add math captcha type (#514)

Author: solverat

README.md

@@ -21,7 +21,7 @@
 ## Installation
 
 ```bash
-composer require "dachcom-digital/formbuilder":"~5.2.0"
+composer require "dachcom-digital/formbuilder":"~5.3.0"
 ```
 
 Add Bundle to `bundles.php`:
@@ -56,6 +56,7 @@ Nothing to tell here, it's just [Symfony](https://symfony.com/doc/current/templa
   - [FriendlyCaptcha](docs/03_SpamProtection.md#friendly-captcha)
   - [Honeypot](docs/03_SpamProtection.md#honeypot)
   - [ReCaptcha V3](docs/03_SpamProtection.md#recaptcha-v3)
+  - [Math Captcha](docs/03_SpamProtection.md#math-captcha)
   - [Email Checker](docs/03_SpamProtection.md#email-checker)
   - [Double-Opt-In Feature](docs/04_DoubleOptIn.md)
 - [Output Workflows](docs/OutputWorkflow/0_Usage.md)

UPGRADE.md

@@ -3,6 +3,7 @@
 ## 5.3.0
 - **[IMPROVEMENT]** New field added to `form_builder_form_attributes`: `autocomplete`
 - **[BUGFIX]** Solidify check for empty value in output transformer [#486](https://github.com/dachcom-digital/pimcore-formbuilder/issues/508)
+- **[SECURITY FEATURE]** Math CAPTCHA Field [#511](https://github.com/dachcom-digital/pimcore-formbuilder/issues/511), read more about it [here](./docs/03_SpamProtection.md#math-captcha)
 
 ## 5.2.0
 - **[LICENSE]** Dual-License with GPL and Dachcom Commercial License (DCL) added

config/install/translations/admin.csv

@@ -62,6 +62,9 @@
 "form_builder_type.time_type","Time Type","Uhrzeit Element"
 "form_builder_type.birthday_type","Birthday Type","Geburtstag Element"
 "form_builder_type.recaptcha_v3","reCAPTCHA v3 Field","reCAPTCHA v3 Feld"
+"form_builder_type.math_captcha","Math Captcha Field","Mathematisches Captcha Feld"
+"form_builder_type_field.math_captcha.validation_message_trans_note","Validation messages will be translated via pimcore translation manager: 'The given answer is not correct', 'Captcha has expired due to inactivity. Please refresh the page and try again.'","Validierungsmeldungen werden mit dem Pimcore Translation-Manager übersetzt: 'The given answer is not correct', 'Captcha has expired due to inactivity. Please refresh the page and try again.'"
+"form_builder_type_field.math_captcha.difficulty","Difficulty","Schwierigkeit"
 "form_builder_type.friendly_captcha","Friendly Captcha Field","Friendly Captcha Feld"
 "form_builder_type.cloudflare_turnstile","Cloudflare Turnstile Field","Cloudflare Turnstile Feld"
 "form_builder_type_tab.default","Default","Standard"

config/services/forms/forms.yaml

@@ -22,6 +22,13 @@ services:
         tags:
             - { name: form.type }
 
+    FormBuilderBundle\Form\Type\MathCaptchaType:
+        public: false
+        arguments:
+            - '@FormBuilderBundle\Tool\MathCaptchaProcessor'
+        tags:
+            - { name: form.type }
+
     FormBuilderBundle\Form\Type\DynamicFormType:
         public: false
         arguments:

config/services/system.yaml

@@ -31,6 +31,13 @@ services:
     FormBuilderBundle\Tool\CloudflareTurnstileProcessorInterface: '@FormBuilderBundle\Tool\CloudflareTurnstileProcessor'
     FormBuilderBundle\Tool\CloudflareTurnstileProcessor: ~
 
+    # tool: math captcha processor
+    FormBuilderBundle\Tool\MathCaptchaProcessorInterface: '@FormBuilderBundle\Tool\MathCaptchaProcessor'
+    FormBuilderBundle\Tool\MathCaptchaProcessor:
+        arguments:
+            - '%pimcore.encryption.secret%'
+            - '@FormBuilderBundle\Configuration\Configuration'
+
     # configuration
     FormBuilderBundle\Configuration\Configuration: ~
 

config/services/validator.yaml

@@ -14,6 +14,11 @@ services:
         tags:
             - { name: validator.constraint_validator }
 
+    FormBuilderBundle\Validator\Constraints\MathCaptchaValidator:
+        public: false
+        tags:
+            - { name: validator.constraint_validator }
+
     FormBuilderBundle\Validator\Constraints\CloudflareTurnstileValidator:
         public: false
         tags:

config/types/type/math_captcha.yaml

@@ -0,0 +1,27 @@
+form_builder:
+    types:
+        math_captcha:
+            class: FormBuilderBundle\Form\Type\MathCaptchaType
+            backend:
+                form_type_group: security_fields
+                label: 'form_builder_type.math_captcha'
+                icon_class: 'form_builder_icon_math_captcha'
+                constraints: false
+                fields:
+                    optional.email_label: ~
+                    options.help_text: ~
+                    options.data: ~
+                    options.value: ~
+                    options.difficulty:
+                        display_group_id: base
+                        type: select
+                        label: 'form_builder_type_field.math_captcha.difficulty'
+                        config:
+                            options:
+                                - ['easy','easy']
+                                - ['normal','normal']
+                                - ['hard','hard']
+                    options.validation_message_trans_note:
+                        display_group_id: base
+                        type: label
+                        label: 'form_builder_type_field.math_captcha.validation_message_trans_note'

docs/03_SpamProtection.md

@@ -60,6 +60,8 @@ form_builder:
 4. Enable the FriendlyCaptcha [javascript module](./91_Javascript.md)
 4. Done
 
+***
+
 ## Cloudflare Turnstile
 Turnstile delivers frustration-free, CAPTCHA-free web experiences to website visitors - with just a simple snippet of free code.
 Moreover, Turnstile stops abuse and confirms visitors are real without the data privacy concerns or awful user experience of CAPTCHAs.
@@ -80,6 +82,47 @@ form_builder:
 4. Enable the CloudFlareTurnstile [javascript module](./91_Javascript.md)
 4. Done
 
+***
+
+## Math Captcha
+This simple math captcha form provides a lightweight and session-free way to prevent automated submissions.
+It offers three difficulty levels, allowing customization based on security needs.
+The captcha generates random math problems that users must solve before submitting the form.
+Since no session storage is required, it can be easily integrated with minimal overhead.
+
+> [!CAUTION]  
+> The Math captcha doesn't solve the problem of figuring out that a user has previously solved the captcha.
+> It only protects individual requests and might help if you're in the middle of a spam attack.
+> However, it will give you time, to set up stronger spam protection like 
+> recaptcha, turnstile or friendly captcha (which are all supported by this bundle) to get rid of smart bots!
+
+### Encryption Secret
+
+> [!IMPORTANT]  
+> Math Captcha requires a valid encryption key!
+> It uses the `%pimcore.encryption.secret%` as default, but you're able to set a dedicated one:
+
+```yaml
+form_builder:
+    spam_protection:
+        math_captcha:
+            encryption_secret: 'my-very-long-encryption-secret'
+```
+
+### Math Captcha TTL | Expiration
+To prevent replay attacks in a long-term view, a math captcha gets invalided after 30 minutes.
+
+If you want to change the value, you need to update the configuration
+
+```yaml
+form_builder:
+    spam_protection:
+        math_captcha:
+            hash_ttl: 30 # 30 minutes (default value)
+```
+
+***
+
 ## Email Checker
 The Email Checker Validator is available, if you've added at least one service. Per default, no service is registered by default. 
 

public/css/admin.css

@@ -202,6 +202,10 @@
     background: url(/bundles/formbuilder/img/friendly_captcha.svg) left center no-repeat !important;
 }
 
+.form_builder_icon_math_captcha {
+    background: url(/bundles/formbuilder/img/math_captcha.svg) left center no-repeat !important;
+}
+
 /*
     Conditional Logic
 */

public/img/math_captcha.svg

@@ -662,6 +662,14 @@ private function buildSpamProductionNode(): NodeDefinition
                     ->end()
                 ->end()
 
+                ->arrayNode('math_captcha')
+                    ->addDefaultsIfNotSet()
+                    ->children()
+                        ->scalarNode('encryption_secret')->defaultNull()->end()
+                        ->integerNode('hash_ttl')->defaultValue(30)->end()
+                    ->end()
+                ->end()
+
                 ->arrayNode('email_checker')
                     ->addDefaultsIfNotSet()
                     ->children()

src/DependencyInjection/Configuration.php

@@ -0,0 +1,72 @@
+<?php
+
+/*
+ * This source file is available under two different licenses:
+ *   - GNU General Public License version 3 (GPLv3)
+ *   - DACHCOM Commercial License (DCL)
+ * Full copyright and license information is available in
+ * LICENSE.md which is distributed with this source code.
+ *
+ * @copyright  Copyright (c) DACHCOM.DIGITAL AG (https://www.dachcom-digital.com)
+ * @license    GPLv3 and DCL
+ */
+
+namespace FormBuilderBundle\Form\Type;
+
+use FormBuilderBundle\Tool\MathCaptchaProcessor;
+use FormBuilderBundle\Validator\Constraints\MathCaptcha;
+use Symfony\Component\Form\AbstractType;
+use Symfony\Component\Form\Extension\Core\Type\HiddenType;
+use Symfony\Component\Form\Extension\Core\Type\TextType;
+use Symfony\Component\Form\FormBuilderInterface;
+use Symfony\Component\Form\FormInterface;
+use Symfony\Component\Form\FormView;
+use Symfony\Component\OptionsResolver\OptionsResolver;
+
+final class MathCaptchaType extends AbstractType
+{
+    public function __construct(protected MathCaptchaProcessor $mathCaptchaProcessor)
+    {
+    }
+
+    public function buildForm(FormBuilderInterface $builder, array $options): void
+    {
+        $stamp = $this->mathCaptchaProcessor->generateStamp();
+        $challenge = $this->mathCaptchaProcessor->generateChallenge($options['difficulty'], $stamp);
+
+        $challengeFieldOptions = [
+            'label'      => $challenge['user_challenge'],
+            'label_attr' => [
+                'class' => 'math-captcha-challenge-label'
+            ],
+        ];
+
+        if ($challenge['hash'] === null) {
+            $challengeFieldOptions['attr']['disabled'] = true;
+            $challengeFieldOptions['label'] = 'No encryption secret found. cannot create challenge.';
+        }
+
+        $builder->add('challenge', TextType::class, $challengeFieldOptions);
+        $builder->add('hash', HiddenType::class, ['data' => $challenge['hash']]);
+        $builder->add('stamp', HiddenType::class, ['data' => $stamp]);
+    }
+
+    public function buildView(FormView $view, FormInterface $form, array $options): void
+    {
+        $view->vars['attr']['class'] = 'math-captcha';
+    }
+
+    public function getBlockPrefix(): string
+    {
+        return 'form_builder_math_captcha_type';
+    }
+
+    public function configureOptions(OptionsResolver $resolver): void
+    {
+        $resolver->setDefaults([
+            'mapped'      => false,
+            'difficulty'  => 'easy',
+            'constraints' => [new MathCaptcha()],
+        ]);
+    }
+}

src/Form/Type/MathCaptchaType.php

@@ -0,0 +1,42 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This source file is available under two different licenses:
+ *   - GNU General Public License version 3 (GPLv3)
+ *   - DACHCOM Commercial License (DCL)
+ * Full copyright and license information is available in
+ * LICENSE.md which is distributed with this source code.
+ *
+ * @copyright  Copyright (c) DACHCOM.DIGITAL AG (https://www.dachcom-digital.com)
+ * @license    GPLv3 and DCL
+ */
+
+namespace FormBuilderBundle\Migrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+use FormBuilderBundle\Tool\Install;
+use Symfony\Component\DependencyInjection\ContainerAwareInterface;
+use Symfony\Component\DependencyInjection\ContainerAwareTrait;
+
+final class Version20250306140903 extends AbstractMigration implements ContainerAwareInterface
+{
+    use ContainerAwareTrait;
+
+    public function getDescription(): string
+    {
+        return '';
+    }
+
+    public function up(Schema $schema): void
+    {
+        $installer = $this->container->get(Install::class);
+        $installer->updateTranslations();
+    }
+
+    public function down(Schema $schema): void
+    {
+    }
+}