Open source alternative to reCAPTCHA for GitLab.com registration
What does this MR do?
This MR adds an "invisible captcha" behind a feature flag. The invisible captcha uses two mechanisms to fight spam:
- A honeypot (invisible input field) in the registration form: either `firstname` or `lastname` (randomly picked).
- A time-sensitive registration, set to 4 seconds, the idea being that humans take longer than this to fill in and submit the registration form.
When the honeypot is filled, the application assumes a bot and returns a 200 status with an empty body.
When the registration form is submitted before the defined threshold has been reached, an alert warning ("That was a bit too quick! Please resubmit.") is displayed (in case of a false positive where a human submits the form in less than 4 seconds), preventing a bot from registering an account.
To test the effectiveness, reCAPTCHA can be disabled through the `recaptcha_enabled` Application Setting and the `invisible_captcha` feature can be enabled through Feature Flags.
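The two checks described above, as an added Ruby example that is not GitLab's code nor the `invisible_captcha` gem's. The MR text does not say where the submission time is recorded; this example embeds the render timestamp in a hidden field and signs it with an HMAC so a bot cannot backdate it (an assumption, as are the class and method names). The honeypot field name chosen at render time is assumed to be kept server-side (e.g. in the session), not in the form.

```ruby
# Added example: honeypot + timestamp check in the style described by the MR.
# Not GitLab's implementation; names, signing scheme and non-spam status codes
# are assumptions for illustration.
require 'openssl'

class InvisibleCaptcha
  HONEYPOT_FIELDS = %w[firstname lastname].freeze
  TIMESTAMP_THRESHOLD = 4 # seconds; humans are assumed to take longer than this

  Result = Struct.new(:status, :message)

  # secret: server-side key used to sign the rendered timestamp (assumption:
  # the MR does not describe signing, but without it a bot can forge the time).
  # clock: injectable for deterministic testing.
  def initialize(secret:, threshold: TIMESTAMP_THRESHOLD, clock: -> { Time.now.to_i })
    @secret = secret
    @threshold = threshold
    @clock = clock
  end

  # Called when rendering the form. Returns the randomly chosen honeypot field
  # name (to remember server-side) and the signed timestamp to embed as hidden
  # fields. The honeypot must be hidden with CSS, not `type=hidden`, or bots
  # that skip hidden inputs never touch it.
  def render_fields
    ts = @clock.call
    { honeypot_name: HONEYPOT_FIELDS.sample, timestamp: ts, signature: sign(ts) }
  end

  # Called on submit. `params` is the submitted form as a String-keyed Hash,
  # `honeypot_name` is the field name chosen at render time.
  def validate(params, honeypot_name)
    # 1. Honeypot: a real user never sees the field, so any value means a bot.
    return Result.new(:spam, nil) unless params[honeypot_name].to_s.empty?

    # 2. Timestamp: only trust a timestamp we signed ourselves.
    ts = params['timestamp'].to_i
    return Result.new(:spam, nil) unless valid_signature?(ts, params['signature'])

    # Reject forms submitted faster than a human plausibly could.
    if @clock.call - ts < @threshold
      return Result.new(:too_fast, 'That was a bit too quick! Please resubmit.')
    end

    Result.new(:ok, nil)
  end

  # Maps a result to what the controller sends back. A bot gets a 200 with an
  # empty body (as the MR describes) so it cannot tell rejection from success;
  # a too-fast submission re-renders the form with the alert. The 422 and
  # :continue values are assumptions, not the MR's.
  def self.response_for(result)
    case result.status
    when :spam     then [200, '']
    when :too_fast then [422, result.message]
    else                [:continue, nil]
    end
  end

  private

  def sign(ts)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, ts.to_s)
  end

  # Constant-time comparison so signature checking does not leak by timing.
  def valid_signature?(ts, sig)
    return false if sig.nil?
    expected = sign(ts)
    return false unless sig.bytesize == expected.bytesize
    sig.bytes.zip(expected.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Usage: call `render_fields` when building the registration page, store `honeypot_name` in the session, and on POST feed the params and the stored name to `validate`; `response_for` then gives the status and body to send. The 4-second threshold applies from the signed render time, so a bot that fetches the form and immediately posts is rejected even though it controls the client clock.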
Does this MR meet the acceptance criteria?
Conformity
- [ ] Changelog entry for user-facing changes, or community contribution. Check the link for other scenarios.
- [ ] Documentation created/updated or follow-up review issue created
- [ ] Code review guidelines
- [ ] Merge request performance guidelines
- [ ] Style guides
- [ ] Database guides
- [ ] Separation of EE specific content
Performance and testing
- [ ] Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- [ ] Tested in all supported browsers
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- [ ] Label as security and @ mention @gitlab-com/gl-security/appsec
- [ ] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- [ ] Security reports checked/validated by a reviewer from the AppSec team