Add optional hCaptcha support

Fixes #1649 This requires setting `HCAPTCHA_SECRET_KEY` and `HCAPTCHA_SITE_KEY`, then enabling the admin setting at `/admin/settings/edit#form_admin_settings_captcha_enabled` Subsequently, a hCaptcha widget will be displayed on `/about` and `/auth/sign_up` unless: - the user is already signed-up already - the user has used an invite link - the user has already solved the captcha (and registration failed for another reason) The Content-Security-Policy headers are altered automatically to allow the third-party hCaptcha scripts on `/about` and `/auth/sign_up` following the same rules as above.
2022-01-24 19:06:19 +01:00
parent e58e0eb9aa
commit 1b493c9fee
15 changed files with 121 additions and 2 deletions
--- a/config/locales-glitch/en.yml
+++ b/config/locales-glitch/en.yml
@@ -2,6 +2,9 @@
 en:
  admin:
    settings:
+      captcha_enabled:
+        desc_html: Enable hCaptcha integration, requiring new users to solve a challenge when signing up. Note that this disables app-based registration, and requires third-party scripts from hCaptcha to be embedded in the registration pages. This may have security and privacy concerns.
+        title: Require new users to go through a CAPTCHA to sign up
      enable_keybase:
        desc_html: Allow your users to prove their identity via keybase
        title: Enable keybase integration
--- a/config/settings.yml
+++ b/config/settings.yml
@@ -77,6 +77,7 @@ defaults: &defaults
  show_domain_blocks_rationale: 'disabled'
  outgoing_spoilers: ''
  require_invite_text: false
+  captcha_enabled: false

 development:
  <<: *defaults