Counselllor / Counsellor-Web

Counselling/Recommendation System for new Undergrad Students
http://counsellor.social/
MIT License

Captcha Vulnerability #516

Open Aadithya-J opened 3 months ago

Aadithya-J commented 3 months ago

Is your feature request related to a problem? Please describe. The captcha in the sign up page is simple text. It can be viewed just by inspecting the webpage. This makes the website vulnerable to bot attacks.

[Screenshot: 2024-05-12 at 12:09:27 AM]

Describe the solution you'd like I would like to change it to using a captcha API like hCaptcha or reCAPTCHA.

github-actions[bot] commented 3 months ago

Hello Aadithya-J, Thanks for opening an issue, your contribution is valuable to us. The maintainers will review this issue and provide feedback as soon as possible.

Aadithya-J commented 3 months ago

I would like to work on this myself using the API of hCaptcha or reCAPTCHA. Can you assign this to me under GSSoC 24?

thestarsahil commented 3 months ago

Thank you for pointing out this security concern. It's crucial that our captcha system is robust enough to prevent bot attacks. The current text-based captcha system indeed seems to have a vulnerability as it can be viewed by inspecting the webpage. We will prioritize addressing this issue and consider implementing a more secure captcha system, such as image-based or interactive captchas. Your vigilance in ensuring the security of our website is greatly appreciated.

Aadithya-J commented 3 months ago

@thestarsahil how are you using the environment variables? It seems like npm cannot resolve vite-plugin-dotenv. I have to use .env for the site key and secret key for reCAPTCHA.

hereisSwapnil commented 3 months ago

> @thestarsahil how are you using the environment variables? It seems like npm cannot resolve vite-plugin-dotenv. I have to use .env for the site key and secret key for reCAPTCHA.

Hey, if you are facing issues with the .env file:

Try to make a .env file in the root directory of the project.

Then add the environment secrets in CAPS, for example:

```
VITE_SECRET = abc
```

And now you are ready to import it from your Vite app:

```js
import.meta.env.VITE_SECRET
```

Note: `VITE_...` is important to write at the beginning of each env variable.

Just ping me if you could not fix it

Aadithya-J commented 3 months ago

Thank you, I managed to make it work, but it seems that implementing hCaptcha or reCAPTCHA v2 requires a backend. I'm not sure what I should do.
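The server-side step that reCAPTCHA v2 and hCaptcha both require, shown as an added example (not code from the Counsellor-Web project or from any participant in this thread): the browser submits the widget's response token with the sign-up form, and the backend posts that token plus the secret key to the provider's siteverify endpoint, which is a server-to-server call. The two endpoint URLs are the providers' documented ones; `handleSignup`, the `CAPTCHA_SECRET` variable name and the `counsellor.social` hostname pin are assumptions for illustration. The secret is deliberately read from a variable without the `VITE_` prefix: Vite exposes every `VITE_*` variable to browser code through `import.meta.env`, so a secret stored that way ends up in the public bundle, which is the same kind of exposure this issue is about.

```javascript
// Added example (not Counsellor-Web project code): server-side verification of a
// reCAPTCHA v2 / hCaptcha response token. The browser only ever sees the site key;
// the secret stays on the server, which is why the widget cannot be verified client-side.
//
// Assumptions: Node 18+ (global fetch and URLSearchParams); the secret is read from
// CAPTCHA_SECRET (hypothetical name), deliberately NOT a VITE_-prefixed variable,
// because Vite inlines every VITE_* variable into the public browser bundle.

const SITEVERIFY = {
  recaptcha: 'https://www.google.com/recaptcha/api/siteverify',
  hcaptcha: 'https://hcaptcha.com/siteverify',
};

/**
 * Verify a captcha response token with the provider.
 * @param {string} token  value of g-recaptcha-response / h-captcha-response from the form
 * @param {object} opts
 * @param {'recaptcha'|'hcaptcha'} opts.provider
 * @param {string} opts.secret            provider secret key (server-only)
 * @param {string} [opts.remoteIp]        client IP, optional but recommended
 * @param {string} [opts.expectedHostname] reject tokens solved on another site
 * @param {typeof fetch} [opts.fetchImpl] injectable so the flow can be tested offline
 * @returns {Promise<{ok: boolean, reason: string}>}
 */
async function verifyCaptchaToken(token, opts) {
  const { provider, secret, remoteIp, expectedHostname, fetchImpl = fetch } = opts;
  if (!secret) return { ok: false, reason: 'server misconfigured: no captcha secret' };
  // Tokens are short-lived opaque strings; reject obviously bogus input before
  // spending an outbound request on it.
  if (typeof token !== 'string' || token.length === 0 || token.length > 4096) {
    return { ok: false, reason: 'missing or malformed token' };
  }
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set('remoteip', remoteIp);

  let data;
  try {
    const res = await fetchImpl(SITEVERIFY[provider], {
      method: 'POST',
      headers: { 'content-type': 'application/x-www-form-urlencoded' },
      body: body.toString(),
    });
    if (!res.ok) return { ok: false, reason: `siteverify HTTP ${res.status}` };
    data = await res.json();
  } catch (err) {
    // Fail closed: a provider outage must not turn into "everyone passes".
    return { ok: false, reason: `siteverify unreachable: ${err.message}` };
  }

  if (data.success !== true) {
    const codes = Array.isArray(data['error-codes']) ? data['error-codes'].join(',') : 'none';
    return { ok: false, reason: `provider rejected token (${codes})` };
  }
  // Both providers echo the hostname the challenge was solved on; pin it so a
  // token minted on an attacker's page that embeds the same site key is not accepted.
  if (expectedHostname && data.hostname !== expectedHostname) {
    return { ok: false, reason: `hostname mismatch: ${data.hostname}` };
  }
  return { ok: true, reason: 'verified' };
}

// Framework-agnostic sign-up handler shape (hypothetical): call this from the
// POST /signup route before creating the account, never from the browser.
// `deps` exists only so the handler can be exercised without network access.
async function handleSignup(formFields, clientIp, deps = {}) {
  const { secret = process.env.CAPTCHA_SECRET, fetchImpl } = deps;
  const result = await verifyCaptchaToken(formFields['g-recaptcha-response'], {
    provider: 'recaptcha',
    secret,
    remoteIp: clientIp,
    expectedHostname: 'counsellor.social',
    ...(fetchImpl ? { fetchImpl } : {}),
  });
  if (!result.ok) return { status: 400, body: { error: 'captcha failed' } };
  return { status: 201, body: { ok: true } };
}
```

Every failure path (missing secret, empty token, provider HTTP error, network error, `success: false`, hostname mismatch) returns `ok: false`, so a captcha outage degrades to "sign-up blocked" rather than "captcha bypassed"; the `fetchImpl` parameter is only there to let the flow be exercised with a stubbed provider.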

Pranali3103 commented 3 months ago

Hi @Aadithya-J I would like to work on this issue.

hereisSwapnil commented 3 months ago

@Pranali3103 Please give a clear idea of how you will work on this?

Pranali3103 commented 3 months ago

Yeah sure

Pranali3103 commented 3 months ago

I'll use two approaches:

1) Move CAPTCHA generation to the server: generate the CAPTCHA on the server side and send it to the client, so that the client never has the generation logic or the CAPTCHA value itself.

2) Hash and compare the CAPTCHA on the server: store a hashed version of the CAPTCHA text on the server and compare the user input with the hashed value to verify correctness, using the SHA-512 algorithm or any other hashing algorithm.

Pranali3103 commented 3 months ago

Can you please assign me this.

hereisSwapnil commented 3 months ago

You then need to set up the server as well and remove unnecessary files from there

@thestarsahil Please assign @Pranali3103

Pranali3103 commented 3 months ago

I could not find the backend part of login?

Pranali3103 commented 3 months ago

Okay, I'll make the server side and work on the files likewise.

thestarsahil commented 3 months ago

@Pranali3103 Good to go !

Pranali3103 commented 3 months ago

I have done the changes, please review them.