Add CAPTCHA Support for CredentialsProvider in NextAuth v5

[vdamov]

Goals

1. Enhance security for applications using CredentialsProvider by mitigating automated login attempts.
2. Integrate CAPTCHA services (e.g., Cloudflare Turnstile, Google reCAPTCHA) as an optional feature.
3. Provide a configurable solution to allow developers to easily enable and customize CAPTCHA settings.

Non-Goals

1. Implementation of CAPTCHA for OAuth-based providers.
2. Providing CAPTCHA-specific UI designs or themes.
3. Supporting non-standard or custom CAPTCHA solutions outside commonly used services.

Background

CredentialsProvider is widely used for handling custom username and password authentication. However, it currently lacks built-in measures to prevent brute force attacks or automated login attempts. Integrating a CAPTCHA service during the authentication flow would significantly improve security by adding a verification layer to ensure the request is legitimate.
There are alternatives, such as implementing CAPTCHA in custom API routes, but this requires additional effort and may result in inconsistent implementations across projects. Adding native support in NextAuth.js would standardize this security measure and save developers from implementing it manually.

Proposal

Introduce a CAPTCHA validation step in the CredentialsProvider flow. The proposed implementation could include:

• Adding an optional captcha field to the CredentialsProvider configuration object, where developers can specify the CAPTCHA provider (e.g., Google reCAPTCHA, Cloudflare Turnstile).
• Validating the CAPTCHA response server-side before proceeding with credential validation.
• Providing clear documentation and examples for developers on how to enable and configure CAPTCHA support.

[GeorgiGinev]

+1 Looking for such solution.