thelounge / thelounge

💬 Modern, responsive, cross-platform, self-hosted web IRC client
https://thelounge.chat
MIT License

CAPTCHA at login time #1337

Open rastaval opened 7 years ago

rastaval commented 7 years ago

Is reCAPTCHA possible to implement? Thank you! :)

MaxLeiter commented 7 years ago

In public mode? I guess it could see use, but until registration exists it doesn't make a ton of sense to implement. It would require another server-side setting.

rastaval commented 7 years ago

The configuration of my lounge is on public. And I don't want to make it private because it is associated with my site. But a lot of IPs are scanning my lounge, just connecting and quitting (spamming my IRC room with joins and quits). So I wish to put reCAPTCHA on it.

MaxLeiter commented 7 years ago

If you hop on IRC I can walk you through setting it up.

rastaval commented 7 years ago

I'm there. Thanks a lot.

ghost commented 7 years ago

Implementing this for private servers would probably be nice too; I don't think there's anything against brute-force attacks right now?

astorije commented 7 years ago

On a private instance, I think this should only be present in an account creation page (like #914 attempt) and not at every login.

ghost commented 7 years ago

@aspic Every login seems overkill, but maybe after three failed attempts?

dgw commented 7 years ago

CAPTCHA protection that kicks in after n failed login attempts would be good. A number of other services do it, including big players like Google.

astorije commented 7 years ago

So, all the time on public instance, after 3 failed logins on private instance, and whenever someone works on #914 / #641 again, there as well. This does not warrant yet another option IMO, let's make this a reasonable experience for the user, and have it where it should.

In my mind though, a captcha is so 2000s 😅 I know Google has the "I'm not a robot" thing. Is there a way we can do something that un-intrusive without requiring the use of Google or another third party?

dgw commented 7 years ago

In my mind though, a captcha is so 2000s :sweat_smile: I know Google has the "I'm not a robot" thing.

That is reCAPTCHA. They call it "the No CAPTCHA reCAPTCHA experience". I wasn't able to find anything offhand that would let The Lounge do it without a third-party dependency, though.

ghost commented 7 years ago

Sure, but is there any other real way of defeating spam/brute-force? 😕 I don't think showing one every time on a public instance is needed, but hey, I guess it could be a config option.

There's https://github.com/DoubleSpout/ccap & https://github.com/lemonce/svg-captcha among the very few FOSS alternatives, but I personally don't really mind using a Google service in this case.

astorije commented 7 years ago

Sure, but is there any other real way of defeating spam/brute-force? 😕

Plenty, some are creative and not really preventing anything, some are very efficient but obstructive. You can see things like "Enter the result of 1 + 2" (or what I've seen very recently, 0.1 + 0.2 ahah), or "What day of the week is today", etc. but those get annoying.

Because of the essence of the project (i.e. we are not Google nor any other favorite target), we could do something as simple as radio buttons: "Are you a robot? ( ) Yes ( ) No" and 99.9% of the spam would be avoided. This is the same rule as displaying "email @ domain dot com" on a website: while it is the easiest thing to detect if you're a spammer, it is good enough in pretty much all cases, because there are so many easy targets out there that spammers don't try too hard. This would make for a pleasant experience and I'd be surprised if you got any robot-generated spam with that. It would also save us from maintaining an image generator, etc., so much easier for us. And finally, implementing it would be much easier, with fewer edge cases, fewer accessibility/usability issues, etc., meaning it can end up in a release sooner :)

but hey, I guess it could be a config option.

Ahahah, I knew this was coming :D As usual, my motto is: if the UX is excellent, no need for an option. If the UX is atrocious, let's fix it instead. If we have to be anywhere in the middle, then let's consider an option :)

I personally don't really mind using a Google service in this case.

We will definitely not force our users/admins to tie their instance to a third party, let alone to Google, especially after we just removed a privacy leak (https://github.com/thelounge/lounge/pull/1307) and are working on notifications that don't require tying to Google (https://github.com/thelounge/lounge/pull/1124) :) Hope you understand where we're coming from!

That is reCAPTCHA. They call it "the No CAPTCHA reCAPTCHA experience".

Ah, that's correct, I read this thread about adding a CAPTCHA thing in general, not specifically reCAPTCHA. Will rename the issue to make it clear we are not set on the details.

ghost commented 7 years ago

Hope you understand where we're coming from!

I absolutely understand the concern, I meant that as a "I personally don't mind but I know others do".

Because of the essence of the project (i.e. we are not Google nor any other favorite target), we could do something as simple as radio buttons: "Are you a robot? ( ) Yes ( ) No" and 99.9% of the spam would be avoided.

That would probably stop random crawlers, but not an attack directed at a specific instance, though. Maybe an IP-based rate limit? Or maybe I'm just a bit too paranoid~

By the way, kudos for your concerns about UX, The Lounge definitely feels polished. :)
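The two mechanisms discussed above (a challenge that kicks in after three failed logins, as dgw and astorije propose, and the per-IP rate limit ghost suggests) combined into one in-memory login guard. This is an added example, not The Lounge's own code; `LoginGuard`, its option names and the injectable `now` clock are all hypothetical, and a real deployment would also need to consider proxies (X-Forwarded-For) and persistence across restarts.

```javascript
// Added example (not The Lounge's code): per-IP login guard combining
// "challenge after N failures" with "at most M attempts per window".
// In-memory only; the `now` option exists so tests can control time.
class LoginGuard {
  constructor({ failuresBeforeChallenge = 3, maxAttemptsPerWindow = 10,
                windowMs = 60 * 1000, now = Date.now } = {}) {
    this.failuresBeforeChallenge = failuresBeforeChallenge;
    this.maxAttemptsPerWindow = maxAttemptsPerWindow;
    this.windowMs = windowMs;
    this.now = now;
    this.byIp = new Map(); // ip -> { failures, attempts: [timestamps] }
  }

  _entry(ip) {
    let e = this.byIp.get(ip);
    if (!e) {
      e = { failures: 0, attempts: [] };
      this.byIp.set(ip, e);
    }
    return e;
  }

  // Drop attempt timestamps that fell out of the sliding window.
  _prune(e) {
    const cutoff = this.now() - this.windowMs;
    e.attempts = e.attempts.filter((t) => t > cutoff);
  }

  // Call BEFORE verifying the password. Returns:
  //   "reject"    - too many attempts in the window, do not even check
  //   "challenge" - password may be checked only with a solved robot check
  //   "allow"     - normal login form
  check(ip) {
    const e = this._entry(ip);
    this._prune(e);
    if (e.attempts.length >= this.maxAttemptsPerWindow) return "reject";
    if (e.failures >= this.failuresBeforeChallenge) return "challenge";
    return "allow";
  }

  // Call AFTER the password check. Success clears the failure counter
  // (so the challenge disappears) but still counts toward the rate limit.
  record(ip, succeeded) {
    const e = this._entry(ip);
    this._prune(e);
    e.attempts.push(this.now());
    e.failures = succeeded ? 0 : e.failures + 1;
  }
}
```

The server would show the "Are you a robot?" control only when `check()` returns "challenge", so a normal user never sees it unless their IP has already failed three times.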