@brylie
Created November 5, 2023 16:52
CodeWithBrylie-e34
(...) Hello and welcome to another live code hangout.(...) We'll be working on the Western Friend website today. You can check out the source code on github.com/WesternFriend.
(...)
So we've been working on a multi-step user registration flow where a person will register with the site, receive an email and click a link in that email to validate or verify that their email is accessible to them.
(...)
That works, that's been shipped and is now deployed on the site.
(...)
Today I'd like to work on a follow-up issue to protect the user registration form with ReCAPTCHA.
(...)
So let's see.
(...)
It's basically this issue.
(...)
I'm co-assigned with GTCoder on this issue.
(...)
They've looked at the contact form and have added ReCAPTCHA to the contact form.
(...)
So that seems to work. I think the first step I can do today is just merge their work.
(...)
And that's mine from yesterday, two-step registration.
(...)
So let's go ahead and review.
(...)
And this has been resolved. If we look at the code,(...) we can see they're using Wagtail CAPTCHA and the Django CAPTCHA plugin.
(...)
Let me double check here.
(...)
There's a CAPTCHA plugin that's maintained by Torchbox. Torchbox are the people behind Wagtail. They're managing the development process for Wagtail.
(...)
And they're the new maintainers of the Django ReCAPTCHA plugin.
(...)
So I'd like to use this. It looks as if we are.
(...)
So that's a good step.
(...)
And it may be that they have a Wagtail ReCAPTCHA so that we don't have to use an outdated plugin.
(...)
So we'll look here.
(...)
Changes to our requirements dev. We have tomli coming in now,(...) I guess from black. Now I'm thinking about switching over to ruff for this project.
(...)
And using the new ruff format. It'll be another issue.
(...)
That will just be a few, like one or a few less development requirements. But here's what I'm interested in, the requirements.
(...)
So it looks like we don't have any changes to the requirements text for the Django and Wagtail CAPTCHA plugin. So I'm not sure I have a bespoke command to generate the requirements text.
(...)
So to pull this across the line,(...) I'll go here and check out the pull request.
(...)
Here the history.
(...)
And just start the, so here's my custom and develop.py.
(...)
Start the development database.
(...)
And compile deps.
(...)
It's essentially using pip and pip-tools, just with a few friendly aliases. I may not have documented it correctly, but there's compile deps. It's essentially pip freeze, but using pip-tools. So we get a nice annotated pip requirements.txt and requirements-dev.txt.
(...)
And we'll see. Django reCAPTCHA 3,(...) which is the latest. Good. Wagtail Django reCAPTCHA 1.0,(...) which was released in 2018, I think. Where was it?
(...)
So it's older than this project.
(...)
But it is a 1.0 release. I don't know if that's significant.
(...)
But it's kind of abandoned.
(...)
But Wagtail is now at version 5, I think.
(...)
And 5.2 LTS was just released. So this is showing its age, right? They're only considering version 2. So it might be worth forking at some point or getting this under Torchbox. I think Torchbox would be good candidates for new maintainers. Nonetheless, it seems to be working. So we've added it to our main requirements and the dev requirements. So the dev requirements are all of the main requirements plus some additional dependencies.
(...)
I should keep these sorted. There's a keep sorted plugin.
(...)
Let's commit these changes.
(...)
And I'll synchronize these changes here on the pull request.(...) What I'm just trying to do is carry the pull request over the line. So it'll be complete, merged, and then I can base my work on it today, which is again focusing on the registration form using Django ReCAPTCHA.(...) The key point I wanted to clarify was, is this pull request using the latest version of Django ReCAPTCHA? If so, then we're good to go.
(...)
Seems to be the case. So now we'll just run it basically. And this NOCAPTCHA true is an interesting one. So oh, right.
(...)
Then we'll install this.
(...)
It's my own bespoke poetry. It's not even that. It's just such a minimal thing of a few command aliases. Not really at all, but I just don't remember my own command aliases. It's nothing complicated though.(...) Small Python file.
(...)
But I just got so frustrated with the overhead of poetry and py and or pip and all these things. I just want to use pip and ideally just pip.
(...)
Pip tools though was nice.
(...)
It's still having a whole additional package management layer, or like poetry having to be installed system-wide and bumping into weird situations with system conflicts, or having tools to install poetry.
(...)
pipx, or it's just a mess. I would rather just not.
(...)
So that was my solution. So we've got everything installed.
(...)
Take a quick break and we'll fix this environment variable. I'll grab some tea.
(...)
Two. One.
(...)
stuffy. Very cool.
(...)
Alright, so yeah, I need these environment variables.
(...)
And I might need some additional configuration, but let's add these environment variables. I'll do this. Let's thank you for a second. Yeah,(...) I should have set these off stream once again.
(...)
I think about this.
(...)
Yeah, so I'll just set up a reCAPTCHA key for development.
(...)
I would like to just use version 2, but it only gives me a V3 admin console.
(...)
So localhost.
(...)
And I'll set this off stream just because it's still, I'll delete it after this stream anyway, but alright.
(...)
My environment.
(...)
That should allow us to run the server.
(...)
And I've set it up for localhost, so I need to actually use localhost.
(...)
8000 and now we're going to go to the contact form.
(...)
Dang it.
(...)
Why did that... what happened there?
(...)
From address.
(...)
From address.
(...)
I don't see the changes in the model file. That's the...(...) oh...
(...)
That's coming from here. WagtailCaptchaEmailForm. Okay, okay.
(...)
Well, that's a good design. From address and to address. I don't want people to send arbitrary email from our contact form.
(...)
I don't understand the design of that. That's really strange.
(...)
Okay, so we will revert that change.
(...)
I'm not even sure what the use case would be for that.
(...)
Could be totally mistaken.
(...)
So what we're going to do is open our forms_models.py. I just wanted to add the field to our existing form. So let's see.
(...)
Interesting. Okay.
(...)
Probably just the abstract form.
(...)
But I get it. So the to_email_address is something we configure internally.
(...)
And the subject is internally. We can configure that internally.(...) And the from_email_address.
(...)
Yeah, it's adding these to the page model, not the form itself. Okay.
(...)
Interesting.
(...)
We don't have email notifications yet for the contact form.
(...)
It could be a feature we will add.
(...)
Especially if there's a low volume, low spam volume, that would make sense.
(...)
I think that would imply additional work. I'm not sure if this will by default.
(...)
It's just going to inherit from AbstractEmailForm, which is coming from...
(...)
Email form. So it looks like it's already implemented. Okay.
(...)
Huh.
(...)
I see. All right. This might be actually good.
(...)
Yeah, and it's using Django's send_mail.
(...)
All right. So I'll leave it alone.
(...)
Okay.
(...)
We can always remove this.
(...)
I was mistaken in removing the migration previously in this pull request, thinking that those fields would be added to the form that the user would fill in. But now I get the use case.
(...)
That's another good thing about being able to view the source and go and traverse the dependencies and getting all the way into Wagtail and then Django.(...) This will inherit from perhaps or emulate to Django.
(...)
Anyway, I pushed that back up. Now I run server.
(...)
We should have something to see. I'll go to localhost in the contact form and we'll get to "I'm not a robot."
(...)
Very cool.
(...)
V2. I think this is always going to return success, but I'm just seeing if I'm a robot today.
(...)
Apparently not.
(...)
All right. Now when I edit the page, we can see those fields.
(...)
Maybe not.
(...)
So yeah, but there are the submissions.
(...)
Form fields, thank you, text.(...) Ah, so that's the only other thing.
(...)
Good. I checked.
(...)
Since we have our form,(...) we now need to add those content panels.
(...)
Huh.
(...)
What is this?
(...)
Oh, yeah, nice. Submissions. Very cool.
(...)
That's what GeneraTeko counts for.
(...)
One submission.
(...)
And it doesn't include anything because there's no fields.
(...)
That's how to field group.
(...)
With from address to address and subject. Wow.
(...)
Wait.
(...)
Wagtail contrib.
(...)
All right. I've got the thing wrong.
(...)
Field group panel.
(...)
All right.
(...)
Let me just search our code.
(...)
No, it's the only place.
(...)
MultiFieldPanel.
(...)
I don't like this import star business.
(...)
I get it, but it makes it hard to trace.
(...)
MultiFieldPanel. But it comes from wagtail.admin.panels. Yeah. MultiFieldPanel. And then, sort. MultiFieldPanel.
(...)
It's easy enough to remember.
(...)
And the heading here, it's email settings. It's already there.
(...)
Okay. MultiFieldPanel.
(...)
So I have an intro.
(...)
Thank you text.(...) And email configuration fields.
(...)
Nice. Okay. So I'm going to go ahead and do that. Okay. Okay. Nice.
(...)
So adding the email settings.
(...)
I think it's the final step. And then we can improve this pull request.
(...)
Not sure what the NOCAPTCHA true is.
(...)
Where that originates.
(...)
Okay, what is NoCAPTCHA? On websites using this new API, a significant number of users will be able to securely and easily verify that they're human without actually having to solve a CAPTCHA.(...) That's cool. So they click the checkbox and it might just allow them to pass through if they've already solved it. I like that. So as a compromise, we have really been careful about adding these CAPTCHAs to our website
(...)
with the primary reason that it enables tracking, it enables a form of surveillance.
(...)
Now we're only using it on particular pages of the website, but nonetheless, every time you view or solve a CAPTCHA, firstly, Google gets some information about where you've been. But secondly,(...) those CAPTCHAs are used for other reasons than just protecting websites. Google has incentives like training machine learning models, things like that. So it's like outsourcing labor, and maybe non-consensually in a way, because you can't act, you can't, I mean, you have to consent to solving it, but it's an impediment to accessing another website in an unrelated way.
(...)
You're forced into doing a bit of labor for Google's machine learning development. So those are some of the ethical reasons that we've avoided adding CAPTCHA to the site. We are getting a lot of bot submissions though, and so we're trying to find a middle ground here. So there's no CAPTCHA, it could be a middle ground. First we minimize the amount of times that Google knows that you're visiting the Western Friend website by only using it on two pages, essentially, the contact form and the registration form.
(...)
Maybe a couple of other forms in the future, but it's pretty minimal.
(...)
And then adding the NoCAPTCHA might mean, well, you can just check a box.
(...)
So I don't know, it's not perfect,(...) but it's something we just need to move forward with a form of protection on these.(...) And I've done research and couldn't find a compelling alternative.
(...)
In Drupal, we have a math challenge plugin that just displays a simple arithmetic equation. And if you solve it correctly, you can pass through. That's a fairly non-invasive form of CAPTCHA. And it has the benefit of not enabling surveillance or training AI models.
(...)
But I couldn't find a clear equivalent or alternative to reCAPTCHA in Django that has
(...)
fairly good maintenance and other aspects that we would want when introducing a new(...) dependency into our project.
(...)
So that's a brief aside on the nuances of choosing CAPTCHA on the Western Friend website. And we might revisit this discussion later.(...) But in the meantime, we really want to curtail spam bot registrations and form submissions(...) so that the editor is not inundated with these because they're actually pretty meaningful
(...)
in our community.
(...)
All right.
(...)
I think this is ready to merge. What do you think?
(...)
So we'll go and merge.
(...)
Very cool.
(...)
All right. There are some conflicts.
(...)
I'm going to resolve these.
(...)
For example,(...) we use all of these.
(...)
So that's an easy one.
(...)
How many did I say? Just one? Or one conflict? All right.
(...)
The mark is resolved.
(...)
Now the dependencies,(...) we are using those.
(...)
And I think this is the key sorted.
(...)
We're using all of these.
(...)
Yep. Resolve. Now what do I do?
(...)
Once I resolve and commit merge. Now why wasn't that invisible on the...
(...)
Look at this. Way off the side. GitHub GUI leaves something to be desired in a lot of cases.
(...)
I suppose it needs sufficiently complicated or complex software like Jira or GitHub.
(...)
It's going to leave something to be desired.
(...)
There are trade-offs in the accretion of features and conflicts of those features.
(...)
The thoughts.
(...)
All right. We will merge.
(...)
Now this test is going to fail. I think the next thing I'm going to do is a small thing.
(...)
Is remove our migration code. I'm a bit hesitant here. We just migrated the site we just launched. And in the back of my mind, you don't get worried that something didn't come over correctly or I mean, we've vetted it and we've looked and audited content and found omissions.
(...)
This is basically a side project so it's fairly easy to overlook something significant.
(...)
But I do have this site to remove the migration scripts and code.
(...)
An issue here. And I think if I just do it, I can undo it. I'll have the pull request and the git revision history.
(...)
So I can always go back and revert the change and restore the migration scripts and code.
(...)
I think I'll do it today to make our code base smaller, much smaller, and increase our test coverage, because there was I think 60 or 80% test coverage in the migration scripts due to the nature of those being temporary and fairly complicated.(...) I didn't invest a whole lot of time in writing test coverage, but I did try to get like a minimal amount of automated test coverage. So maybe we'll come back, I'll take a short break, come back and do this in the following pull request and work on the user registration reCAPTCHA support.
(...)
So we'll go ahead and merge this now.
(...)
And whoops, what did it do?
(...)
That for GT.
(...)
They did code in security, security related code.
(...)
Very cool. Now we use all-contributors here to help and recognize many forms of contribution, including code, which is the primary means of contribution that gets recognized most typically in software projects. But we know that there's a lot of ways people contribute, including marketing, documentation, outreach, bug reports, community development. Just a ton of ways that people can come to a project and contribute their skills and time. And we want to make sure that those are visible as well.
(...)
So that's what this all-contributors does: it helps us maintain a list of the people that have contributed in various ways. Now this was a security code contribution, but there are a ton of others that we've tried to acknowledge. So I'll just approve this.
(...)
Merge this.
(...)
Check out the main branch.
(...)
So I have it fresh when I start working while it's fresh in my mind. And we'll just take a quick look at our all contributors section and I'll sign off.
(...)
So these are the people who have contributed to the project so far in various ways. A lot of code contributors but also some help with testing,(...) security, bug reports, documentation.
(...)
Those are the primary ways that people have been able to contribute so far to Western Friend.
(...)
I should add that Mary Klein, the editor of Western Friend, has actually contributed in a number of ways as well, but she's not listed here. I should have been, I should fix that.
(...)
So yeah, if you'd like to help contribute to the project as well, we've got a lot of open issues that are labeled as good first issue. We've got about 45 of those. These are lightweight issues that can probably be done typically in 10 or 15 minutes.
(...)
They might even just be seeing if we've missed some docstrings or fixing lines that are too long.(...) So you can stop by github.com/WesternFriend/WF-website and we'll be sure to include and acknowledge your contribution in our all-contributors section of the README.
(...)
It'll also show on your GitHub and potentially other places like your CV or LinkedIn; you could say you've made contributions to this project.(...) Okay, well, that's been another live code hangout. I hope you're doing well and have a great day.