
Fighting h@ckers with Google Recaptcha v3

Open bdebon opened this issue 3 years ago • 26 comments

For now, the website can easily be hacked. Someone with little knowledge can send a request with a new fake IP every time and vote 1000 times easily for the same response. This is what happened with PHP vs JavaScript. A backend dev discovered the breach and decided to put 6000 votes for PHP... Don't worry, we will catch up with these 6000 fake votes with 6001 real people's votes for JavaScript.

To fight this, several solutions have been proposed:

  • auth or auth0: I don't want any authentication system that would break the fun and the friendly UX.
  • Entering a mail: I don't want that either.
  • Using Google reCAPTCHA v3 to generate a token that the person must attach to his request.

I like this last solution, but I don't have too much time to dig into how to implement that. But if someone wants to do it... You're welcome!!

bdebon avatar Nov 21 '22 21:11 bdebon

(reCAPTCHA Enterprise / v3 / v2) https://www.google.com/recaptcha/about/

Don't break internet again, it might cost you a bit

kmartin91 avatar Nov 22 '22 17:11 kmartin91

A lot of e-commerce sites use Cloudflare bot management to block scrapers.

I think it can be a good solution for this problem, because a simple POST request made by a script is blocked by Cloudflare.

In addition, Cloudflare may also detect if you are using a browser managed by a program like puppeteer (node.js) or selenium (python).

On the other hand, I dunno how much this solution costs.

MaximeMRF avatar Nov 22 '22 20:11 MaximeMRF

Why can't we just use Cloudflare? It might do the trick.

l31-dev avatar Nov 23 '22 01:11 l31-dev

I don't know, never used it. Is it compatible with the technologies we can use with the shared hosting at Hostinger? To be clear, we just have PHP / MySQL / and basic nginx. No node possible.

bdebon avatar Nov 23 '22 10:11 bdebon

It's really too easy even without scraping @MaximeMRF

Snox-dev1 avatar Nov 23 '22 21:11 Snox-dev1

The best way is to get the voter's IP address and block him when he votes too much.

Snox-dev1 avatar Nov 23 '22 21:11 Snox-dev1

Is a captcha really a good idea? Anyone could just extract the token from his browser and put it in any script. To be sure that can't be done, a captcha should be asked for every question, but it's sooo bad for UX.

tdaron avatar Nov 24 '22 07:11 tdaron

I had an idea!

Basically, in the database you have to add a timestamp of the last vote.

Then at each vote, look when the last vote of the IP was; if it was less than 5 minutes ago, then we block.

Snox-dev1 avatar Nov 25 '22 12:11 Snox-dev1
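The "timestamp of the last vote per IP" idea, written out as an added example (this is not code from choiceof.dev). It keeps one row per (IP, question) with the time of the last accepted vote and refuses a vote that arrives inside the 5-minute window. One caveat worth building in: `REMOTE_ADDR` is the address of the TCP peer and cannot be set by the client, whereas `X-Forwarded-For` / `CF-Connecting-IP` are ordinary request headers that any script can fill with a random value, so the cooldown must key on the peer address, or on the proxy header only when the peer is a proxy you trust (Cloudflare in front of Hostinger, for instance). Table name, column names, the trusted-proxy list and the sample address are assumptions; the demo uses an in-memory SQLite database through PDO so it runs offline, and the same statements work on MySQL.

```php
<?php
// Added example (not code from choiceof.dev): per-IP vote cooldown backed by one table.
// Table and column names, the 5-minute window and the sample values are assumptions.

const VOTE_COOLDOWN_SECONDS = 300; // 5 minutes, as proposed in the thread

function createSchema(PDO $db): void
{
    $db->exec('CREATE TABLE IF NOT EXISTS vote_throttle (
        ip VARCHAR(45) NOT NULL,       -- 45 chars covers the textual IPv6 form
        question_id INT NOT NULL,
        last_vote_at INT NOT NULL,     -- unix timestamp of the last accepted vote
        PRIMARY KEY (ip, question_id)
    )');
}

// Resolve the client address. REMOTE_ADDR is the TCP peer and cannot be forged by the
// client; CF-Connecting-IP is a plain header, so it is honoured only when the peer is
// one of the proxies we trust (list supplied by the caller, assumed here).
function clientIp(array $server, array $trustedProxies = []): string
{
    $peer = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    if (in_array($peer, $trustedProxies, true) && !empty($server['HTTP_CF_CONNECTING_IP'])) {
        $forwarded = $server['HTTP_CF_CONNECTING_IP'];
        if (filter_var($forwarded, FILTER_VALIDATE_IP) !== false) {
            return $forwarded;
        }
    }
    return $peer;
}

// Records the vote and returns true when the IP is outside its cooldown for this
// question; returns false (and records nothing) otherwise. The check and the write
// share one transaction so two parallel requests cannot both pass the check.
function tryRecordVote(PDO $db, string $ip, int $questionId, int $now): bool
{
    $db->beginTransaction();
    try {
        // On MySQL append "FOR UPDATE" to this SELECT to lock the row; SQLite has no such clause.
        $stmt = $db->prepare('SELECT last_vote_at FROM vote_throttle WHERE ip = ? AND question_id = ?');
        $stmt->execute([$ip, $questionId]);
        $last = $stmt->fetchColumn();

        if ($last !== false && ($now - (int) $last) < VOTE_COOLDOWN_SECONDS) {
            $db->rollBack();
            return false; // still inside the cooldown window
        }
        if ($last === false) {
            $db->prepare('INSERT INTO vote_throttle (ip, question_id, last_vote_at) VALUES (?, ?, ?)')
               ->execute([$ip, $questionId, $now]);
        } else {
            $db->prepare('UPDATE vote_throttle SET last_vote_at = ? WHERE ip = ? AND question_id = ?')
               ->execute([$now, $ip, $questionId]);
        }
        $db->commit();
        return true;
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}

// Demo: in-memory database and a constructed request (sample address from the documentation range).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createSchema($db);

$server = ['REMOTE_ADDR' => '203.0.113.7']; // constructed sample request
$ip = clientIp($server);
$t0 = 1700000000;

var_dump(tryRecordVote($db, $ip, 42, $t0));       // first vote on question 42
var_dump(tryRecordVote($db, $ip, 42, $t0 + 60));  // same IP one minute later
var_dump(tryRecordVote($db, $ip, 42, $t0 + 301)); // same IP once the window has elapsed
```

The three calls show the intended behaviour: the first and third votes are accepted, the second is refused because it lands inside the window. For production, point the PDO DSN at the MySQL database and drop the in-memory demo lines; the rest of the code is unchanged.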

It sounds incredible! Easy to implement and good enough to prevent the biggest abuses! Does anybody have something against this proposition?

bdebon avatar Nov 25 '22 12:11 bdebon

Oops, no, it does not work. Anyone can change its IP for a random one. Node scripts are doing that super easily, so it's not working.

bdebon avatar Nov 25 '22 12:11 bdebon

A solution which does not cover all cases may be the use of fingerprintjs on the front in order to prevent browser automation.

MatteoGauthier avatar Nov 25 '22 12:11 MatteoGauthier

The only viable solution is a backend one, since the front/JS can easily be bypassed. So any JS library sounds irrelevant to me 😉

What could help is a PHP rate limiter, eg. https://symfony.com/doc/current/rate_limiter.html (or letting Cloudflare handle that, if technically possible).

quentint avatar Nov 25 '22 13:11 quentint

> (reCAPTCHA Enterprise / v3 / v2) https://www.google.com/recaptcha/about/
>
> Don't break internet again, it might cost you a bit

If you're looking for a cheaper/free alternative, https://www.hcaptcha.com/ is a good solution.

quentint avatar Nov 25 '22 13:11 quentint

Hey @quentint!! So nice to have you here!! I would love to have your avatar as a contributor of this project!! If you want to be the hero that will finally close the breach of this project, you are more than welcome and I can make anything that you need to implement this feature!

bdebon avatar Nov 25 '22 14:11 bdebon

My brain has this issue running in the background. Will post when implementation details pop!

quentint avatar Nov 25 '22 14:11 quentint

> (reCAPTCHA Enterprise / v3 / v2) https://www.google.com/recaptcha/about/ Don't break internet again, it might cost you a bit
>
> If you're looking for a cheaper/free alternative, https://www.hcaptcha.com/ is a good solution.

You need to pay if you want to use hCaptcha without a captcha.

kmartin91 avatar Nov 25 '22 14:11 kmartin91

@quentint I think there is no better person than you to fix that, just because choixdemerde.fr was first inspired by generationwhat and you know what duo was behind this one...

bdebon avatar Nov 25 '22 14:11 bdebon

> you need to pay if you want to use hCaptcha without captcha

Really? I think I've used it in the past without paying anything, and I can't confirm what you're saying when reading the docs 🤔

quentint avatar Nov 25 '22 14:11 quentint

> > you need to pay if you want to use hCaptcha without captcha
>
> Really? I think I've used it in the past without paying anything, and I can't confirm what you're saying when reading the docs 🤔

Need a pro account to have the "no captcha mode" according to https://www.hcaptcha.com/#plans . Maybe I'm wrong, I didn't dig into that more.

kmartin91 avatar Nov 25 '22 14:11 kmartin91

I think that means combining both solutions, at least that's what I found in the docs: https://docs.hcaptcha.com/invisible#invisible-vs-passive

> Enterprise users can combine "Invisible" (no checkbox) configuration with "Passive" difficulty to avoid any user interruption.

@bdebon: Is Cloudflare activated on Hostinger? eg. https://support.hostinger.com/en/articles/1583241-how-to-activate-and-deactivate-cloudflare

If so, there might be a way to rate limit from there. See Configure Thresholds.

quentint avatar Nov 25 '22 15:11 quentint

For now https://developers.cloudflare.com/turnstile/ looks like the way to go for me.

Here are the ➕:

  • Free
  • Unlimited
  • Works with any host/domain
  • Does not rely on IP or any fingerprinting
  • Has a front and back API to ensure a regular user workflow

Here is the only ➖ I found:

  • Currently in Beta, so it could break/disappear

Thoughts anyone?

quentint avatar Nov 25 '22 15:11 quentint
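The "front and back API" point above is where a Turnstile integration actually stops scripted votes: the widget on the page puts a token in the `cf-turnstile-response` form field, and the backend has to send that token to Cloudflare's `siteverify` endpoint before counting the vote, because anything that is checked only in the browser can be skipped by a script. This added example (not code from choiceof.dev or from Cloudflare) does that check in PHP with curl. It also answers the earlier concern about extracting the token and reusing it from a script: `siteverify` accepts each token once, so a replayed token comes back with the `timeout-or-duplicate` error code and is refused. The secret value, the `vote` action name, the vote payload and the stubbed verifier used in the demo are assumptions.

```php
<?php
// Added example (not code from choiceof.dev or Cloudflare): backend verification of a
// Turnstile token before a vote is counted. The secret, the "vote" action name and the
// demo values are assumptions; the siteverify URL and field names are Cloudflare's.

const TURNSTILE_VERIFY_URL = 'https://challenges.cloudflare.com/turnstile/v0/siteverify';

// Posts the token to siteverify and returns the decoded JSON
// (['success' => bool, 'error-codes' => [...], 'action' => ..., 'hostname' => ...]).
function turnstileSiteverify(string $secret, string $token, ?string $remoteIp): array
{
    $fields = ['secret' => $secret, 'response' => $token];
    if ($remoteIp !== null) {
        $fields['remoteip'] = $remoteIp;
    }
    $ch = curl_init(TURNSTILE_VERIFY_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT => 5,
    ]);
    $body = curl_exec($ch);
    $err = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        return ['success' => false, 'error-codes' => ['network-error: ' . $err]];
    }
    $json = json_decode($body, true);
    return is_array($json) ? $json : ['success' => false, 'error-codes' => ['bad-json']];
}

// Decides whether a vote request may proceed; fails closed on any error.
// $verifier is injectable so the decision logic can run without network access.
function voteAllowed(array $post, string $secret, ?string $remoteIp, callable $verifier): array
{
    $token = $post['cf-turnstile-response'] ?? '';
    if ($token === '' || strlen($token) > 2048) { // Turnstile tokens are at most 2048 chars
        return [false, 'missing-token'];
    }
    $result = $verifier($secret, $token, $remoteIp);
    if (($result['success'] ?? false) !== true) {
        // A replayed token yields 'timeout-or-duplicate': each token is accepted once.
        return [false, implode(',', $result['error-codes'] ?? ['unknown'])];
    }
    // If the widget is rendered with data-action="vote", refuse tokens minted elsewhere.
    if (isset($result['action']) && $result['action'] !== 'vote') {
        return [false, 'wrong-action'];
    }
    return [true, 'ok'];
}

// Demo with a stubbed verifier (no network). It mirrors siteverify's single-use rule:
// the first check of a token succeeds, a second check of the same token is a duplicate.
$seen = [];
$stubVerifier = function (string $secret, string $token, ?string $ip) use (&$seen): array {
    if (isset($seen[$token])) {
        return ['success' => false, 'error-codes' => ['timeout-or-duplicate']];
    }
    $seen[$token] = true;
    return ['success' => true, 'action' => 'vote', 'hostname' => 'choiceof.dev'];
};

// Constructed request: a token straight from the widget, plus the vote itself.
$post = ['cf-turnstile-response' => 'constructed-token-123', 'question' => 42, 'choice' => 'php'];
print_r(voteAllowed($post, 'TURNSTILE_SECRET_PLACEHOLDER', '203.0.113.7', $stubVerifier));
print_r(voteAllowed($post, 'TURNSTILE_SECRET_PLACEHOLDER', '203.0.113.7', $stubVerifier)); // replay

// Real deployment: voteAllowed($_POST, $secret, $_SERVER['REMOTE_ADDR'], 'turnstileSiteverify');
```

In the demo the first call returns `[true, 'ok']` and the second `[false, 'timeout-or-duplicate']`. Only the vote endpoint should hold the secret; the site key that goes into the widget is public, and that split is exactly why the browser-side check alone proves nothing.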

Maybe you could add a slide bar that bots can not do. When you put too many connections on Leboncoin.com, the website will ask you to fill a little puzzle with a slidebar; maybe somebody could add that type of slidebar (without the puzzle) to switch between each image without ruining the UX?

EliottCestSwag avatar Dec 12 '22 06:12 EliottCestSwag

What about a JWT gained with reCAPTCHA, allowing the user to answer one time to every question (and the captcha requirement could depend on the website's utilisation: if no one is playing, no need for a captcha, but if at the same time there are 1000 concurrent connections, then captcha for everyone).

tdaron avatar Dec 12 '22 16:12 tdaron
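The "JWT gained with the captcha, then one vote per question" proposal, as an added example in PHP (not code from choiceof.dev). The captcha check itself happens before this code runs and is assumed to have passed; what the block shows is the rest of the mechanism: a minimal HS256 JWT is issued with a random `jti` and an expiry, every vote must carry it, and the backend records (`jti`, question) with a primary key so that the database, not the client, decides whether a second vote on the same question is accepted. The secret, the one-hour lifetime, the table layout and the sample votes are assumptions; the demo uses an in-memory SQLite database through PDO and the same statements work on MySQL.

```php
<?php
// Added example (not code from choiceof.dev): HS256 "vote pass" issued after the captcha,
// then enforced as one vote per pass per question. Secret, TTL and schema are assumptions.

function b64url(string $s): string
{
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

function b64urlDecode(string $s): string
{
    $pad = strlen($s) % 4;
    if ($pad !== 0) {
        $s .= str_repeat('=', 4 - $pad);
    }
    $out = base64_decode(strtr($s, '-_', '+/'), true);
    return $out === false ? '' : $out;
}

// Issue a pass once the captcha passed. 'jti' is a random id that becomes the vote key.
function issueVotePass(string $secret, int $now, int $ttl = 3600): string
{
    $header = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $claims = b64url(json_encode(['jti' => bin2hex(random_bytes(16)), 'iat' => $now, 'exp' => $now + $ttl]));
    $sig    = b64url(hash_hmac('sha256', "$header.$claims", $secret, true));
    return "$header.$claims.$sig";
}

// Verify algorithm, signature and expiry; return the claims or null.
// Pinning the algorithm to HS256 avoids accepting a forged "alg: none" token.
function verifyVotePass(string $secret, string $jwt, int $now): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $c, $s] = $parts;
    $header = json_decode(b64urlDecode($h), true);
    if (($header['alg'] ?? null) !== 'HS256') {
        return null;
    }
    $expected = b64url(hash_hmac('sha256', "$h.$c", $secret, true));
    if (!hash_equals($expected, $s)) {
        return null;
    }
    $claims = json_decode(b64urlDecode($c), true);
    if (!is_array($claims) || !isset($claims['jti'], $claims['exp']) || $now >= (int) $claims['exp']) {
        return null;
    }
    return $claims;
}

// One row per (jti, question). The primary key makes the database the arbiter, so two
// concurrent requests with the same pass cannot both be counted for one question.
function createSchema(PDO $db): void
{
    $db->exec('CREATE TABLE IF NOT EXISTS votes (
        jti CHAR(32) NOT NULL, question_id INT NOT NULL, choice VARCHAR(32) NOT NULL,
        PRIMARY KEY (jti, question_id))');
}

function castVote(PDO $db, string $secret, string $jwt, int $questionId, string $choice, int $now): string
{
    $claims = verifyVotePass($secret, $jwt, $now);
    if ($claims === null) {
        return 'rejected: invalid or expired pass';
    }
    try {
        $db->prepare('INSERT INTO votes (jti, question_id, choice) VALUES (?, ?, ?)')
           ->execute([$claims['jti'], $questionId, $choice]);
        return 'counted';
    } catch (PDOException $e) {
        // SQLSTATE 23000 = integrity constraint violation, on MySQL and SQLite alike
        if ($e->getCode() === '23000') {
            return 'rejected: already voted on this question';
        }
        throw $e;
    }
}

// Demo with an in-memory database and constructed values.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createSchema($db);
$secret = 'SERVER_SECRET_PLACEHOLDER'; // keep in server config, never in the page
$now    = 1700000000;
$pass   = issueVotePass($secret, $now);

echo castVote($db, $secret, $pass, 1, 'javascript', $now + 10), PHP_EOL; // first vote on question 1
echo castVote($db, $secret, $pass, 1, 'javascript', $now + 20), PHP_EOL; // same pass, same question
echo castVote($db, $secret, $pass, 2, 'php', $now + 30), PHP_EOL;        // same pass, another question
echo castVote($db, $secret, $pass . 'x', 3, 'php', $now + 40), PHP_EOL;  // tampered signature
echo castVote($db, $secret, $pass, 4, 'php', $now + 4000), PHP_EOL;      // after the one-hour expiry
```

The five demo votes illustrate the rules in order: counted, refused as a duplicate, counted on the other question, refused for a bad signature, refused once the pass has expired. Because the pass is bound to a random `jti` rather than to an IP, it does not matter which address the vote arrives from; what limits abuse is how often the captcha hands out a fresh pass, which is the knob tdaron proposes tuning with the site's load.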

> What about a JWT gained with ReCaptcha, allowing user to answer one time to every question (and the captcha requirement could depend of the website utilisation, if no-one is playing, no need to captcha, but if at the same time there is 1000 concurrent connections, then captcha for everyone)

Yeah, but if @bdebon decides to open """officially""" the website, maybe the site will detect 10.000 people at the same time and block them all or ruin the UX because of the captcha :/

EliottCestSwag avatar Dec 14 '22 21:12 EliottCestSwag

Yeah, but it's one captcha for the first connection, then not anymore for every question, and in any case it's possible to tell the difference between a bot rush and a people rush, I guess.

tdaron avatar Dec 14 '22 21:12 tdaron

> Yeah but it's one captcha for the first connection then not anymore for every question, and in any case its possible to do difference between bot rush or people rush i guess

The bot IP and people IP are really different; if a backend could add a prevention against that, that could be great. What do u think? @bdebon

EliottCestSwag avatar Dec 16 '22 06:12 EliottCestSwag