walmat / nebula-old

Deployment download link will be hosted here:
http://nebula-deployment.herokuapp.com

Bot Protection Updates [2019] #452

Closed walmat closed 5 years ago

walmat commented 5 years ago

Is your feature request related to a problem? Please describe.

During high-population releases, Shopify Engineering activates certain bot protection measures to counteract any bot's ability to automatically check out via their API. This proves hard for most bots, and due to this, none have successfully been able to check out in a few months.

Describe the solution you'd like

I've been digging and collecting network request logs for a while now and finally found the missing piece of the puzzle. During the 3 checkout steps, a random number of hashes get generated and stuck in the body of the request. Here's an example found in the body of the contact_information step:

<div class="visually-hidden" id="fs_132ad5af79e81200d230bc12c275c704" >
  <input type="hidden" name="field_start" id="field_start" value="hidden" />
    <textarea name="b380e1f8fcde44455df829c2e6ee7eef" id="b380e1f8fcde44455df829c2e6ee7eef">
</textarea>
    <textarea name="8b88c0d75b8a903f07f6cefe627cae6c" id="8b88c0d75b8a903f07f6cefe627cae6c">
</textarea>
  <input type="hidden" name="field_end" id="field_end" value="hidden" />
</div>

For this example: it would be whatever the body is and

5a12df4edfc1094d5deb8fdc0844102c: 
796e598400ee7a54b49dabd0234e44d4-count:2

Like I said, these are unique to the checkout session and unique to the step they are found on. These will need to be parsed and included in the request body fields in order to not receive a 429 error on payment.

Describe alternatives you've considered

Zero alternatives in this situation. API endpoints are pretty much impossible while bot protection is up and active.

Additional context

None right now. But I will add any as I stumble on it.