🚀 Feature: Support captchas on Open Reg #546

Closed
opened 2026-02-04 20:25:01 +03:00 by OVERLORD · 5 comments

Originally created by @lifeofguenter on GitHub (Nov 17, 2025).

Feature description

Analogous to https://github.com/pocket-id/pocket-id/issues/810, when allowing sign-up, an optional captcha should be displayed.

This would allow us to run pocket-id in a more public setting (Mastodon, Matrix, ...) while still having a base layer of anti-spam measures.

Pitch

There is a push in the Matrix community to enable SSO authentication: https://github.com/matrix-org/matrix-spec-proposals/pull/3861

Having base security measures such as email verification and captcha would put it on par with Matrix/Synapse's own in-house authentication method and thus make pocket-id a seamless replacement.


@kmendell commented on GitHub (Nov 17, 2025):

Thinking out loud here, wouldn't Cloudflare's protection be easier to use? I haven't used their stuff like this in a while, so maybe it's changed since I last used it.


@lifeofguenter commented on GitHub (Nov 18, 2025):

> Thinking out loud here, wouldn't Cloudflare's protection be easier to use? I haven't used their stuff like this in a while, so maybe it's changed since I last used it.

If you mean their captcha solution, yes, I don't think there is value in implementing your own captcha but instead "simply" offering integration to the popular ones: reCAPTCHA, hCaptcha, Cloudflare Turnstile.
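
The three services named in this comment expose the same server-side check: the sign-up handler posts the widget's token and the site secret to a `siteverify` endpoint and reads a JSON `success` flag. The sketch below is an added example, not Pocket ID code or part of the original thread; `VerifyCaptcha`, `SiteverifyURLs` and `ErrCaptchaUnavailable` are hypothetical names, and the secret is a placeholder.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// Verification endpoints of the three providers. Each accepts the form fields
// "secret" and "response" and answers with JSON containing "success".
var SiteverifyURLs = map[string]string{
	"turnstile": "https://challenges.cloudflare.com/turnstile/v0/siteverify",
	"hcaptcha":  "https://api.hcaptcha.com/siteverify",
	"recaptcha": "https://www.google.com/recaptcha/api/siteverify",
}

// ErrCaptchaUnavailable marks a provider outage, as opposed to a rejected
// token, so the caller can decide explicitly whether sign-up fails closed.
var ErrCaptchaUnavailable = errors.New("captcha provider unavailable")

// VerifyCaptcha (hypothetical helper) returns nil only when the provider
// confirms the token. Pass a client with a Timeout set.
func VerifyCaptcha(c *http.Client, endpoint, secret, token string) error {
	if token == "" {
		return errors.New("captcha token missing")
	}
	resp, err := c.PostForm(endpoint, url.Values{"secret": {secret}, "response": {token}})
	if err != nil {
		return fmt.Errorf("%w: %v", ErrCaptchaUnavailable, err)
	}
	defer resp.Body.Close()
	var vr struct {
		Success    bool     `json:"success"`
		ErrorCodes []string `json:"error-codes"`
	}
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&vr) != nil {
		return fmt.Errorf("%w: HTTP %d", ErrCaptchaUnavailable, resp.StatusCode)
	}
	if !vr.Success {
		return fmt.Errorf("captcha rejected: %v", vr.ErrorCodes)
	}
	return nil
}

func main() {
	// An empty token is refused locally; no network request is made.
	fmt.Println(VerifyCaptcha(http.DefaultClient, SiteverifyURLs["turnstile"], "SECRET_PLACEHOLDER", ""))
}
```

The token must be checked server-side on every sign-up request; a widget that is only rendered in the browser, with no `siteverify` call behind it, protects nothing.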


@stonith404 commented on GitHub (Nov 18, 2025):

Thanks for your feature request. In my opinion this isn't something that Pocket ID should handle because the functionality of Pocket ID should stay simple and there are ways to implement bot protection with third party tools pretty easily, for example with [Cloudflare](https://developers.cloudflare.com/bots/get-started/bot-fight-mode/).


@lifeofguenter commented on GitHub (Nov 18, 2025):

> Thanks for your feature request. In my opinion this isn't something that Pocket ID should handle because the functionality of Pocket ID should stay simple and there are ways to implement bot protection with third party tools pretty easily, for example with Cloudflare.

Good to be independent of Cloudflare: https://www.cloudflarestatus.com/incidents/8gmgl950y3h7


And while I agree, Cloudflare made things really really simple, this also would enforce anyone to use them by design & decision making.


@hax0r31337 commented on GitHub (Nov 21, 2025):

> > Thanks for your feature request. In my opinion this isn't something that Pocket ID should handle because the functionality of Pocket ID should stay simple and there are ways to implement bot protection with third party tools pretty easily, for example with Cloudflare.
>
> Good to be independent of Cloudflare: https://www.cloudflarestatus.com/incidents/8gmgl950y3h7
>
> And while I agree, Cloudflare made things really really simple, this also would enforce anyone to use them by design & decision making.

Also, not to mention, the Cloudflare JS challenge can be bypassed easily with a headless WebView.
It's designed for DDoS protection, not mass registering.


Reference: starred/pocket-id#546