) ) {
				$threshold = floatval( $frm_settings->re_threshold );
				$score     = floatval( $response['score'] );

				$this->set_score( $score );

				if ( $score < $threshold ) {
					$response['success'] = false;
				}
			}
		}

		if ( isset( $response['success'] ) && ! $response['success'] ) {
			// What happens when the CAPTCHA was entered incorrectly
			$invalid_message = FrmField::get_option( $this->field, 'invalid' );
			if ( $invalid_message === __( 'The reCAPTCHA was not entered correctly', 'formidable' ) ) {
				$invalid_message = '';
			}
			$errors[ 'field' . $args['id'] ] = ( $invalid_message === '' ? $frm_settings->re_msg : $invalid_message );
		}

		return $errors;
	}

	/**
	 * @param float $score
	 * @return void
	 */
	private function set_score( $score ) {
		global $frm_vars;
		if ( ! isset( $frm_vars['captcha_scores'] ) ) {
			$frm_vars['captcha_scores'] = array();
		}
		$form_id = is_object( $this->field ) ? $this->field->form_id : $this->field['form_id'];
		if ( ! isset( $frm_vars['captcha_scores'][ $form_id ] ) ) {
			$frm_vars['captcha_scores'][ $form_id ] = $score;
		}
	}

	/**
	 * @param array $args
	 * @return array
	 */
	public function validate( $args ) {
		if ( ! $this->should_validate() ) {
			return array();
		}

		$missing_token = ! self::post_data_includes_token();
		if ( $missing_token ) {
			return array( 'field' . $args['id'] => __( 'The captcha is missing from this form', 'formidable' ) );
		}

		return $this->validate_against_api( $args );
	}

	/**
	 * @since 6.8.4
	 *
	 * @return bool
	 */
	protected static function post_data_includes_token() {
		$settings = FrmCaptchaFactory::get_settings_object();
		// phpcs:ignore WordPress.Security.NonceVerification.Missing
		return ! empty( $_POST[ $settings->token_field ] );
	}

	/**
	 * Check if the active captcha type's public key is set.
	 *
	 * @since 4.07
	 *
	 * @return bool
	 */
	public static function should_show_captcha() {
		$settings = FrmCaptchaFactory::get_settings_object();
		return $settings->has_pubkey();
	}

	/**
	 * @return bool
	 */
	protected function should_validate() {
		$is_hidden_field = apply_filters( 'frm_is_field_hidden', false, $this->field, wp_unslash( $_POST ) ); // phpcs:ignore WordPress.Security.NonceVerification.Missing
		if ( FrmAppHelper::is_admin() || $is_hidden_field ) {
			return false;
		}

		// don't require the captcha if it shouldn't be shown
		return self::should_show_captcha();
	}

	/**
	 * @param FrmSettings $frm_settings
	 */
	protected function send_api_check( $frm_settings ) {
		$captcha_settings = FrmCaptchaFactory::get_settings_object();
		$arg_array        = array(
			'body' => array(
				'secret'   => $captcha_settings->secret,
				'response' => FrmAppHelper::get_param( $captcha_settings->token_field, '', 'post', 'sanitize_text_field' ),
				'remoteip' => FrmAppHelper::get_ip_address(),
			),
		);

		return wp_remote_post( $captcha_settings->endpoint, $arg_array );
	}

	/**
	 * Updates field name in page builder to the currently activated captcha if it is set to the default.
	 *
	 * @since 6.0
	 *
	 * @param array $values
	 *
	 * @return array $values
	 */
	public static function update_field_name( $values ) {
		if ( $values['type'] === 'captcha' ) {
			$name = $values['name'];
			if ( in_array( $name, array( __( 'reCAPTCHA', 'formidable' ), __( 'hCaptcha', 'formidable' ) ), true ) ) {
				$values['name'] = __( 'Captcha', 'formidable' );
			}
		}

		return $values;
	}

	/**
	 * @param FrmSettings $frm_settings
	 * @return string
	 */
	protected function captcha_size( $frm_settings ) {
		_deprecated_function( __METHOD__, '6.8.4' );
		return 'normal';
	}
}

• [F] FrmFieldCaptcha.php
  Delete
• [F] FrmFieldCheckbox.php
  Delete
• [F] FrmFieldCombo.php
  Delete
• [F] FrmFieldCreditCard.php
  Delete
• [F] FrmFieldDefault.php
  Delete
• [F] FrmFieldEmail.php
  Delete
• [F] FrmFieldGdpr.php
  Delete
• [F] FrmFieldHidden.php
  Delete
• [F] FrmFieldHTML.php
  Delete
• [F] FrmFieldName.php
  Delete
• [F] FrmFieldNumber.php
  Delete
• [F] FrmFieldPhone.php
  Delete
• [F] FrmFieldRadio.php
  Delete
• [F] FrmFieldSelect.php
  Delete
• [F] FrmFieldSubmit.php
  Delete
• [F] FrmFieldText.php
  Delete
• [F] FrmFieldTextarea.php
  Delete
• [F] FrmFieldType.php
  Delete
• [F] FrmFieldUrl.php
  Delete
• [F] FrmFieldUserID.php
  Delete