id summary reporter owner description type status priority milestone component resolution keywords cc parents
1087 Smart captcha system Christopher Allan Webber "Obviously related to and dependent on #1086

This maybe could wait a bit to be implemented, but I've been thinking about a captcha system that provides the following features:

- Serves image-based (and maybe audio-based) captchas, but *doesn't* require saving any image files on-server (which you later have to garbage collect...)
- Doesn't require any rows in the database
- Doesn't require any nonfree software
- Integrates with the forms system
- Makes use of our existing crypto/session stuff.

Here's how I think it would work.

- hooks are run to initialize the captcha for whatever form / view. Attach validation requirement to wtforms and generate the image.
- When generating the image (I'm not sure what kind of algorithm we should use for this), *don't* write to a file on disc static-served via apache. Instead, we can base64 encode the image after rendering, pack it into the response, and serve it directly. See mediagoblin/plugins/persona/static/js/persona.js for an example of this in action.
- Provide a question and *hashed* version of the expected answer from the captcha which the user needs to answer. We sign the question and hashed answer with itsdangerous (and set a time limit to solve it) so that the user can't make up their own question and answer.

I think doing the above could be a pretty smart and elegant solution... it means being able to do a captcha that doesn't require storing any extra junk server-side, but still provides a way to pass a captcha along.

The trickiest part of this might be writing some code to make some visual captchas in the first place.

Note: I'm not sure if it's possible to base64 encode audio in the same way? But if so, we could provide both audio and visual captchas.
" enhancement new major programming
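
The signed question-and-hashed-answer scheme described in the ticket, sketched as an added example (not MediaGoblin code and not from the ticket's author). It uses the standard library's `hmac` in place of itsdangerous so it runs without dependencies; `SECRET`, `MAX_AGE` and the function names are assumptions, and the answer hash is keyed so the value handed to the client cannot be brute-forced offline.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-key"  # assumption: stands in for the server's signing key
MAX_AGE = 120                     # assumption: seconds allowed to solve the captcha

def _mac(label: bytes, data: bytes) -> str:
    # Separate labels keep the answer digest and the token signature distinct.
    return hmac.new(SECRET, label + b"|" + data, hashlib.sha256).hexdigest()

def _answer_digest(answer: str, nonce: str) -> str:
    # Keyed, not a bare hash: the client holds this value, and a short captcha
    # answer hashed without a key could be recovered by guessing.
    return _mac(b"answer", (nonce + ":" + answer.strip().lower()).encode())

def issue_token(question: str, answer: str, now=None) -> str:
    """Pack question, hashed answer and issue time into a signed token."""
    nonce = secrets.token_hex(8)
    body = {"q": question, "h": _answer_digest(answer, nonce), "n": nonce,
            "t": int(time.time() if now is None else now)}
    payload = base64.urlsafe_b64encode(json.dumps(body).encode())
    return payload.decode() + "." + _mac(b"token", payload)

def check_token(token: str, submitted: str, now=None) -> str:
    """Return 'ok', 'bad-signature', 'expired' or 'wrong-answer'."""
    parts = token.split(".")
    if len(parts) != 2:
        return "bad-signature"
    payload, sig = parts[0].encode(), parts[1].encode()
    # Verify before parsing: only payloads this server signed get decoded.
    if not hmac.compare_digest(sig, _mac(b"token", payload).encode()):
        return "bad-signature"
    body = json.loads(base64.urlsafe_b64decode(payload))
    now = time.time() if now is None else now
    if now - body["t"] > MAX_AGE:
        return "expired"
    expected = _answer_digest(submitted, body["n"]).encode()
    if not hmac.compare_digest(body["h"].encode(), expected):
        return "wrong-answer"
    return "ok"

if __name__ == "__main__":
    tok = issue_token("3 + 4 = ?", "7")   # constructed sample question
    print(check_token(tok, "7"), check_token(tok, "8"))
```

Because nothing is stored server-side, a solved token stays valid until it expires, so the time limit is what bounds its reuse.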