crowdsec-bouncer-traefik-plugin
[FEATURE] Support Captcha and Appsec mode at the same time
Is your feature request related to a problem? Please describe. 🐛
Currently, if appsec is enabled, captcha remediation is never called.
if bouncer.appsecEnabled {
	if err := appsecQuery(bouncer, remoteIP, req); err != nil {
		// AppSec rejected the request: the ban handler is called directly,
		// so a captcha decision is never considered here.
		bouncer.log.Debug(fmt.Sprintf("handleNextServeHTTP ip:%s isWaf:true %s", remoteIP, err.Error()))
		handleBanServeHTTP(bouncer, rw)
		return
	}
}
Describe the solution you'd like ✨
If appsec is enabled, it should call handleRemediationServeHTTP, which decides what remediation to call (ban or captcha).
However, should we cache that the captcha has been completed by the user?
If a malicious user completes a captcha manually, they are then cached in the allow list and can use auditing tools with no additional checks from appsec.
If we don't cache and appsec returns a false positive on some pages, the user experience would not be great, as the user would have to do a captcha each time he visits this one page.
A last solution could be to cache the user IP and the page accessed, for instance, as a middle ground.
We're open to suggestions on this.
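An added illustration of the middle-ground option above, written for this issue and not taken from the plugin's code: the AppSec verdict is honoured as either a ban or a captcha instead of an unconditional ban, and solved captchas are cached per client IP and page, so a captcha solved on one path waives nothing on any other path. The Remediation type, the cache and decide are assumptions for the example; the cache is a plain map with no locking.

```go
package main

import "time"

// Remediation is the action the bouncer applies; an AppSec verdict is
// modelled as a Remediation too: Allow, Captcha or Ban.
type Remediation int

const (
	Allow Remediation = iota
	Captcha
	Ban
)

// captchaCache records solved captchas keyed by client IP plus path (the
// "IP and page" middle ground from the issue), each with an expiry.
type captchaCache struct {
	entries map[string]time.Time
	ttl     time.Duration
}

func newCaptchaCache(ttl time.Duration) *captchaCache {
	return &captchaCache{entries: map[string]time.Time{}, ttl: ttl}
}

// Complete marks a captcha as solved for this IP on this path only.
func (c *captchaCache) Complete(ip, path string, now time.Time) {
	c.entries[ip+"|"+path] = now.Add(c.ttl)
}

// Valid reports whether an unexpired captcha exists for this IP and path.
func (c *captchaCache) Valid(ip, path string, now time.Time) bool {
	exp, ok := c.entries[ip+"|"+path]
	return ok && now.Before(exp)
}

// decide honours the AppSec verdict (Captcha or Ban) instead of always
// banning, and waives a captcha only for the IP+path pair that solved one,
// so the same client is still challenged or banned on every other page.
func decide(verdict Remediation, c *captchaCache, ip, path string, now time.Time) Remediation {
	if verdict == Captcha && c.Valid(ip, path, now) {
		return Allow
	}
	return verdict
}
```

A Ban verdict is never waived by the cache, and an entry older than the TTL forces a new captcha on the same page.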
Following, probably unable to be of much help.
Follow-up: right now the best approach is to use handleBanServeHTTP and not handleRemediationServeHTTP, so appsec takes precedence and is not bypassed by a captcha decision grace period.
Will look into what other bouncers are doing and what the CrowdSec doc might recommend.