trac-hacks/trac-recaptcharegister

trac-recaptcharegister using old google api

samm-git opened this issue · 21 comments

Google now uses the v2 API, which allows detecting humans without entering a captcha in many cases. It would be great to support it.

You may want to look at using TracSpamFilter. It provides captchas for the registration page, and works with reCaptcha2.

@rjollos thank you for the suggestion. I am already using it, but I did not find how to enable reCAPTCHA ONLY for the registration page and always show it there. SpamFilter protects the site from spam pretty well, but unfortunately not from registration by spammers, so I now have > 15k users, where 90% of them are spam accounts. This is why I installed this extension.

Which version of SpamFilter do you have installed? You definitely don't need this plugin if you have SpamFilter. SpamFilter is running on both trac-hacks.org and trac.edgewall.org and doing a very good job of protecting from spam registration and postings. Make sure to install the latest SpamFilter, be running Trac 1.0.x and read all the configuration hints in the SpamFilter documentation.

I am using 1.0.9dev, upgraded yesterday. I read all the documentation. Once again: it works well at preventing spam, it's filtering, I would say, 99% of the spam submissions. BUT, at least on my resource (smartmontools.org), registration mostly succeeds, because at the time of registration these addresses/emails are not yet in the spam databases, so all checks are passed. So these users can't do anything, but the database of users is constantly growing. This is why I decided to use this plugin to enable captcha on the registration page only. Maybe I missed something and it is possible with SpamFilter as well, but I did not find how to do that (captcha on the registration page only).
P.S. Thank you for all your hard work on the Trac project.

Which version of AccountManagerPlugin are you running?

I think you need to enable RegistrationFilterAdapter in SpamFilterPlugin, and then append it to the list of registration checks in AccountManagerPlugin's configuration:

[account-manager]
register_check = BasicCheck, EmailCheck, BotTrapCheck, RegExpCheck, UsernamePermCheck, RegistrationFilterAdapter

I am using AccountManagerPlugin 0.4.4. My register_check contains:

register_check = BasicCheck, EmailCheck, BotTrapCheck, RegExpCheck, UsernamePermCheck, RegistrationFilterAdapter

and RegistrationFilterAdapter is enabled. I see that it works, because if the email is in the spam databases or the bot trap check is fired, it does not allow registration. However, it will not show a captcha for a new user who is not in the spam databases. Also, I don't want the captcha to be shown anywhere but on the registration page. I did not find how to implement such logic (captcha only for the registration page) with SpamFilter; that's why I am now using this plugin, which implements this functionality.

We can probably find a way to make the Captcha only show on the registration page, implementing an enhancement if necessary. Anyway, it seems you don't allow anonymous edits so it should be possible to prevent it from showing for authenticated users.

I would focus on getting SpamFilter to filter registration attempts correctly first. Are you using the external spam services: Akismet, HTTP:BL, StopForumSpam and BotScout? SpamFilter author tells me Akismet is the most useful.

To prevent captcha for authenticated users, go to /admin/spamfilter/config and select Trust authenticated users. Alternatively, you can just increase the karma for an authenticated session on that same page, and possibly increase karma for SessionFilterStrategy.

@rjollos yes, I am, and as I mentioned, it works great for most of the spam, so these bots can't do anything but register. It is a great idea to implement this feature in SpamFilter. I think it is a chicken-and-egg problem:

  1. When a bot is registering, the botnet can use a "clean" IP that is not in the databases. So SPF fails.
  2. If the botnet is smart enough, it will not get into the spamtrap and won't use any of the spam words in the submission, so Bayes and other content analyses will fail as well.
  3. After registration the bot will try to post spam, but won't be able to do this because of SpamFilter. But this bot will be in the user db already. And at some point most of the entries in the user db will be like that.

@rjollos - I disabled "Trust authenticated users" because it was helping spammers; as I mentioned, registration often succeeds, so I don't want to give these bots any additional karma. So again, I think that for my case the best option is to force captcha only on the registration page, to add a kind of additional forced protection for it. That's why I installed this plugin, but I would be happy to see this functionality in SpamFilter itself.

I'm fairly confident the feature you want is already possible with SpamFilter. I'm having trouble following your argument, but it sounds like Captcha is not appearing on the registration page and you'd like it to. I think you can probably achieve it by adjusting Karma, such as karma for CaptchaSystem. From our conversation thus far I have doubts that I can help you. You could try posting to the trac-users MailingList and SpamFilter author may reply.

I haven't seen any activity from the author of this plugin so I doubt there will be any development of it. Good luck!

mitar commented

I am not yet upgrading my installations where I am using this plugin, so for me it works well. If you have some fixes to improve it, feel free to make pull requests.

@rjollos sorry, my arguments are very simple.

  1. I want to have a captcha on the registration page (always) and only on it.
  2. I don't want to have different karma for registered and non-registered users.
    That's it.

@mitar thank you, I will try to update the API to v2 and submit a pull request.

@rjollos jfyi - I filed a corresponding feature request.

mitar commented

I looked into it a bit, and it seems that the library this package is using has not been upgraded to Recaptcha 2. I think I will leave as it is for now, but a pull request is welcome.

See Pull Request #4 - there's now an alternate version of the recaptcha.client library that supports the new v2 API. We've used the code in this PR along with that updated library to add v2 support to our Trac instance.

Merged #4.

There's an update in PR #5 - I hadn't realised (and hadn't caught in testing) that API v2 uses a response field named g-recaptcha-response instead of recaptcha_response_field.
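Added example, not part of the thread or of the plugin's code: a minimal server-side check for a registration form that reads the v2 field `g-recaptcha-response`, ignores the old `recaptcha_response_field`, and fails closed. The function names, the plain-dict form and the injectable `post` callable are assumptions for illustration; the endpoint is Google's documented siteverify URL.

```python
import json
import urllib.parse
import urllib.request

VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
V2_FIELD = "g-recaptcha-response"      # field posted by the v2 widget
V1_FIELD = "recaptcha_response_field"  # v1 name; deliberately never read


def extract_token(form):
    """Return the v2 token from submitted form data, or None."""
    token = form.get(V2_FIELD)
    if not isinstance(token, str):  # missing, or a duplicated field (list)
        return None
    return token.strip() or None


def http_post(url, data, timeout=5):
    """Default transport: form-encoded POST, returns the response body."""
    body = urllib.parse.urlencode(data).encode()
    with urllib.request.urlopen(url, body, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def verify_registration(form, secret, remote_ip=None, post=http_post):
    """Return (ok, error_codes); any missing token or error rejects."""
    token = extract_token(form)
    if token is None:
        # Rejected locally without a network call; a form carrying only
        # the v1 field ends up here.
        return False, ["missing-input-response"]
    payload = {"secret": secret, "response": token}
    if remote_ip:
        payload["remoteip"] = remote_ip
    try:
        result = json.loads(post(VERIFY_URL, payload))
    except (OSError, ValueError):  # network failure or non-JSON body
        result = None
    if not isinstance(result, dict):
        return False, ["verify-unavailable"]  # local code, not Google's
    if result.get("success") is True:
        return True, []
    return False, list(result.get("error-codes", []))
```
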

there's now an alternate version of the recaptcha.client library that supports the new v2 API.

Is the client library available on PyPI?

Installing from source results in:

Processing dependencies for TracRecaptchaRegister==0.3.3
Searching for recaptcha_client>=2.0.1
Reading https://pypi.python.org/simple/recaptcha_client/
No local packages or working download links found for recaptcha_client>=2.0.1
error: Could not find suitable distribution for Requirement.parse('recaptcha_client>=2.0.1')

So at a minimum the installation requirements need to be updated.

The original client library appears to be unmaintained.

The updated version is at https://github.com/redhat-infosec/python-recaptcha but is not (AFAIK) on PyPI. [NB: I'm not a Python guy - I just got the job of fixing this on our site]