? ?
avatar PhilETaylor
PhilETaylor
3 Jul 2018

Google reCAPTCHA V1 has been shut down since March 2018.

We should remove the option to allow v1 integration from the next version of Joomla.

avatar PhilETaylor PhilETaylor - open - 3 Jul 2018
avatar joomla-cms-bot joomla-cms-bot - change - 3 Jul 2018
Labels Added: ?
avatar joomla-cms-bot joomla-cms-bot - labeled - 3 Jul 2018
avatar PhilETaylor PhilETaylor - change - 3 Jul 2018
Title
Remove Google reCaptcha v1
[RFC] Remove Google reCaptcha v1
avatar PhilETaylor PhilETaylor - edited - 3 Jul 2018
avatar joomla-cms-bot joomla-cms-bot - change - 3 Jul 2018
Labels Added: ?
avatar joomla-cms-bot joomla-cms-bot - labeled - 3 Jul 2018
avatar franz-wohlkoenig franz-wohlkoenig - change - 3 Jul 2018
Status New Discussion
avatar franz-wohlkoenig franz-wohlkoenig - change - 3 Jul 2018
Category Authentication com_login
avatar mbabker
mbabker - comment - 3 Jul 2018

#19648 (comment) still stands.

avatar PhilETaylor
PhilETaylor - comment - 3 Jul 2018

oh well I see J4 has already removed it, and J3 has some warnings - so lets just drag dead code up to the cliff edge that is the jump to J4

avatar PhilETaylor PhilETaylor - close - 3 Jul 2018
avatar PhilETaylor PhilETaylor - change - 3 Jul 2018
Status Discussion Closed
Closed_Date 0000-00-00 00:00:00 2018-07-03 14:45:09
Closed_By PhilETaylor
avatar mbabker
mbabker - comment - 3 Jul 2018

If you've got ideas on hiding the v1 options without messing up the code so sites configured to use it don't arbitrarily get changed to trying to use the v2 API then those are welcome. It's just one of those cases of being a bit over cautious with flat out removing it (basically the changes in the plugin from #18506 minus the "move to other library" part of that PR).

avatar PhilETaylor
PhilETaylor - comment - 3 Jul 2018

People don't read post install messages, or check that their 3rd party services API is still valid.

People do respond to when their sites break on an update... with gusto. ;-)

avatar mbabker
mbabker - comment - 3 Jul 2018

There's a pesky little thing called B/C that we have to deal with in distributed software ?

avatar PhilETaylor
PhilETaylor - comment - 3 Jul 2018

However, its not Joomla's fault that an API is discontinued. We cannot be expected to provide B/c for an API that no longer exists.

avatar mbabker
mbabker - comment - 3 Jul 2018

We can handle things in a way where sites don't fatal over because we removed the code for the discontinued API. That's the important part here. If someone comes up with something that can sanely remove the v1 support without fatally breaking a site by forcing it to try to use the v2 API in a misconfigured state we can roll with it. Without that proposal though, the safest thing to do is to leave the existing (dead) code in place.

avatar PhilETaylor
PhilETaylor - comment - 3 Jul 2018

And also - Joomla 3.8.10 allows the selection of v1, then displays no captcha on the form, and then makes it impossible to submit the form - and therefore has broken b/c anyway :) because the API simply doesnt exist at google anymore

avatar PhilETaylor
PhilETaylor - comment - 3 Jul 2018

We can handle things in a way where sites don't fatal over because we removed the code for the discontinued API.

If a site has v1 enabled - then the contact form cannot be submitted. I just checked in 3.8.10.

avatar brianteeman
brianteeman - comment - 3 Jul 2018

Yes it allows you to select it bu it also displays a big warning. YCFS

avatar mbabker
mbabker - comment - 3 Jul 2018

The plugin's onDisplay method should be updated to address that then in a user friendly way (show an alert div saying "this site's captcha is misconfigured/unavailable, cannot submit form" or something, UX people can find a friendly way to communicate that on the frontend).

My main point is there are things we can do to gracefully handle this. I don't think flat out removing all the v1 code and forcing everything onto the v2 code as I did in my J4 PR is the right way of doing it for J3. So I'm not advocating for "do nothing", just "do whatever it is you're going to do smartly".

avatar mbabker mbabker - change - 3 Jul 2018
Status Closed New
Closed_Date 2018-07-03 14:45:09
Closed_By PhilETaylor
avatar mbabker mbabker - reopen - 3 Jul 2018
avatar mbabker
mbabker - comment - 3 Jul 2018

Re-opening. At a minimum we can do something about the frontend issue. What, I don't know, but either way this isn't a 100% dead topic.

avatar PhilETaylor
PhilETaylor - comment - 3 Jul 2018

Also when https://www.google.com/recaptcha/api/js/recaptcha_ajax.js loads it attempts to load https://www.google.com/recaptcha/api/challenge?k=66Ldyn-YSAAAAAGs3Br16Q87JRDg9cu05rpmbKn0j&ajax=1&cachestop=0.1370436095683205&lang=en which in turn attempts to write the warning to the page - but fails in google chrome due to security

screen shot 2018-07-03 at 16 11 06

avatar PhilETaylor
PhilETaylor - comment - 3 Jul 2018

@mbabker something like #20965 ? the light touch approach.

avatar mbabker
mbabker - comment - 3 Jul 2018

Seems fair to me honestly.

avatar PhilETaylor
PhilETaylor - comment - 3 Jul 2018

or maybe something more generic in libraries/src/Captcha/Captcha.php that just flat out refuses to load the captcha if the params version is v1.0?

At the moment #20965 leaves a form with a form field for captcha (optional) which is silly:

screen shot 2018-07-03 at 16 35 27

Im out of time - need to do the school run

avatar mbabker
mbabker - comment - 3 Jul 2018

or maybe something more generic in libraries/src/Captcha/Captcha.php that just flat out refuses to load the captcha if the params version is v1.0?

The plugin's the right place to deal with it. Because the Captcha class is supposed to be an abstraction layer of sorts to allow any captcha system to be plugged in, you start putting logic in there and it gets murky as all hell (how does the class know it's dealing with a Google captcha system, implementing version 1 of the API, etc. etc.).

avatar PhilETaylor
PhilETaylor - comment - 3 Jul 2018

I honestly could not recall the name of any other captcha system that I would ever use ;-) ;-) haha


Sent from my iPhone

avatar franz-wohlkoenig franz-wohlkoenig - change - 4 Jul 2018
Status New Discussion
avatar joomla-cms-bot joomla-cms-bot - change - 15 Dec 2018
Closed_Date 2018-12-15 21:58:51 2018-12-15 21:58:52
Closed_By Quy joomla-cms-bot
avatar joomla-cms-bot joomla-cms-bot - close - 15 Dec 2018
avatar Quy Quy - change - 15 Dec 2018
Status Discussion Closed
Closed_Date 0000-00-00 00:00:00 2018-12-15 21:58:51
Closed_By Quy
avatar joomla-cms-bot
joomla-cms-bot - comment - 15 Dec 2018

Set to "closed" on behalf of @Quy by The JTracker Application at issues.joomla.org/joomla-cms/20960

avatar Quy
Quy - comment - 15 Dec 2018

Closing per PR #20965


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/20960.

Add a Comment

Login with GitHub to post a comment