Smart captcha system

[Christopher Allan Webber]

Obviously related to and dependent on #1086

This maybe could wait a bit to be implemented, but I've been thinking about a captcha system that provides the following features:

• Serves image-based (and maybe audio-based) captchas, but *doesn't* require saving any image files on-server (which you later have to garbage collect...)
• Doesn't require any rows in the database
• Doesn't require any nonfree software
• Integrates with the forms system
• Makes use of our existing crypto/session stuff.

Here's how I think it would work.

• hooks are run to initialize the captcha for whatever form / view. Attach validation requirement to wtforms and generate the image.
• When generating the image (I'm not sure what kind of algorithm we should use for this), *don't* write to a file on disc static-served via apache. Instead, we can base64 encode the image after rendering, pack it into the response, and serve it directly. See mediagoblin/plugins/persona/static/js/persona.js for an example of this in action.
• Provide a question and *hashed* version of the expected answer from the captcha which the user needs to answer. We sign the question and hashed answer with itsdangerous (and set a time limit to solve it) so that the user can't make up their own question and answer.

I think doing the above could be a pretty smart and elegant solution... it means being able to do a captcha that doesn't require storing any extra junk server-side, but still provides a way to pass a captcha along.

The trickiest part of this might be writing some code to make some visual captchas in the first place.

Note: I'm not sure if it's possible to base64 encode audio in the same way? But if so, we could provide both audio and visual captchas.