Matthew Wilkes• Zope / Plone core developer.• Performance and Security work at the Code Distillery• WSGI/Whisky snob.• Developed large applications using WSGI.• Co-author of Zope’s WSGI support.
WSGI apps• Just an API for handling HTTP requests.• Used by:• Pyramid• Zope• CherryPy• Web2Py• … most people
Python specific• “Middlewares are easier to write than normal libraries”• Cannot assume that you won’t want to use it on a PHP app in future• Proxies allow heterogeneous applications to be composed• Being language agnostic doesn’t mean you will have to write Perl code (it helps you avoid it)
A waste of time• Simple modifications work best as middlewares• But, simple modifications are easy in your framework• “I should just fix it in place”• “This wouldn’t be useful to other people, so I’ll leave it in the customer project”• You’ll likely make another website sometime soon (and want the same fix there)
Great libraries• WebOb makes requests easy to deal with.• The wsgiref WSGI web server is in the Standard Library• Lots of other server frontends to select for production• Paste’s Transparent Proxy lets you test the middleware on any website• lxml makes managing HTML easy• PasteDeploy provides .ini app composition
CAPTCHAs• Many ways to do them in Plone• Archetypes, formlib, z3c.form, custom view, plone.app.discussion, PloneFormGen, …• Some code reuse• Not enough• So, middleware?
CAPTCHAs• If we’re building a new application we have the most ﬂexibility.• We want a boolean, isHuman.• Simplest CAPTCHA possible is a checkbox. (Hey! No lying, Spambots!)• So, add that with your favourite form library.
CAPTCHAs• Not a very effective CAPTCHA.• But many historical CAPTCHAs are now unusable too, as the enemy keeps getting better.• So decouple the logic of ‘test for human’ from the method used to test it.• Use a WSGI middleware to rewrite the form.
The code• The middleware finds the isHuman checkboxes in the application’s responses as they are served.• A CAPTCHA is generated for each one and its image inserted in place of the checkbox.• The valid responses are stored in memory.• Inbound requests are checked against the stored response; a correct answer emulates ticking the checkbox before the request reaches the application.
CAPTCHAs• A small Python class will now work on any web-app backend.• If you happen to have another application that also outputs the checkboxes, this will slot right in front• But… you don’t really want to be adding checkboxes to the legacy apps.• So, middleware?
The code• The middleware detects <form>s in responses as they are served.• The checkbox is inserted into each form.• Inbound requests are checked for the checkbox being selected.• If not, redirect back to the form with the submitted data in GET.• Otherwise, remove the checkbox value and POST the rest on to the application.
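The two ‘The code’ slides above describe one middleware each: the first swaps an isHuman checkbox for a CAPTCHA and verifies the answer, the second adds the checkbox to a legacy application’s forms. The following is an added example, not code from the talk or from any Zope/Plone package, that implements both and stacks them in front of a constructed legacy comment form. It assumes the field names isHuman, captcha_token and captcha_answer, uses regular expressions instead of the lxml the slides recommend so that it runs with the standard library alone, stands in for image generation with an arithmetic question, and keeps the in-memory store as a plain dict. Two checks the slides leave implicit are spelled out: the CAPTCHA middleware drops any isHuman value the client sends itself (otherwise posting isHuman=yes directly would bypass the test), and each stored answer is removed when it is used, so a solved challenge cannot be replayed.

```python
import io, re, secrets
from urllib.parse import parse_qs, urlencode

CHECKBOX_NAME = "isHuman"  # the boolean the application actually wants
CHECKBOX_HTML = f'<label>I am human <input type="checkbox" name="{CHECKBOX_NAME}" value="yes"></label>'
FORM_OPEN = re.compile(r"<form\b[^>]*>", re.I)
CHECKBOX = re.compile(rf'<input\b[^>]*name="{CHECKBOX_NAME}"[^>]*>', re.I)

def _call(app, environ):
    """Run the next WSGI app and capture (status, headers, body) so the response can be rewritten."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body

def _read_form(environ):  # urlencoded POST body -> {name: [values]}
    raw = environ["wsgi.input"].read(int(environ.get("CONTENT_LENGTH") or 0))
    return parse_qs(raw.decode("utf-8"), keep_blank_values=True)

def _replace_form(environ, fields):  # re-encode (modified) fields as the body the next app reads
    raw = urlencode(fields, doseq=True).encode("utf-8")
    environ["wsgi.input"], environ["CONTENT_LENGTH"] = io.BytesIO(raw), str(len(raw))

def _respond(start_response, status, headers, body):
    headers = [(k, v) for k, v in headers if k.lower() != "content-length"]
    start_response(status, headers + [("Content-Length", str(len(body)))])
    return [body]

class CheckboxMiddleware:
    """Second 'The code' slide: add the checkbox to every <form> of a legacy app; require it on POST."""
    def __init__(self, app):
        self.app = app
    def __call__(self, environ, start_response):
        if environ["REQUEST_METHOD"] == "POST":
            fields = _read_form(environ)
            if fields.pop(CHECKBOX_NAME, None) != ["yes"]:
                # Not ticked: back to the form with the data in the query string. Caveat: query
                # strings end up in server logs and Referer headers, so never do this for secrets.
                location = environ.get("PATH_INFO", "/") + "?" + urlencode(fields, doseq=True)
                return _respond(start_response, "303 See Other", [("Location", location)], b"")
            _replace_form(environ, fields)  # ticked: strip the box and POST the rest on
        status, headers, body = _call(self.app, environ)
        if "text/html" in dict(headers).get("Content-Type", ""):
            body = FORM_OPEN.sub(lambda m: m.group(0) + CHECKBOX_HTML, body.decode("utf-8")).encode("utf-8")
        return _respond(start_response, status, headers, body)

class CaptchaMiddleware:
    """First 'The code' slide: swap each checkbox for a challenge, keep answers in memory, verify on POST."""
    def __init__(self, app):
        self.app = app
        self.pending = {}  # token -> answer; per process, as on the slide, so lost on restart
    def __call__(self, environ, start_response):
        if environ["REQUEST_METHOD"] == "POST":
            fields = _read_form(environ)
            token = fields.pop("captcha_token", [""])[0]
            answer = fields.pop("captcha_answer", [""])[0].strip()
            expected = self.pending.pop(token, None)  # pop: each challenge is valid once (no replay)
            fields.pop(CHECKBOX_NAME, None)  # a client-supplied isHuman must never reach the app
            if expected is not None and secrets.compare_digest(answer.encode(), expected.encode()):
                fields[CHECKBOX_NAME] = ["yes"]  # emulate ticking the box for the app behind us
            _replace_form(environ, fields)
        status, headers, body = _call(self.app, environ)
        if "text/html" in dict(headers).get("Content-Type", ""):
            body = CHECKBOX.sub(self._challenge_html, body.decode("utf-8")).encode("utf-8")
        return _respond(start_response, status, headers, body)
    def _challenge_html(self, match):
        # Stand-in for generating an image (an assumption): a small arithmetic question.
        a, b = secrets.randbelow(9) + 1, secrets.randbelow(9) + 1
        token = secrets.token_urlsafe(16)
        self.pending[token] = str(a + b)
        return (f'<input type="hidden" name="captcha_token" value="{token}">'
                f'<span>What is {a} + {b}? <input name="captcha_answer"></span>')

def legacy_app(environ, start_response):  # constructed backend that knows nothing about CAPTCHAs
    body = (f"<p>Posted: {sorted(_read_form(environ).items())}</p>" if environ["REQUEST_METHOD"] == "POST"
            else '<form method="post" action="/comment"><textarea name="text"></textarea><button>Send</button></form>')
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body.encode("utf-8")]

def request(app, method, path, fields=None):  # drive a WSGI app in-process, no server needed
    raw = urlencode(fields or {}, doseq=True).encode("utf-8")
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "wsgi.input": io.BytesIO(raw), "CONTENT_LENGTH": str(len(raw))}
    out = {}
    body = b"".join(app(environ, lambda s, h, e=None: out.update(status=s, headers=dict(h))))
    return out["status"], out["headers"], body.decode("utf-8")

stack = CaptchaMiddleware(CheckboxMiddleware(legacy_app))  # checkbox added on the way out, then swapped for a challenge

def demo():  # walk the flow once and return what each step produced
    _, _, page = request(stack, "GET", "/comment")
    token = re.search(r'name="captcha_token" value="([^"]+)"', page).group(1)
    a, b = map(int, re.search(r"What is (\d+) \+ (\d+)\?", page).groups())
    solved = {"text": "hi", "captcha_token": token, "captcha_answer": str(a + b)}
    return {"checkbox_in_page": 'type="checkbox"' in page,
            "forged": request(stack, "POST", "/comment", {"text": "hi", CHECKBOX_NAME: "yes"})[0],
            "good": request(stack, "POST", "/comment", solved),
            "replay": request(stack, "POST", "/comment", solved)[0]}
```

Calling demo() walks the whole exchange in-process: the rendered form carries a challenge instead of a checkbox, a request that forges isHuman=yes without solving it is redirected, the solved request reaches the legacy application with the checkbox value already stripped by the checkbox middleware, and re-sending the same solved token is redirected again. Because the answers live in a per-process dict, as on the slide, they are lost on restart and not shared between worker processes; a deployment with several workers needs a shared store with expiry.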
Maybe.• Performance cost is very low.• Decide on what will save you the most development time in the long term.• The middleware needs more initial effort• But all your deployments that use it can do so without the ‘upgrade the customer site to the latest trunk’ tax that stops you right now.• And it can be open sourced, so others will help you add features.