
How to become a ReCaptcha v3 expert

Rostislav Zhuravsky

May 21, 2021

Transcript

1. How it works
   1. Load the ReCaptcha script into your page using your public key.
   2. The script collects the user’s actions.
   3. Before making a bot-sensitive request, generate a token and send it to the backend together with the payload.
   4. Verify the token with your private key by sending a POST request to Google.
2. V2 vs V3
   V2:
   • Visible: a user clicks to prove they’re not a bot, and if their actions are suspicious they have to complete a quiz
   • Gives a categorical response: the user is either a bot or a human being
   • Provides the ability to customize the theme of the checkbox (dark, light, etc.)
   V3:
   • Invisible: the user doesn’t need to do anything
   • Provides a score from 0.0 to 1.0 that represents the probability of being a real person (0.0 is a bot, 1.0 is a person), so deciding whether to block the user becomes your responsibility
   • Verification requests can be separated by action
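The backend half of the flow above (step 4, verifying the token with the private key, plus the v3 score and action check), as an added example that is not code from the deck. The siteverify endpoint and the JSON fields `success`, `score`, `action` and `error-codes` are Google's documented ones; the class name, the injected `http_post` callable and the canned responses at the bottom are assumptions made for this example so it runs offline.

```ruby
# Added example (not code from the deck): server-side verification of a
# ReCaptcha v3 token. The siteverify URL and JSON fields are Google's; the
# class, the injected http_post callable and the canned responses are
# assumptions for this example.
require "json"
require "net/http"
require "uri"

class RecaptchaV3Verifier
  SITEVERIFY = URI("https://www.google.com/recaptcha/api/siteverify")
  Result = Struct.new(:human, :score, :reason, keyword_init: true)

  # secret:    the private (server-side) key, never the public site key
  # threshold: minimum score accepted as a real person (the deck settled on 0.7)
  # http_post: callable (uri, params) -> response body; defaults to a real POST
  def initialize(secret:, threshold: 0.7, http_post: nil)
    @secret = secret
    @threshold = threshold
    @http_post = http_post || ->(uri, params) { Net::HTTP.post_form(uri, params).body }
  end

  # token:           value produced by the ReCaptcha script on the page
  # expected_action: the action name the page used when generating the token
  # remote_ip:       optional, forwarded to Google to improve the score
  def verify(token, expected_action:, remote_ip: nil)
    return Result.new(human: false, score: 0.0, reason: "missing token") if token.nil? || token.empty?

    params = { "secret" => @secret, "response" => token }
    params["remoteip"] = remote_ip if remote_ip
    body = JSON.parse(@http_post.call(SITEVERIFY, params))

    # success=false covers expired, malformed and already-used tokens
    unless body["success"]
      return Result.new(human: false, score: 0.0, reason: body.fetch("error-codes", []).join(","))
    end
    score = body["score"].to_f
    # a token minted for another form's action must not unlock this one
    return Result.new(human: false, score: score, reason: "action mismatch") unless body["action"] == expected_action

    human = score >= @threshold
    Result.new(human: human, score: score, reason: human ? "ok" : "score below threshold")
  rescue JSON::ParserError, SocketError, SystemCallError, Timeout::Error => e
    # Google unreachable: report a distinct reason so the caller can decide
    # between blocking and queueing the submission for review
    Result.new(human: false, score: 0.0, reason: "verification unavailable: #{e.class}")
  end
end

# Constructed canned responses so the example runs offline; a real deployment
# omits http_post and talks to Google.
CANNED_SITEVERIFY = lambda do |_uri, params|
  case params["response"]
  when "tok-human" then '{"success": true, "score": 0.9, "action": "contact"}'
  when "tok-bot"   then '{"success": true, "score": 0.3, "action": "contact"}'
  when "tok-login" then '{"success": true, "score": 0.9, "action": "login"}'
  else '{"success": false, "error-codes": ["timeout-or-duplicate"]}'
  end
end

def demo_verifier
  RecaptchaV3Verifier.new(secret: "SECRET-KEY-PLACEHOLDER", threshold: 0.7, http_post: CANNED_SITEVERIFY)
end

if $PROGRAM_NAME == __FILE__
  v = demo_verifier
  %w[tok-human tok-bot tok-login tok-stale].each do |t|
    r = v.verify(t, expected_action: "contact")
    puts "#{t}: human=#{r.human} score=#{r.score} (#{r.reason})"
  end
end
```

The action comparison is the part most often skipped: a token is only proof that the script ran for the action it was generated with, so a token minted on a login page must not satisfy the contact form. The threshold is a constructor argument so the same class serves whatever score the team finally settles on.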
3. The complexity of upgrading to v3
   • There is no way to reproduce your production environment under a spam attack
   • The algorithm that calculates the score is known only to Google
   • Your task is done only when the spam has stopped
   • We love reinventing wheels
4. Our business case
   • A contact inquiry form
   • Low load, about 3-5 real users at once
   • We already had v2, but it didn’t cope
   • About 100 spam submissions per day
   • There is a gem, but at that moment it didn’t support v3
5. Potential bottlenecks
   • Passing bots if we choose too low a score
   • Blocking real users if we choose too high a score
   • Losing clients -> losing money -> I’m updating LinkedIn
6. People recommend
   • Set 0.7 as the optimal score
   • Use v2 as a fallback if v3 responds with too low a score. But wait a sec, we just upgraded to v3 because v2 didn’t work! WTF?
7. Our plan
   • Replace v2 with v3 in a single deployment ✅
   • Put all failures into our backtracking systems so as not to lose real customers
   • Manual observation ✅
   • If we see that the score is too low or too high, we commit a new one and redeploy ✅
8. My solution
   • Add the token to the form as an attribute of the model
   • Add a non-persisted attribute to the model
   • Write a custom validator and enable it with validate_with
9. We noticed a weird behavior
   After our deployments there were two scenarios:
   1. All spam was being passed with the same high score (0.7 or 0.9)
   2. All requests were being blocked with the same low score (0.1 or 0.3), even real people, including our QA :)
10. Solution summary
   • Our optimal score was 0.7 ✅
   • No fallbacks using v2 ✅
   • Tokens are generated using setInterval ❌
   • Tokens are validated using validate_with ❌
   • No more spam ✅
11. A bit more challenging task
   • Customers are complaining about spam
   • There is no way to monitor errors if we put all suspicious submissions into Honeybadger
   • There is no way to do deployments during working hours in CST
12. Our old plan seems to be useless
   • Replace v2 with v3 in a single deployment ❌
   • Put all failures into our backtracking systems so as not to lose real customers ❌
   • Manual observation ❌
   • If we see that the score is too low or too high, we commit a new one and redeploy ❌
13. Feature toggles or feature flags
   Feature toggles are an approach that lets you switch parts of executing code without redeployments. Basically, you keep a boolean value under a stringified alias in any persistent storage, for instance a relational database (PostgreSQL, MySQL), files, or an in-memory store that can back up its data (Redis).
14. What problems does it help to solve?
   • A/B testing
   • It lets you split big features into small PRs that can be merged into master and deployed to production
   • Gradual release: you can enable new functionality under a particular condition. If anything goes wrong, your QA, BA or anybody else can disable/enable the feature
   • Safe experiments on production
   • Make releases for microservices independent
15. What about disadvantages?
   • More ifs in your codebase
   • More cases to test for developers and QA
   • Harder to write new logic. You have to support old and new behavior at once
   • Harder to maintain. After you’ve released a feature to all customers and it’s stable, you have to clear both the old implementation and the feature toggle out of your code
16. Our choice - Flipper
   • Supports a lot of adapters (in memory, ActiveRecord, Redis, Memcache, HTTP)
   • Provides its own UI out of the box
   • Maintainable
   • There is a cloud version we can probably move to
17. Our plan for introducing V3
   • Create feature toggles that allow us to enable v3 for a particular website
   • Implement support for v3 with v2 backward compatibility and easy switching ✅
   • Start from a low score so as not to lose real users, about 0.5 ✅
   • Add the ability to switch the score on the fly. We store it in our in-memory DB ✅
   • Deploy to production, enable for test websites ✅
   • Enable for trusted customers ✅
   • Enable for all ✅
   • Remove the feature toggle usage ❌
18. Tips regarding feature toggles
   • Create a separate class to handle feature toggle logic
   • Include feature toggles in your tests
   • Automate everything you can. Create tasks to enable a default set of feature toggles
   • Keep your codebase clean. Remove feature toggles
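A dedicated feature-toggle class of the kind the tips above recommend, as an added example that is neither the deck's nor Flipper's code. It covers the earlier idea of a boolean kept under a string alias in a key/value store, the per-website rollout stages (test websites, trusted customers, everyone) and a v3 score threshold that can be changed on the fly. The store is a plain Hash standing in for Redis; the key names, the 0.5 default, the `bootstrap` task and the `CaptchaGate` class are assumptions made for this example.

```ruby
# Added example (not the deck's or Flipper's code): a feature-toggle class
# holding the v3 rollout flags and the score threshold in a key/value store.
# The Hash store, key names and default score are assumptions.

class SpamProtectionToggles
  V3_FLAG       = "recaptcha_v3"           # stringified alias of the toggle
  SCORE_KEY     = "recaptcha_v3_min_score" # threshold stored next to the flags
  DEFAULT_SCORE = 0.5                      # start low so real users are not lost

  # store: anything answering to [] and []= (Hash here; Redis/DB in production)
  def initialize(store)
    @store = store
  end

  # Staged rollout: per-website flags first, then the global flag for everyone.
  def enable_v3_for(website_id)
    @store["#{V3_FLAG}:site:#{website_id}"] = true
  end

  def disable_v3_for(website_id)
    @store["#{V3_FLAG}:site:#{website_id}"] = false
  end

  def enable_v3_for_all
    @store["#{V3_FLAG}:all"] = true
  end

  # A per-website value wins over the global one, so a single customer can be
  # moved back to v2 without touching everyone else.
  def v3_enabled?(website_id)
    per_site = @store["#{V3_FLAG}:site:#{website_id}"]
    return per_site unless per_site.nil?
    @store["#{V3_FLAG}:all"] == true
  end

  def min_score
    (@store[SCORE_KEY] || DEFAULT_SCORE).to_f
  end

  # Changing the threshold is a store write, not a redeploy.
  def min_score=(value)
    raise ArgumentError, "score must be within 0.0..1.0" unless (0.0..1.0).cover?(value)
    @store[SCORE_KEY] = value
  end

  # The "task to enable a default set of feature toggles" from the tips.
  def self.bootstrap(store, trusted_sites: [])
    toggles = new(store)
    trusted_sites.each { |id| toggles.enable_v3_for(id) }
    toggles
  end
end

# Picks the verification path for one submission. Both verifiers are injected
# callables so the toggle logic is unit-testable without network access.
class CaptchaGate
  def initialize(toggles, verify_v2:, verify_v3:)
    @toggles   = toggles
    @verify_v2 = verify_v2 # (v2 response) -> true/false
    @verify_v3 = verify_v3 # (v3 token)    -> score 0.0..1.0
  end

  # Returns :pass or :block.
  def check(website_id:, v2_response: nil, v3_token: nil)
    if @toggles.v3_enabled?(website_id)
      @verify_v3.call(v3_token) >= @toggles.min_score ? :pass : :block
    else
      @verify_v2.call(v2_response) ? :pass : :block
    end
  end
end
```

Keeping the threshold in the same store as the flags is what makes the "switch score on the fly" step possible; the toggle class is the only place that knows the key names, so removing the toggle later means deleting one class and the branch in `CaptchaGate`.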
19. Tips regarding ReCaptcha v3
   • Connect the ReCaptcha v3 scripts, render the inputs, generate tokens and verify them on the backend yourselves. There is a gem, but it seems the typical Rails way: magical helpers in controllers and views
   • Generate tokens for all spam-vulnerable forms and put the verification in the middleware layer
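The middleware-layer verification from the second tip, as an added example that is not the deck's code. It is written against the plain Rack interface (`call(env)` returning `[status, headers, body]`), so no gem is required to run it; the parameter name `g-recaptcha-response` is the one the ReCaptcha script submits, while the route-to-action table, the injected `verifier` callable and the `build_env` helper are assumptions made for this example.

```ruby
# Added example (not the deck's code): a Rack-style middleware that verifies
# a ReCaptcha token for every protected POST before the request reaches the
# app. The protected_paths table, verifier callable and build_env helper
# are assumptions for this example.
require "stringio"
require "uri"

class RecaptchaMiddleware
  TOKEN_PARAM = "g-recaptcha-response"

  # protected_paths: { "/contact" => "contact" } maps a POST path to the action
  #                  name the front-end used when generating the token
  # verifier:        callable (token, action) -> true when the token is acceptable
  def initialize(app, protected_paths:, verifier:)
    @app = app
    @protected_paths = protected_paths
    @verifier = verifier
  end

  def call(env)
    action = @protected_paths[env["PATH_INFO"]]
    # anything not in the table, and non-POST requests, pass straight through
    return @app.call(env) unless action && env["REQUEST_METHOD"] == "POST"

    token = form_param(env, TOKEN_PARAM)
    return reject unless token && @verifier.call(token, action)
    @app.call(env)
  end

  private

  # Reads the token out of a form-encoded body and rewinds the body so the
  # app behind the middleware can still read it.
  def form_param(env, name)
    return nil unless env["CONTENT_TYPE"].to_s.start_with?("application/x-www-form-urlencoded")
    body = env["rack.input"]
    return nil unless body
    raw = body.read
    body.rewind if body.respond_to?(:rewind)
    URI.decode_www_form(raw).to_h[name]
  rescue ArgumentError
    nil # malformed encoding counts as no token
  end

  def reject
    [422, { "content-type" => "text/plain" }, ["captcha verification failed"]]
  end
end

# Constructed Rack env for offline runs; a real server builds this itself.
def build_env(method, path, form = nil)
  env = { "REQUEST_METHOD" => method, "PATH_INFO" => path }
  if form
    env["CONTENT_TYPE"] = "application/x-www-form-urlencoded"
    env["rack.input"] = StringIO.new(URI.encode_www_form(form))
  end
  env
end

# Demo wiring: the app echoes the body it receives, and the verifier accepts
# only a constructed token of the form "good-<action>".
def demo_middleware
  app = ->(env) { [200, { "content-type" => "text/plain" }, [env["rack.input"] ? env["rack.input"].read : "ok"]] }
  verifier = ->(token, action) { token == "good-#{action}" }
  RecaptchaMiddleware.new(app, protected_paths: { "/contact" => "contact", "/signup" => "signup" }, verifier: verifier)
end

if $PROGRAM_NAME == __FILE__
  mw = demo_middleware
  puts mw.call(build_env("POST", "/contact", { "name" => "a", "g-recaptcha-response" => "good-contact" }))[0]
  puts mw.call(build_env("POST", "/contact", { "name" => "a", "g-recaptcha-response" => "good-signup" }))[0]
end
```

In production the `verifier` would wrap the siteverify call and the score threshold; keeping it injected is what lets the middleware be tested against constructed requests, and the action table is the single place that lists which forms are spam-vulnerable.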
20. Useful links
   • https://launchdarkly.com/
   • https://www.flippercloud.io/
   • https://github.com/jnunemaker/flipper
   • https://github.com/fetlife/rollout
   • https://www.youtube.com/watch?v=_1sF-fKyAJc&ab_channel=RubyRussiaclub
   • https://github.com/woarewe/how-to-become-recaptcha-v3-expert-talk
   • https://github.com/ambethia/recaptcha