[18.0][ADD] website_altcha

[etobella]

This module allows to use a Captcha System completly handled by Odoo.

It relies on Altcha, an OpenSource captcha alternative.

Currently, Odoo provides 2 options:

• Google Recaptcha relies on tracking of the user. It implies cookies
• Cloudfare Turnstile relies on signals of the browser so it is less
  RGDP problematic. However, it relies on a third party infrastructure.
  The decision is made from a probabilistic perspective (likely a human)

With this new module, everything relies on our own system with no
cookies, no tracking and no network calls.

The way to solve it is to add a deterministic puzzle to solve. Bots need
to spend more CPU, making it costly at scale.

[luisDIXMIT]

I am testing on runboat, system params are setted but I don't understand why it gives me "Verification failed. Try again later." error. I am doing it from "contact us" page on website.

[etobella]

The problem is that it requires https to work. If you change to https it should work (tested in runboat). In local there is not such a limitation when using localhost (only on localhost)

[luisDIXMIT]

The problem is that it requires https to work. If you change to https it should work (tested in runboat). In local there is not such a limitation when using localhost (only on localhost)

It works, thanks!

[luisDIXMIT]

Code review and tested on runboat, LGTM!

[etobella]

I made a major change, allowing to configure this for each website (much simpler to handle)

[hbrunn]

funny, I just came here to propose this for version 16, but as yours has seniority, I'll backport this instead when done.

Do you think the module could have an init hook that enables it for all websites? Seems a bit nonsensical for users to have to do this manually, as they'll install the module because they want to have it, right?

[hbrunn]

those two aren't included in the JS file, so I don't see how those choices can work (and expectedly selecting scrypt doesn't work on runbot). I think it's fine to remove them for version 1

[hbrunn]

Suggested change

	access_altcha_key,access_altcha_key,website_altcha.model_altcha_key,base.group_user,1,0,0,0
	access_altcha_key,access_altcha_key,website_altcha.model_altcha_key,base.group_system,1,0,0,0

as all access to this is sudo'd, no need for users to have access, right?

[hbrunn]

Suggested change

	It relies on Altcha, an OpenSource captcha alternative.
	It relies on Altcha (https://altcha.org), an OpenSource captcha alternative.

[hbrunn]

this can go to CONTEXT.md I think

[hbrunn]

see above

[hbrunn]

Suggested change

	"name": "Website Friendly Captcha",
	"name": "Privacy Friendly Captcha",

the point is that this is privacy friendly and self hosted, not friendly as in nice i think

[hbrunn]

Suggested change

	"summary": """Use Friendly Captcha for verifying users""",
	"summary": """Use self hosted privacy friendly captcha for verifying website users are not bots""",

[hbrunn]

this should start with: Go to Configuration/Website, check "Enable Altcha" under "Privacy"

[hbrunn]

ah, and they style their name ALTCHA, so I suggest to s/Altcha/ALTCHA in all user visible texts

[etobella]

@hbrunn All comments attended.

[hbrunn]

thanks, what do you think about activating this on installation though?

and I just tried to test password reset and signup on runbot, here the widget shows an error even though it works fine for the contact form. any idea what's going on there?

[hbrunn]

can you point me to where this function is used?

[etobella]

I think it comes from the first implementation. I will remove it.

[hbrunn]

@etobella this seems to be the problem, why not render here website_altcha.AltchaWidget?

[hbrunn]

btw in my version I named the controller /website_altcha/challenge to scope stuff with the module name

[hbrunn]

Suggested change

	if (this._altcha._publicKey && !this.$el.find(".altcha-widget").length) {
	if (this._altcha._publicKey && !this.$el.find(".o_altcha-widget").length) {

[etobella]

I am not confident about the pre_init change.

It might happend that your customer is already using a recaptcha system, so forcing it mitght be a problem.

[hbrunn]

fair enough, then we leave it like that. do you need this to be three commits or can it be just one?

[OCA-git-bot]

This PR has the approved label and has been created more than 5 days ago. It should therefore be ready to merge by a maintainer (or a PSC member if the concerned addon has no declared maintainer). 🤖

[etobella]

2 because there is 2 different authors 😉

[hbrunn]

thanks

/ocabot merge nobump

[OCA-git-bot]

Hey, thanks for contributing! Proceeding to merge this for you.
Prepared branch 18.0-ocabot-merge-pr-1175-by-hbrunn-bump-nobump, awaiting test results.

[OCA-git-bot]

@hbrunn The merge process could not be finalized, because command twine upload --disable-progress-bar --non-interactive --repository-url https://upload.pypi.org/legacy/ -u __token__ odoo_addon_website_altcha-18.0.1.0.0.3-py3-none-any.whl failed with output:

Uploading distributions to https://upload.pypi.org/legacy/
Uploading odoo_addon_website_altcha-18.0.1.0.0.3-py3-none-any.whl
�[33mWARNING �[0m Error during upload. Retry with the --verbose option for more details. 
�[31mERROR   �[0m HTTPError: 429 Too Many Requests from https://upload.pypi.org/legacy/  
         Too Many Requests                                                      

[etobella]

I will try tomorrow... the problem with pypi...

[tarteo]

Great, tested it locally! Only nitpicking so code LGTM!

[tarteo]

tokenName is never used.

[tarteo]

Do you mean GDPR?

[tarteo]

What is TODO here? I think it can be removed.

[hbrunn]

as you have to touch this anyways again for the typo, I added a few UI things I came across when backporting this to v16

[hbrunn]

Suggested change

placeholder="00000000-0000-0000-0000-000000000000"

[hbrunn]

Suggested change

	string="Tracking ID"
	string="HMAC secret"

[hbrunn]

Suggested change

	string="Private Key"
	string="HMAC key secret"