Kallithea issues archive

Issue #313: Recaptcha not working?

Reported by: zwarmapapa
State: resolved
Created on: 2018-04-02 10:22
Updated on: 2018-04-08 18:16


So I enabled public registration, and pretty much every day I had bots registering on it (primarily from "http://seobest.website/").

So I got a google recaptcha key (v2), put it in kallithea, and now the registering page has a recaptcha saying: "V1 SHUTDOWN ON 2018-03-31"

What should I do?



Comment by zwarmapapa, on 2018-04-02 10:22

Comment by Thomas De Schampheleire, on 2018-04-02 10:46

Are you comfortable with programming? Honestly, the fastest way to get this solved would be if you could have a look at the existing code and propose changes to upgrade recaptcha support to use the v2 API.

I think this page will contain the info you need, but I haven't investigated in detail and I've never looked at the Kallithea side before.

If you're not comfortable with this, no problem, then someone else may have a look but it will probably take more time.

Comment by zwarmapapa, on 2018-04-02 11:29

I've never programmed python before, so it's probably not a good idea to make it myself.

However, the v2 integration seems very simple.

Client side:

<script src='https://www.google.com/recaptcha/api.js'></script>
<div class="g-recaptcha" data-sitekey="--public key here--"></div>  <!--paste this snippet at the end of the <form> where you want the reCAPTCHA widget to appear-->

Server side:

A post request to: https://www.google.com/recaptcha/api/siteverify with:

secret=---secret key here---
response=---value of 'g-recaptcha-response' here---
remoteip=---client IP here---

Then the response of that is a JSON object that contains: "success": true|false (see https://developers.google.com/recaptcha/docs/verify)

Comment by Mads Kiilerich, on 2018-04-02 11:46

Yeah - for now, it seems like it would be better to hide this functionality.

It seems like a somewhat interesting and easy problem to solve for someone who wants to use captcha or learn how to do it.

Comment by zwarmapapa, on 2018-04-02 13:15

Hmmm I don't know, it seems very simple.

Just replace the current recaptcha in /templates/register.html by:

<div class="g-recaptcha" data-sitekey="{c.captcha_public_key}"></div>

Then in the controller/action of that page (/controllers/login.py), replace the old validation by a HTTP request with the content being:

"secret" => captcha_private_key
"response" => request.POST.get('g-recaptcha-response')
"remoteip" => request.ip_addr

Then parse the result (JSON) and check if "success" == true.

Then, all that remains is to put the recaptcha library somewhere. Don't know where you place that, but the code of it is:

<script src='https://www.google.com/recaptcha/api.js'></script>

And that would be it. Done. Seems like that would take about the same effort as hiding the recaptcha functionality lol.

Comment by Thomas De Schampheleire, on 2018-04-02 13:57

It seems you're already halfway the solution :-)

The existing code is at kallithea/lib/recaptcha.py with some bits in the templates too. https://kallithea-scm.org/repos/kallithea-incoming/files/88d885e2aa99e6f90a34523832642e53a156123a/kallithea/lib/recaptcha.py I did a quick test with the google test keys on the existing v1 code but did not see the deprecation warning.

Comment by zwarmapapa, on 2018-04-03 10:36

Comment by zwarmapapa, on 2018-04-03 10:45

Oh I didn't notice that file. Pretty much everything can be removed from it (v2 is a lot simpler than v1 was). Also, in v2, there is no challenge and response field anymore for as far as I know, it's just one field now ('g-recaptcha-response', which is the response I guess, which apparently means only the response is required in v2).

Anyway, yeah you can't generate v1 keys anymore. Maybe the deprecation warning is caused by using v2 keys.

I'll see if I can update the recaptcha code. Thing is though that I've never programmed python before, so I have no libraries or development kits or anything installed yet for it. But well we'll see.

Comment by zwarmapapa, on 2018-04-03 12:32

Comment by Thomas De Schampheleire, on 2018-04-08 18:16

changes pushed, thanks a lot for your contribution!