Added self-hosted GDPR compliant captcha module #109
Conversation
```php
}

$request = Mage::app()->getRequest();
if ($request->getActionName() == 'prelogin' || !$request->isPost()) {
```
I don't like this line...
Converted to draft because of altcha-org/altcha#92

I found a way to work around the limitation of a single captcha per page so I think this PR is testable
As per https://altcha.org/docs/server-integration/ we have to create a database table to store solved challenges and a cleanup routine after a few days (I'd use 7)

hey @justinbeaty, I think the PR is at a point that it finally works 🤞🤞🤞

Sweet -- I'll test now.
I really like this implementation! However I did find a few issues if you submit the form while the captcha is validating (either the first time, or revalidating). You'd get a JS alert that says "please wait..." but actually you need to close the alert and re-submit the form. If you wait as instructed you'll be waiting forever... After you dismiss the alert, you also get a JS error.

In any case, what I tried to do (and think it's working) is to add an event listener for form submission, and if the captcha is still validating, show a "loader" and then once it's validated submit the form programmatically.

In

Also note, I updated the "CSS Selectors" to include `this.frontendSelectors += ', #page-login #loginForm';`

I actually have to leave the house very shortly, so normally I'd write more and test more thoroughly before pushing. If there's a problem as always we can revert or modify.

I've changed a few things like auto-verification, lazy-load, backend selector. I don't love that the js became a bit too complex in my opinion and it's a separate http request but probably it's good cause it can be cached. I think it should be testable again.
+1 to all the changes. Yes, sorry the JS became more complicated. The form submit issue was just annoying UX wise and the fix was more complicated to keep it inline. I have a few more things to review if that's okay. One thing I was thinking of, could we replace the mysql table (and thus model, resource model, and install scripts) by instead using Mage's cache? Something like this (not tested).

```php
protected function checkLoggedChallenge(string $payload): bool
{
    // test() returns the entry's last-modified timestamp, or false if it is not cached
    return Mage::app()->getCache()->test($payload) !== false;
}

protected function logChallenge(string $payload): void
{
    // Zend_Cache expects string data unless automatic serialization is enabled
    Mage::app()->getCache()->save((string) time(), $payload, ['maho_captcha'], 3600);
}
```
no hurry
I thought about it but I think somebody could need to monitor the size of that table (to see if there are attacks or something like that) and magento's cache is impossible to monitor or, if it grows too much, could it create problems (for example redis with limited resources or file system cache)?
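The server-side flow the thread is settling on (verify the ALTCHA payload, refuse a solution that was already accepted, purge entries after 7 days), as an added example rather than code from this PR. The payload layout follows the ALTCHA server-integration doc linked above; the HMAC key, the in-memory `$seen` array standing in for the table or cache, and the function names are assumptions.

```php
<?php
// Added example (not the PR's code). $hmacKey and $seen are constructed stand-ins
// for Maho's config value and its solved-challenge table / cache.
const SEEN_TTL = 7 * 86400; // keep solved payloads for 7 days, as proposed above

function altchaCreateChallenge(string $hmacKey, int $secret, int $expires): array
{
    $salt      = bin2hex(random_bytes(8)) . '?expires=' . $expires;
    $challenge = hash('sha256', $salt . $secret);
    return ['algorithm' => 'SHA-256', 'challenge' => $challenge, 'salt' => $salt,
            'signature' => hash_hmac('sha256', $challenge, $hmacKey)];
}

// True only for a well-formed, unexpired, correctly signed, solved and unseen payload.
function altchaVerify(string $payloadB64, string $hmacKey, array &$seen, int $now): bool
{
    $p = json_decode(base64_decode($payloadB64, true) ?: '', true);
    if (!is_array($p) || ($p['algorithm'] ?? '') !== 'SHA-256'
        || !is_string($p['salt'] ?? null) || !is_int($p['number'] ?? null)) {
        return false;
    }
    parse_str(explode('?', $p['salt'], 2)[1] ?? '', $q); // expiry rides in the salt
    if ((int) ($q['expires'] ?? 0) < $now) {
        return false;
    }
    // Proof-of-work and HMAC checks, both constant-time.
    if (!hash_equals(hash('sha256', $p['salt'] . $p['number']), (string) ($p['challenge'] ?? ''))
        || !hash_equals(hash_hmac('sha256', (string) ($p['challenge'] ?? ''), $hmacKey), (string) ($p['signature'] ?? ''))) {
        return false;
    }
    $id = hash('sha256', $payloadB64); // checkLoggedChallenge() / logChallenge()
    if (isset($seen[$id])) {
        return false; // replayed solution
    }
    $seen[$id] = $now;
    return true;
}

// Cleanup routine for the stored payloads (a cron job in the module).
function purgeSeen(array &$seen, int $now): void
{
    $seen = array_filter($seen, fn ($t) => $now - $t <= SEEN_TTL);
}

// Demo: the "client" brute-forces the number the way altcha.js does.
$key = 'constructed-demo-hmac-key';
$c   = altchaCreateChallenge($key, 4242, time() + 300);
for ($n = 0; hash('sha256', $c['salt'] . $n) !== $c['challenge']; $n++);
$payload = base64_encode(json_encode($c + ['number' => $n]));
$seen = [];
echo 'first submit: ', altchaVerify($payload, $key, $seen, time()) ? 'accepted' : 'rejected', PHP_EOL;
echo 'replayed:     ', altchaVerify($payload, $key, $seen, time()) ? 'accepted' : 'rejected', PHP_EOL;
```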
This PR adds a new Maho_Captcha module, which implements self-hosted GDPR compliant captcha based on https://altcha.org. Research was done but Altcha seems to be the most active other open source PoW based captcha project.
At the moment the implementation is almost the same as my Turnstile module: https://github.com/fballiano/openmage-cloudflare-turnstile with a lot of observers and a "css selectors" settings that (IMHO) allows for maximum flexibility.
I called it Maho_Captcha cause I think Maho should provide a basic captcha module and, since this one doesn't rely on 3rd party services (like cloudflare/recaptcha) it seems the perfect candidate.
Questions:

- `maho_captcha.(xml|csv)` naming instead of `justcaptcha.(xml|csv)` because I didn't want it to collide with the old Mage_Captcha. Is this a good choice?
- `maho/captcha/footer.html` as folder structure for templates. I don't like that it differs from maho_captcha but at the same time it made more sense to have all modules under the `maho/` folder. Is this a good choice?
- Since the module positions the captcha widget "just before the ending" of the `form`, this position may not be perfectly aligned, is this a dealbreaker? Ideas on how to make it better?

Activating the "floating" captcha it works perfectly.