Possibly, and its something we've (a couple of module developers) have been working on/experimenting with for the last year...but, its probably a 3 to 6 month investment (schedule time, not calendar) and not being able to know what exactly Miva 10 will bring probably means nothing released till after 10.

Providing Miva 10 and all the stars align just, would such a module permit even novices like myself to create a simple module, or one would still need Miva script knowledge? Just curious.

It will still require mivascript, and more importantly, a decent level of understanding of the entire Miva system and API so, no. But, the main idea is to make simply modules EASIER for developers to build and distribute instead of having to try to write and explain complex SMT code.

For example, the last go round of showing products in that belong to sub-categories of a category. That would be a relatively simple modulette.

That being said, from a performance perspective, I'd use something like that tool to just assign the products to the top level category and then have that tool run daily or something.

I have another question (since this just came up) - will this work on the popup Password Lookup: modal? There is one on the LOGN screen, so would I put LOGN in the Watched Action List?

Miva Support has told the store owner to add reCaptcha to all the "forms" on her store. I'm thinking if this is the case, should Miva be providing some how-to's for this?

Hi lesliekirk - yep it should work fine, correct you would put LOGN in the watched list. Adding Google's ReCaptcha code (html, javascript etc) to the popup is done separately. I haven't tested it for LOGN but I expect it would work fine - let me know if you hit a snag though. My own plan is to eventually add it throughout sites I work on as well.

About how-to's, at first I was confused by ReCaptcha v3 but after working through it I do understand it better, so I think Google's help pages are ok as far as that goes. But it did take me a couple of reads for whatever reason

Since there's no built-in way to validate a recaptcha token on a Miva-handled action (like ICST), a how-to from Miva would be a problem. They could explain everything as far as adding the javascript etc, but once it gets to the point of validating the token, we're stuck. The how-to would have to do one (or more) of these:

• tell users to write a Miva module
• tell users to contact a 3rd party developer to write the module for them
• tell users to contact Miva's Professional Services dept (to write the module for them)

Or I suppose you could tell them to use my free module lol

Thanks Mike521w I'm stuck at in the instructions for your module.

lesliekirk Google's docs for this suggest a few ways to verify the token, one of which is to place the token in a form field. From there it will be passed to the backend system when the form is submitted. Their documentation (https://developers.google.com/recaptcha/docs/verify) suggests naming the field "g-recaptcha-response".

So when you submit the form, the backend system (in our case, the Miva module) look for that field by name. But for some reason I had a problem with that when writing the module. I think it was the dashes if I remember right - having a field name with dashes was a problem. So the module is coded to look for a field named "GoogleReCaptchaResponse" instead.

So the front end code might look something like this:

(the system wouldn't let me post the script tags like normal so I changed then to [script])

Now when the page loads, google creates a token, and sets that token as the value for the "GoogleReCaptchaResponse" field. That gets passed to Miva when the form is submitted, and the module reads it and sends it to Google for validation / score retrieval.

Hope that makes sense, let me know

Following up on this - I had to disable the module because when someone was trying to log into their account they were greeted with a blank screen. I obviously had it misconfigured. Before I even had a chance to disable the module the store owner had opened a support ticket (understandably so). In the email conversation with support I was asked why I was trying to implement reCaptcha on these submit forms and was given this recommendation:

Has anyone tried this?

Hi lesliekirk sorry for the slow response,

I just tested the Recaptcha module on the LOGN page of one of the sites I manage and it worked with no problem. Can you show some code and/or screenshots of your setup? Just be sure to block out the site key and secret key if you screenshot the admin setup.

For me the setup was:

1. add google's script:
   (asdfasdf = my ReCaptcha v3 site key)
   
   Code:

   script src="https://www.google.com/recaptcha/api.js?render=asdfasdf" /script
   	script type="text/javascript">
   	        grecaptcha.ready(function() {
   	           grecaptcha.execute( "asdfasdf", {action: 'AccountLogin'}).then(function(token) {
   	             jQuery("#LoginForm input[name='GoogleReCaptchaResponse']").val( token );
   	          });
   	       });
   	       /script

2. add the form field to the form with id LoginForm:
   
   HTML Code:

   <input type="hidden" name="GoogleReCaptchaResponse" value="">

3. In the module admin, my new settings were:
   Watched Action List: ICST,LOGN
   Tolerance Levels: 0.3,0.3

Since the watched action list and tolerance levels are comma separated, basically this means that I'm watching ICST and I want a value of 0.3, and I'm watching LOGN and I also want a value of 0.3.

I was able to log in before and after adding ReCaptcha. For argument's sake I then changed the Tolerance Level setting to 0.3,5 - which means for LOGN I want Google's score to be 5, and that basically makes it impossible to validate since Google only returns a value between 0 - 1. As expected, on my next login attempt I got a 403 error.

This was the first time I tested it with multiple actions being watched, so it looks good to me. Anyway let me know what your setup was and I'll see if anything stands out to me

About the CSRF token, I think Miva support mentioned the same thing to me when I was discussing ReCaptcha with them on the ticket I opened when I was trying to stop the fake account creation. I don't know much about CSRF, but the response from ILoveHostasaurus on this thread doesn't seem to indicate that it has much to do with validating human vs bot. In my situation it did nothing to stop the fake accounts from being created on the site I was working on at the time. To be honest, I thought at the time that the Miva support reps were just kind of hoping that the CSRF token would do something that (from what I can tell) it's not intended to do

Just want to thank Mike521w for sharing his module code and answering all the questions. I haven't installed the module but I did appreciate reading the code and learning from it.

CSRF tokens are an extra bit of validation that prevents cross site scripts from forging first party cookies. Yet, a sophisticated bot can penetrate CSRF. GoogleReCaptcha works but as you know needs to be validated on the server. Your module is the only and best solution.

I know that you have invested a lot of time in this thread and it is sometimes a thankless job -- but THANK YOU!

alphabet no problem, I'm glad it's helpful so far! : )

Just an additional thought for the thread. Cloudflare, even the $20/mo plan, allows you to create custom web application firewall rules and apply them to specific URI's. A very useful first step for sites that are being attacked with credential testing is the ability to place a javascript challenge in front of the customer login page alone; legit customers who click on it will see a 'testing your browser' screen for a few seconds then the login page will appear like normal. Most bots cannot make it past that because they don't behave like real browsers, and then real shoppers don't have to deal with the captcha hassle. You can also dial up captcha as an option, without code changes on the site side.

Also have the shadow theme and discovered 100's of weird customer accounts tonight. The name looks like parts of encryption. No address. Is the new miva 10 able to do something about this?

It would be possible to add a recaptcha to that screen; this is not a built-in feature of the account login screen, so would require adding some code to the page rather than a checkbox. Personally I'm not a big fan of that option because it could inconvenience some shoppers. The cloudflare option where you could apply the few second javascript-based browser check to your account registration URL would be preferable because there's no click here to confirm you're a human, or check which boxes contain traffic lights.

Where are we at with this? We're getting slammed with fake registrations. Is there some convenient, effective solution to stop this?