[5.1] A simple Captcha, which not every AI can solve #42777

Closed
Fedik wants to merge 18 commits into joomla:5.1-dev from Fedik:captcha-math
Conversation

@Fedik
Member

@Fedik Fedik commented Feb 8, 2024

Summary of Changes

Implementing a simple Math captcha. Independent from external services.
To solve the captcha, the user should do some math (it's a simple addition for now).

Screenshot 2024-02-08_17-10-59

Testing Instructions

Go to Extension => Discovery
Install the new plugin, and enable it as the default captcha (in global config).

Go to password reset (or any other form that uses captcha)
Try to submit the form without a solution, then with valid and invalid values.
Note: to test with the "password reset" form, you need to enable Debug in Global configuration.

Actual result BEFORE applying this Pull Request

Nothing

Expected result AFTER applying this Pull Request

Works

Link to documentations

Please select:

  • Documentation link for docs.joomla.org:
  • No documentation changes for docs.joomla.org needed
  • Pull Request link for manual.joomla.org:
  • No documentation changes for manual.joomla.org needed

@joomla-cms-bot joomla-cms-bot added Language Change This is for Translators PR-5.1-dev labels Feb 8, 2024
@Fedik Fedik added the Feature label Feb 8, 2024
@C-Lodder
Member

C-Lodder commented Feb 8, 2024

Just wrote a mini scraper in Node.js and was easily able to obtain the question and calculate the answer.
Seeing as it's text based, it might be worth doing something similar to that of <joomla-hidden-mail>.

@brianteeman
Contributor

If we can't have something useful like a schema plugin in core how can we have this?

Co-authored-by: jsanders <j53.sanders@gmail.com>
@Fedik
Member Author

Fedik commented Feb 8, 2024

> it might be worth doing something similar to that of joomla-hidden-mail

hmhm, yea, some random markup could really be an improvement

> how can we have this?

You're saying it is not a good thing? Thank you very much :)

Co-authored-by: jsanders <j53.sanders@gmail.com>
@brianteeman
Contributor

@Fedik I am not saying that at all. Just asking how we can have this and reject other stuff

@Fedik
Member Author

Fedik commented Feb 8, 2024

That's a philosophical question, which life throws at us every day :)

For now, we do not have "this" either ;)
It's just an idea that I have seen on other sites and thought that it is not that bad for a very basic captcha.
Can probably combine with "honeypot", will see.

@alikon
Contributor

alikon commented Feb 8, 2024

@brianteeman are you referring to this one, #42710, right?

in my view remove all captcha from core +

This plugin would be a great benefit for the JED

if our goal is to have a lighter core...

anyway always hard to have a common opinion on this "dark matter" imho
😃

@sandewt
Contributor

sandewt commented Feb 8, 2024

Just a suggestion to check the answer by using the onDisplay function, maybe the following is useful?

public function onDisplay($name = null, $id = 'jform_captcha', $class = '')
{
    $html = '<input type="text" name="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
        . '" id="' . htmlspecialchars($id, ENT_QUOTES, 'UTF-8')
        . '" class="form-control validate-number required" autocomplete="off" required>';

    return $html;
}

@Fedik
Member Author

Fedik commented Feb 9, 2024

It's already in use within display(), to render the input.
onDisplay is an old thing, in Joomla 5 we have a new API for Captcha, the old onDisplay() changed to display()
https://manual.joomla.org/docs/building-extensions/plugins/captcha-plugin

@Fedik Fedik marked this pull request as draft February 9, 2024 10:43
@sandewt
Contributor

sandewt commented Feb 9, 2024

@Fedik Thanks for the information.

@Fedik
Member Author

Fedik commented Feb 10, 2024

@C-Lodder let's hack it again now 😉

@Fedik
Member Author

Fedik commented Feb 20, 2024

Please check whether the plugin is enabled, maybe you unpublished it by accident.
And whether all PHP plugin files are present:

layouts/plugins/captcha/math/mathcaptcha.php
libraries/src/Captcha/Captcha.php
plugins/captcha/math/math.xml
plugins/captcha/math/services/provider.php
plugins/captcha/math/src/Extension/Math.php
plugins/captcha/math/src/Provider/MathCaptchaProvider.php

@sandewt
Contributor

sandewt commented Feb 20, 2024

> Please check whether the plugin is enabled, maybe you unpublished it by accident.
> And whether all PHP plugin files are present:

Fixed. The first two files from the list were not present. I have now added this.

@sandewt
Contributor

sandewt commented Feb 21, 2024

Schermafbeelding 2024-02-21 122114
608 + 8 = 6 -> 608 + 8 = 616, so 16 is correct appears from the test

Schermafbeelding 2024-02-21 123829
608 + 8 = 6 -> 608 + 8 = 616, so 61 is NOT correct appears from the test

I think a lot of people have trouble finding the right answer. If they already understand what exactly the intention is.

@Fedik
Member Author

Fedik commented Feb 21, 2024

> I think a lot of people have trouble finding the right answer

Yeah, nowadays it's hard to do math without a calculator 😄
It's also a pro, it gives time to think before submitting the form 😉

And, as you may have noticed, it is random. Sometimes the user needs to enter a full number, and sometimes only the remaining digits.

@sandewt
Contributor

sandewt commented Feb 22, 2024

> Yeah, nowadays it's hard to do math without a calculator

Completely agree, although this may differ per country.
The following sum can be solved by most, in which one number is a multiple of 10 and the other number is between 0 and 9.

The question is whether such a captcha provides sufficient protection against external digital access by ensuring that only a person with the correct password can open the account?

The larger the range of the number to be entered, the smaller the chance of guessing the number.

Schermafbeelding 2024-02-22 110202

@Fedik
Member Author

Fedik commented Feb 22, 2024

The riddle updates on each request, and resets on each submit. There are also some other "invisible for human" things happening to confuse a regular bot. I do not think someone will brute-force the captcha.

@crimle

crimle commented Feb 24, 2024

I have tested this item 🔴 unsuccessfully on a006b7a

I entered an invalid value and could nevertheless submit the form.


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/42777.

@Fedik
Member Author

Fedik commented Feb 24, 2024

You can submit the form with any captcha, but there is an error message after that.

@crimle

crimle commented Feb 24, 2024

I have tested this item 🔴 unsuccessfully on a006b7a

Second Test: captcha not displaying anymore.



@crommie

crommie commented Feb 24, 2024

I have tested this item 🔴 unsuccessfully on a006b7a

Class "Joomla\Plugin\Captcha\Math\Extension\Math" not found



@sandewt
Contributor

sandewt commented Feb 28, 2024

I have tested this item ✅ successfully on a006b7a

The question is whether the captcha is sufficiently understandable and manageable. See also my previous comment.



@sandewt
Contributor

sandewt commented Feb 28, 2024

For inspiration, the following reads better for me than the text in brackets.

Schermafbeelding 2024-02-28 105400

@Fedik
Member Author

Fedik commented Feb 28, 2024

> the following reads better for me than the text in brackets.

Is it equally good for 73+6= ?

@sandewt
Contributor

sandewt commented Feb 28, 2024

> Is it equally good for 73+6= ?

In that case, this is my preference.

Schermafbeelding 2024-02-28 131910

@Fedik
Member Author

Fedik commented Feb 28, 2024

hmhm, I would like to keep 1 "unified" string.

@Quy
Contributor

Quy commented Feb 28, 2024

Submitted the password reset form with the captcha blank and got no error message. It redirected to the verification page:

http://localhost/Joomla_5.1.0-alpha4-dev+pr.42777-Development-Full_Package/component/users/reset?layout=confirm&Itemid=101

@Fedik
Member Author

Fedik commented Feb 28, 2024

@Quy does it always happen to you or randomly?
hmhm, I can't really see why it can happen

@Quy
Contributor

Quy commented Feb 28, 2024

Every time.

@Fedik
Member Author

Fedik commented Feb 28, 2024

hm, no idea, I cannot reset the PW when the solution is empty, unless I totally disable the captcha.
Something wrong with the installation?

@Fedik
Member Author

Fedik commented Feb 28, 2024

@Quy can you please try adding dd($code); around here

public function checkAnswer(string $code = null): bool
{
    $code = $code ? json_decode($code, true) : false;

Do you still get the redirect, or debug with the response?

@Quy
Contributor

Quy commented Feb 28, 2024

Here is the response:

array:3 [
  0 => ""
  1 => ""
  2 => ""
]

@Fedik
Member Author

Fedik commented Feb 28, 2024

Okay, thanks, that is correct.
And if you do dd($code, $isOk, $solution, $inputIdx); before return

hmhm, it should be false in the result.

@Quy
Contributor

Quy commented Feb 28, 2024

It is still not working. I will investigate further to see why.

^ array:2 [▼
  0 => ""
  1 => ""
]

^ false

^ 536

^ 2

@Fedik
Member Author

Fedik commented Feb 28, 2024

Thanks. Interesting.
The result is false, that is correct, but why is it ignored?

@Fedik
Member Author

Fedik commented Feb 28, 2024

Ah, I found it: the validation for "reset password" is ignored when Debug is OFF

if ($return === false && JDEBUG) {

@Fedik
Member Author

Fedik commented Feb 28, 2024

@Quy please test the PR with debug ON, does it work with it?
I think there is a bug in ResetController for com_user

@Quy
Contributor

Quy commented Feb 28, 2024

It is working now with debug on.
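
The behaviour found at the end of this thread, as an added example that is not part of the pull request or of Joomla's code: a simplified PHP model in which a failed check is only reported when a debug flag is on. The function names, the `Outcome` class and the assumption that a failed check sends no mail are hypothetical.

```php
<?php
// Added illustration: a simplified model, not Joomla code. All names are hypothetical.
declare(strict_types=1);
/** What one reset request produced: the redirect shown and whether a mail went out. */
final class Outcome
{
    public function __construct(public string $redirect, public bool $mailSent) {}
}

/** Stand-in for the model. Assumption: a failed captcha check sends nothing. */
function processReset(bool $captchaOk, array &$outbox): bool
{
    if (!$captchaOk) {
        return false;
    }
    $outbox[] = 'reset-mail (constructed placeholder)';
    return true;
}

/** Pattern quoted in the thread: a false result is acted on only when debug is on. */
function handleAsQuoted(bool $captchaOk, bool $debug): Outcome
{
    $outbox = [];
    $return = processReset($captchaOk, $outbox);
    if ($return === false && $debug) {
        return new Outcome('reset', $outbox !== []);
    }
    return new Outcome('reset?layout=confirm', $outbox !== []);
}

/** Variant that reports a failed check whatever the debug flag says. */
function handleAlwaysReport(bool $captchaOk, bool $debug): Outcome
{
    $outbox = [];
    $return = processReset($captchaOk, $outbox);
    if ($return === false) {
        return new Outcome('reset', $outbox !== []);
    }
    return new Outcome('reset?layout=confirm', $outbox !== []);
}

// Blank captcha with debug off and on, through both handlers.
foreach (['handleAsQuoted', 'handleAlwaysReport'] as $handler) {
    foreach ([false, true] as $debug) {
        $o = $handler(false, $debug);
        printf("%-18s debug=%-5s redirect=%-20s mailSent=%s\n",
            $handler, var_export($debug, true), $o->redirect, var_export($o->mailSent, true));
    }
}
```

With debug off, `handleAsQuoted` sends a blank captcha to the same confirm redirect as a valid one, so a test of the captcha has to check the side effect (here `mailSent`) and not the redirect alone.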

@Fedik Fedik closed this Mar 19, 2024
@Fedik Fedik deleted the captcha-math branch March 19, 2024 13:47
@sandewt
Contributor

sandewt commented Mar 19, 2024

@Fedik Thank you for this contribution. I hope this isn't the end of it, and it still gets a follow-up.

9 participants