Kallithea issues archive

Are you comfortable with programming? Honestly, the fastest way to get this solved would be if you could have a look at the existing code and propose changes to upgrade recaptcha support to use the v2 API.

I think this page will contain the info you need, but I haven't investigated in detail and I've never looked at the Kallithea side before.

If you're not comfortable with this, no problem, then someone else may have a look but it will probably take more time.

I've never programmed python before, so it's probably not a good idea to make it myself.

However, the v2 integration seems very simple.

Client side:

<script src='https://www.google.com/recaptcha/api.js'></script>
<div class="g-recaptcha" data-sitekey="--public key here--"></div>  <!--paste this snippet at the end of the <form> where you want the reCAPTCHA widget to appear-->

Server side:

A post request to: https://www.google.com/recaptcha/api/siteverify with:

secret=---secret key here---
response=---value of 'g-recaptcha-response' here---
remoteip=---client IP here---

Then the response of that is a JSON object that contains: "success": true|false (see https://developers.google.com/recaptcha/docs/verify)

Yeah - for now, it seems like it would be better to hide this functionality.

It seems like a somewhat interesting and easy problem to solve for someone who wants to use captcha or learn how to do it.

Hmmm I don't know, it seems very simple.

Just replace the current recaptcha in /templates/register.html by:

<div class="g-recaptcha" data-sitekey="{c.captcha_public_key}"></div>

Then in the controller/action of that page (/controllers/login.py), replace the old validation by a HTTP request with the content being:

"secret" => captcha_private_key
"response" => request.POST.get('g-recaptcha-response')
"remoteip" => request.ip_addr

Then parse the result (JSON) and check if "success" == true.

Then, all that remains is to put the recaptcha library somewhere. Don't know where you place that, but the code of it is:

<script src='https://www.google.com/recaptcha/api.js'></script>

And that would be it. Done. Seems like that would take about the same effort as hiding the recaptcha functionality lol.

It seems you're already halfway the solution :-)

The existing code is at kallithea/lib/recaptcha.py with some bits in the templates too. https://kallithea-scm.org/repos/kallithea-incoming/files/88d885e2aa99e6f90a34523832642e53a156123a/kallithea/lib/recaptcha.py I did a quick test with the google test keys on the existing v1 code but did not see the deprecation warning.

Oh I didn't notice that file. Pretty much everything can be removed from it (v2 is a lot simpler than v1 was). Also, in v2, there is no challenge and response field anymore for as far as I know, it's just one field now ('g-recaptcha-response', which is the response I guess, which apparently means only the response is required in v2).

Anyway, yeah you can't generate v1 keys anymore. Maybe the deprecation warning is caused by using v2 keys.

I'll see if I can update the recaptcha code. Thing is though that I've never programmed python before, so I have no libraries or development kits or anything installed yet for it. But well we'll see.

I've updated the recaptcha code to v2.

Pull request: https://bitbucket.org/conservancy/kallithea/pull-requests/394/updated-recaptcha-to-v2/diff

changes pushed, thanks a lot for your contribution!