1 I don't necessarily trust all OpenID providers to stop bots. I note that ikiwiki allows [[banned_users]], and that there are other todos such as [[todo/openid_user_filtering]] that would extend this. However, it might be nice to have a CAPTCHA system.
3 I imagine a plugin that modifies the login screen to use <http://recaptcha.net/>. You would then be required to fill in the captcha as well as log in in the normal way.
5 > I hate CAPTCHAs with a passion. Someone else is welcome to write such a
8 > If spam via openid (which I have never ever seen yet) becomes
9 > a problem, a provider whitelist/blacklist seems like a much nicer
10 > solution than a CAPTCHA. --[[Joey]]
12 >> Apparently there has been openid spam (you can google for it). But as for
13 >> white/black lists, were you thinking of listing the openids, or the content?
14 >> Something like the moinmoin global <http://master.moinmo.in/BadContent>
17 >>> OpenID can be thought of as pushing the problem of determining if
18 >>> someone is a human or a spambot back from the openid consumer to the
19 >>> openid provider. So, providers that make it possible for spambots to
20 >>> use their openids, or that are even set up explicitly for use in
21 >>> spamming, would be the ones to block. Or, providers that are known to
22 >>> use very good screening for humans would be the ones to allow.
23 >>> (Openid delegation makes it a bit harder than just looking at the
24 >>> openid url though.) --[[Joey]]
26 >>>> Well, OpenID only addresses authentication issues, not authorisation issues.
27 >>>> Given that it is trivial to set up your own OpenID provider (a full provider, not
28 >>>> just a forward to another provider), I can't see a
29 >>>> blacklist working in the long term (it would be like blacklisting email).
30 >>>> A whitelist might work (it would not be quite as bad as whitelisting email). In any case,
31 >>>> there is now a captcha plugin for those that want it. It is accessible
32 >>>> (there is an audio option) and serves a social purpose along with
33 >>>> keeping bots out (the captcha is used to help digitise hard to read
34 >>>> words in books for [Carnegie Mellon University](http://www.cs.cmu.edu/) and
35 >>>> [The Internet Archive](http://www.archive.org/) ). Finally, because the actual captcha is outsourced
36 >>>> it means that someone else is taking care of keeping it ahead of
39 Okie - I have a first pass of this. There are still some issues.
41 Currently the code verifies the CAPTCHA. If you get it right then you're fine.
42 If you get the CAPTCHA wrong then the current code tells formbuilder that
43 one of the fields is invalid. This stops the login from going through.
44 Unfortunately, formbuilder is caching this validity somewhere, and I haven't
45 found a way around that yet. This means that if you get the CAPTCHA
46 wrong, it will continue to fail. You need to load the login page again so
47 it doesn't have the error message on the screen, then it'll work again.
49 > fixed this - updated code is attached.
51 A second issue is that the OpenID login system resets the 'required' flags
52 of all the other fields, so using OpenID will cause the CAPTCHA to be
55 > This is still not fixed. I would have thought the following patch would
56 > have fixed this second issue, but it doesn't.
58 (code snipped as a working patch is below)
60 >> What seems to be happing here is that the openid plugin defines a
61 >> validate hook for openid_url that calls validate(). validate() in turn
62 >> redirects the user to the openid server for validation, and exits. If
63 >> the openid plugins' validate hook is called before your recaptcha
64 >> validator, your code never gets a chance to run. I don't know how to
65 >> control the other that FormBuilder validates fields, but the only fix I
66 >> can see is to somehow influence that order.
68 >> Hmm, maybe you need to move your own validation code out of the validate
69 >> hook. Instead, just validate the captcha in the formbuilder_setup hook.
70 >> The problem with this approach is that if validation fails, you can't
71 >> just flag it as invalid and let formbuilder handle that. Instead, you'd
72 >> have to hack something in to redisplay the captcha by hand. --[[Joey]]
74 >>> Fixed this. I just modified the OpenID plugin to check if the captcha
75 >>> succeeded or failed. Seeing as the OpenID plugin is the one that is
76 >>> abusing the normal validate method, I figured it was best to keep
77 >>> the fix in the same place. I also added a config switch so you can set if
78 >>> the captcha is needed for OpenID logins. OpenID defaults to ignoring
80 >>> Patch is inline below.
81 >>> I think this whole thing is working now.
83 --- a/IkiWiki/Plugin/openid.pm
84 +++ b/IkiWiki/Plugin/openid.pm
85 @@ -18,6 +18,7 @@ sub getopt () { #{{{
87 Getopt::Long::Configure('pass_through');
88 GetOptions("openidsignup=s" => \$config{openidsignup});
89 + GetOptions("openidneedscaptcha=s" => \$config{openidneedscaptcha});
92 sub formbuilder_setup (@) { #{{{
93 @@ -61,6 +62,7 @@ sub formbuilder_setup (@) { #{{{
94 # Skip all other required fields in this case.
95 foreach my $field ($form->field) {
96 next if $field eq "openid_url";
97 + next if $config{openidneedscaptcha} && $field eq "recaptcha";
98 $form->field(name => $field, required => 0,
101 @@ -96,6 +98,18 @@ sub validate ($$$;$) { #{{{
105 + if ($config{openidneedscaptcha} && defined $form->field("recaptcha")) {
106 + foreach my $field ($form->field) {
107 + next unless ($field eq "recaptcha");
108 + if (! $field->validate) {
109 + # if they didn't get the captcha right,
110 + # then just claim we validated ok so the
111 + # captcha can cause a fail
117 my $check_url = $claimed_identity->check_url(
118 return_to => IkiWiki::cgiurl(do => "postsignin"),
119 trust_root => $config{cgiurl},
125 You need to go to <http://recaptcha.net/api/getkey> and get a key set.
126 The keys are added as options.
128 reCaptchaPubKey => "LONGPUBLICKEYSTRING",
129 reCaptchaPrivKey => "LONGPRIVATEKEYSTRING",
131 You can also use "signInSSL" if you're using ssl for your login screen.
134 The following code is just inline. It will probably not display correctly, and you should just grab it from the page source.
139 # Ikiwiki password authentication.
140 package IkiWiki::Plugin::recaptcha;
147 hook(type => "formbuilder_setup", id => "recaptcha", call => \&formbuilder_setup);
151 eval q{use Getopt::Long};
153 Getopt::Long::Configure('pass_through');
154 GetOptions("reCaptchaPubKey=s" => \$config{reCaptchaPubKey});
155 GetOptions("reCaptchaPrivKey=s" => \$config{reCaptchaPrivKey});
158 sub formbuilder_setup (@) { #{{{
161 my $form=$params{form};
162 my $session=$params{session};
163 my $cgi=$params{cgi};
164 my $pubkey=$config{reCaptchaPubKey};
165 my $privkey=$config{reCaptchaPrivKey};
166 debug("Unknown Public Key. To use reCAPTCHA you must get an API key from http://recaptcha.net/api/getkey")
167 unless defined $config{reCaptchaPubKey};
168 debug("Unknown Private Key. To use reCAPTCHA you must get an API key from http://recaptcha.net/api/getkey")
169 unless defined $config{reCaptchaPrivKey};
170 my $tagtextPlain=<<EOTAG;
171 <script type="text/javascript"
172 src="http://api.recaptcha.net/challenge?k=$pubkey">
176 <iframe src="http://api.recaptcha.net/noscript?k=$pubkey"
177 height="300" width="500" frameborder="0"></iframe><br>
178 <textarea name="recaptcha_challenge_field" rows="3" cols="40"></textarea>
179 <input type="hidden" name="recaptcha_response_field"
180 value="manual_challenge">
184 my $tagtextSSL=<<EOTAGS;
185 <script type="text/javascript"
186 src="https://api-secure.recaptcha.net/challenge?k=$pubkey">
190 <iframe src="https://api-secure.recaptcha.net/noscript?k=$pubkey"
191 height="300" width="500" frameborder="0"></iframe><br>
192 <textarea name="recaptcha_challenge_field" rows="3" cols="40"></textarea>
193 <input type="hidden" name="recaptcha_response_field"
194 value="manual_challenge">
200 if ($config{signInSSL}) {
201 $tagtext = $tagtextSSL;
203 $tagtext = $tagtextPlain;
206 if ($form->title eq "signin") {
207 # Give up if module is unavailable to avoid
208 # needing to depend on it.
209 eval q{use LWP::UserAgent};
211 debug("unable to load LWP::UserAgent, not enabling reCaptcha");
215 die("To use reCAPTCHA you must get an API key from http://recaptcha.net/api/getkey")
217 die("To use reCAPTCHA you must get an API key from http://recaptcha.net/api/getkey")
219 die("To use reCAPTCHA you must know the remote IP address")
220 unless $session->remote_addr();
228 message => "CAPTCHA verification failed",
231 # validate the captcha.
232 if ($form->submitted && $form->submitted eq "Login" &&
233 defined $form->cgi_param("recaptcha_challenge_field") &&
234 length $form->cgi_param("recaptcha_challenge_field") &&
235 defined $form->cgi_param("recaptcha_response_field") &&
236 length $form->cgi_param("recaptcha_response_field")) {
238 my $challenge = "invalid";
239 my $response = "invalid";
240 my $result = { is_valid => 0, error => 'recaptcha-not-tested' };
242 $form->field(name => "recaptcha",
243 message => "CAPTCHA verification failed",
246 if ($challenge ne $form->cgi_param("recaptcha_challenge_field") or
247 $response ne $form->cgi_param("recaptcha_response_field")) {
248 $challenge = $form->cgi_param("recaptcha_challenge_field");
249 $response = $form->cgi_param("recaptcha_response_field");
250 debug("Validating: ".$challenge." ".$response);
251 $result = check_answer($privkey,
252 $session->remote_addr(),
253 $challenge, $response);
255 debug("re-Validating");
258 if ($result->{is_valid}) {
270 # The following function is borrowed from
271 # Captcha::reCAPTCHA by Andy Armstrong and are under the PERL Artistic License
274 my ( $privkey, $remoteip, $challenge, $response ) = @_;
277 "To use reCAPTCHA you must get an API key from http://recaptcha.net/api/getkey"
280 die "For security reasons, you must pass the remote ip to reCAPTCHA"
283 if (! ($challenge && $response)) {
284 debug("Challenge or response not set!");
285 return { is_valid => 0, error => 'incorrect-captcha-sol' };
288 my $ua = LWP::UserAgent->new();
290 my $resp = $ua->post(
291 'http://api-verify.recaptcha.net/verify',
293 privatekey => $privkey,
294 remoteip => $remoteip,
295 challenge => $challenge,
296 response => $response
300 if ( $resp->is_success ) {
301 my ( $answer, $message ) = split( /\n/, $resp->content, 2 );
302 if ( $answer =~ /true/ ) {
303 debug("CAPTCHA valid");
304 return { is_valid => 1 };
308 debug("CAPTCHA failed: ".$message);
309 return { is_valid => 0, error => $message };
313 debug("Unable to contact reCaptcha verification host!");
314 return { is_valid => 0, error => 'recaptcha-not-reachable' };