User Registration BUG

-- HikaShop version -- : 4.7.0
-- Joomla version -- : 3.10.11
-- PHP version -- : 7.4.33
-- Browser(s) name and version -- : Chrome

Hi guys,
I'm having back unwanted Registered Users that, maybe, they are using the HikaShop Registration door. Let me recap with some considerations:
A - This "Registration" type happened the first time on 25 August 2022 (then in December and in February again)
B - Why I am sure Registrant are using a "door" ? Because on this site I added a small custom JS (through Helix Ultimate 2.0.11 template > Custom Code > Custom Javascript) to copy the Email into the Username and I hided the Username field. So, normal Users are sing the Email (as username) while all these Registered Users are using a "Username".
C - Why I'm speaking about "unwanted users" ? Because on 25th August 2022 I had just 4 registrations of this type (username is not an email), in February 2023 just 1, but in December I had a massive several Registrations, something like 300 Users in few hours. So, we can say malicious intentions.
D - Why I'm thinking they are using an HikaShop door ? Because I'm using AcyMailing 7.x and I creating the Subscribers during the Registration AcyMailing is saving the "#_acym_user > source". All those Users, only those have "hikashop" as source.
E - On that site I'm still not using HikaShop, I have no any Product page, any Checkout process etc.
F - AcyMailing > Configuration > Subscription > HikaShop integration > Display a subscribe option on HikaShop checkout: enableb
and on AcyMailing 7.9.3 - 8th August changelog I can read: [HikaShop] Fixed a case where the user wasn't created on AcyMailing side when he was subscribing by the HikaShop checkout
G - HikaShop - on last releases changelogs I can read several changes about Registration, like: "...We've added a patch to postpone the user synchronization during the HikaShop registration so that it is done by the registration process, and not the user synchronization plugin, and thus includes the custom user field data when triggering the onAfterUserCreate event..."

Now, on that site I'm finalizing the moving to last Joomla 4.2.8 and some bug fixings to last PHP 8.1.x

Meanwhile, before to going on, I want be sure I'm not forgiving any HikaSHop configuration. I want to press Users to Register (through standard Joomla Registration) and to Login, in first of all, before to add something to the Cart. So:

1 - HikaShop > System > Configuration > Checkout > Checkout Workflow: I have to the delete all the Login views, Right ?

2 - HikaShop > System > Configuration > Checkout > Login & Registration: I add an image for you - What are the right settings ? Am I forgiving anything else ?

3 - HikaShop > System > Configuration > Checkout > Login & Registration: Registration - (Maybe there is something not good in the description and I'm not sure I understood) What is it exactly ? Is it affecting ?

Hi Nicolas,
- HikaShop > System > Configuration > Checkout > Checkout Workflow: no Login view
- HikaShop > System > Configuration > Checkout > Login & Registration: Registration: Guest
Anyway, if I manually go to the URL …/index.php?option=com_hikashop&ctrl=user&task=form Registration Form page is still available and I can access it, there should be a way to deactivate/shutdown the HikaShop Registration Form. Please, Do you have an HikaShop internal setting for it ?

Meanwhile, still on PHP 7.4.33 & Joomla 3.10.11, began another massive Registration process, 1 new User Registration each few minutes. So, I did some tests:

1 - I disabled HikaShop component and all its plugins, modules.
After approximately 1 hour the massive registration started again and the “acym table > source column” changed from “hikashop” to “joomla”.

2 - User Manage > Options > User Options > CAPTCHA: from Invisible to reCAPTCHA.
After a few minutes of hesitation (15/30) the process continued.

3 - I manually hacked the file …/components/com_users/models/forms/registration.xml line 23 with Username field type="email". Does not matter, as above, after a few minutes of hesitation the process was able to continue, to "avoid" xml file setting configuration.

Notes:
- It was able to activate and enable one User that never logged in.
- All IPs seem to be from PJSC MegaFon, Moscow, Russia
cleantalk.org/whois/31.173.81.5
cleantalk.org/whois/178.176.72.103

4 - User Manage > Options > User Options > Allow User Registration: Yes > No
The massive Registration process stopped (after 154 User Registrations and 31 hours…)

Please, Do you have any suggestions ? Is there anything I can do to identify the origin of this process ?
Is there any tool I can use to catch it ?

Hi Nicolas,
I'm back here after tests with PHP 7.4.33 + Joomla 4.3.4 + HikaShop 4.7.5.

I don't want to be added as a Guest and I don't want to use the HikaShop Registration form. I just want to push users to register through our standard Joomla Registration page (that is a must have on Joomla) and to Login with the standard Joomla Login page/module to permit them to buy in HikaShop. Just it.

So,
- HikaShop > System > Configuration > Checkout > Checkout Workflow: no Login view
- HikaShop > System > Configuration > Checkout > Login & Registration - Login: No
- HikaShop > System > Configuration > Checkout > Login & Registration - Registration: Registration

Now, the HikaShop Registration form menu item is disabled and if I click on the HikaShop User Control Panel menu item in the frontend I'm redirected to the Joomla Login page, perfect.

But, If I manually attach to the Shopping URL …/index.php?option=com_hikashop&ctrl=user&task=form OR ?option=com_hikashop&ctrl=user&task=form the HikaShop Registration Form page is shown.
Not only, attaching the …/?option=com_hikashop&ctrl=user&task=form to each site URL pages the form is shown !!! While adding …/index.php?option=com_hikashop&ctrl=user&task=form a 404 Error page is shown.
This is really a bad thing. As a temporally solution I can use Admin Tools > Redirection from …?option=com_hikashop&ctrl=user&task=form to the Joomla Registration menu item page.

In my opinion a simple
- HikaShop > System > Configuration > Checkout > Login & Registration - Registration: Joomla Registration menu item option (to select the created Joomla standard Registration menu item where to run the redirections) is a missing here.

Do you agree?

Hi Nicolas,
Why are you doing this ?

A - If you're doing this because you want your normal users to go through the normal joomla registration form:

"...your users will use that page, even if they can potentially access the HikaShop registration page…" = Maybe we have 2 different Users experience, here in HikaShop your users at least are people that "build" sites, our users are "normal" people, "normal" internet users and, believe me, if they can do something on the contrary / in a reverse way they will do it, they don't know how, but sure they will do it.

B - If you're doing this because you want to prevent spam bots from registering through HikaShop's registration:

3 - We are agree. This is why I asked you a way to shut down totally the HikaShop Registration form (and in my case to use just the Joomla one). There should be a way to do it. It is not a good thing that to exclude it I have to activate the Guest mode (that I don't want).

5 - Yes, thank you to your suggestion we applied the Captcha-less-form-guard by Aimy (the best one in our opinion). But, be careful, while I can apply it to the Joomla standard Registration page, I'm not able to show/apply it to the HikaShop Registration form. Please, What am I missing?

PS - About the Spam issue I described in this topic, we deeply studied it and:
I made a detailed feature request to Aimy for an AcyChecker integration that should be implemented on next releases
I made an enhanced Joomla Registration workflow suggestion to some developers that work on security issues (I'm waiting their reply), I will move it directly to the Joomla team…

Hi Nicolas,
Thank you very much for your suggestions.

A - As far as I understand the best/simple way is to add an htaccess rule. (Admin Tools Redirects cannot be used because it cannot run with "all the URLs that contain..."). To cover both, the index.php / not index.php, cases and thinking that my Joomla registration page where to redirect is mysite.com/registracion , the rule should be something like:

RewriteCond %{REQUEST_URI}  ?option=com_hikashop&ctrl=user&task=form
RewriteRule .* registracion

Hi Nicolas,

A - Thank you

3 - I'm really too happy to read it because:
- The settings will be simpler, just the Register / Guest option
- Less Developer maintaining energies
- The Captcha will be "automatically integrated"
- Also the "HikaShop user synchronization plugin", being a "System" plugin, could be "deprecated" and it's features added to the new User plugin
- We'll can offer a simpler Registration / Profile experience to our users, as asked by the GDPR EU rules
- We'll can manage the HikaShop fields order on those pages by using the standard Joomla reordering feature
- As detailed here I hope you will include in the first release the HikaShop Addresses view (at leas as an initially "view mode")
- I hope you can wrap up the HikaMarket team to do the same User plugin for the Vendor page

I'm going to send you a test site example and I remain available

nicolas wrote: 3. That's a good proposition, yes. Redirecting to the Joomla registration form and integrating with Joomla to inject the HikaShop custom user fields and custom address fields would be great. That's something we can put on our todo list for a future improvement.