New PSR for standartizing CAPTCHA (CaptchaInterface) #1330
Conversation
|
I do not really see why we need a psr for this. An interface can always be used by any developer in any application. The problem of recaptcha is a very specific implementation to validate humans interacting with your website. While there are other solutions. Can you explain why you think this should be a standard? |
So, for example, I have a Google ReCaptcha on my website, lets say I installed it via composer from corresponding repository. Let's omit frontend integration and look at the backend, we have smth like this: class FormSubmitService
{
private $recaptcha;
public function __construct(\ReCaptcha\ReCaptcha $recaptcha)
{
$this->recaptcha = $recaptcha;
}
public function submitForm(CustomRequest $request): CustomResponse
{
$token = $request->get('g-recaptcha-response');
$response = $this->recaptcha->verify($token);
if (!$response->isSuccess()) {
return new CustomResponse('Recaptcha failed!');
}
// ... continue to submit fom
}
}
//...
$recaptcha = new \ReCaptcha\ReCaptcha('my_secret_token');
$formSubmitService = new FormSubmitService($recaptcha);
$formSubmitService->submitForm($incomeCustomRequest);So, what happens if we at some moment switch to another Captcha vendor (another SDK)? We immediately lose the public function __construct(CaptchaInterface $captcha)
{
$this->captcha= $captcha;
}because in this scenario we can pass: $recaptcha = new \ReCaptcha\ReCaptcha('my_secret_token');
$hcaptcha = new \HCaptcha\HCaptcha('my_secret_token');
$mcaptcha= new \MCaptcha\MCaptcha('my_secret_token');
$cloudflareTurnstile= new \Cloudflare\Turnstile('my_secret_token');
$smartCaptcha= new \Yandex\SmartCaptcha('my_secret_token');
$formSubmitService = new FormSubmitService($recaptcha);
$formSubmitService2 = new FormSubmitService($hcaptcha);
$formSubmitService3 = new FormSubmitService($mcaptcha);
$formSubmitService4 = new FormSubmitService($cloudflareTurnstile);
$formSubmitService5 = new FormSubmitService($smartCaptcha);Yes, we will need an additional configuration when constructing the Captcha object itself, but inside the form handler there will be no changes, 'cause all of the above will be able to say true/false |
|
I'm still on the fence about whether this deserves a PSR or not, I think that's going to depend on what kind of buy-in we can get from the projects that we'd expect to benefit from this. There are some additional things that come with the request that captcha services typically either require or optionally allow like the visitors IP address. It'd be better in my opinion to depend on PSR-7 and pass the entire RequestInterface implementation to the verify method so that the implementation can decide what to gather. |
|
Whoops, fat fingered the close button. |
|
@KorvinSzanto since all of the most popular Captchas (and, I guess, all of the external Captchas) requires secret token to connect to their validation routes, I guess it would benefit to add |
|
Have you already gathered some consensus between the developers of the major captcha libraries in PHP? |
The exceptions would be used for exceptional cases that represent neither pass nor fail, for example:
Without defined exceptions, all of these cases would throw implementation-specific exceptions like a guzzle exception or a recaptcha sdk exception and would require the consumer to know the implementation to properly catch exceptions. So an implementation would do something like: try {
$response = $guzzle->send($validationRequest);
$isValid = $this->validateResponse($response);
} catch (GuzzleException $e) {
throw new ImplementationSpecificValidationRequestErrorException('Failed to send validation request', $e);
} catch (ValidationResponseException $e) {
throw new ImplementationSpecificValidationRequestErrorException('Invalid validation response', $e);
}and a consumer can avoid knowing that guzzle is in use at all and do: try {
$isValid = $captcha->validate($whatever);
} catch (\Psr\Captcha\ValidationRequestErrorException) {
// Show user "We're having trouble validating your request, please try again in a few minutes"
} catch (\Psr\Captcha\InvalidArgumentException) {
// Show user "Invalid request, please try again"
}
if (!$isValid) {
// Show user "Invalid captcha, please try again"
} |
@mbeccati @KorvinSzanto |
|
Sadly, the Google recaptcha PHP repo is dead. |
captcha.md
Outdated
| * SHOULD contain actual user's SCORING | ||
| * MAY contain additional information (e.g., gathered from it's captcha-vendor service's verification endpoint) (i.e. message, errors, etc.) | ||
| */ | ||
| interface CaptchaResponseInterface |
There was a problem hiding this comment.
Why is it an interface and not a bool?
There was a problem hiding this comment.
You mean, why CaptchaInterface::verify() returns that instead of a bool? If yes, then answer is - 'cause you might want to implement additional methods to specific CaptchaResponse classes, like getScore(), getHost() (for instance, those fields implemented by Google ReCaptcha, hCaptcha, SmartCaptcha) or similar - to extend response data
There was a problem hiding this comment.
Should be mentioned in meta-document.
captcha.md
Outdated
| * SHOULD contain method to configure SCORING threshold (if applicable by PROVIDER) | ||
| * SHOULD throw a CaptchaException as soon as possible if appears any non-user related error that prevents correct Captcha solving (e.g. network problems, incorrect secret token, e.g.) | ||
| */ | ||
| interface CaptchaInterface |
There was a problem hiding this comment.
I think there might be a need for challenge(string $token): string method which, given a token, generates the challenge for the user to solve.
There was a problem hiding this comment.
Idk what did you mean by this, probably CaptchaInterface needs to be renamed to CaptchaVerifierInterface, 'cause that is its purpose - to verify that passed token is valid. But idk what else can be retrieved from $token, especially in string. Do you mean challenge is frontend rendered I am not a robot checkbox with traffic lights? If so, i'm not sure that service should interact with it - it's just a verifier
There was a problem hiding this comment.
Well, for example, given a token that is 24, challenge might be 20+4 or something like that.
There was a problem hiding this comment.
Well, that interface is not quite for that purpose, but rather to verify already solved captcha task by its token using some external (or even internal, it doesnt actually matter) captcha service. Roughly, it's an interface to build SDK on
|
Here's Yii2 implementation: https://github.com/yiisoft/yii2/tree/master/framework/captcha |
|
Here is Shopware 6 implementation https://github.com/shopware/shopware/tree/e4c3f565857f8e6c53d3c8e35f6b00dfd0eb3f73/src/Storefront/Framework/Captcha and Shopware 5 implementation https://github.com/shopware5/shopware/tree/8779bb0fc2cff04bb92dbba8ea5522263a71ab48/engine/Shopware/Components/Captcha |
Do you believe that Shopware could use and achieve profit from implementation of this interfaces by recieving more information from responses? |
Here's a proposal of new PSR for standartizing CAPTCHAs to one interface
Continuation of this thread: https://discord.com/channels/788815898948665366/788816084383694848/1379332512886689812
TTL:
Recently we've faced with a problem that government forbids to gather data abroad and we urgently need to switch Google ReCaptcha to other solutions, but the thing is that since those solutions doesn't have common interface yet, the codebase needs to be refactored, which isn't good - the task in a nutshell is just "switch vendors"