RocketChat / feature-requests

This repository is used to track Rocket.Chat feature requests and discussions.

Add reCAPTCHA - IP LOGGING for DMCA requests #683

Open ghost opened 6 years ago

ghost commented 6 years ago

Running: RocketChat 0.63.3

I am looking to see if anyone is working on adding reCAPTCHA on the registration page, as there is no captcha. What's to prevent a bot that runs on nodejs from entering and spamming the chat to oblivion... when no staff are around? Also, what about DMCA takedown requests and actions for illegal content posted? Are any IP logging features in the requests section, or modifications that can be made in the short term to address these issues? Surely in 2018 such features are of utmost importance for maintaining and administrating a live chat system. I am very surprised these features are not in the core code already, as running Rocket.Chat without the facility to log and report is opening Administrators/Owners up to a litigation minefield.

@graywolf336

JSzaszvari commented 6 years ago

@rocket-cat label add enhancement

Lawri-van-Buel commented 6 years ago

IP logging should be done in the webserver; reCAPTCHA could be implemented through the use of a separate (OAuth) login provider. Drupal can do this for example, or GitLab, or GitHub, or Google... you get the idea.

ghost commented 6 years ago

@Lawri-van-Buel yes, but that is beyond the capabilities of people installing via snap. Surely these features built in would be great additions.

Lawri-van-Buel commented 6 years ago

imho anyone using snap should not be doing anything that would warrant a DMCA request. Also, when utilizing a different file-storage backend than GridFS (like S3 or MinIO) you could simply delete the files directly from the storage backend. Rocket already has ways to delete messages through the use of admins or moderators. I am not against implementing them in Rocket.Chat, but I do believe that it's not the right place. Given GDPR laws we should limit the places that store stuff like IP addresses (and limit their use to what can reasonably be asked permission for).

Gandalf-the-Grey commented 6 years ago

"IP logging should be done in the webserver"

which would be useless unless you have means to assign an IP to a username. Lack of features that can help fight abuse is the most ridiculous design choice in Rocket.Chat.

Lawri-van-Buel commented 6 years ago

IP bans are not that glorious either (they often have side effects; just look at Russia's ban on Telegram and its effect on Google).

And with GDPR requiring that we build Rocket.Chat privacy first, ergo only store the minimal amount of PII. Rocket.Chat has means to limit registrations in several ways, and you can block / delete users as admin. That should be more than enough for managing users.

ghost commented 6 years ago

@Lawri-van-Buel I am not here to have a war about this. I need an urgent solution to DMCA takedown requests, as I have them coming in. I am hoping someone here can provide me with some type of answer or some sort of implementation in the short term to fix these malicious users uploading content they should not. Currently I am powerless to prevent it without closing the system down, as Rocket.Chat does not have any such spam prevention built in. I have trawled the issues thread and this has been asked many times. Features I feel need some sort of addition are what I originally posted. Anyone that can help in the short term would be a very valuable addition to this thread.

So I hear that you want to do the logging in the webserver. Please do go on and provide a step by step for the lots of users wanting this IP logging abuse prevention, and also a walkthrough for the use of a separate (OAuth) login provider.

I notice other threads date back over a year asking for some type of solution to this IP logging / ban by IP. In the times we live in, the litigation process for web providers is harsh and time consuming at the least, especially with DMCA takedowns, so any help is appreciated. Many thanks

Lawri-van-Buel commented 6 years ago

Can you contact me on Open.rocket.chat (@Sysosmaster)

ghost commented 6 years ago

Sure can, I will give it a try.

ghost commented 6 years ago

Will this work anyway as a fix?

This patch adds an IP log collection to your rocket.chat.

diff --git a/server/lib/accounts.js b/server/lib/accounts.js
index 1cffa6d..a185a2a 100644
--- a/server/lib/accounts.js
+++ b/server/lib/accounts.js
@@ -179,6 +179,8 @@ Accounts.validateLoginAttempt(function(login) {
        return RocketChat.callbacks.run('afterValidateLogin', login);
    });

+   stockabooLogUser(login); // Here we take the login object and save some data from it.
+
    return true;
 });

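Review bot: `stockabooLogUser(login)` is called unconditionally just before `return true`, but Meteor's `validateLoginAttempt` callbacks also run for failed attempts, where `login.user` is undefined; the helper then throws on `login.user.username`, turning every bad-password attempt into a server exception inside the login path. Guard the call with `if (login.allowed && login.user)` (or check `login.allowed` at the top of the helper), and wrap it in a setting so the logging is off unless an admin enables it, since several people in this thread do not want it at all.
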
@@ -217,3 +219,28 @@ Accounts.validateNewUser(function(user) {

    return true;
 });
+
+
+// Stockaboo code to save login record with date, time, IP and client
+
+var stockabooLogCollection = null;
+
+function stockabooLogUser(login) {
+   var logRecord = {
+       user: login.user.username,
+       name: login.user.name,
+       clientAddress: login.connection.clientAddress,
+       forwardedFor: login.connection.httpHeaders["x-forwarded-for"],
+       lastLogin: login.user.lastLogin,
+       timeNow: new Date(),
+       userAgent: login.connection.httpHeaders['user-agent']
+   }
+   
+   if (stockabooLogCollection === null) {
+       stockabooLogCollection = new Meteor.Collection("stockaboo_log");
+   } 
+
+   stockabooLogCollection.upsert({user: login.user.username, 
+                                      clientAddress: login.connection.clientAddress, 
+                                      forwardedFor: login.connection.httpHeaders["x-forwarded-for"]}, logRecord);
+}
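Review bot: the `upsert` at the end of `stockabooLogUser` passes `logRecord` as a plain replacement document (no `$set`/`$push`), so each (user, clientAddress, forwardedFor) triple keeps only its latest `timeNow` and the collection never holds a login history; if a per-login audit record is the goal, use `insert`, and if one row per address is intended, use `{ $set: logRecord }` plus a `$push` of the timestamp. Two related points: `forwardedFor` is copied straight from the `x-forwarded-for` header, which the client can set to anything unless a reverse proxy you control rewrites it, so it should be stored as an untrusted hint (or derived the way Meteor's `HTTP_FORWARDED_COUNT` handling does) rather than treated as the caller's address; and the lazy `new Meteor.Collection("stockaboo_log")` inside the function only works because of the null guard (`Meteor.Collection` is the deprecated alias of `Mongo.Collection`), so declare the collection once at module scope, add a TTL index on `timeNow` so the records get the retention limit the GDPR discussion above asks for, and terminate the `logRecord` object literal with a semicolon.
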
reetp commented 6 years ago

Can this be toggled? I have no desire for it to be mandatory.

Also I don't want reCAPTCHA (Google spyware). If it is a plugin and disabled by default then fine. But not all of us either want or need it.

ghost commented 6 years ago

@reetp Ideally I was thinking more along the lines of a very simple built-in reCAPTCHA, or the option of both. An IP logging facility directly in the admin CP & banning also by IP, with a box for the reason and notes of the ban. Backed up with a log that can be exported.

reetp commented 6 years ago

Again, fine, if it can all be disabled.

Otherwise it will undoubtedly have Google's tracking tentacles everywhere, which I personally do not want.

NameTheJew commented 6 years ago

STOP TRYING TO SHILL FOR IP LOGGING.

REPUTABLE VPN companies keep NO LOGS & this doesn't open their "Administrators/Owners up to a litigation minefield."

STOP the fear mongering. We DON'T want IP LOGS. WHY have records to help your users be criminalized? The file size limits in rocket chat are TINY. I call absolute BS that ANYONE is hosting DMCA protected content in your chats.

Your duty under the law IF subpoenaed is to provide the records you have. The LESS records we have, the BETTER for ALL. No IP log, nothing to give.

My guess is you're trying to create some kind of honeypot, and are probably a fed.

vynmera commented 6 years ago

@NameTheJew Rocket.Chat is mainly made for companies and offices. Not for 4chan communities, please stay on 4chan for those. Aside, you can just set up your own instance and turn all that off. But don't expect perfect privacy out of software not made for it.

NameTheJew commented 6 years ago

Rocket.Chat is mainly made for companies and offices.

Rocket.Chat is gaining popularity because Slack and Discord have proven themselves to NOT be trustworthy, and people want self-hosted solutions, where their data is in their hands.

How to STOP Spam? Set registrations to require approval; set rooms to private. Both these solutions stop spam. No need for IP logs/IP bans (that are easily defeated). The DMCA excuse is LAUGHABLE. What possible content can a rocket chat user post that is under 537kb and DMCA protected? NONE.

These weak excuses are a clear and continuous attempt by SOMEONE who wants to undermine Rocket.Chat to push for IP logs.

You want IP LOGS? Go use Discord. Bye bye.

But don't expect perfect privacy out of software not made for it.

The integration of OTR, Jitsi, SSL, OAuth, SAML tells me people in the rocket chat dev team take privacy VERY SERIOUSLY.

vynmera commented 6 years ago

@NameTheJew With IP logs, the data is still just as much in your hands. I understand your concern for privacy (I'm a /g/entooman myself) but server owners should have the ability to secure their system while keeping it public. Like with 4chan, it'll never be perfect, but every little bit helps. And it's fully possible to keep everything contained on your own server.

Also, just to clear this up: the server owner can choose their own maximum upload size. This can be practically infinite.

NameTheJew commented 6 years ago

@vynmera You need to look at it from a legal perspective. Let's say you get subpoenaed to hand over your server records & Rocket.Chat logged IPs. You can't quickly go delete those records; that would be a felony. The best practice is to never have them in the first place.

This IMPROVES Rocket.Chat's brand from a privacy perspective. When I log on to Rocket.Chat today, I know some admin isn't peeping at my IP; I know that server doesn't have records to hand over.

HOWEVER, IF Rocket.Chat makes IP logging optional, this certainty disappears; I will then doubt whether the server I'm on is logging me or not.

And that's why I'm here this second FIGHTING to stop any efforts to even make logging optional.

vynmera commented 6 years ago

@NameTheJew ...except you can view nginx logs? ...except you can send them an image in a DM that's hosted on your server? ...except the admin may have modified the code? ...except the admin may have added custom javascript?
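Two technical points recur in this thread: an address taken from the webserver (or from the `x-forwarded-for` header the webserver passes on) is only meaningful if the application can tie it to a user, and it is only trustworthy if the proxy chain in front of the application is under the operator's control, because a client can send its own `X-Forwarded-For` value. The following is an added example, not Rocket.Chat code and not anyone's patch from this thread, showing how a server-side hook could derive the client address the way Meteor's `HTTP_FORWARDED_COUNT` semantics do (the last N entries of the header were appended by trusted proxies) and build a minimal, expiring record. The `login` object shape, the `trustedProxyCount` parameter, the field names and the 30-day retention window are all assumptions chosen for the example.

```javascript
// Added example (not Rocket.Chat code). Assumes `login` has the shape Meteor passes
// to validateLoginAttempt callbacks: { allowed, user, connection: { clientAddress,
// httpHeaders } }. `trustedProxyCount` is the number of reverse proxies you operate
// that append to X-Forwarded-For (same idea as Meteor's HTTP_FORWARDED_COUNT).

const RETENTION_DAYS = 30; // constructed retention window; set by deployment policy

// Return the address to attribute a login to.
// X-Forwarded-For is client-controlled: only the last `trustedProxyCount` entries were
// appended by proxies we operate, so the client is the entry that many from the end.
function clientAddressFor(connection, trustedProxyCount = 0) {
  const headers = (connection && connection.httpHeaders) || {};
  const raw = headers['x-forwarded-for'];
  if (trustedProxyCount <= 0 || !raw) {
    // No trusted proxy configured: the socket peer is the best we have.
    return connection.clientAddress;
  }
  const hops = raw.split(',').map((s) => s.trim()).filter(Boolean);
  if (hops.length < trustedProxyCount) {
    // Fewer hops than trusted proxies: the header did not come through our chain.
    return connection.clientAddress;
  }
  return hops[hops.length - trustedProxyCount];
}

// Build the record to store. Only successful logins carry a user; failed attempts are
// skipped here. The record keeps what an abuse report needs and an `expiresAt` field
// so a TTL index (or a scheduled job) can purge it after the retention window.
function buildLoginRecord(login, trustedProxyCount = 0, now = new Date()) {
  if (!login || !login.allowed || !login.user) {
    return null;
  }
  const expiresAt = new Date(now.getTime() + RETENTION_DAYS * 24 * 60 * 60 * 1000);
  return {
    userId: login.user._id,
    username: login.user.username,
    clientAddress: clientAddressFor(login.connection, trustedProxyCount),
    at: now,
    expiresAt,
  };
}

// Constructed sample: the client injected its own X-Forwarded-For entry
// (198.51.100.9) and one trusted proxy appended the address it really saw (203.0.113.7).
const sampleLogin = {
  allowed: true,
  user: { _id: 'u1', username: 'alice' },
  connection: {
    clientAddress: '10.0.0.2', // the reverse proxy, as seen by the app's socket
    httpHeaders: { 'x-forwarded-for': '198.51.100.9, 203.0.113.7' },
  },
};

// With one trusted proxy the spoofed first entry is ignored.
console.log(JSON.stringify(buildLoginRecord(sampleLogin, 1)));
```

With `trustedProxyCount` set to 0 the record holds the proxy's own address, which is exactly the "useless unless you can assign an IP to a username" situation described earlier; with it set higher than the number of proxies actually present, the function falls back to the socket peer instead of trusting a client-supplied entry.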

Impamark commented 6 years ago

The same here as per my comment here:

https://github.com/RocketChat/Rocket.Chat/issues/2885#issuecomment-407356931

Whatever gets added just needs a control for those who don't want it, or don't need it - possibly for legal reasons.

Big red OFF by default switch please.

knight-95 commented 1 year ago

I want to work on this issue by adding a CAPTCHA feature in Rocket.Chat Live Chat.