Opened 10 years ago

Last modified 9 years ago

#1087 new enhancement

Smart captcha system

Reported by: Christopher Allan Webber Owned by:
Priority: major Milestone:
Component: programming Keywords:
Cc: Parent Tickets:

Description

Obviously related to and dependent on #1086

This maybe could wait a bit to be implemented, but I've been thinking about a captcha system that provides the following features:

  • Serves image-based (and maybe audio-based) captchas, but *doesn't* require saving any image files on-server (which you later have to garbage collect...)
  • Doesn't require any rows in the database
  • Doesn't require any nonfree software
  • Integrates with the forms system
  • Makes use of our existing crypto/session stuff.

Here's how I think it would work.

  • hooks are run to initialize the captcha for whatever form / view. Attach validation requirement to wtforms and generate the image.
  • When generating the image (I'm not sure what kind of algorithm we should use for this), *don't* write to a file on disc static-served via apache. Instead, we can base64 encode the image after rendering, pack it into the response, and serve it directly. See mediagoblin/plugins/persona/static/js/persona.js for an example of this in action.
  • Provide a question and *hashed* version of the expected answer from the captcha which the user needs to answer. We sign the question and hashed answer with itsdangerous (and set a time limit to solve it) so that the user can't make up their own question and answer.

I think doing the above could be a pretty smart and elegant solution... it means being able to do a captcha that doesn't require storing any extra junk server-side, but still provides a way to pass a captcha along.

The trickiest part of this might be writing some code to make some visual captchas in the first place.

Note: I'm not sure if it's possible to base64 encode audio in the same way? But if so, we could provide both audio and visual captchas.

Change History (1)

comment:1 by Loic Dachary, 9 years ago

Type: defectenhancement
Note: See TracTickets for help on using tickets.