Added captcha verification system for login and signup #1167
- Dynamic text field detection (MutationObserver)
- Cleanup event listeners (prevent memory leaks)
Thanks for your contribution! This looks pretty good so far. I noticed a possible area of improvement: it would be nice if we could conditionally display the captcha for login/signup using logic in a backend extension. I noticed you already implemented the behavior to check a flag on the requester object, the only missing piece then is to emit an event for extensions and update login/signup to be conditional.
Here's an event from CleanEmailService that lets extensions validate email addresses:
```js
const svc_event = this.services.get('event');
const event = { allow: true, email };
await svc_event.emit('email.validate', event);
if ( ! event.allow ) return false;
```
```js
const { CaptchaService } = require('./services/CaptchaService');

// Get configuration from environment or use defaults
const captchaEnabled = process.env.CAPTCHA_ENABLED !== 'false'; // Enabled by default
```
This should probably come from configuration instead.
```js
const config = require("../../config");
```
```js
// Register captcha middleware
const captchaMiddleware = require('./middleware/captcha-middleware');
context.set('captcha-middleware', captchaMiddleware);
```
Is `captcha-middleware` accessed via context anywhere?
You're right, it's not. I removed the content integration.
.lsp/.cache/db.transit.json
should this file be here?
.clj-kondo/.cache/v1/lock
should this file be here?
I just tried the latest changes. It seems to work great on the backend side of things. On the frontend, because you made the change I requested for conditional captcha requirement via extensions, we no longer have a good way to determine when the captcha element doesn't need to be displayed. I think the best way to resolve this is to split the captcha middleware into two middlewares:
I think I closed this by mistake.
That's okay, I assume #1174 contains these changes plus the new ones, correct? In the future you should be able to re-open closed pull requests.
For my Captcha verification I added the following components:
Captcha Module:
The Captcha Module serves as the integration point for the captcha verification system within the Puter platform. It registers the captcha service and middleware with the application, making them available throughout the system. This module enables protection against automated abuse for sensitive operations like login and signup.
Captcha Service:
The Captcha Service handles the core functionality of generating and verifying captchas. It creates visual challenges using SVG-based captchas, manages token generation and storage, and validates user responses. The service supports configurable difficulty levels and token expiration times, and uses an in-memory token storage system with automatic cleanup of expired tokens.
Captcha Middleware:
The Express middleware component provides a simple way to protect routes with captcha verification. It can be configured to either always require captcha verification or conditionally require it based on user behavior (such as failed login attempts). The middleware seamlessly integrates with existing routes, checking for valid captcha tokens and answers before allowing requests to proceed.