
Captcha support about kitsune HOT 6 CLOSED

aumetra commented on June 12, 2024
Captcha support

from kitsune.

Comments (6)

zeerooth commented on June 12, 2024

Other viable captchas to consider are:

  • captcha crate - This is the one that lemmy uses, but it's quite easy to break and annoying to use as it requires solving a challenge every time as opposed to other proof of work or DDoS detection captchas. Also no API, just pure image generation with the
  • Cloudflare Turnstile - Free, closed source, so not really to be trusted, but they claim that they don't harvest any data for ad targeting and the like. The question is if these statements can be trusted?

Anyhow, for me it seems that mCaptcha is the best choice for now, so it'd be the best to implement it first. However, I also think that it'd be useful to have an interface and config variables that allow server admins to choose their preferred captcha provider. What do you think?

from kitsune.

aumetra commented on June 12, 2024

Yeah, I think we should provide an interface similar to what we have for the storage providers.
Abstraction crate with the name kitsune-captcha and then an internally tagged union via a type field inside the configuration.

I think a good line-up for an MVP here would be support for mCaptcha and hCaptcha.

mCaptcha for more privacy conscious folks and hCaptcha for most others.


About the captcha crate: I have accessibility concerns. Vision impaired folks might not be able to get through the registration process with that crate and there is no alternative, such as an audio challenge.

hCaptcha offers "accessibility cookies" which is, presumably, a manual application process, but they at least have a solution.
mCaptcha is fully based on proof-of-work, just requiring computation resources, so no accessibility concerns there.

I'm not sure about Cloudflare Turnstile in this area, I never paid attention when I clicked through it to get on websites when using Tor.
I'm gonna check when I get the time, but I'm assuming they either have an audio challenge or an alternative bypass method.

from kitsune.

zeerooth commented on June 12, 2024

> I'm gonna check when I get the time, but I'm assuming they either have an audio challenge or an alternative bypass method.

Good question actually, from what I've gathered turnstile uses a "managed" mode which runs non-interactive challenges that "include, but are not limited to, proof-of-work, proof-of-space, probing for web APIs, and various challenges for detecting browser-quirks and human behavior".

If that fails, and the site is configured to allow it, then there is an interactive challenge with pressing a button. However, I haven't ever failed at it and I haven't found any info on what happens on a fail in that case. By reading the forums, like this post, it seems that Turnstile may flag users who use a keyboard to navigate, for example, which is indeed problematic. I don't know what the scale of this issue is though, I only found this one post.

One thing that I'm sure of though is that mCaptcha and hCaptcha are definitely friendly when it comes to accessibility, so I agree that this should be the target. Turnstile would be a nice-to-have I guess.

If it's okay I can start working on captcha implementation.

from kitsune.

aumetra commented on June 12, 2024

Sure! You can give it a go! You can take inspiration on how to do the multiple backends from either kitsune-storage or kitsune-search, since they both have similar approaches.

The approach is:

  1. Define a trait with common functionality
  2. Implement the backends
  3. Use the enum_dispatch crate (or manual enum dispatch) to combine them down into a single type

Then you can either write a service wrapper around it or just use it directly. Depends whether you need to add more functionality that more closely falls into the scope of the main binary.

(example: if you need access to the URL service or some configuration, that's where you'd usually write a service wrapper and expose a nice little API on top of that).


As for configuration, it's actually not that difficult. We use an internally tagged enum to differentiate between the backends. That's pretty much it.

You can find examples in the config.rs module with either the cache or the search backend.

from kitsune.
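
The three steps and the tagged configuration described in the comment above, as an added example that is not kitsune's code or part of the original thread. It uses only the standard library, so a hand-written `type` lookup stands in for a serde internally tagged enum and a manual `match` stands in for `enum_dispatch`; every name, the `Post` transport seam, and the provider endpoints and field names are assumptions to check against each provider's documentation.

```rust
use std::collections::HashMap;

// Hypothetical HTTP seam: POSTs `fields` to `url`, returns the JSON reply's boolean fields.
pub type Post = fn(url: &str, fields: &[(&str, &str)]) -> Result<HashMap<String, bool>, String>;
// Step 1: a trait with the common functionality.
pub trait CaptchaBackend { fn verify(&self, token: &str, post: Post) -> bool; }
// Step 2: the backends (endpoints and field names are assumptions).
pub struct HCaptcha { pub secret: String }
pub struct MCaptcha { pub instance: String, pub sitekey: String, pub secret: String }
// Fail closed: a transport error or a missing field counts as a failed captcha.
fn flag(reply: Result<HashMap<String, bool>, String>, field: &str) -> bool {
    reply.ok().and_then(|r| r.get(field).copied()).unwrap_or(false)
}
impl CaptchaBackend for HCaptcha {
    fn verify(&self, token: &str, post: Post) -> bool {
        let fields = [("secret", self.secret.as_str()), ("response", token)];
        flag(post("https://api.hcaptcha.com/siteverify", &fields), "success")
    }
}
impl CaptchaBackend for MCaptcha {
    fn verify(&self, token: &str, post: Post) -> bool {
        let url = format!("{}/api/v1/pow/siteverify", self.instance);
        let fields = [("token", token), ("key", self.sitekey.as_str()), ("secret", self.secret.as_str())];
        flag(post(&url, &fields), "valid")
    }
}
// Step 3: manual enum dispatch combines the backends into a single type.
pub enum Captcha { HCaptcha(HCaptcha), MCaptcha(MCaptcha) }
impl Captcha {
    // The `type` key picks the variant, as an internally tagged enum would.
    pub fn from_config(cfg: &HashMap<&str, &str>) -> Result<Self, String> {
        let get = |k: &str| cfg.get(k).map(|v| v.to_string()).ok_or_else(|| format!("missing key `{k}`"));
        match get("type")?.as_str() {
            "hcaptcha" => Ok(Captcha::HCaptcha(HCaptcha { secret: get("secret")? })),
            "mcaptcha" => Ok(Captcha::MCaptcha(MCaptcha {
                instance: get("instance")?, sitekey: get("sitekey")?, secret: get("secret")? })),
            other => Err(format!("unknown captcha type `{other}`")),
        }
    }
    pub fn verify(&self, token: &str, post: Post) -> bool {
        match self { Captcha::HCaptcha(b) => b.verify(token, post), Captcha::MCaptcha(b) => b.verify(token, post) }
    }
}

fn main() {
    // Constructed transport with an empty reply, so the demo runs offline and rejects.
    let deny: Post = |_, _| Ok(HashMap::new());
    let cfg = HashMap::from([("type", "hcaptcha"), ("secret", "placeholder")]);
    println!("{}", Captcha::from_config(&cfg).unwrap().verify("token", deny));
}
```

An unknown `type` or a missing secret is rejected when the configuration is loaded, and any verification reply that lacks the expected field is treated as a failed captcha.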

aumetra commented on June 12, 2024

(just assigned you the issue for organization's sake. Not that the issues are really well organized, but oh well)

from kitsune.

zeerooth commented on June 12, 2024

Alright, thanks for the tips! Looking at kitsune-storage it does look well-organized and like a good template to start

from kitsune.
