User Registration BUG

  • Posts: 461
  • Thank you received: 36
1 year 9 months ago #349344

-- HikaShop version -- : 4.7.0
-- Joomla version -- : 3.10.11
-- PHP version -- : 7.4.33
-- Browser(s) name and version -- : Chrome

Hi guys,
I'm having back unwanted Registered Users that, maybe, they are using the HikaShop Registration door. Let me recap with some considerations:
A - This "Registration" type happened the first time on 25 August 2022 (then in December and in February again)
B - Why I am sure Registrant are using a "door" ? Because on this site I added a small custom JS (through Helix Ultimate 2.0.11 template > Custom Code > Custom Javascript) to copy the Email into the Username and I hided the Username field. So, normal Users are sing the Email (as username) while all these Registered Users are using a "Username".
C - Why I'm speaking about "unwanted users" ? Because on 25th August 2022 I had just 4 registrations of this type (username is not an email), in February 2023 just 1, but in December I had a massive several Registrations, something like 300 Users in few hours. So, we can say malicious intentions.
D - Why I'm thinking they are using an HikaShop door ? Because I'm using AcyMailing 7.x and I creating the Subscribers during the Registration AcyMailing is saving the "#_acym_user > source". All those Users, only those have "hikashop" as source.
E - On that site I'm still not using HikaShop, I have no any Product page, any Checkout process etc.
F - AcyMailing > Configuration > Subscription > HikaShop integration > Display a subscribe option on HikaShop checkout: enableb
and on AcyMailing 7.9.3 - 8th August changelog I can read: [HikaShop] Fixed a case where the user wasn't created on AcyMailing side when he was subscribing by the HikaShop checkout
G - HikaShop - on last releases changelogs I can read several changes about Registration, like: "...We've added a patch to postpone the user synchronization during the HikaShop registration so that it is done by the registration process, and not the user synchronization plugin, and thus includes the custom user field data when triggering the onAfterUserCreate event..."

Now, on that site I'm finalizing the moving to last Joomla 4.2.8 and some bug fixings to last PHP 8.1.x

Meanwhile, before to going on, I want be sure I'm not forgiving any HikaSHop configuration. I want to press Users to Register (through standard Joomla Registration) and to Login, in first of all, before to add something to the Cart. So:

1 - HikaShop > System > Configuration > Checkout > Checkout Workflow: I have to the delete all the Login views, Right ?

2 - HikaShop > System > Configuration > Checkout > Login & Registration: I add an image for you - What are the right settings ? Am I forgiving anything else ?

3 - HikaShop > System > Configuration > Checkout > Login & Registration: Registration - (Maybe there is something not good in the description and I'm not sure I understood) What is it exactly ? Is it affecting ?

Attachments:
Last edit: 1 year 9 months ago by joomleb.

Please Log in or Create an account to join the conversation.

  • Posts: 82863
  • Thank you received: 13372
  • MODERATOR
1 year 9 months ago #349347

Hi,

It's not a "door". They are just using the normal HikaShop registration form page. You can access it with this URL if you're not logged on your website : index.php?option=com_hikashop&ctrl=user&task=form

HikaShop has 2 registration forms:
- one on the checkout, displayed by the "login" view. If you remove the "login" view from the checkout workflow, it will indeed prevent the registrations from the checkout.
- one on the HikaShop registration form page. This page is accessible regardless of what you do. There is no option to deactivate it. What you can do is set the "registration" setting of HikaShop to "guest". That way, the registration form page won't allow registration, only guest mode.
Without the registration form of the checkout, and with the registration form page set to "guest", it will prevent registrations from HikaShop.

Please Log in or Create an account to join the conversation.

  • Posts: 461
  • Thank you received: 36
1 year 8 months ago #349579

Hi Nicolas,
- HikaShop > System > Configuration > Checkout > Checkout Workflow: no Login view
- HikaShop > System > Configuration > Checkout > Login & Registration: Registration: Guest
Anyway, if I manually go to the URL …/index.php?option=com_hikashop&ctrl=user&task=form Registration Form page is still available and I can access it, there should be a way to deactivate/shutdown the HikaShop Registration Form. Please, Do you have an HikaShop internal setting for it ?

Meanwhile, still on PHP 7.4.33 & Joomla 3.10.11, began another massive Registration process, 1 new User Registration each few minutes. So, I did some tests:

1 - I disabled HikaShop component and all its plugins, modules.
After approximately 1 hour the massive registration started again and the “acym table > source column” changed from “hikashop” to “joomla”.

2 - User Manage > Options > User Options > CAPTCHA: from Invisible to reCAPTCHA.
After a few minutes of hesitation (15/30) the process continued.

3 - I manually hacked the file …/components/com_users/models/forms/registration.xml line 23 with Username field type="email". Does not matter, as above, after a few minutes of hesitation the process was able to continue, to "avoid" xml file setting configuration.

Notes:
- It was able to activate and enable one User that never logged in.
- All IPs seem to be from PJSC MegaFon, Moscow, Russia
cleantalk.org/whois/31.173.81.5
cleantalk.org/whois/178.176.72.103

4 - User Manage > Options > User Options > Allow User Registration: Yes > No
The massive Registration process stopped (after 154 User Registrations and 31 hours…)

Please, Do you have any suggestions ? Is there anything I can do to identify the origin of this process ?
Is there any tool I can use to catch it ?

Please Log in or Create an account to join the conversation.

  • Posts: 82863
  • Thank you received: 13372
  • MODERATOR
1 year 8 months ago #349584

Hi,

0.

if I manually go to the URL …/index.php?option=com_hikashop&ctrl=user&task=form Registration Form page is still available and I can access it
I don't see how that's possible. It is normal that the page will still display. However, you should only see the "email" field and address fields on that page, and if you try to use the form, it will add you as a guest, and won't create a Joomla user account. So it is not anymore a registration form but a guest form.

1. This seems to indicate that the problem is not with HikaShop but just that AcyMailing wrongly interpret the registration as coming from HikaShop when HikaShop is enabled. Otherwise, if the problem was with HikaShop's registration, turning off HikaShop would stop these unwanted registrations.

2. Captcha can be easily circumvented by bots nowadays.

3. Having access to the form or not doesn't guarantee anything. The bots can directly submit the registration request without having to access the form as long as the registration is allowed.

4. This is the main swtich of Joomla to allow or disallow registrations on the whole website ( and HikaShop also abids to it), so it's normal this works.

5. I would rather recommend using other registration spam protection systems like:
www.aimy-extensions.com/joomla/captcha-less-form-guard.html
www.vi-solutions.de/en/joomla-plugin-plgspambotcheck
These use blacklist providers and honeypots to prevent registrations without changing anything for normal users.

Alternatively, or in combination, if all your spam comes from Russia and you don't have normal users in this country (because you don't ship there for example), you can use the geolocation plugin in HikaShop Business to block access to the whole website for Russia IP addresses.

Please Log in or Create an account to join the conversation.

  • Posts: 461
  • Thank you received: 36
1 year 2 months ago #354702

Hi Nicolas,
I'm back here after tests with PHP 7.4.33 + Joomla 4.3.4 + HikaShop 4.7.5.

I don't want to be added as a Guest and I don't want to use the HikaShop Registration form. I just want to push users to register through our standard Joomla Registration page (that is a must have on Joomla) and to Login with the standard Joomla Login page/module to permit them to buy in HikaShop. Just it.

So,
- HikaShop > System > Configuration > Checkout > Checkout Workflow: no Login view
- HikaShop > System > Configuration > Checkout > Login & Registration - Login: No
- HikaShop > System > Configuration > Checkout > Login & Registration - Registration: Registration

Now, the HikaShop Registration form menu item is disabled and if I click on the HikaShop User Control Panel menu item in the frontend I'm redirected to the Joomla Login page, perfect.

But, If I manually attach to the Shopping URL …/index.php?option=com_hikashop&ctrl=user&task=form OR ?option=com_hikashop&ctrl=user&task=form the HikaShop Registration Form page is shown.
Not only, attaching the …/?option=com_hikashop&ctrl=user&task=form to each site URL pages the form is shown !!! While adding …/index.php?option=com_hikashop&ctrl=user&task=form a 404 Error page is shown.
This is really a bad thing. As a temporally solution I can use Admin Tools > Redirection from …?option=com_hikashop&ctrl=user&task=form to the Joomla Registration menu item page.

In my opinion a simple
- HikaShop > System > Configuration > Checkout > Login & Registration - Registration: Joomla Registration menu item option (to select the created Joomla standard Registration menu item where to run the redirections) is a missing here.

Do you agree?

Please Log in or Create an account to join the conversation.

  • Posts: 82863
  • Thank you received: 13372
  • MODERATOR
1 year 2 months ago #354707

Hi,

I understand where you're coming from, but I don't agree that we need to add an option for this.

Why are you doing this ?
If you're doing this because you want your normal users to go through the normal joomla registration form, this option is not necessary. If you only have a registration link to the joomla registration page, your users will use that page, even if they can potentially access the HikaShop registration page if they know the URL trick to access it.
If you're doing this because you want to prevent spam bots from registering through HikaShop's registration, this won't help either.
What you're doing is redirecting the registration form display. But a bot can still send the registration HTTP request to the controller even if the form page itself can't be displayed. So what you did won't change anything for spam registration, supposing your spam registrations come from the fact the registration form of HikaShop is available. That's what I was saying in my point 3 of the previous message, and that's why I recommended point 5.

Please Log in or Create an account to join the conversation.

  • Posts: 461
  • Thank you received: 36
1 year 2 months ago #354727

Hi Nicolas,
Why are you doing this ?

A - If you're doing this because you want your normal users to go through the normal joomla registration form:

"...your users will use that page, even if they can potentially access the HikaShop registration page…" = Maybe we have 2 different Users experience, here in HikaShop your users at least are people that "build" sites, our users are "normal" people, "normal" internet users and, believe me, if they can do something on the contrary / in a reverse way they will do it, they don't know how, but sure they will do it.

B - If you're doing this because you want to prevent spam bots from registering through HikaShop's registration:

3 - We are agree. This is why I asked you a way to shut down totally the HikaShop Registration form (and in my case to use just the Joomla one). There should be a way to do it. It is not a good thing that to exclude it I have to activate the Guest mode (that I don't want).

5 - Yes, thank you to your suggestion we applied the Captcha-less-form-guard by Aimy (the best one in our opinion). But, be careful, while I can apply it to the Joomla standard Registration page, I'm not able to show/apply it to the HikaShop Registration form. Please, What am I missing?

PS - About the Spam issue I described in this topic, we deeply studied it and:
I made a detailed feature request to Aimy for an AcyChecker integration that should be implemented on next releases
I made an enhanced Joomla Registration workflow suggestion to some developers that work on security issues (I'm waiting their reply), I will move it directly to the Joomla team…

Please Log in or Create an account to join the conversation.

  • Posts: 82863
  • Thank you received: 13372
  • MODERATOR
1 year 2 months ago #354731

Hi,

A. If you don't have any links to the HikaShop registration page, your users won't be able to access it.
And if you don't want them to access it, there are already two ways to do it:
- you can add a redirection in htaccess or with AdminTools
- you can add a

<?php return; ?>
at the beginning of the view file user / form to prevent the display of the registration form. Or you can add a
<?php JFactory::getApplication()->redirect('xxx'); ?>
where xxx is the URL of your Joomla registration form to redirect there.

3. If you set the "registration" setting to "guest" then already, bots won't be able to register through HikaShop.
As I said, I understand what you're saying, but the vast majority of merchants using HikaShop do want their users to be able to register through HikaShop. And there are many settings already in HikaShop. Adding yet another setting for something almost no one wants to do, while it's actually quite easy to do with the guest mode and a redirect or small view override, doesn't seem justified to me.

5. I read more information on their page and they say

Aimy Captcha-Less Form Guard implements the Joomla! Captcha interface. Therefore all extensions that support to make use of Joomla! captcha plugins can be protected by this plugin

We didn't implement the Joomla! Captcha interface in HikaShop. So that extension won't work with the HikaShop registration form.
The other extension I had recommended however uses the users events of Joomla and this will work with HikaShop's registration form. I thought it would actually be the case for other plugins too. I didn't thought that Aimy's plugin would rely on something else.

Please Log in or Create an account to join the conversation.

  • Posts: 461
  • Thank you received: 36
1 year 2 months ago #354750

Hi Nicolas,
Thank you very much for your suggestions.

A - As far as I understand the best/simple way is to add an htaccess rule. (Admin Tools Redirects cannot be used because it cannot run with "all the URLs that contain..."). To cover both, the index.php / not index.php, cases and thinking that my Joomla registration page where to redirect is mysite.com/registracion , the rule should be something like:

RewriteCond %{REQUEST_URI}  ?option=com_hikashop&ctrl=user&task=form
RewriteRule .* registracion
Am I right ?

B - So,
- HikaShop > System > Configuration > Checkout > Login & Registration - Registration: Guest

3 - "...Adding yet another setting for something almost no one wants to do, while it's actually quite easy to do with the guest mode and a redirect or small view override, doesn't seem justified to me..." = I'm totally agree with you, but this for me is one of the typical examples where the "old habits" with the "old code" (J2 and J3) drags on the "new way of doing" (J4). From my point of view what I'm underlying is a way "to simplify" HikaShop.
A smoother integration with J4 could be to rethink (for next releases) on how you managed the things till today.
The - HikaShop > System > Configuration > Checkout > Login & Registration - Registration: Registration (just one option) should point to the standard Joomla Registration page and all the customisations needs of your customers should be managed through an HikaShop Joomla User custom plugin .

5 - "...Aimy Captcha-Less Form Guard implements the Joomla! Captcha interface...." = Yes, the perfect Joomla integration is the principal reason why we choose Aimy Captcha

Last edit: 1 year 2 months ago by joomleb.

Please Log in or Create an account to join the conversation.

  • Posts: 82863
  • Thank you received: 13372
  • MODERATOR
1 year 2 months ago #354760

Hi,

A. I'm not familiar with htaccess rules. I looks ok to me but it might be wrong.

3. That's a good proposition, yes. Redirecting to the Joomla registration form and integrating with Joomla to inject the HikaShop custom user fields and custom address fields would be great. That's something we can put on our todo list for a future improvement.

Please Log in or Create an account to join the conversation.

  • Posts: 461
  • Thank you received: 36
1 year 2 months ago #354803

Hi Nicolas,

A - Thank you

3 - I'm really too happy to read it because:
- The settings will be simpler, just the Register / Guest option
- Less Developer maintaining energies
- The Captcha will be "automatically integrated"
- Also the "HikaShop user synchronization plugin", being a "System" plugin, could be "deprecated" and it's features added to the new User plugin
- We'll can offer a simpler Registration / Profile experience to our users, as asked by the GDPR EU rules
- We'll can manage the HikaShop fields order on those pages by using the standard Joomla reordering feature
- As detailed here I hope you will include in the first release the HikaShop Addresses view (at leas as an initially "view mode")
- I hope you can wrap up the HikaMarket team to do the same User plugin for the Vendor page

I'm going to send you a test site example and I remain available

This message contains confidential information

Last edit: 1 year 2 months ago by joomleb.
The following user(s) said Thank You: nicolas

Please Log in or Create an account to join the conversation.

  • Posts: 461
  • Thank you received: 36
11 months 3 weeks ago #357097

nicolas wrote: 3. That's a good proposition, yes. Redirecting to the Joomla registration form and integrating with Joomla to inject the HikaShop custom user fields and custom address fields would be great. That's something we can put on our todo list for a future improvement.


Hi Nicolas,
(to organize our internal work) Please, Can you give us some more information on when (more or less) it can be added?

Please Log in or Create an account to join the conversation.

  • Posts: 82863
  • Thank you received: 13372
  • MODERATOR
11 months 3 weeks ago #357099

Hi,

We didn't start work on this yet and it's not a priority on our end so that's something for the long term.

Please Log in or Create an account to join the conversation.

  • Posts: 461
  • Thank you received: 36
2 months 2 weeks ago #363055

Hi Nicolás,
Please, Do you have any news about this improvement feature roadmap ?
When can it be expected to be released?

Please Log in or Create an account to join the conversation.

  • Posts: 82863
  • Thank you received: 13372
  • MODERATOR
2 months 1 week ago #363069

Hi,

First, I want to go back to what you said before:

This is why I asked you a way to shut down totally the HikaShop Registration form (and in my case to use just the Joomla one). There should be a way to do it. It is not a good thing that to exclude it I have to activate the Guest mode (that I don't want).

Note that HikaShop already has an option "Override registration" under the "Login" view of the checkout workflow so that you can point the user to another registration form page during the checkout.
That way, you can activate the guest mode, so that registration won't be possible via the registration form of HikaShop, if a bot tries, and redirect your users to the normal registration form page you're using.

The User synchronization plugin of HikaShop also has an option to be able to display the custom user fields on the profile edit form, if necessary.

Now, I looked into adding the custom user and address fields of HikaShop to the registration form page of Joomla 3 months ago. I spent 2 whole days trying to do it. However, I couldn't find a way to do it, so I was not able to do it.
Since I don't have a way to do it as far as I know, it is on hold for now.

Please Log in or Create an account to join the conversation.

Time to create page: 0.065 seconds
Powered by Kunena Forum