Better support for a security question type captcha #1812

Open
MoritzLost opened this issue Apr 10, 2024 · 1 comment

Contributor

MoritzLost commented Apr 10, 2024

What are you trying to do?

Follow-up to the discussion on Discord

I'm trying to add a security question as a spam protection measure. The security question presents as a normal text input with the label being a question that is easy to answer for humans, but (hopefully) not for bots. The reply is checked against a whitelist of accepted answers, and the submission is only allowed to go through if it matches.

This is similar to a captcha and could be added as a custom captcha integration. However, the required behaviour differs slightly. While for a captcha it's ok to display a success message and silently discard the message as spam, or to display a very generic error message, with a security question people can make honest mistakes. So it's important to show a relevant error message (The answer is not correct, please try again) and highlight the security question field as invalid (aria-invalid).

The captcha integration base class / interface doesn't really support this, it would be great if this was easier to do.

What's your proposed solution?

The captcha integration class could be extended to better support this use-case.

As an alternative, the security question can be implemented as a custom field. However, building custom fields is relatively complicated for this rather simple use-case. Ideally, Formie could provide a Security Question as a built-in field or captcha with the behaviour described above out of the box. In this case, one important caveat is that the security question needs to allow a list of accepted answers, to support different spellings etc.
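The behaviour requested above, as an added example that is not part of the issue and does not use Formie's API: a server-side check against a list of accepted answers that tolerates spelling variants, returns a field-level error, and marks the field with `aria-invalid`. All function names, element ids and the sample answers are assumptions made for illustration.

```javascript
// Added example, not Formie code. Names, ids and answers are hypothetical.
const ACCEPTED_ANSWERS = ["blue", "light blue", "blau"]; // constructed sample list

// Fold case, accents, punctuation and extra whitespace so that
// "  Blué! " and "blue" compare equal.
function normalizeAnswer(value) {
  return String(value ?? "")
    .normalize("NFKD")
    .replace(/\p{M}+/gu, "")          // drop combining accents
    .toLowerCase()
    .replace(/[^\p{L}\p{N}]+/gu, " ") // punctuation and whitespace runs -> one space
    .trim();
}

// Server-side validation: the accepted list never leaves the server.
function checkSecurityQuestion(submitted, accepted = ACCEPTED_ANSWERS) {
  const allowed = new Set(accepted.map(normalizeAnswer));
  const answer = normalizeAnswer(submitted);
  const valid = answer !== "" && allowed.has(answer);
  return {
    valid,
    message: valid ? null : "The answer is not correct, please try again.",
  };
}

// The submitted value is echoed back into the form, so it must be escaped.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text ?? "").replace(/[&<>"']/g, (ch) => map[ch]);
}

// Re-render the field; on failure flag it as invalid and attach the error text.
function renderField(question, submitted, result) {
  const attrs = result.valid ? "" : ' aria-invalid="true" aria-describedby="sq-error"';
  const error = result.valid
    ? ""
    : `<p id="sq-error" role="alert">${escapeHtml(result.message)}</p>`;
  return (
    `<label for="sq">${escapeHtml(question)}</label>` +
    `<input id="sq" name="securityQuestion" type="text" value="${escapeHtml(submitted)}"${attrs}>` +
    error
  );
}
```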

@engram-design
Member

I'll agree that there's some work to be done for this style of captcha, but as it's pretty common we'll want to allow for this. Most captchas in use are JS-based, so their validation happens through that, and often a third-party provider as well.
