mcaptcha / mcaptcha Goto Github PK

A no-nonsense CAPTCHA system with seamless UX | Backend component

License: GNU Affero General Public License v3.0

Rust 60.76% JavaScript 0.42% SCSS 4.53% HTML 9.49% Makefile 0.81% TypeScript 22.17% Dockerfile 0.22% CSS 0.30% Shell 1.31%

actix-web captcha ddos-mitigation ddos-protection mcaptcha privacy proof-of-work rust self-host self-hosted spam-protection

mcaptcha's Introduction

mCaptcha

Proof of work based, privacy respecting CAPTCHA system with a kickass UX.

STATUS: ACTIVE DEVELOPMENT

Skip to demo

mCaptcha is a privacy respecting, free CAPTCHA system with a kickass UX. Your users no longer have to interact with ridiculous image-based CAPTCHA system, wasting precious mental bandwidth. Instead, your computer will do the work for you, see for yourself!

How does it work?

mCaptcha uses SHA256 based proof-of-work (PoW) to rate limit users.

When a user wants to do something on a mCaptcha-protected website,

they will have to generate proof-of-work (a bunch of math that will takes time to compute) and submit it to mCaptcha.
We'll validate the proof:
- if validation is unsuccessful, they will be prevented from accessing their target website
- if validation is successful, read on,
They will be issued a token that they should submit along with their request/form submission to the target website.
The target website should validate the user-submitted token with mCaptcha before processing the user's request.

The whole process is automated from the user's POV. All they have to do is click on a button to initiate the process.

mCaptcha makes interacting with websites (computationally) expensive for the user. A well-behaving user will experience a slight delay (no delay when under moderate load to 2s when under attack; PoW difficulty is variable) but if someone wants to hammer your site, they will have to do more work to send requests than your server will have to do to respond to their request.

Why use mCaptcha?

Free software, privacy focused
Seamless UX - No more annoying CAPTCHAs!
No tracking: Our CAPTCHA routes are cookie free!
IP address independent: your users are behind a NAT? We got you covered!
Resistant to replay attacks: proof-of-work configurations have short lifetimes (30s) and can be used only once. If a user submits a PoW to an already used configuration or an expired one, their proof will be rejected.

Demo

Client-side widget:

mCaptcha's UX is super silent, solving CAPTCHAs have never been more easier. One click and you are on your way. To observe mCaptcha in action, open dev tools and monitor console and network activity.

Demo servers are available at:

https://demo.mcaptcha.org/
https://demo2.mcaptcha.org/ (runs on a Raspberry Pi!)

Core functionality is working but it's still very much work-in-progress. Since we don't have a stable release yet, hosted demo servers might be a few versions behind master. Please check footer for build commit.

Feel free to provide bogus information while signing up (project under development, database frequently wiped).

Self-hosted:

Clone the repo and run the following from the root of the repo:

git clone https://github.com/mCaptcha/mCaptcha.git
docker-compose up -d

After the containers are up, visit http://localhost:7000 and login with the default credentials:

username: aaronsw
password: password

It takes a while to build the image so please be patient :)

See DEPLOYMENT.md for detailed alternate deployment methods.

Development:

See HACKING.md

Deployment:

See DEPLOYMENT.md

Configuration:

See CONFIGURATION.md

Funding

NLnet

2023 development is funded through the NGI0 Entrust Fund, via NLnet. Please see here for more details.

mcaptcha's People

Contributors

Stargazers

Watchers

mcaptcha's Issues

Many console errors when solving the captcha

I get the following errors in the console when solving the captcha:

Uncaught (in promise) TypeError: Cannot mix BigInt and other types, use explicit conversions

This originates from the following line:
https://github.com/mCaptcha/mCaptcha/blob/master/templates/widget/index.ts#L97

[SECURITY ISSUE] this is not a captcha

Hi, i'm trying to estimate the reliability of this mechanism as an actual captcha (and not just as an overcomplicated rate limiter).

So I was wondering, what would prevent a bot from automatically fetch the PoW configuration (since sitekey is accessible), solve the challenge (maybe reusing the same Rust code for simplicity and efficiency), submit the PoW, get the token and either use it for every following request or repeat the process (for bruteforcing as an example)?

I get that the difficulty can be tuned, but still, I assume a bot implemented in Rust would be faster than its js/wasm counterpart, so it's safe to say a bot would take less than a browser anyway, thus kind of bypassing the rate limiting factor.

What am I missing?

Edit: adding PoC code https://github.com/evilsocket/mcaptcha_bypass

multi user accounts for managing captchas

`/docs/openapi.json` serialization error

/api/v1/something gets converted to api//something when json is converted into HttpResponse. This seems to happen only in current(3.3.2) version as testing with 4.0.0-beta.4 produced expected result.

Can mCaptcha be used also like Cloudflare "Browser Check before Continue"?

Hi,
can mCaptcha work also as a checking CAptcha before entering the Site, like Cloudflare is doing?

Accounts not saved

Hello,
I wanted to test the docker-compose version.
Now I noticed that user accounts are not saved permanently.
When I shut down the container and start it again, registered accounts are no longer available.

How can I fix the error?

Unable to login

Hello,

I've setup the bare metal install, everything seems to be working but login doesn't.

I can see the user and argon2 hash in the DB, but I'm redirected to the login path: /login?redirect_to=%2F

I've also set the email_verified to true

Setup Weblate for localization

Deploy weblate
integrate weblate into mCaptcha codebases

Verification not working anymore, restart container helped

Hi,

after couple of months without issues the verification step did not work anymore.
The widget looked correct.

Unfortunately I do not have the errors from the client console (I try to get more infos).
But in the mcaptcha service I have the following log (Broken pipe (os error 32):

Defense { levels: [Level { visitor_threshold: 2000, difficulty_factor: 50000 }, Level { visitor_threshold: 10000, difficulty_factor: 3000000 }, Level { visitor_threshold: 20000, difficulty_factor: 5000000 }], current_visitor_threshold: 0 }
 ERROR mcaptcha::errors              > Broken pipe (os error 32)
 INFO  actix_web::middleware::logger > 10.42.0.226 "POST /api/v1/pow/config HTTP/1.1" 400 37 "https://*********/widget/?sitekey=*****" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" 0.081178
 INFO  sqlx::query                   > /* SQLx ping */; rows affected: 0, rows returned: 0, elapsed: 339.746µs

Is it possible to monitor the verification endpoint in some way? Next time I prefer to get a mail from our monitoring and not a customers call. :-)

Are there additional logs I can have a look?
Please let me know if I can help to solve this issue. If I fix something by myself, of course I will generate a Pull request (as always).

Bye and have a nice day
Darian

Docker redis failing to connect

Greetings,
After the most recent update my docker container for mcaptcha all of a sudden stopped working due to redis not being able to connect, I haven't changed anything in the docker compose before the update. Everything was working fine

Version: 0.1.0 commit: 9e77eec6576558e5440bd4d00f0947c62cffae1c

 INFO  mcaptcha::settings > Loading config file from /etc/mcaptcha/config.toml

 INFO  mcaptcha::data     > Initializing credential manager

 INFO  sqlx::postgres::notice > relation "_sqlx_migrations" already exists, skipping

thread 'main' panicked at /usr/local/cargo/git/checkouts/libmcaptcha-3667a1c790960085/6bc0d11/src/redis/mod.rs:46:22:

called `Result::unwrap()` on an `Err` value: Connection refused (os error 111)

Can mCaptcha protect a contact form against spam?

Sorry for the possibly stupid question...

I have a contact form that is subject to spam. I'm currently using reCAPTCHA to protect it but clearly bots are getting past it.
Is this a good use case for mCaptcha?

The home page says that mCaptcha is a xCaptcha drop-in replacement.
But when I tried to use it by creating a account on the demo platform, I had to provide maximum traffic metrics.

It seems that mCaptcha is more of a rate-limiting/anti-DDOS tool than a reCAPTCHA/hCaptcha replacement?

Can it be used to protect contact forms, registration forms, etc. against bots?

mCaptcha suddenly restarting

I had mcaptcha working for a while, but suddenly it is down and the logs show the following:

mcaptcha-mcaptcha-1           |  DEBUG sqlx::query        > summary="SELECT current_database()" db.statement="" rows_affected=0 rows_returned=1 elapsed=586.012µs
mcaptcha-mcaptcha-1           |  DEBUG sqlx::query        > summary="SELECT pg_advisory_lock($1)" db.statement="" rows_affected=1 rows_returned=1 elapsed=596.292µs
mcaptcha-mcaptcha-1           |  INFO  sqlx::postgres::notice > relation "_sqlx_migrations" already exists, skipping
mcaptcha-mcaptcha-1           |  DEBUG sqlx::query            > summary="CREATE TABLE IF NOT …" db.statement="\n\nCREATE TABLE IF NOT EXISTS _sqlx_migrations (\n  version BIGINT PRIMARY KEY,\n  description TEXT NOT NULL,\n  installed_on TIMESTAMPTZ NOT NULL DEFAULT now(),\n  success BOOLEAN NOT NULL,\n  checksum BYTEA NOT NULL,\n  execution_time BIGINT NOT NULL\n);\n" rows_affected=0 rows_returned=0 elapsed=523.102µs
mcaptcha-mcaptcha-1           |  DEBUG sqlx::query            > summary="SELECT version FROM _sqlx_migrations …" db.statement="\n\nSELECT\n  version\nFROM\n  _sqlx_migrations\nWHERE\n  success = false\nORDER BY\n  version\nLIMIT\n  1\n" rows_affected=0 rows_returned=0 elapsed=1.116349ms
mcaptcha-mcaptcha-1           |  DEBUG sqlx::query            > summary="SELECT version, checksum FROM …" db.statement="\n\nSELECT\n  version,\n  checksum\nFROM\n  _sqlx_migrations\nORDER BY\n  version\n" rows_affected=12 rows_returned=12 elapsed=445.767µs
mcaptcha-mcaptcha-1           |  DEBUG sqlx::query            > summary="SELECT current_database()" db.statement="" rows_affected=0 rows_returned=1 elapsed=109.938µs
mcaptcha-mcaptcha-1           |  DEBUG sqlx::query            > summary="SELECT pg_advisory_unlock($1)" db.statement="" rows_affected=1 rows_returned=1 elapsed=377.335µs
mcaptcha-mcaptcha-1           |  INFO  mcaptcha::data         > Initialized credential manager
mcaptcha-mcaptcha-1           | thread 'main' panicked at /usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/libmcaptcha-0.2.4/src/redis/mod.rs:46:22:
mcaptcha-mcaptcha-1           | called `Result::unwrap()` on an `Err` value: Connection refused (os error 111)
mcaptcha-mcaptcha-1           | note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
mcaptcha-mcaptcha-1 exited with code 101

I did not change anything, is there something wrong?

ERROR [frontend 16/16] RUN make frontend -> make: ./scripts/librejs.sh: Command not found

sorry again, I get this error running the docker-compose up -d command

 => ERROR [frontend 16/16] RUN make frontend                                                                                                                                                                                   33.9s 
------
 > [frontend 16/16] RUN make frontend:
#0 1.033 yarn install
#0 1.321 yarn install v1.22.5
#0 1.605 [1/4] Resolving packages...
#0 2.405 success Already up-to-date.
#0 2.424 Done in 1.11s.
#0 2.473 cd docs/openapi && yarn install
#0 2.756 yarn install v1.22.5
#0 2.834 warning package.json: License should be a valid SPDX license expression
#0 2.985 warning [email protected]: License should be a valid SPDX license expression
#0 2.990 [1/4] Resolving packages...
#0 3.535 success Already up-to-date.
#0 3.551 Done in 0.81s.
#0 3.605 cd docs/openapi && yarn build
#0 3.968 yarn run v1.22.5
#0 4.157 warning package.json: License should be a valid SPDX license expression
#0 4.226 $ swagger-cli bundle openapi.yaml --outfile dist/openapi.yaml --type yaml
#0 4.923 Created dist/openapi.yaml from openapi.yaml
#0 4.941 Done in 0.99s.
#0 4.963 yarn install
#0 5.341 yarn install v1.22.5
#0 5.640 [1/4] Resolving packages...
#0 6.494 success Already up-to-date.
#0 6.514 Done in 1.19s.
#0 6.584 yarn build
#0 6.977 yarn run v1.22.5
#0 7.110 $ webpack --mode production
#0 24.77 Browserslist: caniuse-lite is outdated. Please run:
#0 24.77   npx browserslist@latest --update-db
#0 24.77   Why you should do it regularly: https://github.com/browserslist/browserslist#browsers-data-updating
#0 25.57 assets by path *.js 25.7 KiB
#0 25.57   asset bundle.js 17.6 KiB [emitted] [minimized] (name: bundle)
#0 25.57   asset bench.js 5.83 KiB [emitted] [minimized] (name: bench)
#0 25.57   asset verificationWidget.js 2.28 KiB [emitted] [minimized] (name: verificationWidget)
#0 25.57 asset d31bd4308c685c96d507.module.wasm 72 KiB [emitted] [immutable] (auxiliary name: bench)
#0 25.57 asset verificationWidget.css 1.55 KiB [emitted] [minimized] (name: verificationWidget)
#0 25.57 Entrypoint bundle 17.6 KiB = bundle.js
#0 25.57 Entrypoint verificationWidget 3.83 KiB = verificationWidget.css 1.55 KiB verificationWidget.js 2.28 KiB
#0 25.57 Entrypoint bench 5.83 KiB (72 KiB) = bench.js 1 auxiliary asset
#0 25.57 orphan modules 55.8 KiB (javascript) 937 bytes (runtime) [orphan] 59 modules
#0 25.57 runtime modules 4.72 KiB 8 modules
#0 25.57 cacheable modules 63.2 KiB (javascript) 1.59 KiB (css/mini-extract) 72 KiB (webassembly)
#0 25.57   javascript modules 63.2 KiB
#0 25.57     modules by path ./templates/ 57.9 KiB
#0 25.57       modules by path ./templates/widget/ 7.46 KiB 3 modules
#0 25.57       ./templates/index.ts + 47 modules 49.9 KiB [built] [code generated]
#0 25.57       ./templates/logger.ts 529 bytes [built] [code generated]
#0 25.57     modules by path ./node_modules/@mcaptcha/ 5.31 KiB
#0 25.57       ./node_modules/@mcaptcha/pow_sha256-polyfill/dist/index.js 1.15 KiB [built] [code generated]
#0 25.57       ./node_modules/@mcaptcha/pow-wasm/pow_wasm_bg.js 4.16 KiB [built] [code generated]
#0 25.57   css ./node_modules/css-loader/dist/cjs.js!./node_modules/sass-loader/dist/cjs.js??ruleSet[1].rules[1].use[2]!./templates/widget/main.scss 1.59 KiB [built] [code generated]
#0 25.57   ./node_modules/@mcaptcha/pow-wasm/pow_wasm_bg.wasm 50 bytes (javascript) 72 KiB (webassembly) [built] [code generated]
#0 25.57 webpack 5.58.1 compiled successfully in 15557 ms
#0 25.66 Done in 18.69s.
#0 26.08 yarn run v1.22.5
#0 26.17 $ /src/node_modules/.bin/sass -s compressed templates/main.scss ./static/cache/bundle/css/main.css
#0 27.48 Done in 1.42s.
#0 27.84 yarn run v1.22.5
#0 27.97 $ /src/node_modules/.bin/sass -s compressed templates/mobile.scss ./static/cache/bundle/css/mobile.css
#0 28.88 Done in 1.05s.
#0 29.24 yarn run v1.22.5
#0 29.39 $ /src/node_modules/.bin/sass -s compressed templates/widget/main.scss ./static/cache/bundle/css/widget.css
#0 30.27 Done in 1.04s.
#0 30.28 make: ./scripts/librejs.sh: Command not found
#0 30.28 make: *** [Makefile:49: frontend] Error 127
------
failed to solve: executor failed running [/bin/sh -c make frontend]: exit code: 2

Disabling registration and demo on docker not working.

Greetings,
The following docker configuration still allows account registration and the demo account.

version: "3.9"

services:
  mcaptcha:
    image: mcaptcha/mcaptcha:latest
    ports:
      - 7000:7000
    environment:
      DATABASE_URL: postgres://postgres:epic_password@mcaptcha_postgres:5432/postgres
      MCAPTCHA_REDIS_URL: redis://mcaptcha_redis/
      MCAPTCHA_SERVER_DOMAIN: mcaptcha.epic_domain.com
      MCAPTCHA_COMMERCIAL: false
      MCAPTCHA_ALLOW_REGISTRATION: false
      MCAPTCHA_ALLOW_DEMO: false
      RUST_LOG: debug
      PORT: 7000
    depends_on:
      - mcaptcha_postgres
      - mcaptcha_redis

  mcaptcha_postgres:
    image: postgres:13.2
    volumes:
      - mcaptcha-data:/var/lib/postgresql/
    environment:
      POSTGRES_PASSWORD: epic_password
      PGDATA: /var/lib/postgresql/data/mcaptcha/

  mcaptcha_redis:
    image: mcaptcha/cache:latest

volumes:
  mcaptcha-data:
    driver: local

Troubles with ports using docker

Hi,
I'm trying to run mCaptcha with docker compose, on a server that already have some redis and postgres containers mapped on 6379 and 5432.

I tried to map postgres and redis on other port, but the main app doesn't recognise.

Here is my conf file :

version: '3.9'

services:
  mcaptcha:
    image: mcaptcha/mcaptcha:latest
    ports:
      - 7000:7000
    environment:
      DATABASE_URL: postgres://postgres:password@postgres:5433/postgres # set password at placeholder
      MCAPTCHA_REDIS_URL: redis://mcaptcha-redis:6380/
      RUST_LOG: debug
      RUST_BACKTRACE: 1
      PORT: 7000
    depends_on:
      - postgres
      - mcaptcha-redis

  postgres:
    image: postgres:13.2
    ports:
      - "5433:5432"
    volumes:
      - mcaptcha-data:/var/lib/postgresql/
    environment:
      POSTGRES_PASSWORD: password # change password
      PGDATA: /var/lib/postgresql/data/mcaptcha/

  mcaptcha-redis:
    image: mcaptcha/cache:latest
    ports:
      - "6380:6379"

volumes:
  mcaptcha-data:

Repositories metadata: homepage mcaptcha.org

In all repositories, change the homepage to https://mcaptcha.org.

#suggestion

Problem with the postgress cluster

When the deployment occurs, the following error occurs:
DBError(Execute(Database(PgDatabaseError { severity: Error, code: "42P05", message: "prepared statement \"sqlx_s_1\" already exists",

I believe this is being fixed "disable_statement_logging"

use crate::settings::Settings;
use db_core::prelude::*;

pub type BoxDB = Box<dyn MCDatabase>;

pub mod pg {
    use super::*;
    use db_sqlx_postgres::{ConnectionOptions, Fresh};
    use sqlx::postgres::PgPoolOptions;

    pub async fn get_data(settings: Option<Settings>) -> BoxDB {
        let settings = settings.unwrap_or_else(|| Settings::new().unwrap());
        let pool = settings.database.pool;
        let pool_options = PgPoolOptions::new().max_connections(pool);
        let connection_options = ConnectionOptions::Fresh(Fresh {
            pool_options,
            url: settings.database.url.clone(),
            disable_logging: !settings.debug,
        });
        let db = connection_options.connect().await.unwrap();
        db.migrate().await.unwrap();
        Box::new(db)
    }
}

However, I don't understand how to enable it. Judging by the source code, you need to change the debug = true setting for this. But it didn't work for me.

Tag the docker image

We only have latest and master dockerhub tag. Maybe because the git project have no tag/release yet. Could be nice to avoid the usage of the :latest docker tag.

`Difficulty factor should increase with level` when using Easy mode of setting New Sitekey

Good morning,

I've got a problem/bug with mCaptcha UI, where I couldn't add New Site Key using Easy Mode.

The error what I'm getting is Difficulty factor should increase with level with a 400 Bad request from https://captcha.chimmie.k.vu/api/v1/mcaptcha/add/easy.

My parameters:

Description: Bruteforce Protection
Average Traffic of your website: `2000
Maximum traffic that your website can handle: 10000
Traffic that broke your website(Optional): 20000

Version: v0.1.0-59e339f2
Installation method: using Docker compose.

Use mcaptcha under a certain path prefix

Hi everybody,

is it possible to add a configuration option, to operate mcatcha also under a certain path prefix? For our use case it would be perfect, if mcatpcha would behave properly if server und a path like https://somdomain.com/mcatpcha or something like that.

Kind regards,
Christian

Add curl in the image

Would it be possible to include curl in the image ?

The goal is to have a healthcheck like curl -f http://localhost:7000/api/v1/meta/health

Better documentation around new site key form

Its not very clear what goes into the following fields:

Average traffic to your site
Maximum traffic that your website can handle
Traffic that broke your website

For instance, I don't know if this is traffic per month, per minute, ect

failed to load source for dependency `actix-web-codegen`

I get this error running the docker-compose up -d command

 => [rust  2/15] WORKDIR /src                                                                                                                                                                 1.9s 
#0 47.95     Updating git repository `https://github.com/realaravinth/cache-buster`
#0 48.72     Updating git repository `https://github.com/mCaptcha/libmcaptcha`
#0 49.47     Updating git repository `https://github.com/realaravinth/actix-web`
#0 51.92 error: failed to get `actix-web-codegen` as a dependency of package `mcaptcha v0.1.0 (/src)`
#0 51.92
#0 51.92 Caused by:
#0 51.92   failed to load source for dependency `actix-web-codegen`
#0 51.92
#0 51.92 Caused by:
#0 51.92   Unable to update https://github.com/realaravinth/actix-web#950d1265
#0 51.92
#0 51.92 Caused by:
#0 51.92   object not found - no match for id (950d1265ee32f34efe6acb6663c56881ba1b489a); class=Odb (9); code=NotFound (-3)
------
failed to solve: executor failed running [/bin/sh -c cargo build --release]: exit code: 101

steps followed:

git clone https://github.com/mCaptcha/mCaptcha
cd mCaptcha
docker-compose up -d

Some settings cannot be set via environment

It seems that some settings cannot be set via environment. Because:

They have underscores in their names.
And the separator (as in config::Environment::separator) is an underscore.

For example, one might try to set database.database_type via MCAPTCHA_DATABASE_DATABASE_TYPE.
But that doesn't work. Because it will be resolved to database.database.type 😟 😢 .

Some users of the config crate are confused about this, but here's the gist of it, as far as I understand: you can't use the separator in a name.

Request for aarch64 architecture mCaptcha compatability

Hey,

Off topic from my other raised issue, please could I request mCaptcha be made compatible with aarch64 cpu architectures. The underlying node, rust, debian images being used for mCaptcha are also available as aarch64v8.

Thanks

Stuck on processing

When trying out the demo site on my Pixel6 using GrapheneOS and Vanadium (based on Chrome) as browser, it gets stuck at processing.

This is the sitekey i used:
https://demo.mcaptcha.org/widget/?sitekey=pHy0AktWyOKuxZDzFfoaewncWecCHo23

I will later try to connect from my PC to my phone to be able to open up the dev tools and provide more information.

docker compose file - can't log into application

Hi,

maybe someone can help me. I've got the docker image running, using the docker-compose.yml file provided. I have the Service running behind an ngnix Server.

When I try to log in with wrong user credentials I get the red error message, but if I use the ones given (aaronsw, password), I get forwarded to:
https://mydomain/login?redirect_to=%2F (302 instead of the 200)

here is an excerpt of the log files:

mcaptcha_1           |  INFO  actix_web::middleware::logger > 192.168.160.1 "POST /api/v1/signin HTTP/1.0" 200 0 "https://my-domain/login?redirect_to=%2F" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0" 0.037804
mcaptcha_1           |  INFO  sqlx::query                   > /* SQLx ping */; rows affected: 0, rows returned: 0, elapsed: 534.716µs
mcaptcha_1           |  INFO  actix_web::middleware::logger > 192.168.160.1 "GET / HTTP/1.0" 302 0 "https://my-domain/login?redirect_to=%2F" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0" 0.000330
mcaptcha_1           |  INFO  actix_web::middleware::logger > 192.168.160.1 "GET /login?redirect_to=%2F HTTP/1.0" 200 5775 "https://my-domain/login?redirect_to=%2F" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0" 0.001699

ngnix config:

server {
    server_name my-domain;

    # security - prevent information disclosure about server version
    server_tokens off;

    access_log /var/log/nginx/captcha.access.log;
    error_log  /var/log/nginx/captcha.error.log;

    location / {
        proxy_pass http://localhost:7000;
        proxy_redirect     off;
        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_pass_request_headers on;

        client_max_body_size       10m;
        client_body_buffer_size    128k;

        proxy_connect_timeout      300;
        proxy_send_timeout         300;
        proxy_read_timeout         300;

        proxy_buffer_size          4k;
        proxy_buffers              4 32k;
        proxy_busy_buffers_size    64k;
        proxy_temp_file_write_size 64k;

        gzip on;
        gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
        gzip_proxied any;
    }


    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/my-domain/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/my-domain/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = my-domain) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name my-domain;
    listen 80;
    return 404; # managed by Certbot
}

thread panicked while panicking. aborting. error: test failed, to rerun pass '--bin mcaptcha'

~~Tests are failing for no apparent reason~~ There seems to be a test suite, which is failing and the test harness/test runner/cargo test is unable to pinpoint the exact test that is failing

See CI runs around https://github.com/mCaptcha/mCaptcha/actions/runs/1588127731

Unable to change account password from web interface

I wonder if I missed something but It seems that it's not possible to change the account password from the web interface? (no API routes found either)

Could it be implemented ?

Thanks,

rm token name unique

Token name is to assist users, having unique constraints make token names less user friendly.

So token name unique constraint must be removed and when performing token name lookups, they'll have to be scoped to the domain name.

Can't login using docker compose installation

Hi, it's me again,
I'm using docker-compose installation.
I tried to login use default credentials or create new one but it's not working.
It redirects me to login page.
I see the INSERT in the log when creating an account, and the SELECT, but it says from conversin: Account not found

Add memory-hard hash function

This ticket is a feature request for mCaptcha to support support a memory-hard hash function (in addition to sha256).

For example, scrypt is an option that's used by PoW! Captcha

But it might be better to use something specifically designed for proof-of-work, such as CryptoNight, which is what's used by Monero and crypto-loot's CAPTCHA implementation.

Are you sure this should be called CAPTCHA?

CAPTCHAs should be able to tell humans and robots apart, not to rate limit them. I can write a demo using selenium which could've easily clicked that "I'm not a robot" button and passed the test

Browser engine integration?

Hi, I'm working on an NLnet-funded browser engine "Haphaestus" & I'd be keen to figure out with you how we can mCaptcha working in my browser engine.

The catch is that for several reasons I will not & cannot support JavaScript, so mCaptcha will need to be integrated directly into my webform engine "Bureaucromancy" as a new type. Thoughts?

mcaptcha.org down

I have noticed that mcaptcha.org is not online anymore. Do you know what happened or is it intentional?

Helm chart for mCaptcha

Hi!

Thanks for all your effort in mCaptcha!

We're doing a POC with using mCaptcha at work on our kubernetes cluster deploying it using a helm chart: Would you be open to an MR sharing this helm chart?

production readiness and our effort to get something production ready

First of all, thank you again for working on this library. I appreciate it that much b/c I planned to work on it for a very long time. The first time I wrote about it in 2015 on my old, now not existing blog https://web.archive.org/web/20210302100358/https://blog.wizardtales.com/2015/12/18/a-captchas-tale/, but I never found the time for it.

So thank you for your efforts :)

Now we finally were forced to look into it and found your solution aside from a few different implementations (just demos) and were happy to see a quite thought-through solution.

Next I want to highlight: This is not intended as advertising, but more our way of sharing it with you and the community. I have no doubt you and the community bring this module to production readiness as well at some point. So I want to encourage you, if you feel this is wrongly placed in your opinion, please go ahead and delete the issue.

Continuing, now that we have run it in production, though, it became clear it is far too unstable to run production. We don't think that is really on your side of things but more on the general immaturity of rust as a whole. So we decided to write an own backend for processing pows in a different language with a toolset ready for production use. You can find it over here:

https://github.com/WizardTales/pow-node

You're very welcome to utilize the code, as well as ignoring it :)

Thank you again for your efforts!

docker/podman build error

Trying to build this project:

I am getting a

error: couldn't read src/../docs/openapi/dist/openapi.yaml: No such file or directory (os error 2)

when I run podman build -t mcaptcha/mcaptcha:latest .

Docker-compose up using the default docker-compose.yml file does not create mCaptcha container when using Oracle Linux Server 8.8 (Oracle Cloud)

Hi,

I am trying to set up mCaptcha on a Oracle Could VM instance. I only want to set up the default configuration for now whilst I learn about mCaptcha.

For some reason I keep hitting these errors when I run docker-compose up within the mCaptcha directory:

Creating network "mcaptcha_default" with the default driver
Creating mcaptcha_mcaptcha_redis_1    ... done
Creating mcaptcha_mcaptcha_postgres_1 ... done
Creating mcaptcha_mcaptcha_1          ... done
Attaching to mcaptcha_mcaptcha_redis_1, mcaptcha_mcaptcha_postgres_1, mcaptcha_mcaptcha_1
mcaptcha_1           |  INFO  mcaptcha > mcaptcha: mCaptcha - a PoW-based CAPTCHA system.
mcaptcha_1           | For more information, see: https://mcaptcha.org
mcaptcha_1           | Build info:
mcaptcha_1           | Version: 0.1.0 commit: 6ede578ad55441457b016a7a3d52f038263641ed
mcaptcha_1           |  INFO  mcaptcha::settings > Loading config file from /etc/mcaptcha/config.toml
mcaptcha_1           |  INFO  mcaptcha::settings > Overriding [server].port with environment variable
mcaptcha_1           |  INFO  mcaptcha::settings > Overriding [database].url and [database].database_type with environment variable
mcaptcha_postgres_1  | The files belonging to this database system will be owned by user "postgres".
mcaptcha_postgres_1  | This user must also own the server process.
mcaptcha_postgres_1  |
mcaptcha_postgres_1  | The database cluster will be initialized with locale "en_US.utf8".
mcaptcha_postgres_1  | The default database encoding has accordingly been set to "UTF8".
mcaptcha_postgres_1  | The default text search configuration will be set to "english".
mcaptcha_postgres_1  |
mcaptcha_postgres_1  | Data page checksums are disabled.
mcaptcha_postgres_1  |
mcaptcha_postgres_1  | fixing permissions on existing directory /var/lib/postgresql/data/mcaptcha ... ok
mcaptcha_postgres_1  | creating subdirectories ... ok
mcaptcha_postgres_1  | selecting dynamic shared memory implementation ... posix
mcaptcha_postgres_1  | selecting default max_connections ... 100
mcaptcha_postgres_1  | selecting default shared_buffers ... 128MB
mcaptcha_postgres_1  | selecting default time zone ... Etc/UTC
mcaptcha_postgres_1  | creating configuration files ... ok
mcaptcha_postgres_1  | running bootstrap script ... ok
mcaptcha_1           |  INFO  mcaptcha::data     > Initializing credential manager
mcaptcha_redis_1     | 1:C 21 Jun 2023 23:45:51.323 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
mcaptcha_redis_1     | 1:C 21 Jun 2023 23:45:51.324 # Redis version=6.2.6, bits=64, commit=00000000, modified=0, pid=1, just started
mcaptcha_redis_1     | 1:C 21 Jun 2023 23:45:51.324 # Configuration loaded
mcaptcha_redis_1     | 1:M 21 Jun 2023 23:45:51.325 * monotonic clock: POSIX clock_gettime
mcaptcha_redis_1     | 1:M 21 Jun 2023 23:45:51.325 * Running mode=standalone, port=6379.
mcaptcha_redis_1     | 1:M 21 Jun 2023 23:45:51.326 # Server initialized
mcaptcha_redis_1     | 1:M 21 Jun 2023 23:45:51.326 # WARNING overcommit_memory is set to 0! Background save may fail under low memory condition. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
mcaptcha_redis_1     | 1:M 21 Jun 2023 23:45:51.329 * <mcaptcha_cahce> Created new data type 'mcaptbuck'
mcaptcha_redis_1     | 1:M 21 Jun 2023 23:45:51.329 * <mcaptcha_cahce> Created new data type 'mcaptmcap'
mcaptcha_redis_1     | 1:M 21 Jun 2023 23:45:51.329 * <mcaptcha_cahce> Created new data type 'mcaptsafe'
mcaptcha_redis_1     | 1:M 21 Jun 2023 23:45:51.329 * <mcaptcha_cahce> Created new data type 'mcaptchal'
mcaptcha_redis_1     | 1:M 21 Jun 2023 23:45:51.329 * Module 'mcaptcha_cahce' loaded from /usr/lib/redis/modules/libcache.so
mcaptcha_redis_1     | 1:M 21 Jun 2023 23:45:51.330 * Ready to accept connections
mcaptcha_1           | thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: DBError(Io(Custom { kind: Uncategorized, error: "failed to lookup address information: Name or service not known" }))', src/db.rs:36:53
mcaptcha_1           | stack backtrace:
mcaptcha_1           |    0: rust_begin_unwind
mcaptcha_1           |              at /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/std/src/panicking.rs:579:5
mcaptcha_1           |    1: core::panicking::panic_fmt
mcaptcha_1           |              at /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/core/src/panicking.rs:64:14
mcaptcha_1           |    2: core::result::unwrap_failed
mcaptcha_1           |              at /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/core/src/result.rs:1750:5
mcaptcha_1           |    3: std::thread::local::LocalKey<T>::with
mcaptcha_1           |    4: <core::pin::Pin<P> as core::future::future::Future>::poll
mcaptcha_1           |    5: tokio::runtime::scheduler::current_thread::Context::enter
mcaptcha_1           |    6: tokio::macros::scoped_tls::ScopedKey<T>::set
mcaptcha_1           |    7: tokio::runtime::scheduler::current_thread::CurrentThread::block_on
mcaptcha_1           |    8: tokio::runtime::runtime::Runtime::block_on
mcaptcha_1           |    9: mcaptcha::main
mcaptcha_1           | note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
mcaptcha_postgres_1  | performing post-bootstrap initialization ... ok
mcaptcha_postgres_1  | syncing data to disk ... ok
mcaptcha_postgres_1  |
mcaptcha_postgres_1  |
mcaptcha_postgres_1  | Success. You can now start the database server using:
mcaptcha_postgres_1  |
mcaptcha_postgres_1  |     pg_ctl -D /var/lib/postgresql/data/mcaptcha/ -l logfile start
mcaptcha_postgres_1  |
mcaptcha_postgres_1  | initdb: warning: enabling "trust" authentication for local connections
mcaptcha_postgres_1  | You can change this by editing pg_hba.conf or using the option -A, or
mcaptcha_postgres_1  | --auth-local and --auth-host, the next time you run initdb.
mcaptcha_postgres_1  | waiting for server to start....2023-06-21 23:45:57.019 UTC [47] LOG:  starting PostgreSQL 13.2 (Debian 13.2-1.pgdg100+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 8.3.0-6) 8.3.0, 64-bit
mcaptcha_postgres_1  | 2023-06-21 23:45:57.023 UTC [47] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
mcaptcha_postgres_1  | 2023-06-21 23:45:57.034 UTC [48] LOG:  database system was shut down at 2023-06-21 23:45:55 UTC
mcaptcha_postgres_1  | 2023-06-21 23:45:57.043 UTC [47] LOG:  database system is ready to accept connections
mcaptcha_postgres_1  |  done
mcaptcha_postgres_1  | server started
mcaptcha_postgres_1  |
mcaptcha_postgres_1  | /usr/local/bin/docker-entrypoint.sh: ignoring /docker-entrypoint-initdb.d/*
mcaptcha_postgres_1  |
mcaptcha_postgres_1  | 2023-06-21 23:45:57.436 UTC [47] LOG:  received fast shutdown request
mcaptcha_postgres_1  | waiting for server to shut down....2023-06-21 23:45:57.517 UTC [47] LOG:  aborting any active transactions
mcaptcha_postgres_1  | 2023-06-21 23:45:57.524 UTC [47] LOG:  background worker "logical replication launcher" (PID 54) exited with exit code 1
mcaptcha_postgres_1  | 2023-06-21 23:45:57.527 UTC [49] LOG:  shutting down
mcaptcha_postgres_1  | 2023-06-21 23:45:57.612 UTC [47] LOG:  database system is shut down
mcaptcha_postgres_1  |  done
mcaptcha_postgres_1  | server stopped
mcaptcha_postgres_1  |
mcaptcha_postgres_1  | PostgreSQL init process complete; ready for start up.
mcaptcha_postgres_1  |
mcaptcha_postgres_1  | 2023-06-21 23:45:57.923 UTC [1] LOG:  starting PostgreSQL 13.2 (Debian 13.2-1.pgdg100+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 8.3.0-6) 8.3.0, 64-bit
mcaptcha_postgres_1  | 2023-06-21 23:45:57.923 UTC [1] LOG:  listening on IPv4 address "0.0.0.0", port 5432
mcaptcha_postgres_1  | 2023-06-21 23:45:57.923 UTC [1] LOG:  listening on IPv6 address "::", port 5432
mcaptcha_postgres_1  | 2023-06-21 23:45:57.932 UTC [1] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
mcaptcha_postgres_1  | 2023-06-21 23:45:57.940 UTC [66] LOG:  database system was shut down at 2023-06-21 23:45:57 UTC
mcaptcha_postgres_1  | 2023-06-21 23:45:58.016 UTC [1] LOG:  database system is ready to accept connections
mcaptcha_mcaptcha_1 exited with code 101

I dont know why this occuring, here is my docker-compose.yml file

version: "3.9"                                                                                                           
                                                                                                                         
services:                                                                                                                
  mcaptcha:                                                                                                              
    image: mcaptcha/mcaptcha:latest                                                                                      
    ports:                                                                                                               
      - 7000:7000                                                                                                        
    environment:                                                                                                         
      DATABASE_URL: postgres://postgres:password@mcaptcha_postgres:5432/postgres # set password at placeholder           
      MCAPTCHA_REDIS_URL: redis://mcaptcha_redis/                                                                        
      RUST_LOG: debug                                                                                                    
      PORT: 7000                                                                                                         
      RUST_BACKTRACE: 1                                                                                                  
    depends_on:                                                                                                          
      - mcaptcha_postgres                                                                                                
      - mcaptcha_redis                                                                                                   
                                                                                                                         
  mcaptcha_postgres:                                                                                                     
    image: postgres:13.2                                                                                                 
    volumes:                                                                                                             
      - mcaptcha-data:/var/lib/postgresql/                                                                               
    environment:                                                                                                         
      POSTGRES_PASSWORD: password # change password                                                                      
      PGDATA: /var/lib/postgresql/data/mcaptcha/                                                                         
                                                                                                                         
  mcaptcha_redis:                                                                                                        
    image: mcaptcha/cache:latest                                                                                         
                                                                                                                         
volumes:                                                                                                                 
  mcaptcha-data:

Any help is appreciated

AGPL code is served with MIT and X11 license

see

https://github.com/mCaptcha/mCaptcha/blob/master/templates/widget/service-worker.ts (the compiled asset is delivered as X11 and MIT licensed work, not agpl)
https://mcaptcha.de/assets/bundle/verificationWidget.F4101A044A41436FC5A31A39AECEB37C46E73DF2F43E7273E21E63BE18F71520.js (link may be outdated if you deploy a new version in between...)
https://demo.mcaptcha.org/assets/bundle/bench.0AD0CC244EF8AA4C9E0D7483BD97AC1EE1B9FD7BDC997E2F298F069F67521DBF.js

https://github.com/mCaptcha/mCaptcha/blob/master/templates/widget/main.scss (the compiled asset is delivered without any license)
https://mcaptcha.de/assets/bundle/css/widget.97172DE5AAA08F31E0D092C06C194ED731D4C12D47E3F36641ABEED7EF8E3027.css (link may be outdated if you deploy a new version in between...)

my guess is that the service worker was by accident not mit like the rest and the CSS, i don't know.

Document Hash Function

Uhh, what hash function does mCaptcha use?

Problem

I searched the issues and I searched the README, and there's no mention of which hash function mCaptcha uses by default, and which others it supports.

This seems like critical information when deciding which type of hashcash captcha solution to use!

Solution

The solution to this problem is not to just answer me here on this GitHub issue.

The solution to this problem is to document the list of all supported cryptographic hash functions somewhere in the documentation of mCaptcha, such as the README.md file

Add versioning to the project

Currently there are no tags for the project. Would be great to have them to be able to always build a set-version of mCaptcha.

docker-compose.yml is broken on master

I'm getting several naming issues starting the project with docker compose as the services naming convention is inconsistent:

I'm about to send a PR to fix this

MCaptchaRediSModuleCommandNotFound error while deploying with Docker

Hello,

I've tried to deploy mCaptcha with Docker and I have an error that I'm not able to fix:

Version: 0.1.0 commit: c1f6ce3ae29321f0fdecf801ba789f60e4f89511
 INFO  mcaptcha::settings > Loading config file from /etc/mcaptcha/config.toml
 INFO  mcaptcha::data     > Initializing credential manager
 INFO  sqlx::postgres::notice > relation "_sqlx_migrations" already exists, skipping
thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: MCaptchaRediSModuleCommandNotFound("MCAPTCHA_CACHE.ADD_VISITOR")', src/data.rs:140:22
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Below is my Docker compose:

version: '3'

services:
  mcaptcha:
    container_name: mcaptcha
    image: mcaptcha/mcaptcha:latest
    restart: always
    volumes:
      - /opt/mcaptcha/config.toml:/etc/mcaptcha/config.toml
    networks:
      - mcaptcha-network
      - postgresql-network
    ports: 
      - 127.0.0.1:7000:7000
  mcaptcha-redis:
    image: redis:latest
    container_name: mcaptcha-redis
    restart: always
    networks:
      - mcaptcha-network

networks:
  mcaptcha-network:
    name: mcaptcha
  postgresql-network:
    name: postgresql
    external: true

And here is my config file:

debug = false
source_code = "https://github.com/mCaptcha/mCaptcha"
commercial = false
allow_demo = false
allow_registration = false

[server]
cookie_secret = "******"
port = 7000
ip = "0.0.0.0"
domain = "mcaptcha.domain.com"
proxy_has_tls = true

[captcha]
salt = "******"
gc = 30
runners = 4
queue_length = 2000
enable_stats = true

[captcha.default_difficulty_strategy]
avg_traffic_difficulty =  50000
peak_sustainable_traffic_difficulty = 3000000
broke_my_site_traffic_difficulty = 5000000
duration = 30

[database]
hostname = "postgresql"
port = "5432"
username = "******"
password = "******"
name = "mcaptcha"
pool = 4
database_type="postgres"

[redis]
url = "redis://mcaptcha-redis/"
pool = 4

[smtp]
from = "admin@localhost"
reply = "admin@localhost"
url = "127.0.0.1"
port = 10025
username = "admin"
password = "password"

Thanks for any help

Accessibility issues

Hello,

Some accessibility problems have been detected, according to international WCAG, french RGAA... Here are the accessibility issues to be fixed:

On <iframe> tag, replace frameborder, scrolling, width and height HTML attributes by their equivalents in CSS (border, overflow, width and height ).
It will allow some users to customize the appareance by overriding CSS.
On <iframe> tag, replace aria-roledescription=presentation (that provides no interesting information) by role=group title="mCaptcha: Mandatory checkbox for security check" (or something like that).
Replace the <main> tag by a <div> tag.
No need to define a main content area while this module is always implemented via an iframe in a specific area of a website)
Remove the text "mCaptcha logo" from the logo.
The wrapping link will have the accessible name "mcaptcha" instead of "logo mcaptcha mCaptcha".
Provide translations for every texts ("I'm not a robot", "Processing", "Verified", "mCaptcha: Mandatory checkbox for security check"...), maybe using a GET parameter in the API URL. Ex.: https://demo.mcaptcha.org/widget?sitekey=XXXX&lang=fr (for french language for example).

Boolean Environment settings are ignored

Hey,

I tried to change environment variables like "MCAPTCHA_ALLOW_REGISTRATION" and "MCAPTCHA_ALLOW_DEMO" to false.
This envs are ignored.

I had to change the /etc/mcaptcha/config.toml in order the achieve this configuration.
It seams like merging bool envs into the rust settings are not working correct.
But it works correct with strings.

Maybe its a bug or I did something wrong.

Thanke you and Bye
Darian

Mutli language support for the widget?

Hello,

are there plans to implement multilingual support, at least for the widget?

Greetings

Question: Experiencing relatively low security

Actually when this project solves the problem of user experience, we have arisen another problem:

The previous websites using CAPTCHA are in fact making their websites more expensive computationally as well to defend attacks (e.g. need to run a deep learning stuff to identify the characters in the CAPTCHA). As human brains are better doing those jobs than machines, humans take a shorter time than machines doing those, which means to achieve a relatively acceptable delay of user visiting the website, the traditional plans can bring more calculation work to robots. Yet now this project is definitely costing the same when a usual user or a robot visits the website. So when required high levels of security, this plan could work poorly.

This is just a personal question, and it may not be true.

Allow Registration from "admin" users

Right now you can only disable new registrations for a running mCaptcha instance.

However to add a user while the instance is running you would need to shut the instance down, change the enironment variable, start it again, then add a user, afterwards shut it down again and change the environment variable back.

It would be way nice if an admin user could add a new user directly from the dashboard even if the public registration is closed.

Question: How to reset mcpatcha widget?

Hello, first of all thank you for this cool application, I'm currently using it in the development of a side project of mine.

I've got one question, right now I'm submitting all my data not via form but via a post request to my own webserver which handles the rest. For this I extract the token from the text input field. But after my request is successfull I would like to reset the checked state of the widget. Is that possible if I don't use a form?

(Currently you need to either refresh the page, which would have done if there wouldn't be some state I need to display, or click it again to reset it)

mcaptcha / mcaptcha Goto Github PK

mcaptcha's Introduction

mCaptcha

How does it work?

Why use mCaptcha?

Demo

Client-side widget:

Demo servers are available at:

Self-hosted:

Development:

Deployment:

Configuration:

Funding

NLnet

mcaptcha's People

Contributors

Stargazers

Watchers

Forkers

mcaptcha's Issues

Problem

Solution

Recommend Projects

Recommend Topics

Recommend Org