Self-hosted captcha for matrix-synapse registrations?
I have a self-hosted matrix-synapse server up and running on a Debian linux server, but before I open it up I want to at least get a captcha service in place to reduce spamming. The only module I've seen to handle this function appears to require setting up a Google recaptcha though, however I would prefer to keep all of this entirely self-contained for the privacy of my users. Can anyone recommend a module that allows for a local captcha option? For that matter, can anyone also recommend a captcha system that is pretty straightforward to set up (which is compatible with matrix-synapse) and uses basic preinstalled code bases like perl or python?
And while I'm here, I would also like to provide the option of registering with an email address, but I'm having trouble finding any clear how-to pages on this. Seems like that function might be built directly in to matrix-synapse but I'm just not finding anything helpful. Any suggestions?
I'm fairly new to matrix in general, but I have an initial setup running with the homeserver, Element web page, and an IRC bridge, so if I can just nail down the validation part of registrations I'll have what I think is a good starting point to launch from.
I can’t help with a self-hosted captcha, but I do know that hCAPTCHA claims to be more privacy respecting than reCAPTCHA. They also have a 1:1 comparability layer with the reCAPTCHA API so it should be a drop-in replacement without too much effort.
I’m interested to hear if anyone chimes in with a self-hosted solution, but I’d imagine a managed solution would probably be best for an application of any size if you’re worried about bots.
Also, while I agree with the other poster that bots may be better than humans at solving captchas, I do want to say that they’re better than nothing. Just like I wouldn’t leave my front door unlocked (even though house doors are easily picked / broken), a simple deterrent is better than nothing. A site I was working on went from hourly spam to none at all with just a simple Cloudflare captcha.
You could use something like mCaptcha, which isn't really a captcha (because it doesn't do a Turing test), but fills the same use case, by providing users with a proof of work challenge, which rate limits them like a captcha would
I tried their demo page but it just takes the login credentials and never actually shows a captcha. Maybe it broken? Could you tell me what I should be seeing here?
You need to register an account on their demo page (this account gets automatically deleted after a while). And then you can create deployments, that can be embedded into other forms