
Incompatible with django-recaptcha

Open agseaton opened this issue 1 year ago • 3 comments

Many sites need to prevent misuse by bots, and this is often accomplished with Google reCAPTCHA. The package django-recaptcha allows this to be integrated into a Django form.

Unfortunately, at present django-formset appears to be incompatible with django-recaptcha.

I've created a test case to demonstrate this; please see eab80b7.

At the moment I'm not sure precisely what the issue is that prevents reCAPTCHA from working. I get the following error from the django test server: WARNING: Unprocessable Entity: /bootstrap/article-captcha

Additionally, Google Chrome shows the response from the server as {"captcha": ["This field is required."]}.

agseaton avatar Apr 05 '23 01:04 agseaton

I'm unsure if Captchas are still a feasible solution to prevent form abuse. OCR often is better than humans, making Captchas obsolete. Using Google's Recaptcha might be a solution, but then you run into GDPR issues.

If you know about a solution which works as well as Google's Recaptcha and does not require any user input, please let me know. I have some ideas on this myself, but I'm open to good and user-friendly solutions.

jrief avatar Apr 14 '23 08:04 jrief

Yesterday I had a look at possible solutions. Captchas decrease the user experience, and that's the opposite of the intention of this library. Therefore, instead of Captchas, I would suggest letting the client do a proof of work. This means that the server creates a set of puzzles that the client has to solve. This at least will slow down brute force attacks considerably.

If you're willing to implement them, I can give you all the instructions on how to do this.

jrief avatar Apr 19 '23 11:04 jrief
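A minimal version of the proof-of-work scheme proposed above, as an added example that is not part of this issue or of django-formset: the server issues an HMAC-signed puzzle, the client finds a counter whose SHA-256 hash has enough leading zero bits, and the server verifies with a single hash and MAC check while rejecting tampered, expired and replayed solutions. The key, difficulty and TTL values are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumption: in a real deployment the key comes from Django settings.
SERVER_KEY = os.environ.get("POW_KEY", "constructed-demo-key").encode()
DIFFICULTY_BITS = 12      # ~4096 expected hash attempts per submission
TTL_SECONDS = 300
_used_nonces = set()      # replay guard; use a cache/DB in production

def _leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def issue_challenge(now=None):
    """Server: create a self-authenticating puzzle (nonce, expiry, difficulty, MAC)."""
    exp = int(now if now is not None else time.time()) + TTL_SECONDS
    nonce = secrets.token_hex(16)
    msg = f"{nonce}:{exp}:{DIFFICULTY_BITS}".encode()
    tag = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return {"nonce": nonce, "exp": exp, "bits": DIFFICULTY_BITS, "tag": tag}

def solve_challenge(ch):
    """Client: brute-force a counter; expected cost grows as 2**bits."""
    counter = 0
    while True:
        d = hashlib.sha256(f"{ch['nonce']}:{counter}".encode()).digest()
        if _leading_zero_bits(d) >= ch["bits"]:
            return counter
        counter += 1

def verify_solution(ch, counter, now=None):
    """Server: one hash plus one MAC check, regardless of the client's effort."""
    now = now if now is not None else time.time()
    msg = f"{ch['nonce']}:{ch['exp']}:{ch['bits']}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ch["tag"]):
        return False      # nonce, expiry or difficulty were tampered with
    if ch["bits"] < DIFFICULTY_BITS or now > ch["exp"]:
        return False      # difficulty raised since issue, or challenge expired
    d = hashlib.sha256(f"{ch['nonce']}:{counter}".encode()).digest()
    if _leading_zero_bits(d) < ch["bits"]:
        return False      # puzzle not actually solved
    if ch["nonce"] in _used_nonces:
        return False      # a solved puzzle must not be submitted twice
    _used_nonces.add(ch["nonce"])
    return True
```

In a form flow the challenge would be embedded in the rendered form and the counter posted back with it, so the server's cost stays constant while each submission costs the client roughly 2**bits hashes.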

Thanks for getting back to me about this!

I agree that the captchas that rely on OCR/image processing/some other user input are not ideal. And while modern versions of Google recaptcha mostly avoid these problems, I hadn't considered the privacy implications. So perhaps supporting django-recaptcha is not necessary/useful for many real-world applications.

Yes, I'd be interested in looking into the 'proof of work' solution you suggested. I've also seen discussion elsewhere of using 'honeypots' to confuse bots. Perhaps a combination of these two techniques could be a viable solution?

agseaton avatar Apr 20 '23 03:04 agseaton