adsabs / adsws

ADS web services

add recaptcha verification to the login #142

Open romanchyla opened 6 years ago

romanchyla commented 6 years ago

bbb contacts api/accounts/user

https://github.com/adsabs/adsws/blob/master/adsws/accounts/views.py#L377

it sends user and password + csrf token; for an unknown reason, we never put in the recaptcha - which is present in the registration; we should add it, that requires changes in the class referenced above + change in bbb

https://github.com/adsabs/adsws/blob/master/adsws/accounts/views.py#L499

and corresponding change in bbb, probably here:

https://github.com/adsabs/bumblebee/blob/master/src/js/widgets/authentication/widget.js
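Added example, not code from adsws or bumblebee: a server-side reCAPTCHA check of the kind proposed above, placed in front of the password check in a minimal login flow. Assumed, not taken from the issue: the form field name `g-recaptcha-response`, the placeholder `RECAPTCHA_SECRET`, and the injected `post` callable that stands in for the HTTPS request to Google's `siteverify` endpoint so the example runs offline.

```python
"""Server-side reCAPTCHA verification in front of a login handler.

Added example, not adsws code. Assumptions (not from the issue): the login
POST body carries ``g-recaptcha-response``, the CSRF check has already run,
and the outbound HTTP call is injected so this file runs without network.
"""
import json
from typing import Callable, Dict, Optional

# Real Google endpoint; the secret is a placeholder, not a project value.
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
RECAPTCHA_SECRET = "PLACEHOLDER_SECRET"

# HttpPost(url, form_fields) -> response body as text
HttpPost = Callable[[str, Dict[str, str]], str]


def verify_recaptcha(token: Optional[str], remote_ip: Optional[str], post: HttpPost) -> bool:
    """Return True only when Google confirms the token.

    Fails closed: a missing token, a transport error, a malformed body or
    ``success`` != True all count as a failed verification.
    """
    if not token:
        return False
    fields = {"secret": RECAPTCHA_SECRET, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    try:
        result = json.loads(post(SITEVERIFY_URL, fields))
    except (ValueError, OSError):
        return False
    return result.get("success") is True


def login(form: Dict[str, str], remote_ip: Optional[str], post: HttpPost,
          check_password: Callable[[str, str], bool]) -> Dict[str, object]:
    """Minimal login flow: CAPTCHA first, credentials second.

    Checking the CAPTCHA before touching the password store means scripted
    attempts without a valid token never reach the credential check.
    """
    if not verify_recaptcha(form.get("g-recaptcha-response"), remote_ip, post):
        return {"status": 403, "error": "captcha verification failed"}
    if not check_password(form.get("username", ""), form.get("password", "")):
        return {"status": 401, "error": "invalid credentials"}
    return {"status": 200, "user": form["username"]}


def fake_siteverify(valid_tokens):
    """Constructed stand-in for the HTTPS call to siteverify (offline demo)."""
    def post(url, fields):
        assert url == SITEVERIFY_URL
        ok = fields.get("response") in valid_tokens
        return json.dumps({"success": ok,
                           "error-codes": [] if ok else ["invalid-input-response"]})
    return post


def demo():
    """Run three constructed login attempts; returns their HTTP statuses."""
    post = fake_siteverify({"good-token"})
    creds = lambda u, p: (u, p) == ("alice", "correct horse")
    good = {"username": "alice", "password": "correct horse",
            "g-recaptcha-response": "good-token"}
    no_token = {"username": "alice", "password": "correct horse"}
    bad_pw = {"username": "alice", "password": "wrong",
              "g-recaptcha-response": "good-token"}
    return [login(good, "203.0.113.5", post, creds)["status"],
            login(no_token, "203.0.113.5", post, creds)["status"],
            login(bad_pw, None, post, creds)["status"]]


if __name__ == "__main__":
    print(demo())  # [200, 403, 401]
```

In a real Flask view the injected `post` would be something like `lambda url, fields: requests.post(url, data=fields, timeout=5).text`; keeping the transport behind a callable is what makes the fail-closed branches (timeout, non-JSON body) testable without hitting Google.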

marblestation commented 6 years ago

Are we sure about this? It is not common to have captchas to login, and it is very annoying when for some non-obvious reason (e.g., you are behind a proxy and there are too many requests) suddenly you have to find cars on an image (or similar tests). Wouldn't the current rate limit be enough?

romanchyla commented 6 years ago

i find the "i'm not a robot" captcha (so-called 'no captcha recaptcha') to be very simple, it only requires a click - i don't know how google decides to present a challenge, but i think it is not as simple as just too many reqs; and when i tried to script the login i was consistently being failed on a captcha - as a user, i get to see it very rarely

but i searched what internet thinks and i might be indeed over-zealous: https://security.stackexchange.com/questions/93912/is-it-helpful-to-have-a-captcha-on-a-login-screen

On Fri, Mar 16, 2018 at 7:45 PM, Sergi Blanco-Cuaresma < notifications@github.com> wrote:

Are we sure about this? It is not common to have captchas to login and it is very annoying when for some non-obvious reason (e.g., you are behind a proxy and there are too many requests) suddenly you have to find cars on an image (or similar tests), wouldn't the current rate limit be enough?
