This repository was archived by the owner on Nov 28, 2020. It is now read-only.

Captcha v2 #13

Merged
merged 8 commits into from
Feb 17, 2020

rahularya50 (Collaborator) commented Feb 16, 2020

General behavior:

  • When a user opens the CATS site, the cookie user will be stored with a random 32-character string that represents that user's user_id. The user_id is used to avoid one user occupying multiple slots on the leaderboard.
  • When a user completes a match and qualifies for the leaderboard with a wpm (claimed_wpm) greater than MAX_UNVERIFIED_WPM = 90, they have to complete a Captcha in a timed manner.
  • They must complete the Captcha with a wpm of not less than CAPTCHA_SLOWDOWN_FACTOR = 0.7 times their claimed wpm, to qualify for the leaderboard. Their accuracy must be at least CAPTCHA_ACCURACY_THRESHOLD = 70 to pass the Captcha.
  • Upon success, the cookie token will be stored authenticating that (user_id, claimed_wpm) tuple, so future attempts will not require confirmation. However, they will never qualify for the leaderboard unless they beat their previous time, so this cookie isn't really necessary.

Risks:

  • A user could skip the game entirely and just try getting higher speeds using the Captchas, but hopefully the wpm and accuracy thresholds are set so that this isn't any easier.
  • A user could reset their user cookie to obtain multiple spots on the leaderboard. However, this would require them to complete the Captcha challenge multiple times, since the token stores their user_id. There's no easy way to avoid this short of using OKPy authentication, which I don't want to do since it can't be used for the SIGCSE version (and is annoying to implement).
  • Users can still trivially cheat on multiplayer matches, though it won't affect the leaderboard. I don't see any way to avoid this; hopefully this isn't as tempting a target as attacking the leaderboard.

Future improvements:

  • Just do OKPy authentication, and disable it for speedtyper.org
  • Verify that the user is in fact typing the paragraph, rather than skipping to the Captcha. A partial implementation is at Leaderboard protection #10. The issue is that this basically circumvents the project code since the server has to recompute everything, which is sorta missing the point of the project.
  • Use CSS to make it even harder to naively cheat by copying + pasting. However, users can always inspect the network requests themselves, which shouldn't be obfuscated since they pass through gui.py and are handled by student code.
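
The leaderboard check described in the comment above, sketched as an added example that is not part of the pull request or the project's code. The HMAC construction, `SERVER_KEY`, the function names, and the rule that a token covers speeds up to the verified one are assumptions; the three thresholds are the ones quoted above.

```python
import hashlib
import hmac
import secrets

# Thresholds quoted from the PR description.
MAX_UNVERIFIED_WPM = 90
CAPTCHA_SLOWDOWN_FACTOR = 0.7
CAPTCHA_ACCURACY_THRESHOLD = 70

# Assumption: a per-deployment server secret that never reaches the client.
SERVER_KEY = secrets.token_bytes(32)


def _mac(user_id, wpm_str, key):
    # user_id has a fixed length (32 characters), so "user_id|wpm" is unambiguous.
    return hmac.new(key, f"{user_id}|{wpm_str}".encode(), hashlib.sha256).hexdigest()


def passes_captcha(claimed_wpm, captcha_wpm, captcha_accuracy):
    """Captcha speed must reach 0.7 x the claimed speed, with accuracy >= 70."""
    return (captcha_wpm >= CAPTCHA_SLOWDOWN_FACTOR * claimed_wpm
            and captcha_accuracy >= CAPTCHA_ACCURACY_THRESHOLD)


def issue_token(user_id, claimed_wpm, key=SERVER_KEY):
    """Value for the token cookie, binding the (user_id, claimed_wpm) tuple."""
    wpm_str = repr(float(claimed_wpm))
    return f"{wpm_str}.{_mac(user_id, wpm_str, key)}"


def verified_wpm(token, user_id, key=SERVER_KEY):
    """Return the wpm the token authenticates for user_id, or None if invalid."""
    wpm_str, _, mac = token.rpartition(".")
    expected = _mac(user_id, wpm_str, key)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    return float(wpm_str)  # safe to parse: the MAC proves the server wrote it


def leaderboard_allowed(user_id, claimed_wpm, token=None, key=SERVER_KEY):
    """Speeds up to 90 wpm pass unverified; faster ones need a matching token."""
    if claimed_wpm <= MAX_UNVERIFIED_WPM:
        return True
    limit = verified_wpm(token, user_id, key) if token else None
    return limit is not None and claimed_wpm <= limit
```

Because the MAC covers the user_id, resetting the user cookie invalidates the token, which is why a second leaderboard slot costs a second Captcha.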

rahularya50 (Collaborator, Author) commented Feb 16, 2020

TODO:

  • Test local version
  • Use threading solution from CAPTCHA #5 to pregenerate captchas

@rahularya50 rahularya50 force-pushed the captcha-v2 branch 4 times, most recently from 27d5a1b to 7e86eb2 Compare February 16, 2020 11:36
@rahularya50 rahularya50 requested review from 18praveenb and kavigupta and removed request for 18praveenb February 16, 2020 14:43
@rahularya50 rahularya50 merged commit 0bdb6c1 into master Feb 17, 2020
@rahularya50 rahularya50 deleted the captcha-v2 branch February 17, 2020 02:51
rahularya50 added a commit that referenced this pull request Feb 17, 2020
* origin/master:
  Captcha v2 (#13)

# Conflicts:
#	package.json