[Bug 39435] New: Add plugin based bot challenge
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 Bug ID: 39435 Summary: Add plugin based bot challenge Change sponsored?: --- Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Architecture, internals, and plumbing Assignee: koha-bugs@lists.koha-community.org Reporter: m.de.rooy@rijksmuseum.nl QA Contact: testopia@bugs.koha-community.org -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |m.de.rooy@rijksmuseum.nl |ity.org | -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=39109 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 --- Comment #1 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 179750 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=179750&action=edit Bug 39435: Introduce Koha::BotChallenger Test plan: [1] Run t/Koha/BotChallenger.t [2] Clear the pref BotChallengePlugin. Verify that OPAC response time in your browser is not affected, comparing response times before this patch under the same circumstances. [3] Use one of the plugin examples or create one ;) See BZ. Fill the pref. Hit opac-bot-challenge.pl. Post the form. Check for the cookie BotChallenge in browser dev tools. Verify that with that cookie, hitting opac pages does not really affect response times. (The check should cost only 2 or 3ms.) Obviously, only compare the same pages with/without this patch. Delete the cookie. Verify that you get the challenge form again, but do not post a response. Add your IP address to env var BTCH_ALLOW_IP (via e.g. SetEnv in an Apache config file, via Docker env, etc.) Delete the cookie and verify that you are not redirected now to the challenge form when hitting another OPAC page. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 --- Comment #2 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 179751 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=179751&action=edit Bug 39435: Implement BotChallenger module in C4::Auth and opac-export -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 --- Comment #3 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Still POC. Needs tidying, dbrev etc. Still to come. And some simplified examples of a plugin. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 --- Comment #4 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- When adding js, we should add an Alias to /var/lib/koha/plugins/js or so ? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 --- Comment #5 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- (In reply to Marcel de Rooy from comment #4)
When adding js, we should add an Alias to /var/lib/koha/plugins/js or so ?
/var/lib/koha/INSTANCE_NAME/plugins/js -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 --- Comment #6 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Also note that there is some small plugin cheating in this patch set since I do not want to hit the database to check if a plugin is enabled etc. All for speed. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=39466 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 --- Comment #7 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- (In reply to Marcel de Rooy from comment #5)
(In reply to Marcel de Rooy from comment #4)
When adding js, we should add an Alias to /var/lib/koha/plugins/js or so ?
/var/lib/koha/INSTANCE_NAME/plugins/js
See bug 39466. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 --- Comment #8 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 179798 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=179798&action=edit Bug 39435: Adjustments for master Rename to cud-process, add csrf_token. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 --- Comment #9 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- (In reply to Marcel de Rooy from comment #8)
Created attachment 179798 [details] [review] Bug 39435: Adjustments for master
Rename to cud-process, add csrf_token.
Adds about 3-4 ms :) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 --- Comment #10 from David Cook <dcook@prosentient.com.au> --- This looks interesting. Personally, I do my bot checks after the "use" statements and before any logic controller specific logic is processed, and I only do them for specific OPAC pages (e.g. opac-detail.pl, opac-export.pl, opac-search.pl, etc). I don't do bot challenges where it's clear it's an authenticated session, so I've had to add in slim/light auth checks, since Koha's existing auth checks are too heavy weight. I've got some pressing matters to attend to, but I'll come back here... Btw when I mentioned a plugin based idea, I was thinking more so Perl plugins rather than Koha plugins per se - just because of the slowness of Koha plugins, but something to explore... -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 --- Comment #11 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- (In reply to David Cook from comment #10)
I don't do bot challenges where it's clear it's an authenticated session, so I've had to add in slim/light auth checks, since Koha's existing auth checks are too heavy weight.
If you want to check the passed session id, you will have to check the db..
Btw when I mentioned a plugin based idea, I was thinking more so Perl plugins rather than Koha plugins per se - just because of the slowness of Koha plugins, but something to explore...
See comment6. This plugin is not called via Plugins->call, does not hit the db. So it is always 'enabled' ;) All for speed indeed. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 --- Comment #12 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 179825 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=179825&action=edit Bug 39435: [DO NOT PUSH] Simple examples to illustrate The examples should only be used for testing the concept! Use them as a starting point for creating your own. The idea is to quickly generate an answer in the plugin module, and make it harder to get the answer from javascript. Include some heavy calculation there, obscure the code, etc. So you could add templates, css etc. in the module but just keep in mind that your response should be fast! Dont use expensive Koha calls, db hits etc. The Dumb module does not use a separate js file. The Simple module moves more or less some logic into a js file. The Text module shows the idea of a text challenge, just as an example. Test plan: Copy the three modules to your INSTANCE/plugins folder. Make sure that you can hit scripts in INSTANCE/plugins/js (see bug 39466), or put them somewhere under koha-tmpl/opac-tmpl/bootstrap/js and change the location in Simple.pm or Text.pm accordingly. Fill the Local use pref BotChallengePlugin with BotChallenge::Dumb or Simple or Text. Restart Plack and memcache. Hit some OPAC pages. Test another plugin. Restart etc. Now test your own? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 --- Comment #13 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 179895 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=179895&action=edit Bug 39435: Fix encoding of referer in BotChallenger -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |chris@bigballofwax.co.nz --- Comment #14 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Need to fix the unit test for the CSFR change here. Working on it -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #179750|0 |1 is obsolete| | --- Comment #15 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 179974 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=179974&action=edit Bug 39435: Introduce Koha::BotChallenger Test plan: [1] Run t/Koha/BotChallenger.t [2] Clear the pref BotChallengePlugin. Verify that OPAC response time in your browser is not affected, comparing response times before this patch under the same circumstances. [3] Use one of the plugin examples or create one ;) See BZ. Fill the pref. Hit opac-bot-challenge.pl. Post the form. Check for the cookie BotChallenge in browser dev tools. Verify that with that cookie, hitting opac pages does not really affect response times. (The check should cost only 2 or 3ms.) Obviously, only compare the same pages with/without this patch. Delete the cookie. Verify that you get the challenge form again, but do not post a response. Add your IP address to env var BTCH_ALLOW_IP (via e.g. SetEnv in an Apache config file, via Docker env, etc.) Delete the cookie and verify that you are not redirected now to the challenge form when hitting another OPAC page. [EDIT] Adjusted for master: CSRF changes. Fixed referer encoding. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #179751|0 |1 is obsolete| | --- Comment #16 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 179975 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=179975&action=edit Bug 39435: Implement BotChallenger module in C4::Auth and opac-export -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #179825|0 |1 is obsolete| | --- Comment #17 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 179976 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=179976&action=edit Bug 39435: [DO NOT PUSH] Simple examples to illustrate The examples should only be used for testing the concept! Use them as a starting point for creating your own. The idea is to quickly generate an answer in the plugin module, and make it harder to get the answer from javascript. Include some heavy calculation there, obscure the code, etc. So you could add templates, css etc. in the module but just keep in mind that your response should be fast! Dont use expensive Koha calls, db hits etc. The Dumb module does not use a separate js file. The Simple module moves more or less some logic into a js file. The Text module shows the idea of a text challenge, just as an example. Test plan: Copy the three modules to your INSTANCE/plugins folder. Make sure that you can hit scripts in INSTANCE/plugins/js (see bug 39466), or put them somewhere under koha-tmpl/opac-tmpl/bootstrap/js and change the location in Simple.pm or Text.pm accordingly. Fill the Local use pref BotChallengePlugin with BotChallenge::Dumb or Simple or Text. Restart Plack and memcache. Hit some OPAC pages. Test another plugin. Restart etc. Now test your own? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #179895|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #179798|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |Needs Signoff Patch complexity|--- |Small patch -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 --- Comment #18 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 179988 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=179988&action=edit Bug 39435: Database revision for new preference Test plan: Run install or upgrade. Check pref. Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #179974|0 |1 is obsolete| | --- Comment #19 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 179989 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=179989&action=edit Bug 39435: Introduce Koha::BotChallenger Test plan: [1] Run t/Koha/BotChallenger.t [2] Clear the pref BotChallengePlugin. Verify that OPAC response time in your browser is not affected, comparing response times before this patch under the same circumstances. [3] Use one of the plugin examples or create one ;) See BZ. Fill the pref. Hit opac-bot-challenge.pl. Post the form. Check for the cookie BotChallenge in browser dev tools. Verify that with that cookie, hitting opac pages does not really affect response times. (The check should cost only 2 or 3ms.) Obviously, only compare the same pages with/without this patch. Delete the cookie. Verify that you get the challenge form again, but do not post a response. Add your IP address to env var BTCH_ALLOW_IP (via e.g. SetEnv in an Apache config file, via Docker env, etc.) Delete the cookie and verify that you are not redirected now to the challenge form when hitting another OPAC page. [EDIT] Adjusted for master: CSRF changes. Fixed referer encoding. Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #179975|0 |1 is obsolete| | --- Comment #20 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 179990 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=179990&action=edit Bug 39435: Implement BotChallenger module in C4::Auth and opac-export Test plan: See previous patch. Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #179976|0 |1 is obsolete| | --- Comment #21 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 179991 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=179991&action=edit Bug 39435: [DO NOT PUSH] Simple examples to illustrate The examples should only be used for testing the concept! Use them as a starting point for creating your own. The idea is to quickly generate an answer in the plugin module, and make it harder to get the answer from javascript. Include some heavy calculation there, obscure the code, etc. So you could add templates, css etc. in the module but just keep in mind that your response should be fast! Dont use expensive Koha calls, db hits etc. The Dumb module does not use a separate js file. The Simple module moves more or less some logic into a js file. The Text module shows the idea of a text challenge, just as an example. Test plan: Copy the three modules to your INSTANCE/plugins folder. Make sure that you can hit scripts in INSTANCE/plugins/js (see bug 39466), or put them somewhere under koha-tmpl/opac-tmpl/bootstrap/js and change the location in Simple.pm or Text.pm accordingly. Fill the Local use pref BotChallengePlugin with BotChallenge::Dumb or Simple or Text. Restart Plack and memcache. Hit some OPAC pages. Test another plugin. Restart etc. Now test your own? Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 --- Comment #22 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Note for QA: Fourth patch should not be pushed. Is not tidy :) If you see: Constant subroutine Koha::BotChallenger::CHALLENGE_SCRIPT redefined Constant subroutine Koha::BotChallenger::CONFIRMED_EXPIRY redefined Constant subroutine Koha::BotChallenger::MEMCACHE_PREFIX redefined Constant subroutine Koha::BotChallenger::TOKEN_LENGTH redefined Constant subroutine Koha::BotChallenger::UNCONFIRMED_EXPIRY redefined Please ignore. Occurs more often. Cyclic stuff in Koha ;) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 --- Comment #23 from David Cook <dcook@prosentient.com.au> --- (In reply to Marcel de Rooy from comment #11)
(In reply to David Cook from comment #10)
I don't do bot challenges where it's clear it's an authenticated session, so I've had to add in slim/light auth checks, since Koha's existing auth checks are too heavy weight.
If you want to check the passed session id, you will have to check the db..
Bots won't be passing a CGISESSID cookie, so there won't be a DB hit for the bots. If there is a cookie with a value, then the DB hit will be minor and likely for a real request, so it's quite efficient in the end. (Just not using Koha's current code which is not efficient hehe.)
Btw when I mentioned a plugin based idea, I was thinking more so Perl plugins rather than Koha plugins per se - just because of the slowness of Koha plugins, but something to explore...
See comment6. This plugin is not called via Plugins->call, does not hit the db. So it is always 'enabled' ;) All for speed indeed.
Yeah I saw the comment but haven't dug into the code yet to confirm it. I probably won't have time until May at the earliest I suspect... -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 --- Comment #24 from David Cook <dcook@prosentient.com.au> --- Thanks for tidying things up. It makes it easier to read for sure. Some feedback: 1. I like the DB revision. That is clever. 2. I'll want to review Koha::BotChallenger and opac/opac-bot-challenge.pl in more depth at a later date... 3. Why add BotChallenger to C4::Auth and opac-export? 4. The circular redefinition stuff is because you're using it in C4::Auth. Since you're using Koha::BotChallenger->new anyway, you could move those from being constants to being variables in new(). I don't think that would have any real negative implications. -- Some more ideas: 1. What about implementing this as a Plack middleware like in bug 39109? I haven't done that with my local version, but I've been thinking about rewriting it to be a Plack middleware. (I suppose the problem with that is that it won't work for people not using Plack, which we've noticed with the anti-CSRF stuff, but I think we mandate Plack anyway... so not really a problem.) 2. When I suggested the plugin idea, I was actually meaning more so for the business logic of identifying bots and presenting them with a more standard page. Locally, I've created an "opac-challenge.tt" which is part of Koha and is thus translatable. That said, it is using C4::Template to have the best UX. In terms of performance, I haven't let the bots hit it yet, so I can't make any guarantees on server impact. However, I have an idea for that too. I think we should consider creating a static page built using C4::Template so that it has a good human UX while still being low/no impact. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 --- Comment #25 from David Cook <dcook@prosentient.com.au> --- Locally, for my challenge, I have a POST form without a CSRF token, so that if the bot submits the form, it'll always fail. I also have it pointed at a non-existent honeypot endpoint, which can be grepped in the logs. After a successful challenge, I actually create a link for the human user to click, so there's no automatic navigation. The link they click is real but also contains additional information that can be grepped in the logs. I suppose with the plugin approach... I can still keep doing it my local way. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 --- Comment #26 from David Cook <dcook@prosentient.com.au> --- I suppose the only problem with the plugin approach currently is the need to add it to the particular existing Koha code (e.g. C4::Auth and opac-export). That's where a Plack Middleware could be handy. But then if we let a web UI syspref point to a module which can interfere at the Plack Middleware level... that has security implications. We should probably validate the syspref value to something like "Koha::Plugin::BotChallenge::"... although I suppose all Koha plugins have security problems when they're added by end users. At this point, maybe we should look at a Plack middleware and a koha-conf.xml entry? Or even just a Plack middleware? It would require a sysadmin configuring things, but I don't think that's a bad thing. And maybe after we start proving some of these experimental things in production... we could then provide web users with a dropdown list of options? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 --- Comment #27 from David Cook <dcook@prosentient.com.au> --- (In reply to David Cook from comment #24)
That said, it is using C4::Template to have the best UX. In terms of performance, I haven't let the bots hit it yet, so I can't make any guarantees on server impact.
Actually... for bug 39109 I used C4::Template for a "opac-throttled.tt" human UX friendly page, and it worked very well even with a high volume of requests. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 --- Comment #28 from David Cook <dcook@prosentient.com.au> --- When I was thinking about plugins for this feature, I was also thinking about using Module::Pluggable a bit more directly. That way we don't even need a system preference. We just have the requirement of the class being "Koha::Plugin::BotChallenge::*" That module could still be provided by a Koha Plugin since the plugin installation affects the @INC. (Personally, I disable Koha plugin upload for web users, so I personally am not worried about the security of it, but I do think about Koha instances with web upload allowed... but they're inherently insecure anyway...) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |ASSIGNED --- Comment #29 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Changing status for revisting Middleware idea. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #179988|0 |1 is obsolete| | --- Comment #30 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 180479 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=180479&action=edit Bug 39435: Database revision for new preference Test plan: Run install or upgrade. Check pref. Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #179989|0 |1 is obsolete| | --- Comment #31 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 180480 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=180480&action=edit Bug 39435: Introduce Koha::BotChallenger [EDIT1] Adjusted for master: CSRF changes. Fixed referer encoding. [EDIT2] Combined with use of Plack middleware class (next patch). Test plan: Very rudimentary for this patch only. The main test is in the middleware patch. [1] Run t/Koha/BotChallenger.t [2] Clear pref BotChallengePlugin. Hit opac-bot-challenge.pl. This should result directly in a bad request. Same for filling the pref with This::Does::Not::Exist Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 --- Comment #32 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 180481 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=180481&action=edit Bug 39435: Add bot challenge middleware class This new class will call Koha::BotChallenger->check from Plack middleware. NOTE: We need to pass a defined value to check_csrf from the CSRF middleware. Koha::Token should only return immediately on undefined session_id. Actually, this makes the second check in check_csrf unneeded. This adds a unit test, primarily testing the control flow within ->call. The BotChallenger->check is tested already in the former patch. Test plan: [1] Run t/Koha/Middleware/BotChallenge.t and t/Token.t [2] Copy the plack.psgi change into your /etc/koha/plack.pgsi. Restart all. Clear browser cache (*). [3] Clear pref BotChallengePlugin. Verify that OPAC response time is just like before (given same circumstances etc.) [4] Apply the examples patch. cp -r botchallenge/plugins/BotChallenge /var/lib/koha/INSTANCE/plugins/ cp -r botchallenge/plugins/js /var/lib/koha/INSTANCE/plugins/ Restart all. Clear browser cache (*). [5] Set pref to BotChallenge::Dumb. This does not use js. [6] Verify that the first OPAC hit triggers opac-bot-challenge. Wait a few seconds and submit. Check cookie BotChallenge in browser dev tools. Navigate thru OPAC. Normal response, no challenge? [7] Remove the cookie. Hit another OPAC page. Challenge comes back? Bonus tests [8] See also bug 39466, add alias for plugins/js to apache-shared-opac. Restart all [9] Set pref to BotChallenge::Simple or BotChallenge::Text. Remove cookie. Navigate thru OPAC again. (*) During testing I had some issues with browser cache redirecting pages to opac-bot-challenge. A refresh on opac-bot-challenge should resolve that too. Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #179991|0 |1 is obsolete| | --- Comment #33 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 180482 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=180482&action=edit Bug 39435: [DO NOT PUSH] Simple examples to illustrate The examples should only be used for testing the concept! Use them as a starting point for creating your own. The idea is to quickly generate an answer in the plugin module, and make it harder to get the answer from javascript. Include some heavy calculation there, obscure the code, etc. So you could add templates, css etc. in the module but just keep in mind that your response should be fast! Dont use expensive Koha calls, db hits etc. The Dumb module does not use a separate js file. The Simple module moves more or less some logic into a js file. The Text module shows the idea of a text challenge, just as an example. Test plan: Copy the three modules to your INSTANCE/plugins folder. Make sure that you can hit scripts in INSTANCE/plugins/js (see bug 39466), or put them somewhere under koha-tmpl/opac-tmpl/bootstrap/js and change the location in Simple.pm or Text.pm accordingly. Fill the Local use pref BotChallengePlugin with BotChallenge::Dumb or Simple or Text. Restart Plack and memcache. Hit some OPAC pages. Test another plugin. Restart etc. Now test your own? Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #179990|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jonathan.druart@gmail.com --- Comment #34 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Implemented the middleware approach now. Had some struggles with Koha::Token and the CSRF middleware class. Instead of passing an undefined session (scalar on no cookie), I am passing the default session id used in Koha::Token. When removing the returns on a false but defined session, this should effectively remove the need for the second check in a row in check_csrf added on 36102. This explains the small changes in Koha::Token and Middleware::CSRF. While testing, the browser cache sometimes got in the way. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 --- Comment #35 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Will open a new report for Koha::Token. The check, check_csrf and _chk_csrf are a bit confusing too. Seem not entirely consistent. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39435 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=39542 -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org