How easy would it be to implement Cloudflare Turnstile free Captcha?

[ukclearance]

Cloudflare have released a free to implement Captcha alternative called Turnstile, which according to their blog can be implement in minutes with a just few changes of code can replace Google Captcha.

https://blog.cloudflare.com/turnstile-private-captcha-alternative/

I currently use the No Captcha reCAPTCHA Module to stop contact form spam but would much prefer a none Google alternative such as the Cloudflare one.

There is already a Prestashop module for Cloudflare Turnstile here https://github.com/Pixel-Open/prestashop-cloudflare-turnstile but it requires PS 1.7.6 or greater

If someone with more knowledge that I could look at what is involved to adapt that current module to use on 30bees or how much work would be involved to implement it with the current No captch recaptch module id be very grateful.

[wakabayashi]

Interesting! I will look into it, cause I also don't like google too much anymore. I will try to get rid off all their tools (which have direct access on my site)...

[wakabayashi]

I coded in the night and it looks promising. I believe, that I found a solution for contact form, that needs no override and no file changes at all. 

Is there any need for something else than contact form?

But I am little confused, how complex the ps-module and the nocaptcharecaptcha are working. @datakick My approach is like this:

1. Register hookActionFrontControllerSetMedia (Hint: I am missing a hook like actionFrontControllerInit)
2. Check if controller is instanceOf ContactController
3. If yes, check if Tools::isSubmit('submitMessage') is true
4. If yes, validate captcha
5. If NOT valide I just unset($_POST[$submitToCheck]);

Looks quite simple to me. Do you see any problem with it?

 

 

Edited January 14, 2023 by wakabayashi

[datakick]

That sounds like a good approach. Of course, it is tied very closely to contact controller, but that's probably ok.

I think that we could implement some new hook in core to hide this dependency a bit. Contact controller could call hook 'actionValidateContactMessage($message, $email, ...)'. Your module would only have to implement this hook, and return true on success, or array of error strings on validation error.

[wakabayashi]

On 1/15/2023 at 8:39 AM, datakick said:

That sounds like a good approach.

Great 😎

On 1/15/2023 at 8:39 AM, datakick said:

Of course, it is tied very closely to contact controller, but that's probably ok.

While it sounds like it, IMO that's not really true. I have added to the AuthController now, which took me 30 seconds and it seems to work: https://github.com/eschiendorfer/genzo_turnstile/blob/master/genzo_turnstile.php#L167-L173

In general this approach is so simple, that I am not sure, if we really need a new sepecific hook. Actually that hook would be tied very closely ☺️ 

If you have a few free minutes, maybe you can evaluate, if nocaptcharecaptcha module would work with my approach to. I personally will switch to cloudflare...

 

@ukclearance My module is open source: https://github.com/eschiendorfer/genzo_turnstile/. Only thing missing is actually the settings on which controller you want to use the captcha. The rest is working for me. Maybe you can check it out!?

 

 

[datakick]

3 hours ago, wakabayashi said:

Great 😎

While it sounds like it, IMO that's not really true. I have added to the AuthController now, which took me 30 seconds and it seems to work: https://github.com/eschiendorfer/genzo_turnstile/blob/master/genzo_turnstile.php#L167-L173

In general this approach is so simple, that I am not sure, if we really need a new sepecific hook. Actually that hook would be tied very closely ☺️ 

There is still explicit dependency. This captcha would not work unless your module knows about the front office page.

For example, imagine that somebody uses third party OPC module. This module calls all the hooks, so the captcha would be displayed correctly. However, your module will not be able to validate it, because the front controller is not the standard one. 

[wakabayashi]

Yeah, I know that. But that is with all current modules the same, isnt it?

I mean I could implement customController rules. Like https://github.com/Pixel-Open/prestashop-cloudflare-turnstile does.

I have thought now a bit about it. IMO a perfect solution would be like this:

1. We implement a new Subclass CaptchaModule (similar to PaymentModule or so).
2. The core and any third party module call a hookRegisterFormCaptcha($controllerName, $submitName). 
3. The merchants goes to AdminMetaController and selects all wished forms, that that have been registered in step 2.
4. All active forms (selected in step 3) are handled by the Captcha Module (like my module does it).

Do you like this idea? Or is it overcomplicate? IMO this would allow a merchant to install ONE captcha module and he can handle all his forms. If all captcha can work like mine, no override is involved. I see only advantages, but I might be wrong 😅

Edited January 16, 2023 by wakabayashi

[ukclearance]

On 1/16/2023 at 3:55 PM, wakabayashi said:

@ukclearance My module is open source: https://github.com/eschiendorfer/genzo_turnstile/. Only thing missing is actually the settings on which controller you want to use the captcha. The rest is working for me. Maybe you can check it out!?

Thanks for creating something so fast, I was not expecting something so quickly.
How do i install your module on my store to test it? I downloaded the files from Github and tried to upload it as a zip through the add new modules from the admin interface and also manually copied the folder to the modules directory of my 30bees install but it nothings show up in the modules list in the admin area either way. What am i doing wrong

[datakick]

7 hours ago, ukclearance said:

Thanks for creating something so fast, I was not expecting something so quickly.
How do i install your module on my store to test it? I downloaded the files from Github and tried to upload it as a zip through the add new modules from the admin interface and also manually copied the folder to the modules directory of my 30bees install but it nothings show up in the modules list in the admin area either way. What am i doing wrong

When you download 'code' from gihub as zip file, and then extract it, it creates directory named after branch. In this case, the directory is 'genzo_turnstile-master'. You need to rename this directory to 'genzo_turnstile'. Then you can either zip this directory and upload it via back office, or you can upload this directly into /modules/ using ftp.

[ukclearance]

I have installed the Turnstile module correctly now thanks to the advise of datakick , had to do a bit of troubleshooting as it was giving me a 500 error at first. But once i enabled debugging I could see i needed to install the php-curl module - which was missing from my server - after doing that i could send myself a test messages via the contact form with Turnstile enabled and the verification completed and it would refuse to send if Turnstile verification was not done.

For info I am running it on on TB 1.4.0, PHP 7.2 and Ubuntu 18.04 using the community theme.

The next step is to see how effective the Cloudflare Turnstile service is at keeping the spammers out. As at the moment after ive verified i am human even if i open my stores contact form in a incognito browser window, Turnstile doesn't challenge to prove i am human again so not sure how well it will work against keeping the spammers out compared to Googles Re-captcha  🤞

Thank you wakabayashi for your work in getting this module working so quickly 👍

[wakabayashi]

@ukclearance what is your expierence? I have now updated the module. I recommend you to use the new version. It allows a bit more settings:

Note: custom submits is a VERY basic implementation. If turnstile turns out to be effective. I can improve this module in the future.

From today I use it on my live shop too... I am bored of this shitty spam emails (even with google captcha) 🥵

[wakabayashi]

It has been a week now. No stupid spam emails since then. Will keep you updated 😏

[ukclearance]

@wakabayashi

Since implementing your module about 5 weeks ago i haven't had any spam emails via the contact form. But have had genuine customer messages come through OK. So it appears to be working well.

I will update the module to your newer version and feedback to you on it shortly

[wakabayashi]

Same here. No Spam since using this module 😎

[Rhapsody]

@wakabayashi - I just discovered this post as I recently replaced CAPTCH on my WordPress sites with Turnstile and was going to post here suggesting a module.  This is perfect!  Thanks very much for creating it. 

What is needed to make this available as a supported module with the other Thirty Bees modules? I believe this is a real benefit for the Thirty Bees community.

[wakabayashi]

8 hours ago, Rhapsody said:

What is needed to make this available as a supported module with the other Thirty Bees modules?

I don't know. I am also not sure, what this would help 🙈 As long as I am happy with turnstile/cloudflare I will support this module. 

[30knees]

I am giving the module a spin, too! Thank you, @wakabayashi. I'd like to use it in particular for "forgot password" attempts. We're getting loads.

For the custom forms you write:

Quote

Add custom forms (for example from modules), that you want to be checked before submission. For that you need to add the "submit name" of a form. Use Browser Inspection, select the submit button and search for the "name" value. (Example: submitGenzoQuestion,postReview)

I didn't find a "name" value, just an "id" value (form_forgotpassword). Are "name" and "id" interchangeable?

EDIT: I found a name value "email" now. That works. 🙂 

EDIT2: Using the value "email" seems to block Chex. When customers enter the email they get a "verifying email" message that doesn't get resolved.

Edited June 3, 2023 by 30knees

[wakabayashi]

I will be 10 days on vacation from tomorrow on. That's why I don't look deep into this now.

I am a bit surprised, how this controller is handling form submissions, but ok it really does it with the email input field. So your way of doing it, is the only possible solution right now.

I don't know what chex module (or your setup of it) is doing here, as there is already an email sending functionality in the core!?

Edited June 3, 2023 by wakabayashi

[datakick]

7 hours ago, 30knees said:

EDIT2: Using the value "email" seems to block Chex. When customers enter the email they get a "verifying email" message that doesn't get resolved.

Because you used 'email' as a custom submit, every time any form that contains 'email' field is submitted the captcha validation is performed.

Chex sends request with 'email' field during checkout. And there will be many other forms that will do the same. This is definitely not the right submit name to use.

Unfortunately there is no other field send when submitting 'forgot your password' form:

You can modify your theme password.tpl template and add 'name' attribute to button, for example name="submit_recover_password"

That way, this submit will be send to server:

and you can use it to attach your captcha validation

[30knees]

Confirming it works now. Thank you very much!

[30knees]

For when you're back from holidays, @wakabayashi. It looks like there is some deprecated code that would eventually want to be updated. I am getting these warnings:

• explode(): Passing null to parameter #2 ($string) of type string is deprecated    modules/genzo_turnstile/genzo_turnstile.php:227 
• explode(): Passing null to parameter #2 ($string) of type string is deprecated    modules/genzo_turnstile/genzo_turnstile.php:224
• explode(): Passing null to parameter #2 ($string) of type string is deprecated    modules/genzo_turnstile/genzo_turnstile.php:161

[wakabayashi]

Ok, I came back today. When do you get this warnings? Are they still showing up? I believe, they only happen, when the configuration setting was never set.

[30knees]

Hope your holidays were nice!

Those errors haven't occured again, they were just when I first installed the module so you're probably right with the configuration setting. But in the logs I see there's a new warning today. 

DEPRECATION

 

Message:

explode(): Passing null to parameter #2 ($string) of type string is deprecated

 

 

 

Location:

modules/genzo_turnstile/genzo_turnstile.php line 224

 

STACKTRACE

#0  modules/mollie/vendor/sentry/sentry/lib/Raven/Breadcrumbs/ErrorHandler.php(34)
#1  modules/mollie/vendor/sentry/sentry/lib/Raven/ErrorHandler.php(127): Raven_Breadcrumbs_ErrorHandler->handleError(8192, "explode(): Passing null to parameter #2 ($string) of type string is deprecated", string(102): "/modules/genzo_turnsti"..., 224, array(0) [])
#2  builtin: Raven_ErrorHandler->handleError(8192, "explode(): Passing null to parameter #2 ($string) of type string is deprecated", string(102): "/modules/genzo_turnsti"..., 224)
#3  modules/genzo_turnstile/genzo_turnstile.php(224): explode(",", null)
#4  modules/genzo_turnstile/genzo_turnstile.php(193): Genzo_Turnstile->checkIfControllerNeedsValidation()
#5  classes/Hook.php(769): Genzo_Turnstile->hookActionFrontControllerSetMedia(array(3))
#6  classes/Hook.php(471): HookCore::coreCallHook(Genzo_Turnstile#1, "hookactionFrontControllerSetMedia", array(3))
#7  classes/Hook.php(288): HookCore::execWithoutCache("actionFrontControllerSetMedia", array(3), null, false, true, false, null)
#8  classes/controller/FrontController.php(1104): HookCore::exec("actionFrontControllerSetMedia", array(0) [])
#9  classes/controller/Controller.php(201): FrontControllerCore->setMedia()
#10 classes/controller/FrontController.php(255): ControllerCore->run()
#11 classes/Dispatcher.php(861): FrontControllerCore->run()
#12 index.php(33): DispatcherCore->dispatch()

HTTP REQUEST

GET /45-Ecom_home_smallest/spageti.webp211w,https:/domain.com/45-Ecom_home_smaller/spageti.webp218w,https:/domain.com/45-Ecom_home/spageti.webp250w

REFERRER

https://www.domain.com/hr/?MODsid=93b3eb0bc990aaf46ba6cc5dc983876e&cPath=32

GET PARAMETERS

  [controller]: "pagenotfound"

COOKIE

  [date_add]: "2023-06-03 09:35:59"
  [id_lang]: "2"
  [id_currency]: 2

[the.rampage.rado]

Is this available for BO login aswell?

EDIT: it does not. @wakabayashi could we have this active in BO login aswell?

EDIT2: if we choose invisible and there's an issue with the validation does Cloudflare display the challenge or it simply errors out on login?

[wakabayashi]

Why would this be helpful in the backoffice? Do you have attacks there? I never had... Your url shouldn't be public anywhere, so this sounds a bit unlikely to me. 

No idea, about the second one. Tbh I coded this module in a few hours/days. It was very basic but flexible. It solved all my problems with spammers up to now. But if there is really more interest here, I can improve it ofc.