[GMG-Devel] CAPTCHA framework for your consideration

[ayleph]

Hi Goblins!

As some of you may know, I cobbled together a Google reCAPTCHA plugin a 
while back. My reCAPTCHA solution was far from optimal. I basically 
reimplemented the entire basic_auth plugin with customized views just so 
I could add a bit of CAPTCHA code to a page and receive POST data back. 
And the reCAPTCHA plugin couldn't be run alongside the basic_auth 
plugin; to ensure that the CAPTCHA view showed properly, you had to 
disable the basic_auth plugin.

In the months since my first CAPTCHA attempt, I've been thinking a lot 
about how to recreate my plugin in a more efficient way. Rather than 
replacing the basic_auth plugin, it should supplement the basic_auth 
plugin with only the CAPTCHA code. I think I've finally found a way to 
make that happen that makes sense in a MediaGoblin sort of way, and I'd 
like to present that for your consideration.


I. Basic Needs
In my mind, a CAPTCHA plugin needs to perform two main functions. First, 
it should display a CAPTCHA challenge on the appropriate view(s). 
Second, it should provide a mechanism of validating the CAPTCHA 
response, which probably requires analyzing some POST data of a form.


II. Hook it up
In the world of Gnu MediaGoblin, we seem to handle this kind of stuff 
with hooks. A simple template_hook should suffice for the function of 
displaying a CAPTCHA challenge. To that end, I propose we add a 
"captcha_challenge" template hook which can be placed wherever 
appropriate. For a specific example, I would suggest adding it to the 
register view [1], which would appear something like [2].

The second function is a little trickier. A CAPTCHA plugin must process 
POST data from a form with varying field names. A CAPTCHA plugin could 
provide its own forms and views to accommodate these extra fields, but 
this causes the CAPTCHA plugin to duplicate functionality (displaying 
forms and views) that the basic_auth plugin already does. One option I 
discovered was to allow appending fields to a form by adding a 
@classmethod on the base form. However, it doesn't seem to be in the 
spirit of the MediaGoblin codebase. The solution I've come up with is to 
add an additional authentication hook. I propose we add an 
"auth_captcha_challenge" authentication hook which passes the entire 
request object to a plugin for CAPTCHA validation. There currently 
exists an "auth_extra_validation" hook which I tried to use for this 
purpose, but the "auth_extra_validation" only passes the registration 
form object, and I need access to POST data for fields which don't exist 
in the registration form. Because of this, I opted to create a dedicated 
hook for CAPTCHA processing which passes the entire request object. I 
propose to implement this hook into the base auth code [3].


III. Summary of proposed changes
To ease the creation of various CAPTCHA plugins, I would like to 
implement two changes into the MediaGoblin infrastructure. First, I 
would like to add a "captcha_challenge" template hook which can be used 
to add CAPTCHA code to a page. Second, I would like to add a 
"auth_captcha_challenge" authentication hook which will actually perform 
the CAPTCHA validation. I have compiled these changes (along with basic 
API documentation for the auth_captcha_challenge hook) in a branch for 
your consideration [4].


IV. Proof of concept
The branch linked below [4] and an updated Google no CAPTCHA reCAPTCHA 
plugin (thanks to yanosz on GitHub for his contributions) are running on 
a test instance of mine [5]. However, there is currently a bug in the 
CAPTCHA plugin which causes it to fail if you're blocking scripts on the 
domain, so please be aware that the server error is due to a bug in the 
CAPTCHA plugin itself, not in the template or authentication hook 
implementation.


Thank you. I look forward to your responses.

[1] 
https://gitorious.org/mediagoblin/aylephs-mediagoblin/commit/ca90cdb44cbfe12e9d3a870244000445efd1dff7
[2] https://goblinrefuge.com/mediagoblin/u/andrew/m/captcha-challenge/
[3] 
https://gitorious.org/mediagoblin/aylephs-mediagoblin/commit/3f11524ce4034f191ec9f4f24d412f2324e2ca94
[4] 
https://gitorious.org/mediagoblin/aylephs-mediagoblin/commits/ca90cdb44cbfe12e9d3a870244000445efd1dff7
[5] http://gmgtest.thisshitistemp.com/auth/register/

--
ayleph