Add a local endpoint

Created on 14 October 2022, about 2 years ago
Updated 18 April 2024, 8 months ago

Problem/Motivation

This is more of a feature suggestion rather than a request. I'd be willing to contribute this new feature myself, if maintainers liked the idea.

As per https://github.com/FriendlyCaptcha/friendly-challenge/issues/153 we've had the idea to use the https://github.com/FriendlyCaptcha/friendly-lite-server as a local endpoint so that customers who never want to send data to third party servers, not even within the EU, could just use their existing Drupal site as the FriendlyCaptcha endpoint.

What we learned from the linked issue is that this is possible, but then limited to captcha challenges. But that's good enough for a lot of use cases. I've just experimented with that and adding that option to this module would be really simple.

Proposed resolution

Adding a "Local endpoint" as a fourth option to the settings form and then producing random values for the site key and api key, because no account with friendlycaptcha.com would be required any longer.

Then we would implement the routes for /api/v1/siteverify and /api/v1/puzzle, which would be served by controllers that use the PHP files from the lite server repository above. Of course, those PHP files will have to be adjusted to be working nicely inside Drupal and Symfony context, but that's not a big deal.

With such an extra feature, this module would serve as a stand-alone and privacy respecting spam protection inside Drupal. What do you think?

Feature request
Status: Fixed
Version: 1.0
Component: Code
Created by: 🇩🇪Germany jurgenhaas Gottmadingen


Merge Requests

Comments & Activities


  • Merge request !16Issue #3315413: Add a local endpoint → (Merged) created by jurgenhaas
  • 🇩🇪Germany Anybody Porta Westfalica

    @granik and @sachbearbeiter would you like to review the MR once again? LGTM so far, thank you @jurgenhaas! :)

  • Core: 10.2.1 + Environment: PHP 8.1 & MySQL 5.7
    last update 11 months ago
    4 pass
  • 🇩🇪Germany jurgenhaas Gottmadingen

    I have just rebased the MR. Hope we can still move this forward, since it is such an important feature in my view.

  • 🇩🇪Germany Anybody Porta Westfalica

    Thanks @jurgenhaas! Really great! Didn't have the time to review it yet, but if the community gives it an RTBC, I'd be absolutely willing to merge it and have a deeper look asap.

    Could someone please also add some information about this feature to the README.md and provide a snippet for the module page?

    I think one of the key questions is: "How secure is this?" Is it only good enough for dev / testing or might it be good enough for smaller production sites?

    Thanks a lot, really really nice feature!

  • Core: 10.2.1 + Environment: PHP 8.1 & MySQL 5.7
    last update 11 months ago
    4 pass
  • 🇩🇪Germany jurgenhaas Gottmadingen

    Thanks @Anybody for your support on this. I've just updated the readme file, which should be sufficient to address the installation and configuration requirements there.

    As for the project page I suggest the following changes/additions:

    • In dependencies: the second item (Friendly Captcha Account) is optional, which should be mentioned.
    • In Installation: maybe adding a third sub-chapter "Configuration" may be useful here as well, with the content from the readme. I guess, most people rather find the information on the project page, not in the readme.
    • New chapter "How it works": this should briefly explain how this works and that the process requires a backend (a.k.a. endpoint) which does the verification/validation.
    • Sub chapter in "How it works" with the title "Supported endpoints": a short description for each of them and a note, that the local endpoint only supports captchas.

    Now, to whether the local endpoint is even secure. From my POV I'd say yes, I even consider that more private than any of the remote endpoints. The validation is using the exact same code, but all meta data remains under your own domain, nothing gets shared with third parties.

  • First commit to issue fork.
  • Status changed to RTBC 9 months ago
  • 🇦🇹Austria jovan1348

    Hi guys,
    We actually tested and implemented this patch on a couple of our sites, and it works perfectly.
    Really good idea, and on our side it is functioning as imagined, also on prod sites.

    TNX :)

  • 🇩🇪Germany Anybody Porta Westfalica

    Thank you very much for the feedback and RTBC @jovan1348!

    @jurgenhaas I was just thinking if it would make sense to put this into a submodule instead to encapsulate it? What do you think?

  • 🇩🇪Germany jurgenhaas Gottmadingen

    @Anybody don't think that's necessary. The new feature is lightweight and doesn't bring any overhead for installations that don't select the new option.

    I'd address the comments from @Grevil in the MR later today, so that it could be ready to go from my POV.

  • 🇩🇪Germany Anybody Porta Westfalica

    Cool :)
    I'm fine with your decision!

  • Status changed to Needs review 9 months ago
  • 🇩🇪Germany jurgenhaas Gottmadingen

    All comments from @Grevil have been fixed and the threads in the MR closed.

  • Pipeline finished with Success
    9 months ago
    Total: 147s
    #122655
  • 🇩🇪Germany Grevil

    I made some minor adjustments, otherwise, this LGTM!

    Instead of using random strings as dummy values for the "friendlycaptcha_site_key" and "friendlycaptcha_api_key", we are now using the string "ENTER VALID XXX KEY HERE". Both form elements are invisible, once the local endpoint is activated. So the "ENTER VALID XXX KEY HERE" strings are only being displayed, once the user switches to a global endpoint again, making sure he doesn't forget to change these.

    Another approach would be to have further endpoint checks in the backend, so we could leave these fields empty entirely, but that would take a bit more time.

    Final go from @Anybody concerning the final adjustments.

    BTW, I didn't finish my original review, that's why I didn't change the status of this issue, it was still on my radar, but I didn't find the time for a proper review.

  • 🇩🇪Germany Anybody Porta Westfalica

    Let's wait for @jurgenhaas's feedback on the changes to be discussed finally.

    Once everyone is happy, we can set this RTBC.

  • 🇩🇪Germany jurgenhaas Gottmadingen

    I'm totally fine with the commits from @Grevil, let me do a final field test, if it still works as expected.

  • Status changed to RTBC 9 months ago
  • 🇩🇪Germany jurgenhaas Gottmadingen

    All is working as expected, thanks everyone for your help on this.

  • 🇩🇪Germany Anybody Porta Westfalica

    Thank you all! 🎉
    Let's merge this :) 🚀

  • Pipeline finished with Skipped
    9 months ago
    #123401
  • Status changed to Fixed 9 months ago
  • 🇩🇪Germany Anybody Porta Westfalica

    Great great great work @jurgenhaas!

    @Grevil will you tag a new release?

  • 🇩🇪Germany Grevil

    Great stuff!
    Yes, I'd say, this calls for a new minor release!

  • 🇩🇪Germany sachbearbeiter

    THANKS A LOT!

  • Automatically closed - issue fixed for 2 weeks with no activity.

  • 🇩🇪Germany Anybody Porta Westfalica