Add captcha to new user page #628
Comments
Looking at this defect... some questions:

I have several existing reCAPTCHAs and have no trouble creating one for Clojars, but I really don't think you want me using my account for this. Sorry for the litany of questions, but I figured it is best to get all of them addressed up front or switch to a different validation mechanism if there are issues.
Thanks for taking a look at this, Alan.

> 1. Google Identity: reCAPTCHA's API keys are tied to a Google identity - in order to create one for Clojars I'll need someone who has an official Clojars Google login of some kind. This identity/account will also receive email if Google detects problems (e.g. "misconfiguration errors or an increase in suspicious traffic".)

I have a key created that we can start with. If we want to switch to a key under a clojars-specific account, we can do that in the future I think. Ping me on Slack and I can get the key pair to you.

> 2. Type: There are two kinds: reCAPTCHA V2 (easy) and Invisible reCAPTCHA (more complex.) Which kind do you want to use? I'm guessing the normal V2 type.

Agreed, let's start with V2.

> 3. Domains: Each reCAPTCHA can cover multiple domains - which do we want protected? Just clojars.org or are there any other domains/subdomains, etc. we want covered by the same reCAPTCHA?

Just clojars.org for now.

> 4. Owner Email(s): Each reCAPTCHA can have more than one owner email. Which email addresses do you want as owners?

The key I created just emails me ATM, but I can add you as well for testing if you like. Ideally, the owner should be [email protected], but the form tells me that's an invalid email address for some reason. Maybe you're not allowed a contact at the domain you are protecting? Dunno.

> 5. Security Strength: There are three security preferences ranging from Easiest for users <---> Most secure with one midpoint.

The default appears to be the middle, so let's start there.

> 6. Domain Name Validation: This is on by default but can be turned off. I assume you want to keep the default (on, more secure.)

Yes, let's keep the default.

> 7. Error reporting: Are there any requirements for this? Notify all errors via Sentry? Let Google reCAPTCHA error reporting do its thing? I've never had it report any issues with my sites, but they are low traffic so they aren't representative of what errors clojars.org will encounter when using it.

I guess it depends on the errors - if every auth failure is an error, I'm fine ignoring those. I would just care about communication errors from talking with Google on the backend, and those should probably go through Sentry.
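The error-reporting split agreed on above (a failed challenge is a plain rejection, only backend communication and key misconfiguration get reported) as an added example in Python; it is not Clojars' own code (the project is Clojure), and it assumes the reCAPTCHA v2 `siteverify` JSON shape (`success`, `hostname`, `error-codes`) and a caller-supplied error reporter standing in for Sentry.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
# Codes meaning our own request was wrong (secret, shape): misconfiguration, never a bot.
CONFIG_ERROR_CODES = {"missing-input-secret", "invalid-input-secret", "bad-request"}


class CaptchaBackendError(Exception):
    """Our problem, not the user's: transport failure, garbage reply, bad keys."""


def classify_response(body, expected_hostname="clojars.org"):
    """True = passed, False = failed challenge (not worth reporting),
    CaptchaBackendError = something a maintainer needs to look at."""
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise CaptchaBackendError(f"unparseable siteverify reply: {body!r}") from exc
    codes = set(data.get("error-codes", []))
    if codes & CONFIG_ERROR_CODES:
        raise CaptchaBackendError(f"siteverify configuration error: {sorted(codes)}")
    if not data.get("success"):
        return False  # expired, duplicate or failed challenge: plain rejection
    # Defence in depth beside Google's domain validation: the token must have
    # been solved on our page, not replayed from a widget on another domain.
    return data.get("hostname") == expected_hostname


def verify_captcha(secret, token, remote_ip, expected_hostname="clojars.org", timeout=5.0):
    """POST to siteverify; network trouble surfaces as CaptchaBackendError."""
    payload = urllib.parse.urlencode(
        {"secret": secret, "response": token, "remoteip": remote_ip}).encode()
    try:
        with urllib.request.urlopen(SITEVERIFY_URL, data=payload, timeout=timeout) as resp:
            body = resp.read().decode("utf-8")
    except (urllib.error.URLError, OSError) as exc:
        raise CaptchaBackendError(f"could not reach siteverify: {exc}") from exc
    return classify_response(body, expected_hostname)


def handle_signup(form, remote_ip, verify, report_error):
    """Signup policy from the thread: failed challenges are silently rejected,
    backend errors go to report_error (Sentry in Clojars' case). Both hooks are injected."""
    try:
        human = verify(form.get("g-recaptcha-response", ""), remote_ip)
    except CaptchaBackendError as exc:
        report_error(exc)
        return "error"
    return "created" if human else "rejected"
```

In production `verify` would be `lambda token, ip: verify_captcha(SECRET, token, ip)` and `report_error` the Sentry client's capture call; the injection is what lets the policy be exercised without network access.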
It might be worth looking at https://www.hcaptcha.com for this if we do pick it back up. It doesn't require us to use a Google product.
This should help prevent automated spam signups. Implements #628.
Done via #886.
We've had a few bot-created accounts lately (none of which have uploaded anything). We should try to confirm the account is being created by a real user.
https://www.google.com/recaptcha/intro/index.html