Feature Proposal: Protect User Creation with Captcha #731
Comments
Morpheus0x
changed the title
|
I thought of something like this recently but my use case was for storing contact form submissions in a collection. After the users refactoring in #376, both use cases could be covered by adding a captcha option to the create/update of each collection rule. I remember hCaptcha api to be compatible with reCaptcha2 so I think we'll be able also to abstract the implementation. I'll have to think a little more on this after v0.8 and eventually I'll add it to the roadmap. |
|
Ok, sounds good. Yes, hCaptcha is API compatible with reCaptcha. |
|
Want to toss this out too, Cloudflare just announced this as a privacy-focused captcha replacement https://blog.cloudflare.com/turnstile-private-captcha-alternative/ |
|
Awesome, and it also seems to be API compatible |
|
There's google's enterprise reCaptcha as well... |
|
Is there really no better solution than the abomination of *Captcha? Serious question, not just a vent. |
honey-pot fields, sso, mfa, ... nothing else really... |
|
What about the cloudflare one |
There are alternatives, Ali and Binance both use this: completing an image by moving the missing piece in place (and verifying the X/Y error). Code example here https://pub.dev/packages/slider_captcha |
|
Agreed @Morpheus0x, protecting the user create API is essential. Currently a two-liner bash script can cause havoc on the backend. Instead of changing Pocketbase, I think example code / handlers would be enough as not everyone would need the exact setup. |
|
Rate limiting those APIs could be done via the public facing reverse proxy. Would take away the wast majority of script kiddies. One way of doing it; https://caddyserver.com/docs/modules/http.handlers.rate_limit |
I think it would be a great feature to protect user creation with a captcha challenge.
This would require minimal changes to the user create API and to the admin dashboard.
The user create API endpoint should have an optional body parameter called captchaPasscode.
Nothing has to be added to the client SDKs, I think. Because AFAIK all bodyParams should just get passed to the PocketBase API.
If this is a wanted feature, I would be willing to implement this.
As an example, I would implement the hCaptcha provider, since this is what I would be using.
The Pocketbase Admin panel just needs an option to select a captcha provider, if any.
Additionally, a text input field is needed for the provider account secret.
When a POST request is made to the PocketBase create user API endpoint, another post request should be made by PocketBase to the hCaptcha
/siteverifyendpoint, which verifies captchaPasscode. Depending on the response, either allow user creation or return an error.The text was updated successfully, but these errors were encountered: