joomla / joomla-cms

Home of the Joomla! Content Management System
https://www.joomla.org
GNU General Public License v2.0

[RFC] Remove Google reCaptcha v1 #20960

Closed PhilETaylor closed 5 years ago

PhilETaylor commented 6 years ago

Google reCAPTCHA V1 has been shut down since March 2018.

We should remove the option to allow v1 integration from the next version of Joomla.

mbabker commented 6 years ago

https://github.com/joomla/joomla-cms/pull/19648#issuecomment-364953290 still stands.

PhilETaylor commented 6 years ago

Oh well, I see J4 has already removed it, and J3 has some warnings - so let's just drag dead code up to the cliff edge that is the jump to J4.

mbabker commented 6 years ago

If you've got ideas on hiding the v1 options without messing up the code so sites configured to use it don't arbitrarily get changed to trying to use the v2 API then those are welcome. It's just one of those cases of being a bit over cautious with flat out removing it (basically the changes in the plugin from https://github.com/joomla/joomla-cms/pull/18506 minus the "move to other library" part of that PR).

PhilETaylor commented 6 years ago

People don't read post install messages, or check that their 3rd party services API is still valid.

People do respond to when their sites break on an update... with gusto. ;-)

mbabker commented 6 years ago

There's a pesky little thing called B/C that we have to deal with in distributed software 😜

PhilETaylor commented 6 years ago

However, it's not Joomla's fault that an API is discontinued. We cannot be expected to provide B/C for an API that no longer exists.

mbabker commented 6 years ago

We can handle things in a way where sites don't fatal over because we removed the code for the discontinued API. That's the important part here. If someone comes up with something that can sanely remove the v1 support without fatally breaking a site by forcing it to try to use the v2 API in a misconfigured state we can roll with it. Without that proposal though, the safest thing to do is to leave the existing (dead) code in place.

PhilETaylor commented 6 years ago

And also - Joomla 3.8.10 allows the selection of v1, then displays no captcha on the form, and then makes it impossible to submit the form - and therefore has broken B/C anyway :) because the API simply doesn't exist at Google anymore.

PhilETaylor commented 6 years ago

> We can handle things in a way where sites don't fatal over because we removed the code for the discontinued API.

If a site has v1 enabled - then the contact form cannot be submitted. I just checked in 3.8.10.

brianteeman commented 6 years ago

Yes, it allows you to select it but it also displays a big warning. YCFS

mbabker commented 6 years ago

The plugin's onDisplay method should be updated to address that then in a user friendly way (show an alert div saying "this site's captcha is misconfigured/unavailable, cannot submit form" or something, UX people can find a friendly way to communicate that on the frontend).

My main point is there are things we can do to gracefully handle this. I don't think flat out removing all the v1 code and forcing everything onto the v2 code as I did in my J4 PR is the right way of doing it for J3. So I'm not advocating for "do nothing", just "do whatever it is you're going to do smartly".
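
An added illustration of the graceful handling described in the comment above (not part of the thread and not Joomla's plugin code): a stand-alone PHP sketch in which a stored v1 setting is left untouched, the form shows a notice instead of the widget, and validation rejects the submission. The class `RecaptchaVersionGuard`, its methods, the verifier callback and the sample params are hypothetical.

```php
<?php
// Added illustration; not Joomla code. All names here are hypothetical.
final class RecaptchaVersionGuard
{
    private const NOTICE = "This site's captcha is misconfigured or unavailable; the form cannot be submitted.";

    private $params;
    private $verifier;

    // $verifier stands in for the real v2 verification call.
    public function __construct(array $params, callable $verifier)
    {
        $this->params   = $params;
        $this->verifier = $verifier;
    }

    // The stored value is only read, never rewritten: a v1 site is not switched to v2.
    public function isDiscontinued(): bool
    {
        return ($this->params['version'] ?? '') === '1.0';
    }

    // Show a notice instead of loading the dead v1 script.
    public function display(string $id): string
    {
        $id = htmlspecialchars($id, ENT_QUOTES, 'UTF-8');
        if ($this->isDiscontinued()) {
            return '<div id="' . $id . '" class="alert alert-warning" role="alert">'
                . htmlspecialchars(self::NOTICE, ENT_QUOTES, 'UTF-8') . '</div>';
        }
        return '<div id="' . $id . '" class="g-recaptcha"></div>';
    }

    // Fail closed: a discontinued configuration never validates a submission.
    public function checkAnswer(string $response): bool
    {
        if ($this->isDiscontinued() || $response === '') {
            return false;
        }
        return (bool) ($this->verifier)($response);
    }
}

// Constructed sample params for a site still configured for v1.
$guard = new RecaptchaVersionGuard(['version' => '1.0'], function (string $r): bool {
    return $r === 'constructed-valid-token';
});
echo $guard->display('jform_captcha'), PHP_EOL;
var_dump($guard->checkAnswer('constructed-valid-token'));
```

Rejecting in `checkAnswer` matters as much as the notice: if the check were skipped for v1 sites, removing the dead widget would leave the form unprotected against automated submissions.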

mbabker commented 6 years ago

Re-opening. At a minimum we can do something about the frontend issue. What, I don't know, but either way this isn't a 100% dead topic.

PhilETaylor commented 6 years ago

Also, when https://www.google.com/recaptcha/api/js/recaptcha_ajax.js loads, it attempts to load https://www.google.com/recaptcha/api/challenge?k=66Ldyn-YSAAAAAGs3Br16Q87JRDg9cu05rpmbKn0j&ajax=1&cachestop=0.1370436095683205&lang=en which in turn attempts to write the warning to the page - but fails in Google Chrome due to security.

[screenshot]

PhilETaylor commented 6 years ago

@mbabker Something like https://github.com/joomla/joomla-cms/pull/20965? The light touch approach.

mbabker commented 6 years ago

Seems fair to me honestly.

PhilETaylor commented 6 years ago

or maybe something more generic in libraries/src/Captcha/Captcha.php that just flat out refuses to load the captcha if the params version is v1.0?

At the moment #20965 leaves a form with a form field for captcha (optional) which is silly:

[screenshot]

I'm out of time - need to do the school run.

mbabker commented 6 years ago

> or maybe something more generic in libraries/src/Captcha/Captcha.php that just flat out refuses to load the captcha if the params version is v1.0?

The plugin's the right place to deal with it. Because the Captcha class is supposed to be an abstraction layer of sorts to allow any captcha system to be plugged in, you start putting logic in there and it gets murky as all hell (how does the class know it's dealing with a Google captcha system, implementing version 1 of the API, etc. etc.).

PhilETaylor commented 6 years ago

I honestly could not recall the name of any other captcha system that I would ever use ;-) ;-) haha



joomla-cms-bot commented 5 years ago

Set to "closed" on behalf of @Quy by The JTracker Application at issues.joomla.org/joomla-cms/20960

Quy commented 5 years ago

Closing per PR #20965

