# ory-selfhosting
b
Anyone with experience on adding captcha validation on self-hosted Kratos for password only authentication? I can’t use CF under attack mode models with captcha or similar. I tried to check if it was feasible to use hooks but even with web_hook we are really limited as we can’t access request body and we can only access a limited set of request_headers. The only approach I’m thinking of at the moment is to build a custom Traefik plugin and manage this on proxy
s
We have built an integration with cloudflare turnstile in Kratos OEL. Other providers could also be supported with a bit of work.
b
@steep-lamp-91158 I do respect your work and I understand that it has to pay off somehow, but I don’t understand how captchas are an enterprise feature when the whole project is based on having an open-source secure authentication system, and captchas are mandatory when dealing with password login / registration or recovery. Anyway just to have an idea what’s the starting price for Ory OEL?
s
The point is that an integration with a proprietary vendor is not well-placed in an open source repo really, although we also support some proprietary OIDC providers 🤷 It is definitely possible to also implement that on your side, the pointer here is the `transient_payload`. For a quote on OEL, I recommend to reach out to https://www.ory.com/contact as it highly depends on what you need.
b
I do completely agree on not having proprietary vendors captchas inside the repository, don’t get me wrong. Let’s make an example as I might have missed a functionality: I can include the captcha token inside `transient_payload`, add an `after` hook (because documentation mentions that `transient_payload` is only available in `after` hooks), make it so that the action is only triggered on `password` method for login and registration flows then trigger a flow-interrupting web_hook action. Now my question here is: do flow-interrupting hooks rollback the database transaction? More specifically for registration the documentation says:
> after registration: The hook runs when a user successfully registers in the system.
Would a hook (webhook) executed after registration flow that interrupts the flow rollback the user registration / prevent it from being finalized?
l
just my $0.05c's worth - but wouldn't a different flow give you the same results, like email verification upon registration along with enforcing totp/passkeys (pointing to docs - https://www.ory.com/docs/kratos/mfa/totp https://www.ory.com/docs/kratos/mfa/webauthn-fido-yubikey) this removes the requirement for "proprietary extensions"
b
@late-rocket-58728 Maybe for authentication, but what about registration via password, someone could spam requests (IP based rate limit is easily eludible) and I get the database filled with users
l
if email not verified within (say 24 hours) delete.....
and the token sent in the verification has a lifetime of 1 hour
so, if the user is legit, they can request a new verification email (or that flow kicks in at login) (user_verified=false => send verification email)
if it's an illegitimate user, the unverified account gets nuked after 24 hrs
b
I think this is more a complementary solution. Google itself enforces captchas for registration if needed. Instead of preventing the issue you are dealing with it later
l
you could (i guess) also implement domain blacklisting - deny registration for yahoo.com, for example
personally, i just think we are living in a world where ai can break captcha
b
“so, if the user is legit, they can request a new verification email (or that flow kicks in at login) (user_verified=false => send verification email)” How do you achieve this? Via API and a custom software or is there a native way to do this
b
“personally, i just think we are living in a world where ai can break captcha” and I do agree but it’s also about resources needed to register each user. Even just having AI solving the captcha requires: 1. More skills 2. More time 3. More resources. Just 2 of these are worth having a captcha for, most of the new ones are 99.9% passive for most users anyway
l
if i put on my black hat - i want in, and using all resources at my beck and call.
or disable password auth, and just use magic links
b
I never said it can’t be bypassed, it’s complementary, if you have 10 possible attackers with captcha and rate limit you now have 3 that want to succeed
“disable password auth, and just use magic links” I’m not the one making the requirements here unfortunately
By the way I actually meant the documentation regarding deleting non verified users after 24 hours. Is it done natively or via API?
l
i havent seen it - it may need to be a custom job/api
b
It’s not even convenient deleting via API with custom job. You can only delete one identity at a time it looks like
l
```sh
for i in `select id from users where email_verified=FALSE`; do DELETE_CALL HERE; done
```
over simplified....
b
While you can do it directly via SQL you never know if the application needs to do extra stuff internally after identity deletion
Unless they added deletion routines on the database itself
l
i meant the sql is just the lookup to get the correct parameters to pass to the api
b
Ah yes but batch deletion is not available unfortunately
l
that should parse as:
```
DELETE CALL user_id_1
DELETE CALL user_id_2
```
batch job but calling individual deletes