Open dcramer opened 3 years ago
@dcramer which team is owning this initiative?
@BYK right now I am
I spent some time on this today and it'll be more tricky than I hoped given the changes that have occurred in the cloud service codebase.
New plan:
Once the above is done, it can be merged/released. Then changes can be staged in getsentry:
It's possible it might be simpler to pull in Google's core reCAPTCHA support so we have one library that is shared between react and non-react pages, and just implement a tiny layer for the react page. I don't think it needs to do much (hook a submit event, bind some data), so it's likely not much code.
After a good night's rest I've had the realization that our bot issue is likely due to the fact that CSRF protections were removed from the signup endpoint. Will be exploring how to get that resolved as a first step pre-captcha. The new session auth will enforce it, but that means the page needs to ensure a CSRF cookie is present first.
Had to revert the CSRF change as the upstream signup page is not clearing auth classes (wrong code comment) and the signup page def breaks due to CSRF
Another item identified is we should probably require CORS (e.g. SENTRY_ALLOWED_DOMAINS) on session-based API views. That's a little tricky of a change today (likely) as it requires passing an object to request.auth, which in many scenarios we assume the lack of object = session auth. Also might mean we could just hijack it and enforce that meaning in the core endpoint class.
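As an added example (not code from this issue, from Sentry or from getsentry), the rule sketched in the comment above and the CSRF concern raised two comments earlier can be expressed as a single check: treat a missing `request.auth` object as session auth, and for session-authenticated state-changing requests require both an allowed Origin/Referer host and a matching CSRF cookie/header pair. The `Request` class, `check_session_request`, the `ALLOWED_DOMAINS` value and the `csrftoken`/`X-CSRFToken` names are all assumptions made for this illustration, not Sentry's API.

```python
from dataclasses import dataclass, field
from hmac import compare_digest
from urllib.parse import urlsplit

# Constructed stand-in for a deployment's allowed-origins setting (named
# after SENTRY_ALLOWED_DOMAINS in the thread; the hosts are made up).
ALLOWED_DOMAINS = frozenset({"app.example.com", "example.com"})

# Methods that must not change state and therefore skip the CSRF/origin checks.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


@dataclass
class Request:
    """Minimal hypothetical request object, not a real framework class."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    # Mirrors the convention discussed in the thread: auth is None when the
    # caller relied on the browser session rather than a token/key object.
    auth: object = None


def is_session_auth(request: Request) -> bool:
    """Lack of an auth object means the request rides on the browser session."""
    return request.auth is None


def origin_host(request: Request):
    """Host from the Origin header, falling back to Referer; None if absent."""
    origin = request.headers.get("Origin") or request.headers.get("Referer")
    if not origin or origin == "null":
        return None
    return urlsplit(origin).hostname


def check_session_request(request: Request, allowed_domains=ALLOWED_DOMAINS):
    """Return (allowed, reason).

    Only session-authenticated, state-changing requests are subject to the
    origin and CSRF-token checks; token-based callers and safe methods pass.
    The CSRF step is a double-submit comparison, so the page must already
    have been issued the csrftoken cookie (the point raised about the signup
    page needing to ensure a CSRF cookie is present first).
    """
    if not is_session_auth(request):
        return True, "non-session auth"
    if request.method.upper() in SAFE_METHODS:
        return True, "safe method"
    host = origin_host(request)
    if host is None:
        return False, "missing Origin/Referer on state-changing request"
    if host not in allowed_domains:
        return False, f"origin {host} not in allowed domains"
    cookie_token = request.cookies.get("csrftoken")
    header_token = request.headers.get("X-CSRFToken")
    if not cookie_token or not header_token:
        return False, "missing CSRF token"
    # Constant-time comparison so token mismatches don't leak timing.
    if not compare_digest(cookie_token, header_token):
        return False, "CSRF token mismatch"
    return True, "ok"


def run_samples():
    """Constructed sample requests covering each branch of the check."""
    token = "c0nstructed-csrf-token"
    samples = {
        "api_token_post": Request("POST", auth="constructed-token-object"),
        "session_get": Request("GET"),
        "session_post_same_origin": Request(
            "POST",
            headers={"Origin": "https://app.example.com", "X-CSRFToken": token},
            cookies={"csrftoken": token},
        ),
        "session_post_foreign_origin": Request(
            "POST",
            headers={"Origin": "https://evil.example.net", "X-CSRFToken": token},
            cookies={"csrftoken": token},
        ),
        "session_post_no_origin": Request("POST", cookies={"csrftoken": token}),
        "session_post_token_mismatch": Request(
            "POST",
            headers={"Referer": "https://app.example.com/signup", "X-CSRFToken": "other"},
            cookies={"csrftoken": token},
        ),
    }
    return {name: check_session_request(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in run_samples().items():
        print(f"{name:30} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The check deliberately skips non-session callers: an API token or key object in `request.auth` is not something a third-party page can make a browser attach, so the origin rule only bites where ambient credentials (cookies) are in play.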
To prevent bots from abusing certain endpoints (specifically things like registration) we want to enable reCAPTCHA on various endpoints.
At minimum this will be the signup endpoint, but there is value in ensuring this can be used now or in the future for several other endpoints, including login and password recovery.
Implementation likely includes: