SUMMARY
At present, sitekey can be abused by installing it on a third-party
site as verifying the access token returned from CAPTCHA validation
doesn't require any authentication.
This fix uses account secret authentication to verify access tokens
credits: by @gusted
SUMMARY
The test suite was spinning up way too many database connections that what's
strictly needed and so the test suite was failing with[0]:
code: "53300", message: "sorry, too many clients already"
EXPERIMENTS
Tried sharing database connection pool across all tests with
async_once[0] but faced:
- IO errors
The connections were probably getting dropped in between tests
- actix Actor errors
The actor was probably not getting initialized before a
a reference to the async_once initialized app
context(crate::data::Data) is retrieved and used
FIX
crate::tests was spinning up an App context
instance(crate::data::Data) for most utility functions, which was
unnecessarily excessive.
Each test now creates an instance of the application context at the
beginning and shared a reference with all test utility functions. So
number of database connections/app context instance = number of unit
tests.
[0]: permanently fixes#22
[1]: https://docs.rs/async_once/latest/async_once/
When user tries to visit this view without an easy configuration
available, i.e, user had created the CAPTCHA using advance view and no
TrafficPattern is available in database, the user will be automatically
redirected to the advance edit page.
But the default edit link everywhere is to the easy edit view.
broke_my_site_traffic
The above metrics are sourced from the user and are stored in the
database to reuse at a later point in time when the mCaptcha instance's
admin changes suggested configuration.
I'm not sure if I want to recompute configuration every time the admin
updates suggested configurations or give the user an option to recompute
based on latest trends. If we recompute on every update, then should the
admin choose very high difficulty_factors then it would hold back the
user's visitors, which is not nice. But there should also be an option
to rerun estimates when older configuration no longer works properly.
release:
Routes 404'd when scope contained trailing slash like so:
let scope = "/api/v1/pow/";
web::scope(scope)//
So had to rm trailing slash in scope
