New-user creation will probably break with integration of ReCAPTCHA

[jimrandomh]

LessWrong gets a lot of spam, in the form of a bot which creates accounts and then makes a single post from it. This spam isn't displayed on the site, because we hide posts from new users until a moderator approves them, but it's been clogging up the moderation queue, so we want to put a CAPTCHA into the new-user creation process. We plan to use reCAPTCHA v2.

GreaterWrong also has a new-user creation form, which will probably break when we add a CAPTCHA requirement. The simplest fix would probably be to tell users to create accounts via LessWrong; a more complex fix would involve integrating reCAPTCHA into GreaterWrong.

[Discordius]

reCAPTCHA v3 actually just seems better than reCAPTCHA v2.

In either case, I would be happy to help you set it up so that users can still create accounts via Greaterwrong. Also open to alternative ideas about how to limit spam.

[kronusaturn]

The simplest way of dealing with this would be to add a captcha to GreaterWrong and then skip the LW-side captcha check using the same whitelist that's used for trusting X-Forwarded-For; would that be acceptable?

[Discordius]

Our current plan is actually that we simply add a captcha to LW that allows us to automatically verify users when they pass the captcha.

When signing up via GW or some other external service they don't get the captcha which just means we don't verify them automatically and instead add them to the user review queue, which is usually processed in less than 24 hours. The only drawback of not being reviewed is not being able to post (commenting still works from an unreviewed account), which is a rare thing for a new user to do anyways, so I think this gets us basically everything we want.

[Discordius]

I think if spam from GW becomes a problem, or something in that space, then we can probably reassess

[jpaddison3]

[EA Forum dev here] Possible solution: can you add ReCaptcha v3 to your site and use the LW and EA Forum apiKeys? They're not secrets, and Google will I believe happily tell us GW sign ups are legitimate when our backends ask.