My current task: restrict bot activity on a website.
Solution: integrate invisible reCAPTCHA and fire it on page load. If a user passes the humanity test, the website continues loading; if not, the user will be challenged.
Can someone help me with advice on how to integrate it that way?
I recently posted an answer detailing how to programmatically render and trigger invisible reCAPTCHA for AJAX forms. You can read the full answer here. But in short, use the API methods:
grecaptcha.render() to render the invisible reCAPTCHA by passing size="invisible"
grecaptcha.getResponse() to check whether the user has passed the test. It returns a token. If the token is an empty string, the user has not been verified as human yet.
grecaptcha.execute() to programmatically show a challenge to the user. You can pass a callback function in the options to the render() method, which gets called when the user has passed the test.
We are using BotFramework Composer to create bots. These bots are supposed to get information from a backend REST service, where we need to know which user is submitting the request for data. We are currently using {turn.activity.from.id} to get the Teams user's id and sending it in a special HTTP header in the "Send an HTTP request" action. We then perform a mapping of this id to our internal users.
We are, of course, aware that this is not secure at all, since anyone who knows this could get the user's id and send it to our service. We are currently thinking along the lines of generating a short-lived JWT token in the bot to send to our application. However, we see no direct way of implementing this token generation in the Bot Framework Composer itself.
Also, we don't want to use OAuth, because we don't want the user to have to log in via the bot.
Is there a way to implement custom token generation using C# or js and assigning it to a dialog variable to be used in a "Send an HTTP request" action?
This document discusses how to implement an HTTP request in Composer. The first half is focused on creating a login for OAuth, which I know is not your focus, so look at the second half. If you set up a simple server that can generate a token for you, then you can make a request to it from Composer using the method described.
As links can break and docs can change (and Composer is still in Preview), I would recommend saving the doc somewhere and checking back every so often for any updates.
I've used HTTP requests from within Composer, myself, so I know this will work for you.
Hope this helps!
You can create a custom Action or a package component and create any C# methods there for JWT generation. This will keep it all local to the bot.
https://learn.microsoft.com/en-us/composer/how-to-create-custom-actions
I'm migrating from Google reCAPTCHA v2 to v3. As they are quite different, I have a question.
I used to place my reCAPTCHA v2 only on web pages where a form exists, to make users click and keep bots out. That's understood, but with reCAPTCHA v3 there is NOT a checkbox to click on (reCAPTCHA v3 analyzes the user's behaviour and clicks).
So... should I place reCAPTCHA v3 just on form pages, or on each and every page I have (so that reCAPTCHA can observe how the user interacts with the site)?
I would disagree with Galzor’s answer. The documentation says that
The score is based on interactions with your site and enables you to take an appropriate action for your site.
It’s “site” and not page. It goes on to say
reCAPTCHA works best when it has the most context about interactions with your site, which comes from seeing both legitimate and abusive behavior. For this reason, we recommend including reCAPTCHA verification on forms or actions as well as in the background of pages for analytics.
To me that last sentence means “every page with analytics on my site” — i.e. every page, whether it has a form on it or not. Which then gives rise to all sorts of privacy concerns, see also here.
Now my question is: what does the “reCAPTCHA verification” refer to? Including the api.js script or executing something or… 🤔
Unfortunately, the docs don’t spell this out clearly.
Addendum
(Feb 2023)
I switched to hCaptcha and their docs are also somewhat unclear. However, their customer service responded with
You should add the script and the DOM container with hCaptcha widget only on the contact form page and then call our /siteverify endpoint to validate the user.
and
Same scenario for second case, add it only on the sign up page and if validated within our side the user should be able to log in.
Based on that response I added the CAPTCHA only to the Contact page of my website and to the Sign Up page of the webapp.
Not sure this would also apply to Google’s CAPTCHA, though.
I don't think it should go on every page. Most users will find it too intrusive on all pages. In my opinion, use it only on pages with a form.
Placement on your website
reCAPTCHA v3 will never interrupt your users, so you can run it whenever you like without affecting conversion. reCAPTCHA works best when it has the most context about interactions with your site, which comes from seeing both legitimate and abusive behavior. For this reason, we recommend including reCAPTCHA verification on forms or actions as well as in the background of pages for analytics.
Source: https://developers.google.com/recaptcha/docs/v3
The above document says we need to integrate reCAPTCHA v3 on multiple pages. So the question is: do we really need to generate and verify a token for each page, or is just generating the token enough?
Like:
grecaptcha.execute(reCaptchaPublicKey, {action: 'cartpage'}).then(function(token) {
//skip verification
});
Note:
On the form for which I want to block the bot, I am generating a token and passing it to the server with the user's form data. On the server side, I validate the token using the API and get a score in the response to take further action, e.g. block the user's action if the score is low.
No. Calling grecaptcha.execute with the appropriate action (use 'homepage' for traffic on your homepage) is enough to make the reCAPTCHA service count and process the visit.
The token that is provided to your callback is requested from the reCAPTCHA service by the reCAPTCHA client script. Sending it to your server to then send it back to the reCAPTCHA service to get the score makes no sense if you don't use the score.
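For the form where the score is used (the case described in the question's note), the enforcement lives entirely on the server: the browser token proves nothing by itself, and only the siteverify response should gate the submission. The following is an added example, not code from the thread or from Google, showing what a server should check in that response beyond the score: success, that the action matches the one the token was minted for, that the hostname is yours, and that the token is fresh. The endpoint URL and parameter/field names are those of Google's siteverify API; the policy values and sample responses are constructed for illustration.

```javascript
// Added example (not from the original answers): server-side handling of a
// reCAPTCHA v3 siteverify result. Thresholds, hostnames and the sample
// responses below are constructed assumptions, not captured data.

// Real endpoint and parameter names from Google's siteverify API.
const SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify";

// Calls siteverify with the site's secret key (which must never reach the browser).
// Not invoked in the offline demo; requires network access.
async function fetchSiteverify(secret, token, remoteIp) {
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set("remoteip", remoteIp);
  const res = await fetch(SITEVERIFY_URL, { method: "POST", body });
  if (!res.ok) throw new Error(`siteverify HTTP ${res.status}`);
  return res.json();
}

// Pure decision function over a parsed siteverify response.
// policy: { expectedAction, expectedHostnames, minScore, maxAgeSeconds }
// Returns { allow: boolean, reason: string, score?: number }.
function evaluateSiteverify(resp, policy, now = Date.now()) {
  if (!resp || resp.success !== true) {
    const codes = (resp && resp["error-codes"]) || [];
    return { allow: false, reason: `not_verified:${codes.join(",") || "unknown"}` };
  }
  // Action binding: a token minted for 'homepage' must not be replayed on the form.
  if (resp.action !== policy.expectedAction) {
    return { allow: false, reason: "action_mismatch", score: resp.score };
  }
  // Hostname binding: the site key is public, so reject tokens solved on another host.
  if (!policy.expectedHostnames.includes(resp.hostname)) {
    return { allow: false, reason: "hostname_mismatch", score: resp.score };
  }
  // Freshness: Google documents v3 tokens as valid for two minutes; enforce an upper bound.
  const ts = Date.parse(resp.challenge_ts);
  if (Number.isNaN(ts) || now - ts > policy.maxAgeSeconds * 1000) {
    return { allow: false, reason: "stale", score: resp.score };
  }
  if (typeof resp.score !== "number" || resp.score < policy.minScore) {
    return { allow: false, reason: "low_score", score: resp.score };
  }
  return { allow: true, reason: "ok", score: resp.score };
}

// Constructed sample responses in the siteverify JSON shape (not captured from Google).
const POLICY = {
  expectedAction: "contact_form",
  expectedHostnames: ["example.com", "www.example.com"],
  minScore: 0.5,
  maxAgeSeconds: 120,
};
const NOW = Date.parse("2023-02-01T12:00:30Z");
const SAMPLES = {
  good:           { success: true, score: 0.9, action: "contact_form", challenge_ts: "2023-02-01T12:00:00Z", hostname: "example.com" },
  replayedAction: { success: true, score: 0.9, action: "homepage",     challenge_ts: "2023-02-01T12:00:00Z", hostname: "example.com" },
  lowScore:       { success: true, score: 0.1, action: "contact_form", challenge_ts: "2023-02-01T12:00:00Z", hostname: "example.com" },
  wrongHost:      { success: true, score: 0.9, action: "contact_form", challenge_ts: "2023-02-01T12:00:00Z", hostname: "evil.example.net" },
  stale:          { success: true, score: 0.9, action: "contact_form", challenge_ts: "2023-02-01T11:50:00Z", hostname: "example.com" },
  rejected:       { success: false, "error-codes": ["timeout-or-duplicate"] },
};

for (const [name, resp] of Object.entries(SAMPLES)) {
  console.log(name, evaluateSiteverify(resp, POLICY, NOW));
}

module.exports = { fetchSiteverify, evaluateSiteverify, SAMPLES, POLICY, NOW };
```

Pages where execute() is called purely for analytics never need this path; it applies only to the actions you actually want to gate, and the decision should be made from the siteverify response, never from anything the client asserts about itself.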
Okay, I want to use Google's reCAPTCHA, but I don't want the user to click on anything, just verify that they're not a robot when the page loads. If the visitor is a bot, I want to redirect it to a blocking page.
Is it possible? and how can I do it?
I have comments on the footer of each of my wallpaper pages:
http://www.socwall.com/desktop-wallpaper/30688/422-by-unknown-artist/
I'd like comments to post to my Facebook Page's wall:
http://www.facebook.com/SocWall
Is this possible?
Yes, but it will require some coding. Here are the basic steps:
1. Include the JavaScript SDK on your site and subscribe to the comment.create JavaScript event that is fired whenever someone posts a comment.
2. Auth your users for your site and app (again using the JS SDK) and ensure you request the publish_stream, user_likes and publish_actions permissions.
3. When you get those permissions from the user, perform an FB.api call to /USERID/likes and check whether your Page ID is included in that list of likes.
4. If it is there, then once the event in step 1 is triggered you can do a POST on the API to PAGEID/feed with the message parameter included. This will post the comment to your Page's feed.
A couple of other things to bear in mind:
If the user is not a fan of your page, you won't be able to do step 4.
You must make it clear to the users that posting a comment will also post to your Page. If you do not tell them, this will put your app in violation of Facebook Platform Policies but more importantly, it'll break user trust and they might report your app.