id	summary	reporter	owner	description	type	status	priority	milestone	component	resolution	keywords	cc	parents
1087	Smart captcha system	Christopher Allan Webber		"Obviously related to and dependent on #1086

This maybe could wait a bit to be implemented, but I've been thinking about a captcha system that provides the following features:

 - Serves image-based (and maybe audio-based) captchas, but *doesn't* require saving any image files on-server (which you later have to garbage collect...)
 - Doesn't require any rows in the database
 - Doesn't require any nonfree software
 - Integrates with the forms system
 - Makes use of our existing crypto/session stuff.

Here's how I think it would work.

 - hooks are run to initialize the captcha for whatever form / view.  Attach validation requirement to wtforms and generate the image.
 - When generating the image (I'm not sure what kind of algorithm we should use for this), *don't* write to a file on disc static-served via apache.  Instead, we can base64 encode the image after rendering, pack it into the response, and serve it directly.  See mediagoblin/plugins/persona/static/js/persona.js for an example of this in action.
 - Provide a question and *hashed* version of the expected answer from the captcha which the user needs to answer.  We sign the question and hashed answer with itsdangerous (and set a time limit to solve it) so that the user can't make up their own question and answer.

I think doing the above could be a pretty smart and elegant solution... it means being able to do a captcha that doesn't require storing any extra junk server-side, but still provides a way to pass a captcha along.

The trickiest part of this might be writing some code to make some visual captchas in the first place.

Note: I'm not sure if it's possible to base64 encode audio in the same way?  But if so, we could provide both audio and visual captchas.
"	enhancement	new	major		programming