Implement captcha
Closed this issue · 2 comments
Mapas Coletivos suffered a spam attack at the sign up page a while ago, affecting user registration. We need to implement a captcha strategy to restore new user creation. I believe the options available are:
- Add own image generator with svg-captcha or another node captcha module.
- Add Google ReCaptcha.
It seems that reCaptcha is the least intrusive for the user and more reliable to prevent attacks. There are two public routes exposed to this kind of attack: sign up and reset password. The others are protected by authentication or do not write to the database.
To implement this feature, the affected routes must require a recaptchaToken parameter, containing the token obtained by the web app at reCaptcha service. Also, these routes must query recaptcha verification endpoint and return an error if the token is invalid.
Reference: https://developers.google.com/recaptcha/docs/verify
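The server-side check described in the issue, written as an added example rather than the Mapas Coletivos implementation: `verifyRecaptcha`, `requireRecaptcha` and `fakeFetch` are assumed names, the Express-style `req`/`res`/`next` shape is assumed, and the `fetchImpl` parameter exists so the verification call can be exercised offline with a constructed fake response.

```javascript
// Added example (not the project's code): verify the recaptchaToken that the
// sign-up and reset-password routes must require, against the siteverify
// endpoint from https://developers.google.com/recaptcha/docs/verify.
const VERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

// POST the token to siteverify and return { ok, reason }.
// fetchImpl is injected (assumed design) so the check can run offline in tests.
async function verifyRecaptcha(token, { secret, remoteIp, fetchImpl = fetch } = {}) {
  if (typeof token !== 'string' || token.length === 0) {
    return { ok: false, reason: 'missing-input-response' };
  }
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set('remoteip', remoteIp);
  let data;
  try {
    const res = await fetchImpl(VERIFY_URL, { method: 'POST', body });
    data = await res.json();
  } catch (err) {
    // Fail closed: if verification is unreachable, the request is not allowed through.
    return { ok: false, reason: 'verification-unavailable' };
  }
  if (data.success !== true) {
    // siteverify reports failures in "error-codes"; surface them for logging.
    return { ok: false, reason: (data['error-codes'] || ['unknown']).join(',') };
  }
  return { ok: true, reason: null };
}

// Express-style middleware: reject the request unless req.body.recaptchaToken verifies.
function requireRecaptcha(options) {
  return async function (req, res, next) {
    const token = req.body && req.body.recaptchaToken;
    const result = await verifyRecaptcha(token, { ...options, remoteIp: req.ip });
    if (!result.ok) {
      return res.status(400).json({ error: 'invalid recaptcha', reason: result.reason });
    }
    return next();
  };
}

// Constructed fake of fetch for offline use: accepts exactly one token and
// answers anything else the way siteverify does for a bad token.
function fakeFetch(validToken) {
  return async (_url, { body }) => {
    const token = body.get('response');
    const payload = token === validToken
      ? { success: true }
      : { success: false, 'error-codes': ['invalid-input-response'] };
    return { json: async () => payload };
  };
}
```

In production the real `fetch` is used by default and `secret` is the site's server-side reCAPTCHA secret, which must never be shipped to the browser.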
Implemented in #53 and reviewed by @bwstefano at the staging environment.