Open agseaton opened 1 year ago
I'm unsure if Captchas are still a feasible solution to prevent form abuse. OCR often is better than humans, making Captchas obsolete. Using Google's Recaptcha might be a solution, but then you run into GDPR issues.
If you know about a solution which works as well as Google's Recaptcha and does not require any user input, please let me know. I have some ideas on this myself, but I'm open to good and user-friendly solutions.
Yesterday I had a look at possible solutions. Captchas decrease the user experience and that's the opposite of this library's intention. Therefore, instead of Captchas, I would suggest letting the client do a proof of work. This means that the server creates a set of puzzles the client has to solve. This at least will slow down brute-force attacks considerably.
If you're willing to implement them, I can give you all the instructions on how to do this.
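The proof-of-work idea suggested above, as an added example that is not part of the thread or of django-formset: the server issues an HMAC-signed puzzle, the client searches for a counter whose SHA-256 hash has a required number of leading zero bits, and the server checks the answer with a single hash. The hashcash-style puzzle, the function names, the difficulty and the lifetime are all assumptions, and the example uses one puzzle per form rather than a set; the thread does not specify a design.

```python
import hashlib
import hmac
import os
import time

SECRET = os.urandom(32)   # assumption: server-side key, e.g. derived from settings
DIFFICULTY_BITS = 16      # assumption: about 65,000 hashes on average per form
TTL_SECONDS = 120         # assumption: how long an issued puzzle stays valid
_spent = set()            # solved puzzles; a real deployment would use a shared cache

def issue_challenge(now=None):
    """Server: return a signed puzzle 'salt:expiry:bits:mac' to embed in the form."""
    now = time.time() if now is None else now
    body = f"{os.urandom(8).hex()}:{int(now) + TTL_SECONDS}:{DIFFICULTY_BITS}"
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{mac}"

def _leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def solve(challenge):
    """Client: search for a counter (in a browser this loop would be JavaScript)."""
    bits = int(challenge.split(":")[2])
    counter = 0
    while True:
        digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
        if _leading_zero_bits(digest) >= bits:
            return counter
        counter += 1

def verify(challenge, counter, now=None):
    """Server: one HMAC and one hash, however long the client had to search."""
    now = time.time() if now is None else now
    try:
        salt, expiry, bits, mac = challenge.split(":")
        body = f"{salt}:{expiry}:{bits}"
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False  # puzzle was not issued by us, or difficulty was edited
        if now > int(expiry) or challenge in _spent:
            return False  # stale puzzle, or a solution being replayed
        digest = hashlib.sha256(f"{challenge}:{int(counter)}".encode()).digest()
        if _leading_zero_bits(digest) < int(bits):
            return False  # the work was not done
    except (ValueError, TypeError, AttributeError):
        return False      # malformed input from the client
    _spent.add(challenge)
    return True
```

The MAC covers the difficulty and expiry, so a client cannot lower the cost or reuse an old puzzle, and the replay set stops one solved puzzle from being submitted many times.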
Thanks for getting back to me about this!
I agree that the captchas that rely on OCR/image processing/some other user input are not ideal. And while modern versions of Google recaptcha mostly avoid these problems, I hadn't considered the privacy implications. So perhaps supporting django-recaptcha is not necessary/useful for many real-world applications.
Yes, I'd be interested in looking into the 'proof of work' solution you suggested. I've also seen discussion elsewhere of using 'honeypots' to confuse bots. Perhaps a combination of these two techniques could be a viable solution?
Many sites need to prevent misuse by bots, and this is often accomplished with Google reCAPTCHA. The package django-recaptcha allows this to be integrated into a Django form.
Unfortunately, at present django-formset appears to be incompatible with django-recaptcha.
I've created a test case to demonstrate this; please see eab80b7.
At the moment I'm not sure precisely what the issue is that prevents reCAPTCHA from working. I get the following error from the django test server:
WARNING: Unprocessable Entity: /bootstrap/article-captcha
Additionally, Google Chrome shows the response from the server as {"captcha": ["This field is required."]}.