bitvora / wot-relay

archiving every note in your web of trust
65 stars, 24 forks

new Feature: Add a Captcha for allowing new users to be whitelisted #50

Open girino opened 1 month ago

girino commented 1 month ago

As I proposed in: https://primal.net/e/note1wfe2rcdxl5eqwmkxefk6z7uxj3vq7lm3y5030lzhmrw8eznl9jus7rxnc6

The idea should be, we add a page with a captcha and a place for the user to paste their npub. If they answer the captcha correctly, user gets added to a whitelist for a limited time (say 24h).

If user tries to access the relay and is not in the whitelist, nor in the WoT, relay responds with both an "auth" request and a private message pointing to the url of the captcha page.

When validating events, check for both WoT and whitelist.

If user tries to abuse the captcha page (3 bad captchas in a minute, or 10 bad captchas in an hour), blacklist them and their IP address.

What do you think about it?
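One way the admission logic proposed above could be put together, as an added example that is not wot-relay's own code: the Gate type, the Decision values, the injected inWoT lookup and clock, and the npub strings are all assumptions of this example (npubs are treated as opaque strings; no nostr library is used). It covers the three pieces of the proposal: a captcha whitelist that expires after a TTL, an event/connect check that consults the WoT and then the whitelist, and a failed-captcha counter that blacklists both the npub and the IP at 3 failures in a minute or 10 in an hour.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

type Decision string // what the relay does with a client identified by (ip, npub)

const (
	AllowWoT       Decision = "allow: in web of trust"
	AllowWhitelist Decision = "allow: temporary captcha whitelist"
	DenyBlacklist  Decision = "deny: blacklisted"
	DenyCaptcha    Decision = "deny: send AUTH challenge plus DM with the captcha URL"
	maxFailPerMinute        = 3  // abuse thresholds from the proposal:
	maxFailPerHour          = 10 // 3 bad captchas in a minute or 10 in an hour
)

// Gate combines the relay's WoT lookup with the captcha whitelist and the abuse blacklist.
// inWoT and now are injected (assumptions of this example); npubs are opaque strings here.
type Gate struct {
	mu        sync.Mutex
	inWoT     func(npub string) bool
	now       func() time.Time
	ttl       time.Duration          // lifetime of a whitelist entry (24h in the proposal)
	whitelist map[string]time.Time   // npub -> expiry
	blacklist map[string]struct{}    // npub or IP
	failures  map[string][]time.Time // npub or IP -> failed-captcha timestamps, last hour only
}

func NewGate(inWoT func(string) bool, ttl time.Duration, now func() time.Time) *Gate {
	return &Gate{inWoT: inWoT, now: now, ttl: ttl, whitelist: map[string]time.Time{},
		blacklist: map[string]struct{}{}, failures: map[string][]time.Time{}}
}

func (g *Gate) isBlacklisted(key string) bool { _, ok := g.blacklist[key]; return ok }

// Decide runs on connect and when validating events: blacklist, then WoT, then unexpired whitelist.
func (g *Gate) Decide(ip, npub string) Decision {
	g.mu.Lock()
	defer g.mu.Unlock()
	if g.isBlacklisted(ip) || g.isBlacklisted(npub) {
		return DenyBlacklist
	}
	if g.inWoT(npub) {
		return AllowWoT
	}
	if exp, ok := g.whitelist[npub]; ok && g.now().Before(exp) {
		return AllowWhitelist
	}
	return DenyCaptcha
}

// SubmitCaptcha is the captcha page handler's hook: client IP, pasted npub, whether the
// challenge was solved. It returns the outcome of that submission.
func (g *Gate) SubmitCaptcha(ip, npub string, solved bool) Decision {
	g.mu.Lock()
	defer g.mu.Unlock()
	if g.isBlacklisted(ip) || g.isBlacklisted(npub) {
		return DenyBlacklist // a blacklisted client cannot earn a whitelist entry
	}
	if solved {
		g.whitelist[npub] = g.now().Add(g.ttl)
		return AllowWhitelist
	}
	// A failure counts against both address and identity, so rotating either alone does not evade the limit.
	for _, key := range []string{ip, npub} {
		if m, h := g.recordFailure(key); m >= maxFailPerMinute || h >= maxFailPerHour {
			g.blacklist[ip], g.blacklist[npub] = struct{}{}, struct{}{}
			delete(g.whitelist, npub) // the blacklist overrides any earlier whitelist entry
			return DenyBlacklist
		}
	}
	return DenyCaptcha
}

// recordFailure stores a failed attempt, forgets entries older than the longest window and
// returns how many failures the key has accumulated in the last minute and the last hour.
func (g *Gate) recordFailure(key string) (lastMinute, lastHour int) {
	now := g.now()
	var kept []time.Time
	for _, t := range append(g.failures[key], now) {
		if age := now.Sub(t); age < time.Hour {
			kept = append(kept, t)
			lastHour++
			if age < time.Minute {
				lastMinute++
			}
		}
	}
	g.failures[key] = kept
	return lastMinute, lastHour
}

func main() { // constructed demo: "npub1trusted" is the only key in the WoT
	g := NewGate(func(npub string) bool { return npub == "npub1trusted" }, 24*time.Hour, time.Now)
	fmt.Println(g.Decide("203.0.113.5", "npub1newbie"), "|", g.SubmitCaptcha("203.0.113.5", "npub1newbie", true))
}
```

Two points worth keeping in mind if something like this is wired into a relay: the blacklist is checked before the WoT, so a poisoned shared address (NAT, VPN, Tor exit) also locks out trusted users behind it, and the in-memory maps are lost on restart, so a persistent store is needed if bans are meant to outlive the process.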

derekross commented 1 month ago

As a runner of a popular WoT relay, I don't feel this fits the scope of WoT. This feature would allow anyone outside of the Web of Trust to utilize the relay. Maybe this could be added as an optional feature?

Perhaps you could just run the Pyramid relay and utilize the invite tree and manually build out the WoT with invites.

girino commented 1 month ago

> As a runner of a popular WoT relay, I don't feel this fits the scope of WoT. This feature would allow anyone outside of the Web of Trust to utilize the relay. Maybe this could be added as an optional feature?

It may be seen as fitting the scope if you consider the major flaw of WoT relays is making it difficult for newbies to enter the WoT. This would give the newbies a temporary way in.

And of course, as anything in nostr, this should be optional!

derekross commented 1 month ago

I understand WoT alienates new users; it's a downfall. However, that's how a trust model works. They are new and have not yet earned said trust. Clicking on a few buttons doesn't mean I trust said user. It means that they're verified as human. That seems different here. Optional would be best so that you could decide what type of relay you wish to run. Do you wish to run a relay of verified humans or a relay of trusted humans? There's a benefit to both options. I still think it's out of scope, but I can see the need for it.

barrydeen commented 1 month ago

I think we should add this as an option. As well as others like paying sats, or even email verification. A relay operator can decide what methods they trust.

Everyone on nostr is crying so much about spam but also resisting WoT because of the new user issue.