maxlerebourg/crowdsec-bouncer-traefik-plugin

[BUG] CrowdsecLapiScheme: must be one of 'hcaptcha', 'recaptcha' or 'turnstile' ?

Pierre-ZACHARY opened this issue · 9 comments

Describe the bug 🐛
Traefik is logging an error saying "CrowdsecLapiScheme: must be one of 'hcaptcha', 'recaptcha' or 'turnstile'"

2024-06-09T02:07:06Z ERR error="CrowdsecLapiScheme: must be one of 'hcaptcha', 'recaptcha' or 'turnstile'" entryPointName=web routerName=whoamiapp-whoami-ingress-whoami-pierre-zachary-fr@kubernetes

I've followed the examples/kubernetes setup

Expected behavior 👀
CrowdsecLapiScheme should be http or https

I've tested with recaptcha and the behaviour is the expected one; it seems to only happen with Cloudflare.

Context 🔎
Middleware values:

spec:
  plugin:
    bouncer:
      CrowdsecLapiKey: 40796d93c2958f9e58345514e67740e5
      Enabled: "true"
      logLevel: DEBUG
      crowdsecMode: live
      crowdsecLapiHost: crowdsec-service.crowdsec.svc.cluster.local:8080
      crowdsecLapiScheme: http
      captchaHTMLFilePath: /html/captcha.html
      banHtmlFilePath: /html/ban.html
      captchaProvider: turnsite
      captchaGracePeriodSeconds: 1800
      captchaSiteKey: ...
      captchaSecretKey: ...

Version (please complete the following information):
Traefik 3.0.1
Crowdsec v1.6.1-2
crowdsec-bouncer-traefik-plugin 1.3.1

To Reproduce
Deploy whoami with the above configuration and these labels:

traefik.ingress.kubernetes.io/router.middlewares: kube-system-bouncer@kubernetescrd
traefik.ingress.kubernetes.io/router.entrypoints: web

Hello,

Thank you for the report. I looked at the validation code and indeed the error message you got was confusing:

	if !contains([]string{HTTP, HTTPS}, config.CrowdsecLapiScheme) {
		return errors.New("CrowdsecLapiScheme: must be one of 'http' or 'https'")
	}
	if !contains([]string{"", HcaptchaProvider, RecaptchaProvider, TranstileProvider}, config.CaptchaProvider) {
		return errors.New("CrowdsecLapiScheme: must be one of 'hcaptcha', 'recaptcha' or 'turnstile'")
	}

I will replace it with: CaptchaProvider: must be one of 'hcaptcha', 'recaptcha' or 'turnstile'

In your configuration, you have misspelled turnstile with turnsite.

To be transparent, we haven't tested the turnstile provider a lot, and we would be thankful if you could give us some feedback on it.
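The fix the maintainer describes above, written out as a self-contained validation routine. This is an added example, not the plugin's own code: the constant names (HTTP, HTTPS, HcaptchaProvider, RecaptchaProvider, TurnstileProvider) come from the snippet quoted in the comment, their string values and the Config type are assumptions made here, and the "got ..." suffix is an addition that makes a typo like "turnsite" immediately visible in the Traefik log.

```go
package main

import "fmt"

// Allowed values, named as in the snippet quoted in the issue; the constant
// names are from the plugin, the string values are assumed here.
const (
	HTTP  = "http"
	HTTPS = "https"

	HcaptchaProvider  = "hcaptcha"
	RecaptchaProvider = "recaptcha"
	TurnstileProvider = "turnstile"
)

// Config is a hypothetical subset of the plugin configuration, limited to the
// two fields whose validation this issue is about.
type Config struct {
	CrowdsecLapiScheme string
	CaptchaProvider    string
}

func contains(allowed []string, value string) bool {
	for _, a := range allowed {
		if a == value {
			return true
		}
	}
	return false
}

// ValidateConfig checks both fields and names the offending field and the
// rejected value in the error, so a typo such as "turnsite" is reported
// against CaptchaProvider rather than CrowdsecLapiScheme.
func ValidateConfig(config Config) error {
	if !contains([]string{HTTP, HTTPS}, config.CrowdsecLapiScheme) {
		return fmt.Errorf("CrowdsecLapiScheme: must be one of '%s' or '%s', got %q",
			HTTP, HTTPS, config.CrowdsecLapiScheme)
	}
	// An empty provider means captcha remediation is not configured; that is valid.
	if !contains([]string{"", HcaptchaProvider, RecaptchaProvider, TurnstileProvider}, config.CaptchaProvider) {
		return fmt.Errorf("CaptchaProvider: must be one of '%s', '%s' or '%s', got %q",
			HcaptchaProvider, RecaptchaProvider, TurnstileProvider, config.CaptchaProvider)
	}
	return nil
}

func main() {
	// The reporter's configuration, with the typo that triggered the issue.
	reported := Config{CrowdsecLapiScheme: "http", CaptchaProvider: "turnsite"}
	fmt.Println(ValidateConfig(reported))
	// CaptchaProvider: must be one of 'hcaptcha', 'recaptcha' or 'turnstile', got "turnsite"

	fixed := Config{CrowdsecLapiScheme: "http", CaptchaProvider: "turnstile"}
	fmt.Println(ValidateConfig(fixed)) // <nil>
}
```

Naming the field and echoing the rejected value is the whole fix: with the original message, the reporter spent time on the LAPI scheme setting, which was correct, while the actual typo sat in captchaProvider.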

Oh right, my mistake, I thought the error came from CrowdsecLapiScheme because of what the logs were giving; thanks for pointing it out.

However, when I tried with turnstile: first I had to edit the class name of the captcha container from cf-captcha to cf-turnstile; then it rendered the captcha and validated it, but Traefik didn't receive the token / didn't notify CrowdSec that the captcha was valid, and thus it kept refreshing the page with the captcha and never removed the CrowdSec decision.
But I do receive metrics of captcha completion on my Cloudflare account, so I don't think it's on their side.

Thanks for the feedback, we'll look into it @maxlerebourg

Hey @Pierre-ZACHARY,
I just created a PR to fix the class name of the captcha element, thanks for notifying us about that.
But now, I just tested it with the turnstile provider, and it's working as expected. Could you retry with the class name fix once @mathieuHa reviews and releases it?

Thanks for using our plugin 👍

We will keep testing in the upcoming days and release a new version afterwards.
Please feel free to share if that made your setup work, or if you think something is still wrong there.

However, when I tried with turnstile: first I had to edit the class name of the captcha container from cf-captcha to cf-turnstile; then it rendered the captcha and validated it, but Traefik didn't receive the token / didn't notify CrowdSec that the captcha was valid, and thus it kept refreshing the page with the captcha and never removed the CrowdSec decision.
But I do receive metrics of captcha completion on my Cloudflare account, so I don't think it's on their side.

Without looking at any of the issues, I did the same thing and reached the same outcome with turnstile: the captcha passes, a POST request is made, but the bouncer doesn't get the response. The logs in DEBUG mode show the following every time the captcha page is reloaded and the captcha passes:

CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 cache:Get key:REDACTED
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 ServeHTTP ip:REDACTED cache:hit isBanned:c
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 handleRemediationServeHTTP ip:REDACTED remediation:c
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 cache:Get key:REDACTED_captcha
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 captcha:Check ip:REDACTED pass:false
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 captcha:Validate no captcha response found in request
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 ServeHTTP ip:REDACTED isTrusted:false
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 cache:Get key:REDACTED
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 ServeHTTP ip:REDACTED isTrusted:false
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 cache:Get key:REDACTED
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 ServeHTTP ip:REDACTED cache:hit isBanned:c
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 handleRemediationServeHTTP ip:REDACTED remediation:c
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 cache:Get key:REDACTED_captcha
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 captcha:Check ip:REDACTED pass:false
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 captcha:Validate no captcha response found in request

EDIT:
Here is a visual representation of what the user sees:

I hope this helps debugging. Thank you for developing this plugin @mathieuHa @maxlerebourg!
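The DEBUG excerpt above has a recognisable signature: for the same client, captcha:Check reports pass:false and the very next captcha line says no captcha response was found, over and over, while the provider's dashboard counts the challenge as solved. The following is an added example, not part of this thread or of the plugin, that scans such log text and counts that pattern per IP so an operator can tell a stuck client from a one-off reload. The line shapes follow the output quoted above; the sample log, the documentation-range IPs in it and the function names are constructed for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// checkRe matches the plugin's "captcha:Check ip:<ip> pass:<bool>" DEBUG line.
var checkRe = regexp.MustCompile(`captcha:Check ip:(\S+) pass:(true|false)`)

// noResponseMarker is the line logged when the bouncer found no captcha token
// in the request that followed the challenge page.
const noResponseMarker = "captcha:Validate no captcha response found in request"

// CountTokenlessRetries scans plugin DEBUG log text and counts, per client IP,
// how many times a failed captcha:Check was immediately followed by a
// "no captcha response found" line. A client accumulating these while the
// captcha provider reports completed challenges is in the loop from the issue:
// the widget is solved but its token never reaches the bouncer.
func CountTokenlessRetries(logText string) map[string]int {
	counts := make(map[string]int)
	pendingIP := "" // IP whose latest captcha:Check was pass:false
	scanner := bufio.NewScanner(strings.NewReader(logText))
	for scanner.Scan() {
		line := scanner.Text()
		if m := checkRe.FindStringSubmatch(line); m != nil {
			if m[2] == "false" {
				pendingIP = m[1]
			} else {
				pendingIP = "" // a passing check ends any pending failure
			}
			continue
		}
		if pendingIP != "" && strings.Contains(line, noResponseMarker) {
			counts[pendingIP]++
			pendingIP = ""
		}
	}
	return counts
}

// LoopingClients returns, sorted, the IPs that hit the tokenless path at least
// threshold times.
func LoopingClients(counts map[string]int, threshold int) []string {
	var ips []string
	for ip, n := range counts {
		if n >= threshold {
			ips = append(ips, ip)
		}
	}
	sort.Strings(ips)
	return ips
}

// sampleLog is constructed for this example: three reloads from one client
// that never deliver a token, then an unrelated client whose check passes.
const sampleLog = `DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 ServeHTTP ip:203.0.113.7 cache:hit isBanned:c
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 handleRemediationServeHTTP ip:203.0.113.7 remediation:c
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 captcha:Check ip:203.0.113.7 pass:false
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 captcha:Validate no captcha response found in request
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 ServeHTTP ip:203.0.113.7 cache:hit isBanned:c
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 captcha:Check ip:203.0.113.7 pass:false
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 captcha:Validate no captcha response found in request
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:12 ServeHTTP ip:203.0.113.7 cache:hit isBanned:c
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:12 captcha:Check ip:203.0.113.7 pass:false
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:12 captcha:Validate no captcha response found in request
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:12 captcha:Check ip:198.51.100.9 pass:true
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:12 captcha:Validate no captcha response found in request
`

func main() {
	counts := CountTokenlessRetries(sampleLog)
	fmt.Println(counts)                   // map[203.0.113.7:3]
	fmt.Println(LoopingClients(counts, 3)) // [203.0.113.7]
}
```

The pairing rule matters: the "no captcha response found" line carries no IP, so it is attributed to the client of the immediately preceding captcha:Check, and a pass:true check clears the pending state so a stray Validate line is not miscounted.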

Hey @Ivomola, I've released v1.3.3-beta1 in the meantime to help test with non-dev instances.
This contains a first patch for Turnstile.
We'll keep testing over the weekend.

Just deployed and tested it, I can confirm it works now and the loop is gone. Thank you!!

We've released v1.3.3 as latest release with this patch.