kevinfaveri / solana-candy-factory

Solana blockchain candy machine app boilerplate on top of Metaplex Candy Machine. NextJS, Tailwind, Anchor, SolanaLabs.React, dev/mainnet automation scripts.
MIT License
286 stars 934 forks

ReCaptcha is useless #54

Closed JakeRobinson456 closed 3 years ago

JakeRobinson456 commented 3 years ago

That ReCaptcha is useless because it is only being checked on the client side.

Anybody can bypass the captcha with just a little skill in programming.

Or am I missing something?

kevinfaveri commented 3 years ago

It is not. Please read the README.md instructions, but TLDR is https://github.com/kevinfaveri/solana-candy-factory/blob/main/src/pages/api/validate-captcha.ts validates the captcha server side. This is a partial anti-bot solution, because the best thing would be to have something on chain for this purpose.

JakeRobinson456 commented 3 years ago

I think you misunderstood me. You call the ReCaptcha api to verify the captcha on the client side. It is useless this way.

If you don't check the captcha on chain then it is literally useless. An attacker could just call the candy machine program without solving a captcha.

kevinfaveri commented 3 years ago

No, I think you misunderstood me. ReCaptcha here is to prevent crawler bots, not on-chain bots. The ReCaptcha IS working as it should. What you propose is another feature. As I said, an on-chain solution. This might be one https://github.com/kevinfaveri/solana-candy-factory/pull/47 but still too early