Issue #313 resolved
zwarmapapa
created an issue

So I enabled public registration, and pretty much every day I had bots registering on it (primarily from "http://seobest.website/").

So I got a Google reCAPTCHA key (v2), put it in Kallithea, and now the registration page has a reCAPTCHA saying: "V1 SHUTDOWN ON 2018-03-31"

What should I do?

Comments (10)

  1. Thomas De Schampheleire

    Are you comfortable with programming? Honestly, the fastest way to get this solved would be if you could have a look at the existing code and propose changes to upgrade recaptcha support to use the v2 API.

    I think this page will contain the info you need, but I haven't investigated in detail and I've never looked at the Kallithea side before.

    If you're not comfortable with this, no problem, then someone else may have a look but it will probably take more time.

  2. zwarmapapa reporter

    I've never programmed in Python before, so it's probably not a good idea to make it myself.

    However, the v2 integration seems very simple.

    Client side:

    <script src='https://www.google.com/recaptcha/api.js'></script>
    <div class="g-recaptcha" data-sitekey="--public key here--"></div>  <!--paste this snippet at the end of the <form> where you want the reCAPTCHA widget to appear-->
    

    Server side:

    A POST request to: https://www.google.com/recaptcha/api/siteverify with:

    secret=---secret key here---
    response=---value of 'g-recaptcha-response' here---
    remoteip=---client IP here---
    

    Then the response of that is a JSON object that contains: "success": true|false (see https://developers.google.com/recaptcha/docs/verify)

  3. Mads Kiilerich

    Yeah - for now, it seems like it would be better to hide this functionality.

    It seems like a somewhat interesting and easy problem to solve for someone who wants to use captcha or learn how to do it.

  4. zwarmapapa reporter

    Hmmm I don't know, it seems very simple.

    Just replace the current recaptcha in /templates/register.html by:

    <div class="g-recaptcha" data-sitekey="{c.captcha_public_key}"></div>
    

    Then in the controller/action of that page (/controllers/login.py), replace the old validation by an HTTP request with the content being:

    "secret" => captcha_private_key
    "response" => request.POST.get('g-recaptcha-response')
    "remoteip" => request.ip_addr
    

    Then parse the result (JSON) and check if "success" == true.

    Then, all that remains is to put the recaptcha library somewhere. Don't know where you place that, but the code of it is:

    <script src='https://www.google.com/recaptcha/api.js'></script>
    

    And that would be it. Done. Seems like that would take about the same effort as hiding the recaptcha functionality lol.

  5. zwarmapapa reporter

    Oh, I didn't notice that file. Pretty much everything can be removed from it (v2 is a lot simpler than v1 was). Also, in v2, there is no challenge and response field anymore as far as I know, it's just one field now ('g-recaptcha-response', which is the response I guess, which apparently means only the response is required in v2).

    Anyway, yeah you can't generate v1 keys anymore. Maybe the deprecation warning is caused by using v2 keys.

    I'll see if I can update the recaptcha code. Thing is though that I've never programmed in Python before, so I have no libraries or development kits or anything installed yet for it. But well, we'll see.
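
The server-side check described in comments 2 and 4, as an added Python example that is not part of the original thread and not Kallithea's code. The function names, the injectable `post` transport and the local error codes `verification-unavailable` and `bad-response` are assumptions of this example; the URL, form fields and the `success` / `error-codes` keys are those of the siteverify API. It rejects the registration on every failure path and accepts only a JSON `true`.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def _post_form(url, fields, timeout=5):
    """Default transport (assumed helper): POST form fields, return body bytes."""
    data = urllib.parse.urlencode(fields).encode("ascii")
    with urllib.request.urlopen(url, data=data, timeout=timeout) as resp:
        return resp.read()


def verify_recaptcha_v2(secret, token, remote_ip=None, post=_post_form):
    """Return (ok, error_codes); every failure path rejects the registration."""
    if not token:
        # Field absent or empty: reject without contacting the API.
        return False, ["missing-input-response"]
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    try:
        result = json.loads(post(SITEVERIFY_URL, fields))
    except (OSError, ValueError):
        # Network error, timeout or non-JSON body: fail closed.
        return False, ["verification-unavailable"]  # local code, not Google's
    if not isinstance(result, dict):
        return False, ["bad-response"]  # local code, not Google's
    codes = result.get("error-codes")
    # Only the JSON literal true passes; a string such as "true" does not.
    return result.get("success") is True, codes if isinstance(codes, list) else []


if __name__ == "__main__":
    # Constructed responses stand in for the API so the demo runs offline.
    def accept(url, fields):
        return b'{"success": true}'

    def reject(url, fields):
        return b'{"success": false, "error-codes": ["invalid-input-response"]}'

    print(verify_recaptcha_v2("test-secret", "constructed-token", "203.0.113.7", post=accept))
    print(verify_recaptcha_v2("test-secret", "constructed-token", post=reject))
    print(verify_recaptcha_v2("test-secret", "", post=accept))
```

In the controller, `token` would be the `g-recaptcha-response` POST field and `remote_ip` the client address, as comment 4 names them; the secret key stays on the server and never appears in the template.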
