I filed a report at https://hackerone.com/reports/856316 and got told to contact support who then told me to post here since these matters are not covered by support.
The issue: Blog comments can be spammed for fun and profit from anywhere able to produce an HTTP POST request (Postman, terminal, console, other websites, servers, etc.). It is too easy for a bot to do the same. Simply POST to blog_article_url/comments from wherever you please with the correct form data (which can be scraped).
My problem: I am trying to implement ReCaptchaV3 (the more modern and invisible one, not the "I'm not a robot checkbox", https://developers.google.com/recaptcha/docs/v3) to minimise spam on blog posts. At the moment it is pointless since it can be bypassed by posting to the comment form URL directly.
I am aware of Disqus and that it has been the common support response through the years in regards to blog commenting issues on the Shopify forums. Am hoping to find a better and more lean solution.
Is there any way I can lock down the commenting endpoint a bit? Or do I have to write an app that fully removes and substitutes the commenting form and posts via the API? Are there any options that I am missing?
Thank you in advance and best regards,
I have partially solved the above problem by developing an app and figured why not publish it. If you have the same problems as me please try it out and feel free to give me any feedback and/or improvement suggestions: https://apps.shopify.com/recaptcha-spambuster
The problem is solved by:
1. Seamlessly installing reCAPTCHA v3 on the blog article comment form
2. Regularly marking any comments that were not posted through the comment form as spam
The app then allows a comment moderation workflow where you simply approve the comments marked for pending approval and ignore the comments marked as spam. You can add a filter to only show comments that are pending approval, making the moderation process much faster, especially if your site is being targeted a lot by spam.
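For anyone wiring this up themselves, here is an added example of the server-side half of the reCAPTCHA v3 check that both posts above rely on: it verifies the token with Google's siteverify endpoint and then buckets each posted comment into "pending" (passed, needs approval) or "spam" (no token, replayed token, wrong action/hostname, or low score). This is illustration code written for this thread, not code from the Shopify platform or from the Spambuster app; the field name g-recaptcha-response, the action name "comment", the hostname example.myshopify.com, the 0.5 score threshold and the canned siteverify responses are all assumptions/constructed test data. The real siteverify call only needs the secret key, the token and optionally the client IP; the response shape (success, score, action, hostname, error-codes) is documented at https://developers.google.com/recaptcha/docs/v3.

```python
"""Server-side reCAPTCHA v3 verification and comment triage (added example)."""
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


@dataclass
class Verdict:
    accept: bool
    reason: str
    score: Optional[float] = None


def _http_siteverify(params: Dict[str, str]) -> dict:
    """Real transport: POST the token to Google's siteverify endpoint (needs network)."""
    data = urllib.parse.urlencode(params).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=data, timeout=10) as resp:
        return json.load(resp)


def verify_recaptcha_v3(token: str, secret: str, expected_action: str,
                        expected_hostname: str, min_score: float = 0.5,
                        remote_ip: Optional[str] = None,
                        transport: Optional[Callable[[Dict[str, str]], dict]] = None) -> Verdict:
    """Verify one v3 token. Every check here must run on the server: the secret key
    never goes into the theme, and a client can forge anything it sends us."""
    if not token:
        return Verdict(False, "no token: request did not come through the form")
    params = {"secret": secret, "response": token}
    if remote_ip:
        params["remoteip"] = remote_ip
    resp = (transport or _http_siteverify)(params)
    if not resp.get("success"):
        # Google rejects expired or already-verified tokens with timeout-or-duplicate,
        # which is what a replayed token scraped from a real form submission produces.
        return Verdict(False, "siteverify rejected: " + ",".join(resp.get("error-codes", [])))
    if resp.get("action") != expected_action:
        return Verdict(False, f"action mismatch: {resp.get('action')!r}")
    if resp.get("hostname") != expected_hostname:
        return Verdict(False, f"token minted on another site: {resp.get('hostname')!r}")
    score = float(resp.get("score", 0.0))
    if score < min_score:
        return Verdict(False, f"score {score} below threshold {min_score}", score)
    return Verdict(True, "ok", score)


def triage_comment(form: Dict[str, str], transport=None, secret: str = "SECRET_KEY_PLACEHOLDER") -> str:
    """Bucket one posted comment: 'pending' for human approval, otherwise 'spam'.
    The action/hostname values are assumptions for this example."""
    verdict = verify_recaptcha_v3(form.get("g-recaptcha-response", ""), secret,
                                  expected_action="comment",
                                  expected_hostname="example.myshopify.com",
                                  transport=transport)
    return "pending" if verdict.accept else "spam"


# --- Constructed sample data; these are NOT real Google responses or real tokens ---
FAKE_SITEVERIFY = {
    "tok-human":        {"success": True, "score": 0.9, "action": "comment", "hostname": "example.myshopify.com"},
    "tok-lowscore":     {"success": True, "score": 0.1, "action": "comment", "hostname": "example.myshopify.com"},
    "tok-wrong-action": {"success": True, "score": 0.9, "action": "login",   "hostname": "example.myshopify.com"},
    "tok-other-site":   {"success": True, "score": 0.9, "action": "comment", "hostname": "attacker.example"},
    "tok-replayed":     {"success": False, "error-codes": ["timeout-or-duplicate"]},
}


def fake_transport(params: Dict[str, str]) -> dict:
    """Offline stand-in for siteverify, keyed by token."""
    return FAKE_SITEVERIFY.get(params["response"],
                               {"success": False, "error-codes": ["invalid-input-response"]})


SAMPLE_POSTS = [  # constructed form submissions
    {"author": "alice", "body": "Nice post!", "g-recaptcha-response": "tok-human"},
    {"author": "bot-1", "body": "buy pills"},                                   # raw POST, no token
    {"author": "bot-2", "body": "buy pills", "g-recaptcha-response": "tok-lowscore"},
    {"author": "bot-3", "body": "cheap watches", "g-recaptcha-response": "tok-replayed"},
    {"author": "bot-4", "body": "cheap watches", "g-recaptcha-response": "tok-other-site"},
]


def run_demo(transport=fake_transport) -> Dict[str, str]:
    """Triage every sample post; returns {author: bucket}."""
    return {p["author"]: triage_comment(p, transport) for p in SAMPLE_POSTS}


if __name__ == "__main__":
    for author, bucket in run_demo().items():
        print(f"{author:6s} -> {bucket}")
```

The point the example makes is the one raised in the original question: the script kiddie who POSTs straight to blog_article_url/comments never executes grecaptcha on your page, so they either send no token (bot-1) or a token scraped from someone else's submission, which siteverify reports as already used (bot-3). Checking only "success" is not enough: the action and hostname checks stop a token minted on an attacker's page that loaded your site key, and the score threshold is where you trade false positives for spam volume. None of this matters unless the endpoint that stores the comment actually performs the check, which is why a pure client-side widget on the Shopify form can be bypassed and why the moderation pass described above is needed on top.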