How can I integrate Cloudflare Turnstile with Discourse?

I was searching for any documentation/guide for integrating Cloudflare Turnstile with Discourse but was not able to find it. Can anyone help with this?

2 Likes

Same question here. Very eager to find out

Yeah this is a much needed feature. I prefer Turnstile over all the other captcha services. Hopefully someone will create a plugin or something for this soon.

1 Like

Users must validate their email address in order to create an account. How does turnstile do anything but discourage users from creating an account?

What problem are you solving?

2 Likes

I guess you’re right.

1 Like

I am considering the possibility that if some automated programs crazily register users, it could consume the daily sending quota of the email server (which is integrated from a third party), leading to increased costs.

3 Likes

Is Cloudflare Turnstile currently supported by Discourse, or are there any plans to support it in the future?

I believe you could integrate it with a theme component, but as I asked before, are you currently experiencing a problem that Turnstile will solve?

Thanks for your reply! I recently noticed Cloudflare verification when registering or posting on other forums, which made me curious whether Discourse can do the same.

Seems like it’d solve the same problem hCaptcha solves, except that unlike hCaptcha’s free tier, Turnstile’s free tier offers a transparent/zero-friction mode, better analytics, and it’s integrated into the cloudflare stack and manageable from the CF dashboard, which is potentially valuable to self-hosters already utilizing CF (or anyone who wants a transparent captcha offering without forking over $99/month).

Do you have a bunch of examples of fake accounts getting set up? Since you have to validate your email address when creating an account, most sites don’t bother with captcha as it makes it harder for real users to register without any benefit.

When I stood up my current discourse instance this past summer, I had about 100 spam accounts sign up within 24 hours, all with throwaway email domain accounts (all of which had functional SPF and DKIM). Turning on hCaptcha eliminated the problem entirely. I deployed discourse on an existing site to replace native WordPress comments that were absolutely swimming in abusive spam, and the spammers immediately shifted tactics to follow.

I can’t speak to “most sites,” other than to say that your personal experience is not mine. The benefit for me is a massive, measurable decrease in spam sign-ups with hCaptcha. Validating e-mail accounts is not a barrier to spam sign-ups. I appreciate that hCaptcha has an official Discourse plugin, though I’d prefer to use Turnstile because of the added value.

1 Like

Wow. That’s crazy. Shows what I know!

I think it should be possible with a theme component–if the Bad Actors are using the javascript front end and not the API (in which case Turnstile wouldn’t make a difference).

Anyway, I can’t quite tell how it works, but it’s possible that my GitHub - literatecomputing/discourse-custom-components theme component would let you paste whatever it is that Cloudflare gives you into the component and have it render on some place on the signup form.

Edit: oh, but that’ll just put the captcha on the page, I guess, not require it to submit the form.

What is required

There’s a client side piece: Embed the widget · Cloudflare Turnstile docs

And a server-side piece: Validate the token · Cloudflare Turnstile docs

You’d first need to add the client-side piece and see that the stuff from there gets submitted with the account-creation data. Then the server-side piece would validate that they indeed passed the test. I’m not quite sure how hard it would be, I’m guessing $500-2000 would get someone to do it in Marketplace.

2 Likes
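The server-side piece described in the post above, as an added Ruby sketch that is not from the thread or from any Discourse plugin: it checks the token the widget submits against Cloudflare's siteverify endpoint and fails closed, so a signup sent straight to the API with no token is rejected. The function name, the injectable `post` transport and the sample responses are assumptions made for illustration; wiring it into Discourse's account-creation path is not shown.

```ruby
require "json"
require "net/http"
require "uri"

SITEVERIFY_URL = URI("https://challenges.cloudflare.com/turnstile/v0/siteverify")
MAX_TOKEN_LENGTH = 2048 # maximum token length per Cloudflare's Turnstile docs

# Default transport: POSTs the form to Cloudflare and returns the raw JSON body.
DEFAULT_POST = lambda do |params|
  Net::HTTP.post_form(SITEVERIFY_URL, params).body
end

# Hypothetical helper. Returns [ok, reason]; anything other than an explicit
# success is a rejection, including a missing token or an unreachable endpoint.
def verify_turnstile(token, secret:, remote_ip: nil, expected_hostname: nil, post: DEFAULT_POST)
  return [false, "missing-token"] if token.nil? || token.strip.empty?
  return [false, "token-too-long"] if token.length > MAX_TOKEN_LENGTH

  params = { "secret" => secret, "response" => token }
  params["remoteip"] = remote_ip if remote_ip

  begin
    result = JSON.parse(post.call(params))
    raise TypeError, "unexpected siteverify body" unless result.is_a?(Hash)
  rescue StandardError => e
    return [false, "siteverify-unavailable: #{e.class}"]
  end

  return [false, Array(result["error-codes"]).join(",")] unless result["success"] == true
  # Reject tokens that were solved on a different site than the one expected.
  if expected_hostname && result["hostname"] != expected_hostname
    return [false, "hostname-mismatch"]
  end
  [true, "ok"]
end

# Constructed sample responses shaped like siteverify output, so this runs offline.
SAMPLE_OK = ->(_p) { '{"success":true,"hostname":"forum.example.com","error-codes":[]}' }
SAMPLE_REPLAY = ->(_p) { '{"success":false,"error-codes":["timeout-or-duplicate"]}' }
SAMPLE_DOWN = ->(_p) { raise IOError, "network unreachable" }

if __FILE__ == $PROGRAM_NAME
  p verify_turnstile("tok", secret: "s", expected_hostname: "forum.example.com", post: SAMPLE_OK)
  p verify_turnstile(nil, secret: "s", post: SAMPLE_OK)
  p verify_turnstile("tok", secret: "s", post: SAMPLE_REPLAY)
end
```

The token arrives from the widget in the `cf-turnstile-response` form field, and the secret key must stay on the server.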

Maybe with this:

It was included here: Alibaba Cloud email push not working