Implement reCAPTCHA for abuse prevention #311
Conversation
|
Alright, squashed all the commits and removed the remaining bits that were changing orthogonal plumbing vs. actually adding the feature in scope. Was c1294cc. |
|
Testing with Heroku templating ... |
|
|
|
|
|
|
|
Ready for review, @rauchg! |
|
Test here if you like (will leave up temporarily): |
|
@whit537 thanks a lot! One last thing before we merge this: do you think it's a good idea to enforce Google reCAPTCHA on every single installation, rather than making it optional? |
|
I think it should be hard to deploy SlackIn insecurely ("secure by default"). If reCAPTCHA is optional then it should be an explicit opt-out with a clear warning about SlackOut. |
|
... and I guess I would see that as out-of-scope for this PR. Right now SlackIn exposes its users to a non-trivial vulnerability. Reducing that exposure is important. Adding a footgun back into SlackIn can be done later. |
|
Ready to merge, @rauchg? |
This reverts commit 1dedb2e
|
Was this made to also work with the badge version? Because I'm trying to upgrade (for Node security updates) but can't seem to get this to work, and I can't see how it did?
When you try to send an invite you get:
It works fine if you go to it directly:
|
|
I don't recall seeing anything about the badge version when I was cleaning up the PR. I suggest making a new ticket/PR. |
Sorry about that. :-/ |
|
It happens! 😊 |
This reverts commit 1dedb2e.
|
Can you please publish this update to npm? slackin on npm is still 0.13.0 |
|
FYI, this PR broke the Azure deployment: #355. Need to update the environment variables here: https://github.com/rauchg/slackin/blob/master/azuredeploy.json#L99 |
|
These setting for Azure deployment are fixed in #333 |
Redux of #234. Initial rebase here drops some README changes in favor of
HEAD, but otherwise should match 8330ac6.