Skip to content

Open source alternative to reCAPTCHA for GitLab.com registration

What does this MR do?

This MR adds an "invisible captcha" behind a feature flag. The invisible captcha uses 2 ways to fight spam:

  • A honeypot (invisible input field) in the registration form: either firstname or lastname (randomly picked)
  • A time-sensitive registration, set to 4 seconds, being the idea that humans take longer than this time to fill in and submit the registration form.

When the honeypot is filled, the application assumes a bot, and returns a 200 status with an empty body.

When the registration form is submitted before the defined threshold has been reached, an alert warning (That was a bit too quick! Please resubmit.) is displayed (just in case of a false positive and a human submits the form in less than 4 seconds), preventing a bot to register an account.

To test the effectivity, the ReCAPTCHA can be disabled through the recaptcha_enabled Application Setting and the invisible_captcha can be enabled through Feature Flags.

Does this MR meet the acceptance criteria?

Conformity

Performance and testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by 🤖 GitLab Bot 🤖

Merge request reports

Loading