
Removes origin method. #1

andrelopez committed Sep 14, 2018
1 parent 66f0a39 commit a6b2c99906b427d36b80e1d15ab4c6df93f76f34
Showing with 0 additions and 90 deletions.
  1. +0 −11 README.md
  2. +0 −62 services/SproutInvisibleCaptcha_OriginMethodService.php
  3. +0 −17 templates/_cp/settings.html
@@ -26,17 +26,6 @@ By default, if a submission is caught, it will be redirected to your 'redirect'

## Invisible Captcha Methods Available

**Require web-based form submissions** (Origin Method)

_Explanation_: The Origin spam protection method ensures that your form is submitted from your website and not from a third-party website or a headless browser. This method implements behavior similar to CSRF tokens.

_Note: This method should not have any chance for a regular user to get denied from submitting your form._

_How do I test this method?_<br>
It may not be easy to test this method for the average user. To do so, you will need to write a script that programatically submits your form with a user agent string or domain that does not match the information for those settings provided by your website. Blocked submissions will be logged in the database and can also be seen in the Invisible Captcha logs.

<hr>

**Prevent duplicate submissions if a user hits submit more than once** (Duplicate Submission Method)

_Explanation_<br>
@@ -6,30 +6,7 @@ class SproutInvisibleCaptcha_OriginMethodService extends BaseApplicationComponen
public function verifySubmission()
{
$uahash = craft()->request->getPost('__UAHASH');
$uahome = craft()->request->getPost('__UAHOME');
// Run a user agent check
if ( ! $uahash || $uahash != $this->getUaHash() )
{
SproutInvisibleCaptchaPlugin::log("A form submission failed because the the user agent did not match.", LogLevel::Info, true);
craft()->sproutInvisibleCaptcha->originMethodFailed = 1;
return false;
}
// Run originating domain check
if ( ! $uahome || $uahome != $this->getDomainHash() )
{
SproutInvisibleCaptchaPlugin::log("A form submission failed because the domain did not match.", LogLevel::Info, true);
craft()->sproutInvisibleCaptcha->originMethodFailed = 1;
return false;
}
// Passed
return true;
}
public function getProtection()
@@ -40,46 +17,7 @@ public function getProtection()
public function getField()
{
$output = '';
$domain = craft()->request->getHostInfo();
$output .= sprintf('
<input type="hidden" id="__UAHOME" name="__UAHOME" value="%s" />', $this->getDomainHash() );
$output .= sprintf('
<input type="hidden" id="__UAHASH" name="__UAHASH" value="%s"/>', $this->getUaHash() );
return $output;
}
protected function getDomainHash()
{
$domain = craft()->request->getHostInfo();
return $this->getHash( $domain );
}
/*
* getUaHash()
*
* Grab the user agent string and return a hashed version of it
*
* @return string The hashed value of the user agent string
*/
protected function getUaHash()
{
return $this->getHash( craft()->request->getUserAgent() );
}
/**
* getHash()
*
* Simple string hashing to encode data (Do not use for encryption)
*
* @param string $str The string to encode
* @return string The hashed value of $str (32 Chars)
*/
protected function getHash($str)
{
return md5( sha1($str) );
}
}
@@ -13,23 +13,6 @@

<div class="field first">
<div class="checkbox-select">
<div class="method-origin">

<label>
<input type="checkbox" value="origin" name="captchaMethod[]" {% if plugin.isMethodSet('origin') %}checked{% endif %}>
<strong>Require web-based form submissions</strong> (Origin)
</label>
<span class="more-info">?</span>
<div class="note">

<p>The <b>Origin</b> spam protection method ensures that your form is submitted from your website and not from a third-party website or a headless browser. This method implements behavior similar to CSRF tokens.</p>

<p><em><b>Note:</b> This method should not have any chance for a regular user to get denied from submitting your form.</em></p>

<p><strong>How do I test this method?</strong> It may not be easy to test this method for the average user. To do so, you will need to write a script that programatically submits your form with a user agent string or domain that does not match the information for those settings provided by your website. Blocked submissions will be logged in the database and can also be seen in the <a href="{{ cpUrl('utils/logs/sproutinvisiblecaptcha.log') }}">Invisible Captcha logs</a>.</p>
</div>

</div>
<div class="method-duplicate">

<label>
