[Captcha] Unsecure implementation of captcha in demo
captcha
Forge asset by Shahaji Nangare
Application Type
Reactive

Hi,

In its current state I would very much advise NOT to implement this component as is done in the demo. 

This component could be part of a good Captcha solution, but the way it is used in the demo is not secure at all.

The issue with the implementation is that the problem (the generated image) AND the solution (the code) are sent to the client as a response from the "GenerateCaptcha" Data Action. 

The whole point of a captcha is to make sure that no automated script can bypass the captcha.  In this case however, such an automated script only has to look at the response from the "GenerateCaptcha" Data Action and it gets the solution to the problem handed on a silver platter.  It's like sending the username AND password to the client.

How I believe it could work is by doing the following:

  • Create a Service module with a Captcha Entity to store generated captchas (these could even be generated upfront).
    • Create a GenerateCaptcha() server action to generate a new captcha
      • This would call the server action from the extension and create a new Captcha entity with an id and the generated code and save it to the database.
      • Return the id of the Captcha entity and the generated image from the extension as output parameters (do NOT return the code!)
    • Create a ValidateCaptcha() server action taking as input the Captcha id and the code.
      • Fetch the Captcha entity from the database and check the code.
      • Return IsValid = True if the code is correct, False if not.
  • In the UI
    • In the GenerateCaptcha data action, call the new GenerateCaptcha server action. This returns a Captcha id and image (no code!)
    • Upon submitting the form, validate the entered code using the ValidateCaptcha server action

This way we are not exposing the captcha code to the client and the implementation is secure.


Best regards,

Steven


2022-06-14 20-58-49
Henrique Mello
2024-02-14 09-44-45
Omar Abd elkefi

Hello, to follow up on your answer: the method you proposed is a good solution; however, it would be better if we generated a random password token and provided that, rather than exposing each captcha ID. Also, we should add an expiration date for each captcha and set a timer to delete the expired data values.
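Steven's server-side design and Omar's follow-up (an unguessable token instead of the entity id, plus an expiry and a purge timer), as one added Python example; it is not OutSystems code from either post or from the Forge asset. The in-memory dict stands in for the Captcha entity, and render_image is a hypothetical placeholder for the extension's image generator.

```python
import hmac
import secrets
import time

# Constructed in-memory stand-in for the Captcha entity in a Service module:
# token -> (code, expiry timestamp). Keyed by an unguessable token, not a
# sequential entity Id, so a client cannot enumerate other users' challenges.
CAPTCHA_STORE = {}
CAPTCHA_TTL_SECONDS = 300
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no look-alike 0/O, 1/I


def render_image(code):
    # Hypothetical stand-in for the extension's image renderer. A real renderer
    # rasterises the code; the point is that only pixels, never the code string,
    # go back to the browser.
    return b"PNG-placeholder-" + str(len(code)).encode()


def generate_captcha(now=None):
    """GenerateCaptcha(): persist the code server-side, return token + image only."""
    now = time.time() if now is None else now
    purge_expired(now)
    code = "".join(secrets.choice(ALPHABET) for _ in range(6))
    token = secrets.token_urlsafe(32)
    CAPTCHA_STORE[token] = (code, now + CAPTCHA_TTL_SECONDS)
    return {"token": token, "image": render_image(code)}  # no "code" key


def validate_captcha(token, entered, now=None):
    """ValidateCaptcha(): single-use, expiring, constant-time comparison."""
    now = time.time() if now is None else now
    entry = CAPTCHA_STORE.pop(token, None)  # pop = one attempt per challenge
    if entry is None:
        return False
    code, expires_at = entry
    if now > expires_at:
        return False
    return hmac.compare_digest(code, entered.strip().upper())


def purge_expired(now=None):
    """Timer job: delete expired rows; returns the number removed."""
    now = time.time() if now is None else now
    expired = [t for t, (_, exp) in CAPTCHA_STORE.items() if now > exp]
    for t in expired:
        del CAPTCHA_STORE[t]
    return len(expired)
```

The browser only ever sees the token and the image; the code is looked up server-side by token, consumed on the first attempt, and dropped once the TTL passes.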
