>So the idea so far is to have a flask script which can act as a kinda
>proxy, but the issue is how can we secure this against abuse?
>
>Superfly's suggestion was for the FTW to contact the server and get a
>shared key. Then when the exception form wants to submit to the proxy app,
>OpenLP generates an OTP (One Time Pin) and sends that as one of the
>headers. Kind of like time-based two factor authentication.
>
>My suggestion was for a captcha, but as superfly correctly stated it's
>not very user friendly. It's also another thing to get in the way of a
>user submitting a bug report.
>
>Do you guys have any alternative suggestions, or comments on the two
>above?
The question is what kind of spam you want to defend against.
If it is against targeted, sophisticated attacks we might need something like
OTPs. I agree with superfly on not using captchas. They are annoying for real
users, which you don't want. Ideally you don't want any interaction with them.
If you want to defend against the casual spam, you don't need to put that much
effort into it. Have an additional field that has to be empty for the request
to be accepted. All robots usually fill every field they find; that way all
robots can be sorted. If you want more protection you could even require a CSRF
token.
Now that I think of it, any attack that is so targeted that the attacker looks
at the source code of OpenLP can easily generate valid OTPs themselves... So I
recommend what I wrote above.
The script could do smarter sanity checks, making sure there is a valid trace
attached or whatnot...
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
_______________________________________________
openlp-dev mailing list
[email protected]
https://lists.openlp.io/mailman/listinfo/openlp-dev
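The honeypot field and the "valid trace attached" sanity check from the reply above, as an added example that is not OpenLP or mailing-list code. It is framework-agnostic so it could be called from the Flask view that receives the form; the field names (`website`, `version`, `description`, `traceback`) and the sample submissions are assumptions constructed for the example.

```python
import re

# Constructed for this example; the field names are assumptions, not OpenLP's.
HONEYPOT_FIELD = "website"          # hidden in the form; real users leave it empty
REQUIRED_FIELDS = ("version", "description", "traceback")

# A Python traceback starts with this header and ends with an
# "ExceptionType: message" line; the proxy rejects submissions without one.
TRACEBACK_HEADER = "Traceback (most recent call last):"
EXCEPTION_LINE = re.compile(r"^[A-Za-z_][\w.]*(: .*)?$")


def looks_like_traceback(text: str) -> bool:
    """Cheap sanity check: header present, at least one 'File "..."' frame,
    and the last non-empty line names an exception class."""
    lines = [ln.rstrip() for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != TRACEBACK_HEADER:
        return False
    if not any(ln.lstrip().startswith('File "') for ln in lines[1:-1]):
        return False
    return EXCEPTION_LINE.match(lines[-1]) is not None


def validate_report(form: dict) -> tuple:
    """Return (accepted, reason) for a submitted field->value mapping."""
    # Honeypot: bots tend to fill every field they find, so any value here
    # means the submission is dropped without further processing.
    if form.get(HONEYPOT_FIELD, ""):
        return False, "honeypot field filled"
    for name in REQUIRED_FIELDS:
        if not form.get(name, "").strip():
            return False, "missing field: " + name
    if not looks_like_traceback(form["traceback"]):
        return False, "traceback field does not contain a Python traceback"
    return True, "ok"


# Constructed sample submissions (file name and version are placeholders).
GOOD_REPORT = {
    "version": "test-build",
    "description": "Crash when opening the service manager",
    "traceback": (
        "Traceback (most recent call last):\n"
        '  File "plugin.py", line 10, in on_load\n'
        "    items = self.load()\n"
        "AttributeError: 'NoneType' object has no attribute 'load'\n"
    ),
}
BOT_REPORT = dict(GOOD_REPORT, website="http://example.invalid")   # honeypot filled
JUNK_REPORT = dict(GOOD_REPORT, traceback="buy cheap stuff")        # no real trace
```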