🚀 Feature: Captcha Integration #5384
Comments
Could be great to have it, mainly Turnstile or hCaptcha. Also for Apple apps: #4791 (comment). And for Android, using Play Integrity. That way malicious traffic/abuse caused by bots will be reduced to a really small amount. Bot traffic, mainly malicious, might not be seen as a problem, but the fact that 28% of internet traffic is caused by bots makes it really possible that at some point they could spam your app or even disrupt your services.
@h0lybyte, thanks for creating this issue! 🙏🏼 I don't know precisely how captcha integration works, but I would assume the client passes some token to the server, and the server can then validate to see if they passed the captcha or not, right? If so, for now, maybe you can use an Appwrite Function to handle this:
@stnguyen90 Yes, that's a workaround, but in the case of reads another new function is going to be needed, so the default data fetching system from Appwrite could become completely useless if needed to stop malicious reads and writes of data, since a function is going to replace it.
That's kind of the expected scenario. Any sort of custom behavior should be handled with an Appwrite Function. Regardless, I think data fetching is related, but should be a separate issue. It would be good to 👍🏼 this issue: #5060.
Wouldn't this then limit the SSO? I.e., let's say you have a captcha for the register but don't want to have it for SSO?
Captchas work like this:
Usually, captcha client code gives you a client API to also check if it was verified, so you can still disable the submit button while waiting for a captcha (UX!). The good thing is that all you need to do is pass a token around, and the captcha can be as complex as it wants. In the case of Appwrite, it would be good to offer some kind of integration by providing a code library which needs to be delivered to the client and can take over things like captcha integration. Or alternatively to offer integration with a number of popular captcha services and leave the client side to the customer. On a side note, captchas can be broken by captcha farms (humans solving captchas for money) and AI (the "granny locket method" was big in the news just the other day). Captchas will keep bots out, but script kiddies and BHs can still easily crack it. Also, is there a status update?
Can you please tell me if step 3 + 4 are also possible with a custom node backend using
Please ignore my false alert, I confused the
🔖 Feature description
A captcha integration to help combat spam accounts from joining / abusing the self-hosted Appwrite platform.
env variables:
- `_APP_CAPTCHA_SERVICE` - reCaptcha, hCaptcha, CF etc. (if it's not set, then it
- `_APP_CAPTCHA_KEY` - backend key...

Then under the function:
```php
function createUser(string $hash, mixed $hashOptions, string $userId, ?string $email, ?string $password, ?string $phone, string $name, Document $project, Database $dbForProject, Event $events): Document
```
Maybe after `string $name`, we could add `?string $captcha`.
Then before processing the try catch, we could put a function to check the string against the captcha service.
🎤 Pitch
With the continuing rise of spam bots, it makes sense to have some defensive layers to protect the user base and save resources.
👀 Have you spent some time to check if this issue has been raised before?
🏢 Have you read the Code of Conduct?
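
The server-side check discussed in this thread (the client passes a token, the server validates it with the captcha service before account creation proceeds), as an added example that is not Appwrite's code. `verifyCaptcha` and `checkSignupCaptcha` are hypothetical names, the two environment variables are the ones proposed in the issue rather than existing Appwrite settings, and the URLs are the providers' public siteverify endpoints.

```javascript
// Added example: provider siteverify endpoints (form-encoded POST, JSON reply).
const SITEVERIFY = {
  turnstile: "https://challenges.cloudflare.com/turnstile/v0/siteverify",
  hcaptcha: "https://api.hcaptcha.com/siteverify",
  recaptcha: "https://www.google.com/recaptcha/api/siteverify",
};

// Hypothetical helper, not an Appwrite API. Returns { ok, reason }.
// Every failure path returns ok: false, so an outage cannot wave signups through.
async function verifyCaptcha({ service, secret, token, remoteIp, expectedHostname,
                               fetchImpl = globalThis.fetch, timeoutMs = 5000 }) {
  const url = SITEVERIFY[String(service || "").toLowerCase()];
  if (!url) return { ok: false, reason: "unknown_service" };
  if (!secret) return { ok: false, reason: "missing_secret" };
  // The token is opaque client input; 8192 is a bound chosen for this example.
  if (typeof token !== "string" || token.length === 0 || token.length > 8192) {
    return { ok: false, reason: "missing_or_oversized_token" };
  }
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set("remoteip", remoteIp);

  const ctl = new AbortController();
  const timer = setTimeout(() => ctl.abort(), timeoutMs);
  try {
    const res = await fetchImpl(url, { method: "POST", body, signal: ctl.signal });
    if (!res.ok) return { ok: false, reason: `http_${res.status}` };
    const data = await res.json();
    if (data.success !== true) {
      return { ok: false, reason: (data["error-codes"] || ["rejected"]).join(",") };
    }
    // The reply names the site where the challenge was solved; reject other sites.
    if (expectedHostname && data.hostname !== expectedHostname) {
      return { ok: false, reason: "hostname_mismatch" };
    }
    return { ok: true, reason: "verified" };
  } catch (err) {
    return { ok: false, reason: "verifier_unreachable" };
  } finally {
    clearTimeout(timer);
  }
}

// Reads the variables proposed in the issue; call this before creating the user.
const checkSignupCaptcha = (token, env = process.env, opts = {}) =>
  verifyCaptcha({ service: env._APP_CAPTCHA_SERVICE, secret: env._APP_CAPTCHA_KEY,
                  token, ...opts });
```

The secret key stays on the server; only the widget's site key and the resulting token ever reach the client.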