Help Wanted - Create MyGovBC CAPTCHA Microservice

[sachmacd]

Paid Opportunity

We are offering a fixed price of $7,500, to complete the work described in this issue, according to the
terms of the BC Developers’ Exchange’s experimental procurement model, Code-with-us.

Here is how payment works

Background

Provide a reusable, secure and reliable CAPTCHA microservice for service providers to use within online digital services as part of the MyGovBC digital experience.

User Story

As a service provider, I want to include a CAPTCHA widget in my online digital form to protect my digital service from bots. I want to reuse a microservice that encapsulates open source CAPTCHA code so that I don't need to understand the implementation details and can interact with the service through API calls.

Acceptance Criteria

Acceptance

The criteria below must be met in order for you to get paid.

Definitions

Client = MyGovBC Service Provider instance, e.g., MyGovBC-ServiceName
Service = MyGovBC Service Provider CAPTCHA Service instance, e.g., MyGovBC-ServiceName-CAPTCHA
Widget = MyGovBC Service Provider CAPTCHA client side code
Resource API = MyGovBC Service Provider resource API

Scope

This Help Wanted request is for the "Service" as defined above and its use described below.

System Use Case

1. Client loads widget and a resource identifier (like a nonce)
2. Widget executes and displays CAPTCHA challenge to user
3. User responds to challenge
4. Widget sends user response to Service
5. Service verifies response
6. Service returns signed JWT including the nonce
7. Widget notifies Client of success/failure
8. Client includes JWT in Resource API call
9. Resource API confirms validity of the signed JWT
10. Resource API match resource identifier in the path, query or request body, with resource identifier in the signed JWT
11. Resource API allows/denies access to resource

Service Provider Use Case

1. Install Widget to my client, e.g. npm install mygovbc-captcha-widget --save-dev
2. Fork source and deploy Service in OpenShift
3. Configure Service and Resource API with the same key using OpenShift Deployment Environment Variable, e.g., SECRET=

Additional Criteria

1. Since the same party owns/manages both services, a secret with HMAC is acceptable only means for digital signing
2. The time that it takes to generate or validate the CAPTCHA must not exceed 1 second.
3. Collaborate with MyGovBC team within 2 business days of award to determine which open source CAPTCHA code to leverage (must adhere to MyGovBC requirements including privacy and security):

• https://github.com/contra/captchagen
• https://github.com/DoubleSpout/ccap
• https://libraries.io/npm/svg-captcha

4. Written in Javascript for NodeJS version 4.x following npm install and npm start conventions
5. Automated unit tests verifying its core functionality
6. Logs to console any errors

How to Contribute (How to Apply)

To apply for this work, please email a proposal to karen.smith@gov.bc.ca by 5:00 PM PDT on Monday, February 6, 2017. Please reference the issue name "Help Wanted - Create MyGovBC CAPTCHA Microservice in your email".

What to Include in your Proposal (Evaluation Criteria)

We will score your proposal by the following criteria:

1. Your confirmation of being able to commit the time to meet all of the Acceptance Criteria by February 28, 2017.

2. The date you can commit to delivering your first working version for preliminary integration testing (15 points).

3. A brief overview of which open source CAPTCHA code you rate most highly and why (25 points).

4. References to your relevant experience and demonstrated ability to do the work (50 points). For example, a link to your GitHub projects.

5. Any added value you can provide within the fixed price (10 points).

6. With your proposal, you must attach a copy of the Code-with-Us Terms, with the required information asked for in the “Acceptance” section of the Terms inserted into the document (Mandatory).

If we are satisfied with the proposals, we will assign the work to the person with the highest scoring proposal by the end of the working day on Wednesday, February 8, 2017.

Here’s more detail about how assignment works

Questions, Comments, Suggestions?

Please post your questions in the comment section below.

[marklise]

Under "Additional Criteria", are we limited to those choices identified by point #3?

[GregTurner]

@marklise Not limited to but not unlimited. The three suggested libraries met the following criteria, which any library would need to meet:

1. Permissive open source license, e.g., MIT, Apache 2.0, etc.
2. NodeJS 4.x and if using native libs must run on RedHat OpenShift 3.3 stock NodeJS image
3. Not SaaS, e.g., Google reCaptcha

[sachmacd]

The proposal period is now closed. Thanks to those who considered the opportunity and in particular to the 2 individuals who submitted proposals. We are in the process of evaluating the proposals received and if we are satisfied with the proposals, we will assign the work to the person with the highest scoring proposal by the end of the working day on Wednesday, February 8, 2017.

[sachmacd]

We have scored the proposals and are assigning this work to @marklise.

[GregTurner]

Code complete and integrated, @sachmacd this issue can be closed.

[marklise]

Thanks @GregTurner @sachmacd !

[sachmacd]

Thank you @marklise. You have satisfied the acceptance criteria. We now have it integrated and working as specified in one of our web applications. We really appreciate all your great work on this!