search

AnthonyNahas / ngx-auth-firebaseui

Angular Material UI component for firebase authentication
https://ngx-auth-firebaseui.firebaseapp.com
MIT License
589 stars 165 forks source link

feat: reCAPTCHA support #331

Closed waleko closed 2 years ago

waleko commented 5 years ago

Bug Report or Feature Request (mark with an x)

- [ ] bug report -> please search issues before submitting
- [x] feature request

Is there an easy way to have a recaptcha verifier with ngx-auth-firebaseui? I looked up the documentation and haven't found a thing. I think it would be a pretty useful feature.

AnthonyNahas commented 5 years ago

@waleko why did you close this ticket? I believe that reCAPTCHA would be an awesome feature for this library...

waleko commented 5 years ago

@AnthonyNahas sorry, it was a misclick

AnthonyNahas commented 5 years ago

@jeandat what do you think about this feature?

jeandat commented 5 years ago

I don't know much about reCAPTCHA (I'm not using it) but as I understand it, reading google reCAPTCHA v3 documentation you need to integrate a script working in the background that will provide you with a score on demand. This script should be integrated in several places in your app to maximise precision.

The difference with v2 is that user is not bothered with a challenge. This is transparent and you can use it in more contexts. So i guess most people today will use v3 over v2. Thus, IMO ngx-auth-firebaseui should not integrate the famous checkbox (reCAPTCHA v2) which will disappear progressively.

Regarding v3 if it was integrated, what would be the scenario/interactions between reCAPTCHA and ngx-auth-firebaseui?

Consumers of this library are already free to compute a score before showing ngx-auth-firebaseui component and decide whether or not it is safe to pursue.

@waleko In your mind what should be ngx-auth-firebaseui behavior? What would you want it to do?

waleko commented 5 years ago

@jeandat At first I thought of using built-in RecaptchaVerifier class, which uses a checkbox. reCAPTCHA v3 is a good idea, but it returns a score for each request, so we would still need a reCAPTCHA v2 for dealing with low score users or something entirely different. For example reCAPTCHA documentation suggests requiring 2FA or email verification:

reCAPTCHA v3 will never interrupt your users, so you can run it whenever you like without affecting conversion. reCAPTCHA works best when it has the most context about interactions with your site, which comes from seeing both legitimate and abusive behavior. For this reason, we recommend including reCAPTCHA verification on forms or actions as well as in the background of pages for analytics.

Use case Recommendation

... login | With low scores, require 2-factor-authentication or email verification to prevent credential stuffing attacks. ...

So, if we would be using v3, we would still need the v2 checkbox, because 2FA and email verification are only available with EmailAuthProvider and unapplicable for some providers.

So, in my opinion, v3 is too advanced and ngx-auth-firebaseui should just implement the standard v2 checkbox.

jeandat commented 5 years ago

If recaptcha v2 is integrated, it must be an opt-in option IMO.

waleko commented 5 years ago

Yeah, I agree. I think it should just be mentioned in the docs, so people who need it can turn it on.

Blunderchips commented 4 years ago

Any progress on this issue?

messaddek commented 4 years ago

hello, i need this feature too