[Form] Captcha Component

[ky940819]

Feature Request

A Captcha form component should be added to help prevent bots/spamming. Although there is (currently) no server-side validation for forms, a Captcha would go a long way to at least preventing outright abuse.

Describe the solution you'd like

• The proposed solution is to create a Captcha component which could be placed within a Form Container.
• The private/public keys for the Captcha would be controlled via Context-Aware configuration.
• A CaptchaValidator service would be created that would handle validation of tokens.
• The CoreFormHandlingServlet would be updated to check for the presence of a Captcha component within the form, and, if found, pass the submitted token to the validator service prior to forwarding the request to the FormsHandlingServletHelper for processing.
• If the token validation fails then a forbidden response code would be returned.
• Additionally, a policy property would be added to the form container such that a template editor could specify the requirement of a Captcha. This policy would not automagically add a Captcha to all forms, but would cause any form lacking such a Captcha to fail. This feature would serve simply as a mechanism to prevent content authors from forgetting to add a Captcha to their forms - as they would quickly realize that the form always results in a forbidden response.
• Due to the lack of a general server-side validation framework, simply sending a forbidden response would have to suffice at this time. This isn't the most desirable experience; however, there is very little legitimate reason for a Captcha to fail validation after having completed a successful client-side challenge.

Are there alternatives? Currently no OOTB alternatives.

I can submit a PR with this feature, but would appreciate any thoughts or feedback on the proposed solution.

[kwin]

Why not making it an option on the form container? An additional form component could be added multiple times which doesn't make sense for CAPTCHAs. Also such a flag on the container would allow to insert it by default via content policy.

[ky940819]

That was my first thought as well. I didn't like the behavior though because if it's part of the container then where does it go? It would need to be inserted either before the form layout container or after it.

The standard location for a captcha is before the submit button, but that's also a component and may be included multiple times. Having it as a stand alone component allows the author to decide where to place it, and to apply various layouts to it.

[kwin]

IMHO just having a placement dropdown with beginning or end as option is sufficient as CAPTCHAs nowadays are almost always invisible (except for some disclaimer text and the optional modal dialog for the challenge)

[gabrielwalt]

Hi @ky940819, your contribution would be more than welcome!

Your specification makes a lot of sense to me, just one detail:

• For the key, I'd rather control it via a Sling context-aware configuration, as we did for the PDF public key via com.adobe.cq.wcm.core.components.internal.services.pdfviewer.PdfViewerCaConfig. Our current intent is to create a basic AEM admin console for an admin persona to be able to edit these configs, probably by early 2021.

I agree that a validation framework will also greatly enhance the overall experience. Let's hope that we'll be able to tackle this asap, but probably also not before early 2021.

[JasonUSC]

Has there been any progress on adding captcha to forms? The forms components aren't really useful in production without this basic feature.