Open SebastianGode opened 5 months ago
I've thought about this feature before. I'm not sure how FriendlyCaptcha works, but in mCaptcha we have lifetimes for the PoW challenges (and the authorization token received after successful PoWs). The lifetime is the same as the cooldown period.
So if the PoW generated becomes too old, then it will be rejected. And since it is a background process, the visitor will experience an unexplained delay because of it.
Personally, I would love to see this feature in mCaptcha, but it has to be built with good guardrails. I would appreciate any input that you might have in this regard.
Generally the easiest solution would be to just increase the lifetime to like 5 minutes. If it takes even longer for the user to fill something in, the frontend captcha would just need to get back to a "timeout" state and recheck again. ReCaptcha does that in the same way: if you fill out the captcha and you need more than 5 min, it will automatically return to the non-filled state as the token isn't valid anymore. I would assume that FriendlyCaptcha does it the same way.
Wouldn't the following workflow be viable to minimize disruption to the user?
Using this approach, the token's lifetime remains unchanged, and the mCaptcha widget can be completely hidden from the user. Additionally, users no longer have to wait for the result after clicking, further enhancing the user experience.
TL;DR: The client continuously receives, solves, and submits challenges until the user initiates the final action necessitating the computed token.
It would be great if the captcha check could be automatically started with a JavaScript trigger. I haven't found a way to do that (or at least I'm not aware of one).
Background: If I use the captcha for a contact form, it can automatically be solved once the user enters the text in a text field so he doesn't need to click on it and wait for it before sending the contact form.
Solutions like FriendlyCaptcha have this feature.
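
The background-solving idea discussed in this thread (keep solving so a fresh token is ready at submit, fall back to a "timeout" state when it has expired) can be sketched as a small client-side token cache. This is an added example, not code from mCaptcha, FriendlyCaptcha or any participant in the thread; `TokenKeeper`, `keepFresh`, `solveChallenge` and all parameter names are hypothetical, and it assumes the client knows the token lifetime and that tokens are single use.

```javascript
// Added illustration: not mCaptcha or FriendlyCaptcha code. Every name here is hypothetical.
class TokenKeeper {
  // lifetimeMs: token lifetime announced by the server (assumed known to the client)
  // marginMs:   re-solve this long before expiry so a fresh token is ready at submit
  constructor({ lifetimeMs, marginMs, now = () => Date.now() }) {
    this.lifetimeMs = lifetimeMs;
    this.marginMs = marginMs;
    this.now = now;
    this.token = null;
    this.receivedAt = 0;
    this.pending = false;
  }
  age() { return this.now() - this.receivedAt; }
  // True when a background solve should start: nothing is in flight and the
  // cached token is missing or close to expiry.
  shouldSolve() {
    if (this.pending) return false;
    return this.token === null || this.age() >= this.lifetimeMs - this.marginMs;
  }
  beginSolve() { this.pending = true; }
  failSolve() { this.pending = false; }
  store(token) {
    this.token = token;
    this.receivedAt = this.now();
    this.pending = false;
  }
  // Called on submit. Tokens are treated as single use (assumption); null means
  // the widget must return to its "timeout" state and solve again. The server
  // still enforces the real lifetime; this check is only a client-side hint.
  take() {
    const fresh = this.token !== null && this.age() < this.lifetimeMs;
    const token = fresh ? this.token : null;
    this.token = null;
    return token;
  }
}

// Wiring: solveChallenge is a caller-supplied async function (fetch challenge,
// compute PoW, exchange it for a token). Returns a function that stops the loop.
function keepFresh(keeper, solveChallenge, pollMs = 1000) {
  const tick = () => {
    if (!keeper.shouldSolve()) return;
    keeper.beginSolve();
    solveChallenge().then((t) => keeper.store(t), () => keeper.failSolve());
  };
  tick();
  const id = setInterval(tick, pollMs);
  return () => clearInterval(id);
}
```

A page would call `keepFresh` from the first input event on the form and `take()` in the submit handler.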