Request for Recaptcha on sign-up form #1116

Closed
p1slave opened this issue Dec 21, 2022 · 15 comments · Fixed by #1152
@p1slave
Contributor

p1slave commented Dec 21, 2022

Is your feature request related to a problem? Please describe.
I have been using Listmonk for a while and also contributed to the translation project but recently I have received tons of fake sign-ups to the point that I'm thinking about switching to Phplist if there is no Recaptcha integrated into Listmonk anytime soon. Love your Listmonk project and truly hope it gets better.

Describe the solution you'd like
I think Hcaptcha could be a good choice and other self-hosted open-source Recaptcha projects are even better!

@p1slave p1slave added the enhancement New feature or request label Dec 21, 2022
@knadh
Owner

knadh commented Dec 22, 2022

Having an optional CAPTCHA (on/off in settings) is not a problem, but my concern is about hardcoding one particular CAPTCHA service. Are there examples of a generic pluggable CAPTCHA interface in other projects?

@p1slave
Contributor Author

p1slave commented Dec 22, 2022

Phplist provides both Hcaptcha and Recaptcha as two separate plugins so you can turn them on and off. I don't think there is any generic CAPTCHA interface to fit into all CAPTCHA projects because they all work quite differently. The general idea is that the user solves the CAPTCHA and you send the results to a different server either self-hosted or a well-known one like Hcaptcha for verification. I would say it's good to start with Hcaptcha because it's simple and reliable. It would be awesome if you refactor the Listmonk project to support a plugin system so everyone can integrate their own favorite CAPTCHA project into Listmonk. It could be a lot of work but for now probably Hcaptcha is enough.

@knadh
Owner

knadh commented Dec 23, 2022

Let me take a look at hCaptcha.

> It would be awesome if you refactor the Listmonk project to support a plugin system so everyone can integrate their own favorite CAPTCHA project into Listmonk.

As listmonk is a Go program, a traditional plugin system isn't feasible. Go has a built-in plugin system, but it's suboptimal and painful to use for end users in production. There are solutions like https://github.com/traefik/yaegi, but unsure how feasible they would be for building a plugin system. I'll give this some thought also.

@p1slave
Contributor Author

p1slave commented Dec 23, 2022

I'm not familiar with the Go language or its plugin system but it would be great to have Captcha set up on Listmonk as soon as possible to block the bots. It's not fun once your mailing list is targeted and you receive hundreds of apparent fake sign-ups. Everyone will be happy if that's done. There are mainly two Captchas since most websites use either Recaptcha or HCaptcha so hardcoding here is not a big problem and can be refactored later once you figure out the plugin system.

@candideu
Contributor

candideu commented Jan 7, 2023

> I have received tons of fake sign-ups

Are they all from a similar/same domain? I believe there's an option to block certain domains on Listmonk (in the meantime).

@p1slave
Contributor Author

p1slave commented Jan 7, 2023

No, every time it's a different domain name that I have never heard of and sometimes it's from a common domain like Gmail or Outlook. I have no idea what is the purpose of signing up with other people's email addresses.

knadh added a commit that referenced this issue Jan 22, 2023
Bots easily bypass the simple `nonce` hack. This commit adds support
for the hcaptcha.com widget.

- New `Security` tab in the admin settings UI.
- Enable/disable CAPTCHA.
- Render CAPTCHA on the public subscription form.

Closes #1116.
@knadh
Owner

knadh commented Jan 22, 2023

hCaptcha support is available in this PR: #1152

Do you want to give it a test @p1slave ?

@p1slave
Contributor Author

p1slave commented Jan 22, 2023

@knadh Great thank you! I switched to phplist but I will switch back to Listmonk! Please merge the PR and publish the next minor version so I can pull the latest docker image to upgrade easily. I didn't even know you are working on this but anyway thank you for the efforts to make it work.

knadh added a commit that referenced this issue Jan 23, 2023
Bots easily bypass the simple `nonce` hack. This commit adds support
for the hcaptcha.com widget.

- New `Security` tab in the admin settings UI.
- Enable/disable CAPTCHA.
- Render CAPTCHA on the public subscription form.

Closes #1116.
@MaximilianKohler
Contributor

> hCaptcha support is available in this PR: #1152

I see at https://github.com/knadh/listmonk/releases/tag/v2.4.0 it says

> If you use custom static templates, make sure to incorporate the changes from the repository.

I'm guessing this is why after I enabled captcha in /admin/settings it still doesn't show up on my form? But when I try to submit the form it says captcha failed.

Will this be updated at some point?

@knadh
Owner

knadh commented Mar 22, 2023

If you're using custom templates, then you've to add the CAPTCHA bits to your template manually. listmonk cannot mutate custom templates.

https://github.com/knadh/listmonk/blob/master/static/public/templates/subscription-form.html#L32-L37

@MaximilianKohler
Contributor

I mean on this page /admin/lists/forms where it gives the HTML to copy. Couldn't/shouldn't the CAPTCHA code be added there?

@candidexmedia

> I mean on this page /admin/lists/forms where it gives the HTML to copy. Couldn't/shouldn't the CAPTCHA code be added there?

I've been having the same issue. I got an "Error - Invalid CAPTCHA" after the user submits the embedded sign up form on my static site:

image

The CAPTCHA on my hosted public signup form works fine:

image

@knadh
Owner

knadh commented Mar 25, 2023

This was a miss in HTML form generation. Fixed here: d87a01f

To the generated HTML form in v2.4.0, this has to be manually added if CAPTCHA is enabled.

        <div class="captcha">
            <div class="h-captcha" data-sitekey="xxxxxxxx"></div>
            <script src="https://js.hcaptcha.com/1/api.js" async defer></script>
        </div>
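
The check behind the "Invalid CAPTCHA" error discussed above, as an added Go example that is not listmonk's own code: the server forwards the form's `h-captcha-response` token together with its secret to the verification service and rejects the sign-up when the token is missing, refused, or cannot be checked. `verifyCaptcha`, `fakeVerifier`, `ErrInvalidCaptcha`, the endpoint URL and the secret and token values are hypothetical; `fakeVerifier` replaces the real service in-process so the example runs offline.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// ErrInvalidCaptcha covers every submission that could not be verified.
var ErrInvalidCaptcha = errors.New("invalid CAPTCHA")

// verifyCaptcha checks the form's "h-captcha-response" token and fails closed.
func verifyCaptcha(c *http.Client, endpoint, secret, token string) error {
	if token == "" { // form had no widget, so the browser posted no token
		return fmt.Errorf("%w: empty token", ErrInvalidCaptcha)
	}
	res, err := c.PostForm(endpoint, url.Values{"secret": {secret}, "response": {token}})
	if err != nil { // verifier unreachable: reject instead of accepting
		return fmt.Errorf("%w: %v", ErrInvalidCaptcha, err)
	}
	defer res.Body.Close()
	var out struct {
		Success bool     `json:"success"`
		Codes   []string `json:"error-codes"`
	}
	if err := json.NewDecoder(res.Body).Decode(&out); err != nil || !out.Success {
		return fmt.Errorf("%w: codes=%v decode=%v", ErrInvalidCaptcha, out.Codes, err)
	}
	return nil
}

// fakeVerifier is a constructed stand-in: only "test-secret" + "good-token" pass.
type fakeVerifier struct{}
func (fakeVerifier) RoundTrip(r *http.Request) (*http.Response, error) {
	ok := r.PostFormValue("secret") == "test-secret" && r.PostFormValue("response") == "good-token"
	codes := map[bool]string{true: "[]", false: `["invalid-input-response"]`}[ok]
	rec := httptest.NewRecorder()
	fmt.Fprintf(rec, `{"success":%t,"error-codes":%s}`, ok, codes)
	return rec.Result(), nil
}

func main() {
	c := &http.Client{Transport: fakeVerifier{}}
	for _, tok := range []string{"good-token", "forged", ""} {
		fmt.Printf("%q -> %v\n", tok, verifyCaptcha(c, "http://verifier.invalid/siteverify", "test-secret", tok))
	}
}
```

The empty-token case is what an embedded form without the widget markup produces: the form posts, but there is nothing for the server to verify.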

@candidexmedia

Thanks @knadh ! I tried on my end, and it works.

@mrysn

mrysn commented Jun 17, 2023

> This was a miss in HTML form generation. Fixed here: d87a01f
>
> To the generated HTML form in v2.4.0, this has to be manually added if CAPTCHA is enabled.
>
>         <div class="captcha">
>             <div class="h-captcha" data-sitekey="xxxxxxxx"></div>
>             <script src="https://js.hcaptcha.com/1/api.js" async defer></script>
>         </div>

Thanks for this!

By the way, this is still not included in /admin/lists/forms admin page when generating Form HTML.
