Do something against malicious edits

[tpetricek]

Looks like we are now getting some malicious edits for the first time: http://fssnip.net/P

We need to do something against this - probably keep history of metadata #37 and add a way to revert changes (perhaps based on Captcha-protected voting, or something like that).

[kunjee17]

@tpetricek this seems like bot. What are the options we have?

Social Auth/Check box based silent checking/ Captcha/ Math Captcha (kinda align with fssnip)?

[tpetricek]

I think the two things we should do are:

• [ ] Basic captcha or silent checking for edits sounds like a great starting point!
• [ ] Changing the site so that we keep a full history (solving in #37) would be good

The first one should probably be sufficient for now. The second will let us revert changes more easily (without having to go to a separate backup)

[leppie]

Something I did for eval.ironscheme.net is to only allow syntactically correct code.

[tpetricek]

@leppie That sounds like a neat solution :) I think we probably want to allow code that does not type check (because it misses some external dependency) but requiring the parser to pass makes sense!

I'm not sure if we can easily get this info from the compiler service though... :-/

[Rickasaurus]

It seems like this might work as an initial pass? http://fsharp.github.io/FSharp.Compiler.Service/untypedtree.html

[swlaschin]

What about a combo of hidden field (to trap spam-bots -- link) and a trivial question that only F# people know (what are the two missing letters in "List.fo--"?) which can be hard-coded. Super easy to implement and should stop almost all spam.

[kunjee17]

I am trying to incorporate PuzzleCaptcha. Looks good?

[tpetricek]

I would prefer something non-intrusive with not too crazy UI.

reCAPTCHA seems to be quite common, so that would be my first choice. With PuzzleCaptcha, it seems to be taking too much space.

A hidden Textarea with value set from JS sounds good too. Though I guess a spambot that can run JS will be able to break it?

[kunjee17]

@tpetricek Yes. Old trick is not viable anymore. It was good 4 years back. But you know how internet grows.

There is other option like Social Authentication. But it would be little more work. I need to check nuget if there is any project available.

Recaptcha is good. But I don't know I never feel better about using google thing. I have no idea why.

Let me know what you think?

Update1 UserApp this is there. But also prices is attached. It is basically used to out source authentication part completely.

[tpetricek]

I think Recaptcha is an ideal initial choice (looks simple & I believe it works and is not too obtrusive). We can always come up with better things later.

[kunjee17]

@tpetricek cool. reCaptcha is asking for login. So, if you can provide me the code will try to add it over here.

PS: I will be traveling for a week so it will take little more time than needed. Hope that is ok.

[tpetricek]

Thanks lot for looking into this!

I just registered. The client side bits are:

<script src='https://www.google.com/recaptcha/api.js'></script>
<div class="g-recaptcha" data-sitekey="6LcKMBkTAAAAAEraOh3NMw3IlvtMQO4quQOf3rCN"></div>

I'll DM you the Secret server-side key for testing. In the code, assume it will be in some environment variable (like the Azure connection string).

[tpetricek]

I added the reCAPTCHA for a start... but happy if someone comes up with a better solution :).

Also, it would be nice to address #37

[tpetricek]

That said, there is still room for improvement :-). My code just shows an error page, but it would be nice if we left the user at insert/edit page with the values and just displayed a message....

[kunjee17]

@tpetricek sorry I left from city after that. And on my way back. Was at hometown so little or no Internet. I'll have a look at code once I reach. Sorry you have to pick up thing.