Google reCAPTCHA V1 has been shut down since March 2018.
We should remove the option to allow v1 integration from the next version of Joomla.
Labels |
Added:
?
|
Title |
|
Labels |
Added:
?
|
Status | New | ⇒ | Discussion |
Category | ⇒ | Authentication com_login |
oh well I see J4 has already removed it, and J3 has some warnings - so lets just drag dead code up to the cliff edge that is the jump to J4
Status | Discussion | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2018-07-03 14:45:09 |
Closed_By | ⇒ | PhilETaylor |
If you've got ideas on hiding the v1 options without messing up the code so sites configured to use it don't arbitrarily get changed to trying to use the v2 API then those are welcome. It's just one of those cases of being a bit over cautious with flat out removing it (basically the changes in the plugin from #18506 minus the "move to other library" part of that PR).
People don't read post install messages, or check that their 3rd party services API is still valid.
People do respond to when their sites break on an update... with gusto. ;-)
There's a pesky little thing called B/C that we have to deal with in distributed software
However, its not Joomla's fault that an API is discontinued. We cannot be expected to provide B/c for an API that no longer exists.
We can handle things in a way where sites don't fatal over because we removed the code for the discontinued API. That's the important part here. If someone comes up with something that can sanely remove the v1 support without fatally breaking a site by forcing it to try to use the v2 API in a misconfigured state we can roll with it. Without that proposal though, the safest thing to do is to leave the existing (dead) code in place.
And also - Joomla 3.8.10 allows the selection of v1, then displays no captcha on the form, and then makes it impossible to submit the form - and therefore has broken b/c anyway :) because the API simply doesnt exist at google anymore
We can handle things in a way where sites don't fatal over because we removed the code for the discontinued API.
If a site has v1 enabled - then the contact form cannot be submitted. I just checked in 3.8.10.
Yes it allows you to select it bu it also displays a big warning. YCFS
The plugin's onDisplay
method should be updated to address that then in a user friendly way (show an alert div saying "this site's captcha is misconfigured/unavailable, cannot submit form" or something, UX people can find a friendly way to communicate that on the frontend).
My main point is there are things we can do to gracefully handle this. I don't think flat out removing all the v1 code and forcing everything onto the v2 code as I did in my J4 PR is the right way of doing it for J3. So I'm not advocating for "do nothing", just "do whatever it is you're going to do smartly".
Status | Closed | ⇒ | New |
Closed_Date | 2018-07-03 14:45:09 | ⇒ | |
Closed_By | PhilETaylor | ⇒ |
Re-opening. At a minimum we can do something about the frontend issue. What, I don't know, but either way this isn't a 100% dead topic.
Also when https://www.google.com/recaptcha/api/js/recaptcha_ajax.js
loads it attempts to load https://www.google.com/recaptcha/api/challenge?k=66Ldyn-YSAAAAAGs3Br16Q87JRDg9cu05rpmbKn0j&ajax=1&cachestop=0.1370436095683205&lang=en which in turn attempts to write the warning to the page - but fails in google chrome due to security
Seems fair to me honestly.
or maybe something more generic in libraries/src/Captcha/Captcha.php that just flat out refuses to load the captcha if the params version is v1.0?
At the moment #20965 leaves a form with a form field for captcha (optional) which is silly:
Im out of time - need to do the school run
or maybe something more generic in libraries/src/Captcha/Captcha.php that just flat out refuses to load the captcha if the params version is v1.0?
The plugin's the right place to deal with it. Because the Captcha
class is supposed to be an abstraction layer of sorts to allow any captcha system to be plugged in, you start putting logic in there and it gets murky as all hell (how does the class know it's dealing with a Google captcha system, implementing version 1 of the API, etc. etc.).
I honestly could not recall the name of any other captcha system that I would ever use ;-) ;-) haha
Sent from my iPhone
Status | New | ⇒ | Discussion |
Closed_Date | 2018-12-15 21:58:51 | ⇒ | 2018-12-15 21:58:52 |
Closed_By | Quy | ⇒ | joomla-cms-bot |
Status | Discussion | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2018-12-15 21:58:51 |
Closed_By | ⇒ | Quy |
Set to "closed" on behalf of @Quy by The JTracker Application at issues.joomla.org/joomla-cms/20960
Closing per PR #20965
#19648 (comment) still stands.