Hi All, I'm working on $subject.
*Why reCaptcha?*

*"reCAPTCHA is a free service that protects your website from spam and abuse. reCAPTCHA uses an advanced risk analysis engine and adaptive CAPTCHAs to keep automated software from engaging in abusive activities on your site. It does this while letting your valid users pass through with ease." -Google[1]*

*How does reCaptcha work?*

First we need to register at [2] and create an API key pair for the required domain. The key pair consists of a site key and a secret. The site key is used when we display the reCaptcha widget on a page. After the user passes the widget's verification, a new parameter called 'g-recaptcha-response' will be available in the form which the user submits. On the server side we verify that reCaptcha response by calling the Google API with the secret key.

*Where are we going to use reCaptcha?*

Basically any place which can be vulnerable to bot attacks:

1. SSO login flow
2. User recovery flows
3. User registration flow

*Implementation*

The conditions for enabling reCaptcha differ from one scenario to another. As an example, user registration may enable reCaptcha by default, but the SSO login page may enable it only after n failed attempts from a single user. Also, reCaptcha requirements may differ from one tenant to another. So we have introduced a filter called "ReCaptchaFilter" to intercept requests and pass them to a reCaptcha connector which can handle a particular scenario. The connector will provide the following information to the filter:

- Whether the connector can handle the request
- Priority of the connector
- Whether reCaptcha verification is needed for the current request
- Whether that attempt was successful or not

Based on the above information the filter will select a connector which can handle the incoming request and will validate reCaptcha if needed.
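As an added illustration of the design above (this is not code from the proposal or from WSO2 IS), the following Python sketch shows the server-side check of 'g-recaptcha-response' with the secret key, written to fail closed and to also compare the hostname Google reports against our own site, plus a filter that lets the highest-priority capable connector decide, with two minimal connectors modelled on the SSO-login (n failed attempts, summed over all user agents) and path-based cases. The siteverify URL and its response fields, the hostname check, the '/login' and '/register' paths, and the method names are my assumptions.

```python
import json
import urllib.parse
import urllib.request
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"  # assumed; the mail does not name it
def _http_post(url, data):  # real transport; tests inject a fake instead
    with urllib.request.urlopen(url, data=data, timeout=5) as r:
        return r.read().decode()

def verify_recaptcha(secret, token, expected_hostname, post=_http_post):
    """Verify 'g-recaptcha-response' server side with the secret key. Fails closed
    on a missing token, a transport/parse error, or a hostname that is not ours."""
    if not token:
        return False
    data = urllib.parse.urlencode({"secret": secret, "response": token}).encode()
    try:
        body = json.loads(post(SITEVERIFY_URL, data))
    except (OSError, ValueError):
        return False
    return bool(body.get("success")) and body.get("hostname") == expected_hostname

class SSOLoginReCaptchaConnector:
    """Needs reCAPTCHA after `max_failures` failed logins per user, summed over all agents."""
    priority = 10
    def __init__(self, max_failures):
        self.max_failures, self.failures = max_failures, {}
    def can_handle(self, req):
        return req["path"] == "/login"  # constructed sample path
    def needs_verification(self, req):
        return self.failures.get(req.get("user"), 0) >= self.max_failures
    def record_attempt(self, req, succeeded):
        u = req.get("user")
        self.failures[u] = 0 if succeeded else self.failures.get(u, 0) + 1

class PathBasedReCaptchaConnector:
    """Always needs reCAPTCHA on the configured request paths."""
    priority = 5
    def __init__(self, paths):
        self.paths = set(paths)
    def can_handle(self, req):
        return req["path"] in self.paths
    def needs_verification(self, req):
        return True

def recaptcha_filter(req, connectors, verify):
    """The highest-priority connector able to handle `req` decides; True = let it through."""
    able = [c for c in connectors if c.can_handle(req)]
    if able and max(able, key=lambda c: c.priority).needs_verification(req):
        return verify(req.get("g-recaptcha-response"))
    return True
```

The `verify` argument to the filter would normally be `verify_recaptcha` bound to the tenant's secret and hostname; the connector state here is in-memory only, so a real deployment would back the failed-attempt count with the same store the other nodes see.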
Also, to keep this stateless, IS will do the following:

- Evaluate the need for reCaptcha at the server side
- Inform and provide the necessary data to the pages if the server is expecting reCaptcha validation

*OOTB Connectors*

IS will provide two reCaptcha connectors OOTB, "SSOLoginReCaptchaConnector" and "PathBasedReCaptchaConnector", which implement the "ReCaptchaConnector" interface. These connectors also implement "IdentityGovernanceConnector" to enable UI based configuration management.

SSOLoginReCaptchaConnector - Can enable reCaptcha after n failed attempts from a single user. This connector does not depend on the user agent and will take the sum of failed attempts from any agent.

PathBasedReCaptchaConnector - Can validate reCaptcha for a request path. This will always validate reCaptcha for a given request path.

Appreciate your input.

[1] - https://developers.google.com/recaptcha/intro
[2] - https://www.google.com/recaptcha/admin

Thanks,
Thanuja

--
*Thanuja Lakmal*
Senior Software Engineer
WSO2 Inc. http://wso2.com/
*lean.enterprise.middleware*
Mobile: +94715979891 +94758009992
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
