Changes

Page history
docs: Adding a writeup distinguishing between, and describing, both CAPTCHA systems authored by stephen's avatar stephen 
An earlier meeting with TPA revealed that some additional writing about the differences between the two CAPTCHA systems might not be a bad idea - it's not immediately clear that we are using two, and they each serve a slightly different purpose. This commit addresses this by adding a subsection to the Authentication portion of the donate service documents regarding CAPTCHAs.
Show whitespace changes
Inline Side-by-side
service/donate.md
View page @ 0e9dc3db
...@@ -613,6 +613,39 @@ to the CRM server ...@@ -613,6 +613,39 @@ to the CRM server
Both servers have firewalled SSH servers (rules defined in Puppet, Both servers have firewalled SSH servers (rules defined in Puppet,
`profile::civicrm`). To get access to the port, [ask TPA][File]. `profile::civicrm`). To get access to the port, [ask TPA][File].
### CAPTCHAs
There are two separate CAPTCHA systems in place on the donation form:
- [django-simple-captcha](https://pypi.org/project/django-simple-captcha/), a four-character text CAPTCHA which sits in
the form just above the Stripe or Paypal interface and submit button.
It integrates with Django's forms natively and failing to fill it out
properly will invalidate the form submission even if all other fields
are correct. It has an `<audio>` player just below the image and text
field, to assist those who might have trouble reading the characters.
CAPTCHA images and audio are generated on the fly and stored in the
Django database (and they are the only things used by `donate-neo`
which are so stored).
- [altcha](https://github.com/altcha-org/altcha), a challenge-based CAPTCHA in the style of Google reCAPTCHA
or Cloudflare Turnstile. When a user interacts with the donation form,
the ALTCHA widget makes a request to `/challenge/` and receives a
proof-of-work challenge (detailed [here, in the ALTCHA documentation](https://altcha.org/docs/proof-of-work/)).
Once done, it passes its result to `/verifychallenge/`, and the server
confirms that the challenge is correct (and that its embedded timestamp
isn't too old). If correct, the widget calls the Stripe SDK function which
embeds the credit card payment form. We re-validate the proof-of-work
challenge when the user attempts to submit the donation form as well; it is
not sufficient to simply brute force one's way past the ALTCHA via
malicious Javascript, as passing that re-validation is necessary for the
`donate-neo` backend to return the donation-specific client secret, which
itself is necessary for the Stripe transaction to be made.
`django-simple-captcha` works well to prevent automated form submission regardless
of payment processor, whereas `altcha`'s role is more specifically to prevent
automated card testing using the open Stripe form; their roles overlap but
including only one or the other would not be sufficient protection against
everything that was being thrown at the old donate site.
### review apps ### review apps
The donate-review *runner* uses token authentication to pick up jobs from The donate-review *runner* uses token authentication to pick up jobs from
... ...
......