Idea: Bot Detection - Captcha - Githubissues

authgear / authgear-server

Open source alternative to Auth0 / Firebase Auth

https://www.authgear.com

Apache License 2.0

83 stars 37 forks source link

Idea: Bot Detection - Captcha #3186

Closed fungc-io closed 6 months ago

fungc-io commented 1 year ago

Problem

To mitigate automated attacks and messaging spam by detecting if a request may come from bots

Appetite

6 weeks

Solution

Overview

In AuthUI, use captcha to detect bots in the first interaction of each flows.
- Signup
- Login
- Email/Phone verification
- Reset/Change password
Supported Captcha solution
- reCaptcha v2 + v3
- reCaptcha Enterprise
- hCaptcha
- Cloudflare turnstile
- Widget Types: Managed
- a simple built-in one / opensources one for on-perm deployment usage

Configuration

The user can enable the bot detection in the Portal.
It's disabled by default, the user can choose one of the supported service
the user must fill in their own captcha service credentials (except the built-in one)

Credentials needed:

reCaptcha v2:
- Site Key
- Secret Key
reCaptcha v3: (?)
reCaptcha Enterprise:
- Site Key
- API Key
- Project ID
hCaptcha
- Site Key
- Secret Key
Cloudflare Turnstile
- Site Key
- Secret Key

Rabbit holes

The built-in one if proven too complicated for this pitch, could be for next stage (another pitch)
Target to only support built-in AuthUI first. For Authflow API direct usage from end customers, we can discuss in the technical design phase to see how feasible it is.

No-goes

fungc-io commented 6 months ago

Turned into a Project in Backlog - Captcha Support