Closed nghtyhndsm closed 5 years ago
@VeNoMouS After looking at my history you solved the initial problem when TorrentDay added Captcha authentication. Hopefully you can help out here?
Actually, are you using @junalmeida's or my build? @junalmeida no longer maintains this, and I have a lot more updates than he does on my build.
@nghtyhndsm aaah yea, I just checked my code, and yes, I get that error as well. I will investigate and see if I can come up with a workaround.
my IRC convo with them atm.... which isn't going that well..
11:24 -!- Irssi: Join to #help was synced in 1 secs
11:24 -!- Guest40843 [4ca7b00e@B4B0C9AC.75DA31E7.C2C82FBB.IP] has quit [Quit: https://torrentday.com WebIRC Client Exit]
11:24 < VeNoMouSNZ> any admins awake?
11:24 <&feelthepain> nope
11:24 <&feelthepain> all asleep
11:24 < VeNoMouSNZ> sick
11:24 < VeNoMouSNZ> errr shit
11:25 <&feelthepain> whats up girl
11:25 < VeNoMouSNZ> im a dev for sickbeard torrent edition
11:25 < VeNoMouSNZ> recently google changed their recaptcha to exclude localhost bind, which effects how we do recaptcha to torrentday
11:26 < VeNoMouSNZ> was wondering if admins could allow localhost / 127.0.0.1 into their admin panel for recaptcha
11:26 < VeNoMouSNZ> https://developers.google.com/recaptcha/docs/faq#localhost_support
11:26 < VeNoMouSNZ> we currently cannot do backlog searches
11:26 < VeNoMouSNZ> because we cant auth to the site
11:27 <&feelthepain> aawwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
11:27 <&feelthepain> sad :P
11:27 < VeNoMouSNZ> lol, not feeling the love :P
11:28 <&feelthepain> we give so little fucks about sickbeard its not funny
11:28 <&feelthepain> :P
11:28 <&feelthepain> but i can ask.
11:29 <&feelthepain> wouldnt allowing localhost,127.0.0.1 open it up for bot attacks or so?
11:29 < VeNoMouSNZ> don't see how, you still need to do the captcha
11:29 <&feelthepain> i guess i dont understand how it messes with sickbeard
11:30 < VeNoMouSNZ> sickbeard still authenicates to the site, but with the captca we could bind to localhost and redirect the captcha back inwards, which meant we could complete the recaptcha legit, and get the token from it
11:31 < VeNoMouSNZ> since google has changed that, we cant do the recaptha atm
11:31 < VeNoMouSNZ> you need to allow it in the admin panel under the capthca settings
11:31 <&feelthepain> theres no other work around?
11:31 <&feelthepain> like cookies or so
11:32 < VeNoMouSNZ> well short of getting users to auth, and manually extracting the token from their cookies
11:32 < VeNoMouSNZ> and injecting that back in
11:32 <&feelthepain> sounds like a better idea to me :P
11:32 < VeNoMouSNZ> lol, how is that better? unlike alot of other torrent sites, torrentday does not have an api
11:33 <&feelthepain> we dont care though :P
11:33 <&feelthepain> also most other sites have thsoe API's built into the code just fyi
11:34 < VeNoMouSNZ> I know, but i also know most of the admins from other sites, and they work with us when ever we have issues, was hoping for the same level of mutual respect
11:36 <&feelthepain> do you have usage figures on how many people use TD with sickbeard torrent edition?
11:37 < VeNoMouSNZ> no, we dont track our users.
11:37 <&feelthepain> well i wanted info on how many people would actually use it to warrent how useful it is for us to have better support for it
11:37 <&feelthepain> no point if its like 100 people.
11:38 < VeNoMouSNZ> i know sickrage will be in the same boat as that uses my code
11:39 <&feelthepain> i can only ask
11:39 <&feelthepain> no promises...
11:39 < VeNoMouSNZ> thank you, thats all i'm asking
11:40 <&feelthepain> :)
getting zero fucks given from them atm.
I might have another way of doing it... Will have to have a play, I might be able to iframe cookie steal, I will need to see how Google's reCAPTCHA handles iframes...
hrm that's not going to work... they have set X-Frame-Options: SAMEORIGIN
Maybe this should be done by server side code
lol @junalmeida read the IRC convo, ain't gonna get ANY help from them
The problem is, even if I hijack like I WAS with a MITM-style redirect, reCAPTCHA now, by default, does not allow localhost as an approved host in their list... so short of doing a DNS hack... that isn't going to work.
The only way I can really make this work is if I force the user to extract their cookies and have them put that into SB; this is how SickRage does it.
12:50 -!- VeNoMouSNZ was kicked from #help by feelthepain [feelthepain]
I was thinking about some server side rewriting. Something like the browser sends requests to sb (in the iframe you thought), the sb makes the requests and change the origin. Is it possible with current libs?
Then you run into the problem of the reCAPTCHA reading the host you're currently on, which is the SB address.
You cannot change the host on the server-side call? I mean to intercept the first captcha HTML response, change any JS or form to post to SB itself, and SB itself makes the HTTP POST changing host, just like a scraper.
No, as it reads the DOM window location via the JS. This is Google's reCAPTCHA, which passes a site key as well.
So I've worked out a way lol... not the most beautiful of solutions... but it works with recaptcha v2 ... and frankly.... they're being dicks by not supporting allowing 3rd party apps.
I'm just not sure how the community will 'feel' about this... so what I ended up doing was using 3rd party anti captcha - https://anti-captcha.com/ .. from my testing.. it costs 0.0022 cents per recaptcha ... but this would only need to be executed if you restarted sickbeard or you were offline long enough that your session on TD timed out... you have to throw in $10 USD in order to activate the features.. but by my math that's 4545 recaptcha attempts.. tbh, you're lucky if you use 3-5 attempts a year imho if you have SB running all the time, depending on whether their site goes offline or something..
The only other thing I can do without rewriting a de-recaptcha engine myself is allow users to extract the cookies from their browser and use those... but you will need to manually do it again if your session was to expire etc..
I personally would rather have it automated... and $10 to me isn't anything... that said, this would also come in useful if any other website was to start using recaptcha v2
That said... I could introduce both methods with a selector in the torrent menu.
thoughts?
I would just use my own anti-captcha.com account for everyone to use, but I know that it'll get abused by someone..
This has also been pointed out https://github.com/VeNoMouS/Sick-Beard/issues/17
So we currently have three points of attack:
1) Bypass reCAPTCHA altogether via 3rd party, complete automation and never worry about auth again.
2) Log in to the website, manually extract cookies from the browser and put them into the running SB session.
3) Automate an email password request, have the user manually copy the auth code from the email response back into the currently running SB session and then authenticate.
As I've pointed out tho, 2 & 3 are only valid as long as the TD session is valid for... what that period is... I don't know.
I have committed this on my repo, getting users to test, feel free to have a play.
No PR?
Need people to test and play... I can PR it if you wish, as I said I've tested it, it looks good, but I dunno
@junalmeida close, as today's PR merge fixes this.
I changed my password on my TorrentDay account so had to reauthenticate in Sickbeard, however the reCAPTCHA function is no longer working. Attached is a screen grab of the error.