desirepath41 / visualCaptcha

visualCaptcha's Main Repo. This is a collection of all the different versions/repos of visualCaptcha.
https://emotionloop.github.io/visualCaptcha-demo/

Don't let the client pick the number of possibilities #17

Closed jasny closed 9 years ago

jasny commented 9 years ago

Currently in the demos, the client application (browser) can pick the number of possibilities. This allows a spammer to simply do /start/2 and succeed on 50% of the tries.

The number of possibilities should be a fixed setting on the server and never be allowed to be set by the client.

BrunoBernardino commented 9 years ago

The server does set a minimum limit, which can be customized by everyone.

I understand the need for your requirement, but we intentionally left this open so people can define how many images to show easily, from many places for visualCaptcha.

We can increase the minimum limit to 4 instead of 2, though. What do you think about that?

jasny commented 9 years ago

Letting the front end choose the number of options is basically letting the user (spammer) choose how secure he wants to have it. He'll always choose the lowest number possible: 2.

Showing 2, 5 or 20 images in your application, set by the client, will have zero impact on the security. So if you set the system minimum to 4, there is absolutely no reason to show more than 4 images on the client.

Conclusion: In order for the developer to decide the level of security, the number of images must be set on the server, never ever by the client.

BrunoBernardino commented 9 years ago

Great argument, Arnold, and I hope you understand you can already do that with visualCaptcha. Set whatever you want the number of images to be for your needs. We're talking about improving the "default" security.

I'm curious, though: How do you propose this could be done, keeping in mind you can have more than one visualCaptcha in your application?

jasny commented 9 years ago

If you want the number of options to differ for each place, simply use the namespace.

In this example the number of options is defined per ns and defaults to 8.

// Number of images per namespace, fixed on the server (object literal uses ':' not '=>')
var howmany = {
  'login': 8,
  'register': 12,
  'comment': 5
};

var visualCaptcha = require( 'visualcaptcha' )( req.session, req.query.namespace );
// Unknown namespaces fall back to the default of 8
visualCaptcha.generate( howmany[ req.query.namespace ] || 8 );
res.status( 200 ).send( visualCaptcha.getFrontendData() );

As you see, there is no req.params.howmany.

The demo code is important, since most users will just copy/paste this stuff.

BrunoBernardino commented 9 years ago

Sounds like a good idea. It's harder to guess a namespace with fewer images than just the number.

Do you want to make a PR about it?

I'm planning to spend some time revising some things in all the back-ends perhaps in April, but definitely not sooner, since there's nothing critical for now.

jasny commented 9 years ago

When you're doing a post, the client doesn't need to pass the captcha namespace. If I do a login action, the server should just use the 'login' namespace. So no guessing will grant you fewer options.

I might do a PR for PHP and/or NodeJS if I have time. Though I also have a ton of work / open issues on my own open source projects.

BrunoBernardino commented 9 years ago

All packages and demos updated with a higher limit. As for your suggestion on using the namespace, it really gets deep into how the integration is made, since the request to /start/* will need to parse some kind of parameter to know where it's being set from, or using the session.

It will make initial setup harder, though, so I don't think it's good to have it there by default.