itchio / itch.io

:bug: Public itch.io issues tracker and documentation - use support instead for private information!
https://itch.io/support

Unable to complete CAPTCHA when logging into app #765

Closed badon closed 6 years ago

badon commented 6 years ago

You should NOT have CAPTCHAs in your PC desktop software. This is crazy. Plus, I can't pass them. Even when everything is right, it won't let me past it. Sometimes it doesn't display correctly, and then it's a bit harder to (not) pass it. Huge waste of time.

[Screenshot: itch.io PC software captcha, 2017-12-13]

leafo commented 6 years ago

Our desktop app uses our API, and our API can be attacked the same way our website can be, so sometimes you may get a captcha while attempting to log in.

Do you have trouble completing reCAPTCHA in general, or is there something about it in the app that prevents you from completing it?

badon commented 6 years ago

As you can see in the screenshot, the CAPTCHA isn't displayed properly. There were worse ones that I didn't catch in a screenshot, but you can see in the provided screenshot that the instructions for the CAPTCHA aren't visible. In one instance the "VERIFY" button was off-screen. I do a lot of bug testing, so I was able to figure out how to screw with it and get it to work, but you can't expect that kind of persistence from an ordinary user that isn't trying to break it and find bugs and/or workarounds.

leafo commented 6 years ago

Were you not able to scroll in the dialog that contained the captcha?

badon commented 6 years ago

Yes, scrolling works, but there are no scrollbars and no other hint that it's not totally broken. Once again, a bug hunter like myself will be able to find workarounds, but an ordinary user is more likely to give up before they discover them. Since you're serving CloudFlare's CAPTCHA, you have no control over what exactly they try to stuff in there. Also, I discovered recently that the CAPTCHA sometimes won't display at all if I'm not logged in to Google. It will simply give this error message (eveonline.com, not itch.io):

[Screenshot: Google reCAPTCHA refuses to work, 2017-12-07, censored]

It would be wise to find another way to authenticate to your API without relying on CloudFlare and Google's reCAPTCHA.

leafo commented 6 years ago

It's unlikely we'll be removing Google's captcha. You may have to find another alternate way to anonymize your traffic if you're getting blocked logging in. Captchas only show up during log in if we're receiving suspicious traffic from your connecting network, or we need to temporarily boost global security verification due to spammers hitting our site. Sadly the same networks used by people trying to be anonymous are also used by people trying to abuse websites. That's just the reality of things right now.

Cloudflare is not used on API authentication; it's only used on our static asset domains. Their security challenge is separate, and we don't control it. (As I mentioned in the other ticket, I've lowered their protection as much as I can, but if they decide your network can't be trusted then you'll have to find an alternate way to connect.)

leafo commented 6 years ago

Another option I'm open to exploring is letting you provide a two-factor authentication code up front when logging in, and that will let you bypass any captcha. You would need to have TFA enabled on your account of course.

badon commented 6 years ago

IPv4 addresses have been exhausted for almost 20 years now, if I remember correctly. Ordinary users of all kinds will encounter these problems with increasing frequency because of the increasing use of shared IP addresses. Some mobile networks ALWAYS get flagged as suspicious, and as I'm sure you already know, mobile traffic is one of the fastest growing areas of internet users.

In any case, I'm not anonymizing my traffic (per se). Since you only deal with non-anonymous users with accounts, you don't need to throw your hands up in despair if some of their networks are being used for abuse. You're already having good ideas for eliminating or reducing your need to rely on brute-force whole-network blocking, and I encourage you to continue on that line of thinking. There are many straightforward solutions that could work for you.

The only reason this problem is the most common on the internet is because people put too much trust in CloudFlare and Google, so they don't bother to test them. Consequently, Google thinks nothing of sending your customers away, with no communication whatsoever. As long as you don't know, or you don't care, they can do whatever they want to you.

ghost commented 6 years ago

Not sure how old this is, but I get a similar issue. Captcha doesn't have any visual bugs for me but the desktop app yells with a JavaScript exception saying it can't read property "recaptchaResponse" of "null". If you need a stacktrace, I can go attempt to log in again and post it.

badon commented 6 years ago

A screenshot would be interesting.

ghost commented 6 years ago

[Screenshot of the error] This is the full error as text:

TypeError: Cannot read property 'recaptchaResponse' of null
    at Object.<anonymous> (C:\Users\Michael\AppData\Local\itch\app-23.6.3\resources\app.asar\appsrc\reactors\login.ts:50:54)
    at Generator.next (<anonymous>)
    at fulfilled (C:\Users\Michael\AppData\Local\itch\app-23.6.3\resources\app.asar\app\reactors\login.js:4:58)
    at <anonymous>

Is there some way I can get past this? I want to test to see how itch handles downloading the current release of my game.

badon commented 6 years ago

Is that error after entering your CAPTCHA response? If so, then you might be able to test without triggering the CAPTCHA using a VPN, assuming your IP address is the only reason it's being imposed on you. Obviously, if we (experts) can't pass the CAPTCHA, then every normal user that gets stopped by a weird in-app CAPTCHA is not going to be able to use itch.io.

I must point out the obvious one more time:

Relying on a shoddy third-party CAPTCHA to do mission-critical authentication in the itch.io app - Which it was never designed to do! - is a very bad idea.

ghost commented 6 years ago

Yep, the error's after completing the CAPTCHA. I also notice that although I'm signed into Google under the same email address and don't have to fill out CAPTCHAs manually anywhere else on the Internet (I can just tick the "I'm not a robot" box and it automatically checks itself), itch always makes me do a picture or audio puzzle. Always. But I can get into the website just fine without being prompted for a CAPTCHA, I can use butler, etc.

I guess what could be causing me to be getting CAPTCHAs in the first place would be my game's itch integration. It talks with the OAuth2 server to validate the API access token stored in the game's config every time the game boots. And I'm constantly opening and closing the game as I debug and program it. Maybe I'm being rate-limited? Seems unlikely because the game takes a lot of time to spin up and even get to the stage in the code where it starts talking with the API.

I don't know how to set up a VPN let alone can I afford one. Could probably try a Tunnelbear free trial (ohhh linus tech tips memes lol) but it probably requires a credit card. And let's face it. I'm a 16 year old hobbyist game dev who doesn't even have a bank account or have any income whatsoever, would you even think I've got a credit card? lol

badon commented 6 years ago

You're probably not being rate-limited per se. The real problem is CloudFlare's ability to recognize a consistently human internet user is very poor. They will continue to hammer you with CAPTCHAs, and they're not smart enough to conclude you probably aren't going to stop being human any time soon. Google's reCAPTCHA is even worse. They won't even let you enter a CAPTCHA sometimes, preferring to send your business elsewhere.

I'm sure nobody tests any of those CAPTCHA systems, which is why they don't work reliably, and often break the sites using them. For people who use crappy CAPTCHA systems to block access to mission-critical functions without ever testing them, ignorance is bliss, and they have no idea what's going on until literally 1 in a billion users (only me) bothers to deliberately trigger and then circumvent the CAPTCHA to study the problem and make an attempt at reporting it. For example, in all the countless billions of highly skilled visitors to reddit.com over the years, I was the first and only person to report they had accidentally installed hidden CAPTCHAs that blocked their own content, including their most mission-critical content, their income-generating advertising. Amazing.

Incapsula is MUCH better at not annoying real, human users with incessant CAPTCHAs, but they're more expensive than the free services from CloudFlare and Google. Still, they provide no formal testing tools either, so their customers are equally unaware of how well it's working, or not working. I'm probably the world's foremost expert on this issue, solely because I'm the only one that knows about it and has ever bothered to publicize it to improve awareness with public bug reports, my MediaWiki user page, and 1 YouTube video.

The people who encounter these problems the most tend to be the ones who are least likely to recognize a bug and report it. They don't have high quality IP addresses they can use. Developers and most bug testers invariably rely on very good quality internet access. In my case, I have to set up a somewhat specialized system that allows me to deliberately use a bad quality IP address, so I can trigger CAPTCHA bugs on the sites and services I use, and then report the bugs after I succeed in isolating it.

The free and ultra-low-cost VPNs will have blacklisted IP addresses too. I use IronSocket's VPN IP addresses if I need to get around an unpassable block: ironsocket.com. I use a cheap Private Internet Access (PIA) VPN as a backup, and when I want to test with a lower quality VPN IP address: privateinternetaccess.com. If you want to get one of those services, you can contact me privately and I can send you my affiliate links for them, which I would appreciate.

The Itch.io app has a problem with excessive system resource consumption that exceeds many of the games themselves (I test on a low-spec system to find problems like that). And, obviously you now know about the issues your users will have with getting past its shoddy shoe-horned CAPTCHA system that often fails to work at all. It might be wise to consider using Steam or GOG Galaxy in addition to, or instead of itch.io. I have had similar or worse problems with Ubisoft's Uplay and Electronic Arts's Origin, but Steam and Galaxy have consistently worked well, and they are fast to fix major breaking bugs that have no obvious workarounds, when I report them.

fasterthanlime commented 6 years ago

@TheFuzzyRiolu that particular error happens in v23 when you click "Log in" before the CAPTCHA is solved properly.

In v25 (currently in QA) this bug doesn't exist, because there's no "Log in" button in the CAPTCHA dialog - it automatically advances to the next step when it's solved.

We're aware ReCAPTCHA isn't great and are actively looking into alternatives. Leaving it wide open is not an option for us at the moment, unfortunately.

Note that logging in with your username (rather than your e-mail) will trigger a CAPTCHA less often.
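A minimal model of the v23 crash and the v25 fix fasterthanlime describes, as an added example that is not the itch app's own code (the API stand-in, the `solved-token` value and all function names are constructed for illustration):

```typescript
interface CaptchaResult { recaptchaResponse: string }

// v23 behaviour: the "Log in" button submits whatever the dialog holds, and the
// handler reads .recaptchaResponse without checking for a missing result, so an
// unsolved captcha (null) throws "Cannot read property 'recaptchaResponse' of null".
function readCaptchaV23(dialogResult: CaptchaResult | null): string {
  // The non-null assertion mirrors the unchecked access in the reported stack trace.
  return dialogResult!.recaptchaResponse;
}

// v25 behaviour: there is no "Log in" button. The login step only runs from the
// widget's "solved" callback, so a null result can never reach the API call.
class CaptchaDialog {
  private solvedCb: ((r: CaptchaResult) => void) | null = null;
  onSolved(cb: (r: CaptchaResult) => void): void { this.solvedCb = cb; }
  // Called by the (modelled) captcha widget once the challenge is completed;
  // an empty response means "not solved yet" and the dialog simply stays open.
  solve(response: string): void {
    if (!response) return;
    this.solvedCb?.({ recaptchaResponse: response });
  }
}

type ApiReply = { status: 'ok'; token: string } | { status: 'captcha_required' } | { status: 'bad_captcha' };

// Constructed stand-in for the login endpoint: it demands a captcha for logins it
// considers suspicious and accepts only the constructed token "solved-token".
function fakeApiLogin(username: string, captcha: string | null, suspicious: boolean): ApiReply {
  if (!suspicious) return { status: 'ok', token: `tok-${username}` };
  if (captcha === null) return { status: 'captcha_required' };
  return captcha === 'solved-token' ? { status: 'ok', token: `tok-${username}` } : { status: 'bad_captcha' };
}

// v25-style flow: try without a token first; if the API wants a captcha, wire the
// dialog's solved callback to a retry. Nothing touches the dialog result before the
// widget reports it solved, which removes the null dereference entirely.
function loginV25(username: string, suspicious: boolean, dialog: CaptchaDialog): { token: string | null; state: string } {
  const result = { token: null as string | null, state: 'pending' };
  const first = fakeApiLogin(username, null, suspicious);
  if (first.status === 'ok') { result.token = first.token; result.state = 'ok'; return result; }
  result.state = 'captcha_required';
  dialog.onSolved((r) => {
    const retry = fakeApiLogin(username, r.recaptchaResponse, suspicious);
    result.state = retry.status;
    if (retry.status === 'ok') result.token = retry.token;
  });
  return result;
}
```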

ghost commented 6 years ago

@badon See, I originally wanted to use Steam but there's the $100 first-time publishing fee. I can't afford that fee and likely won't ever be able to for a long time. I'm still in high school, and I don't have any way of getting an income. Itch doesn't have any publishing fees at all, therefore it is actually financially feasible to release free (as in speech), open-source, and free (as in no charge) software to the platform. Because of the $100 publishing fee, for someone like me, Steam is not financially feasible for that.

@fasterthanlime Good to know. How long will it take for the new version to get out of QA and become public? I'm okay with reCAPTCHA being used mostly because it's the most accessible to me given my blindness. When it works, it works well. Especially when it sees you as a human - you just have to tick a box, not fill out a picture or audio puzzle. Itch just desperately needs that patch if not anything else.

alisonatwork commented 6 years ago

This is also happening to me, but in a different way. reCAPTCHA is blocked in China along with many other Google services, so any site that forces a reCAPTCHA to login effectively blocks itself from the Chinese market. Of course there are workarounds, but even as a technical user it's very frustrating.

leafo commented 6 years ago

reCAPTCHA is used as a security measure to protect the average account. We have a lot of people who try to run bots with stolen account credentials trying to see if they can get access to an itch.io account. The captcha will only appear if our system detects something suspicious about how someone is logging in. Those heuristics can never be 100% accurate, and they are also not shared publicly.

That said, you can disable the login captcha by:

(Also there's a new version of the app coming out soon which should alleviate some of the UI issues in the original ticket)

Thanks

DigDeep38 commented 5 years ago

reCAPTCHA wasn't shown when I wanted to register to GitHub. I checked solutions which GitHub provides, but nothing helped. Then I disabled tracking protection in Firefox; after that I could see the reCAPTCHA image, and was able to register to GitHub. Firefox says that there is nothing blocked on the site when you click on the padlock, but reCAPTCHA is.

badon commented 5 years ago

I don't own a smartphone, and there's no reason to assume everyone does. You can do two-factor authentication without requiring people to take on the burden of smartphones. Use email. Use smoke signals. Use whatever is convenient for the user. Locking people out based on technological prejudices does not make business sense.

badon commented 5 years ago

> reCAPTCHA wasn't shown when I wanted to register to GitHub. I checked solutions which GitHub provides, but nothing helped. Then I disabled tracking protection in Firefox; after that I could see the reCAPTCHA image, and was able to register to GitHub. Firefox says that there is nothing blocked on the site when you click on the padlock, but reCAPTCHA is.

If this is an issue with GitHub, you need to raise the issue with GitHub. This page is for Itch.io.

Jozxyqk6 commented 1 year ago

Note that 2FA does not prevent the problem on my system.

Please get out of the stone age and use 2FA verification in-app instead of relying on obsolete tech that blocks legitimate users.