Captcha for com.atproto.server.createAccount

I’ve been working on PDS Gatekeeper to prepare selfhosted.social to open up without invite codes. Part of that work is to find ways to stop bots and spammers from abusing the PDS (and so other third party PDSs can benefit). A couple of months ago I had explored doing a captcha like the bsky entryway does, but I concluded that I didn’t think it would work. Well, by accident I found out today I can get it to work. I’m going to sleep on it and am curious for input on whether it’s secure enough, but the video in the Discord post is a proof of concept of me creating an account on a third party PDS via the bsky social app; it shows a captcha as part of the flow and passes it along to com.atproto.server.createAccount, filling out the verificationCode field. The code there right now is just a placeholder, but it will later be a more secure token that is signed by a key on PDS Gatekeeper, like entryway does.

The big thing is the captcha is loaded in via an iframe, and if the captcha is successful it redirects to bsky.app/?code={a code that my backend knows means the captcha is good}&state={state}, mimicking what the entryway does. It does this because this is what the social app catches in order to add it to the request for creating an account on the PDS.

Part of the gotcha there is also that PDS migration tools would have to support this, or, as I’ve been experimenting with, migrations can bypass the captcha check, since ideally they had to get approved as human at some point (most likely, not always).

Another thing I am debating is whether this is really needed. It would be easier to just block `com.atproto.server.createAccount` unless you are migrating, which has a serviceAuth JWT that can be verified via the DID doc. The PDS has baked-in captcha already if you use the new-ish create-an-account step on the OAuth flow. Either way, it was a big find and I thought I would share and get the community’s thoughts on it.

A full video of this flow can be found on ATProto Touchers in this message. Sorry, I wasn’t sure of the best way to share a video here, so y’all get just a picture.

3 Likes
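As an added illustration (not Gatekeeper's or the entryway's code), here is one way the placeholder verificationCode could become a signed, expiring, single-use token bound to the `state` parameter, with the redirect parsed the way the social app picks `code` and `state` off it; the HMAC key, claim names and TTL are assumptions.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Assumed signing key held by PDS Gatekeeper (constructed for this example).
GATEKEEPER_KEY = b"example-gatekeeper-signing-key-do-not-reuse"
CODE_TTL_SECONDS = 600          # assumed lifetime of a captcha token
used_nonces: set = set()        # replay cache; a real deployment would persist it

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_verification_code(state: str, now: Optional[float] = None) -> str:
    """Mint the value placed in bsky.app/?code=...&state=... once the captcha passes."""
    now = time.time() if now is None else now
    claims = {"state": state, "exp": int(now) + CODE_TTL_SECONDS, "nonce": secrets.token_hex(8)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(GATEKEEPER_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"

def code_from_redirect(url: str) -> tuple:
    """Pull code and state off the redirect the same way the social app does."""
    query = parse_qs(urlparse(url).query)
    return query["code"][0], query["state"][0]

def verify_verification_code(code: str, expected_state: str, now: Optional[float] = None) -> bool:
    """Check createAccount's verificationCode: signature, expiry, state binding, single use."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = code.split(".")
        payload = _unb64(payload_b64)
        expected = hmac.new(GATEKEEPER_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):   # constant-time compare
            return False
        claims = json.loads(payload)
        nonce = claims["nonce"]
    except (ValueError, KeyError, TypeError):
        return False
    if claims.get("exp", 0) < now or claims.get("state") != expected_state:
        return False
    if nonce in used_nonces:            # reject a replayed token
        return False
    used_nonces.add(nonce)
    return True
```

Because the PDS only sees the opaque `verificationCode`, all of the signature, expiry and replay checks have to happen on the side that holds the key, which is why the token rather than the iframe result is what gets validated.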

Awesome, thanks for sharing @baileytownsend.dev

1 Like