updated gallery

2026-03-17 18:34:26 +01:00
parent 7b37259a2c
commit 7da0fd39f7
52 changed files with 1216 additions and 870 deletions


@@ -47,20 +47,23 @@ On repeated requests within cooldown:
- No additional verification email is queued
- Generic success message is returned
### 3) Progressive CAPTCHA (Turnstile)
### 3) Progressive CAPTCHA
Service:
- `app/Services/Security/TurnstileVerifier.php`
- `app/Services/Security/CaptchaVerifier.php`
- `app/Services/Security/TurnstileVerifier.php` (legacy compatibility wrapper)
Controller logic (`RegisteredUserController::shouldRequireTurnstile`):
Controller logic (`RegisteredUserController::shouldRequireCaptcha`):
- Requires Turnstile for suspicious IP activity (attempt threshold)
- Also requires Turnstile when registration rate-limit state is detected
- Requires CAPTCHA for suspicious IP activity (attempt threshold)
- Also requires CAPTCHA when registration rate-limit state is detected
- Active provider is selected through `forum_bot_protection.captcha.provider`
UI behavior (`resources/views/auth/register.blade.php`):
- Turnstile widget is only rendered when required
- Provider-specific widget is only rendered when required
- Turnstile, reCAPTCHA, and hCaptcha are supported
### 4) Disposable Domain Block
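Review bot: the new bullet "Active provider is selected through `forum_bot_protection.captcha.provider`" documents the key but not its accepted values or its default; since the UI bullet lists Turnstile, reCAPTCHA and hCaptcha as supported, state the exact provider identifiers here and say what `shouldRequireCaptcha` does when the selected provider is misconfigured (whether registration is blocked or the CAPTCHA step is skipped), because that distinction decides whether a bad deployment fails closed or open. The `TurnstileVerifier.php` line marked "(legacy compatibility wrapper)" would also benefit from one sentence saying whether it is slated for removal so callers know to migrate to `CaptchaVerifier.php`.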
@@ -153,9 +156,10 @@ Key settings:
- `monthly_email_limit`
- `generic_success_message`
Turnstile config:
Captcha provider config:
- `config/services.php` under `turnstile`
- `config/services.php` under `turnstile`, `recaptcha`, and `hcaptcha`
- `config/forum_bot_protection.php` under `captcha`
Environment examples:
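Review bot: the "Captcha provider config:" block now points at two files, `config/services.php` (under `turnstile`, `recaptcha`, and `hcaptcha`) and `config/forum_bot_protection.php` (under `captcha`), without saying how they relate; one line clarifying that `services.php` carries per-provider credentials while `forum_bot_protection.php` carries the provider selection (or whichever split actually applies) would stop operators from duplicating secrets in both. Minor style point: the heading uses "Captcha" while the rest of this document writes "CAPTCHA".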
@@ -189,7 +193,7 @@ Covered scenarios:
- Cooldown suppresses extra sends
- Disposable domains blocked
- Quota exceeded blocks send and keeps generic success UX
- Turnstile required on abuse/rate-limit state
- CAPTCHA required on abuse/rate-limit state
- Tokens hashed, expire, and are one-time
- Responses avoid account enumeration
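Review bot: renaming the covered scenario to "CAPTCHA required on abuse/rate-limit state" keeps it provider-neutral, but the list no longer says whether each of the three provider verification paths is exercised; add a bullet per provider (or a single line stating that verification is tested against all three) and one for the failed-or-missing-token case, since a verifier that is never tested with an invalid response is the path most likely to silently accept everything.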
@@ -199,4 +203,7 @@ Covered scenarios:
- Ensure queue workers process the `mail` queue.
- Monitor `email_send_events` for blocked/sent patterns.
- Set `REGISTRATION_MONTHLY_EMAIL_LIMIT` based on provider quota.
- Configure `TURNSTILE_SITE_KEY` and `TURNSTILE_SECRET_KEY` in production.
- Configure the active CAPTCHA provider keys in production:
- Turnstile: `TURNSTILE_SITE_KEY`, `TURNSTILE_SECRET_KEY`
- reCAPTCHA: `RECAPTCHA_ENABLED`, `RECAPTCHA_SITE_KEY`, `RECAPTCHA_SECRET_KEY`
- hCaptcha: `HCAPTCHA_ENABLED`, `HCAPTCHA_SITE_KEY`, `HCAPTCHA_SECRET_KEY`
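Review bot: the reCAPTCHA and hCaptcha entries each list an `*_ENABLED` flag, but the Turnstile entry lists only `TURNSTILE_SITE_KEY` and `TURNSTILE_SECRET_KEY`; document whether Turnstile is enabled implicitly by the provider selection and what the controller does when the selected provider's `*_ENABLED` flag is false or its keys are empty, so an operator can tell from this checklist whether an incomplete configuration leaves registration unprotected.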