FlatCaptcha

Version 1.2.4 | GPL3 | flatboard.org
Compatibility: Flatboard Pro ≥ 5.0.0
License: GPL3
Download: in resources management

Autonomous and secure CAPTCHA plugin for Flatboard 5. Bot protection without third-party services, based on math and logic questions signed with HMAC-SHA256.

Features

• Math and logic questions generated dynamically (addition, subtraction, multiplication, missing number, general knowledge)
• HMAC-SHA256 signed token (anti-forgery and anti-replay protection)
• Minimum submit time check (timing-based bot detection)
• Server-side blocking, lightweight client-side validation
• AJAX/REST communication (compatible with standard Flatboard forms)
• Admin dashboard with:
  • HMAC secret key management (cryptographic key generation, masked display, one-click save)
  • Monthly bot-block statistics since plugin activation
  • Breakdown by context (registration, login, new topic, reply) and by block reason
• 2FA exemption — members who have enabled Flatboard's two-factor authentication (TOTP) can be automatically exempt from the CAPTCHA (configurable)
• Multilingual: French, English, German, Portuguese, Chinese
• 100% self-hosted — no external dependency

Installation

1. Copy the FlatCaptcha folder into your Flatboard plugins/ directory.
2. Enable the plugin from Admin → Plugins.
3. Configure options under Admin → Plugins → FlatCaptcha → Settings.
4. Access the admin dashboard via Admin → Plugins → FlatCaptcha → Admin view.

Configuration

Plugin Settings (standard)

Admin View (HMAC key)

Access /plugin/flatcaptcha/admin to:

• Generate a cryptographically secure HMAC key (96 hex characters, 48 random bytes via crypto.getRandomValues)
• Save the key with one click
• View monthly blocking statistics

⚠️ If no custom key is set, Flatboard's internal key (APP_SECRET) is used automatically.

Block Statistics

The plugin records every blocked attempt in stats.json (inside the plugin folder):

{
    "activated_at": "2026-01-15",
    "total_blocks": 142,
    "monthly": {
        "2026-01": {
            "total": 87,
            "by_context": { "registration": 52, "login": 35 },
            "by_reason": { "too_fast": 41, "invalid": 28, "missing": 18 }
        }
    }
}

Recorded block reasons:

• too_fast — submission too fast (bot detected by timing)
• invalid — invalid or forged HMAC token
• missing — missing fields (automated submission)
• replay — token already consumed (replay attempt)
• expired — expired token
• wrong — wrong answer

API Endpoints

License

GPL3 — Flatboard Team

[1.2.5] — 2026-02-27

Fixed

• CSS light mode — invisible widget — The custom --mc-* variables used near-transparent colors (rgba(0,0,0,0.04), rgba(0,0,0,0.45)) that were invisible against a white background, making the widget's container, border, label, and question text effectively unreadable in light mode. The entire flatcaptcha.css has been rewritten to use only native Bootstrap 5 / Flatboard CSS variables (--bs-body-bg, --bs-body-color, --bs-tertiary-bg, --bs-border-color, --bs-secondary-color, --bs-emphasis-color, --bs-primary, --bs-primary-rgb). The @media (prefers-color-scheme: dark) block and the [data-bs-theme="dark"] / .dark-mode / body.dark overrides have been removed — the active theme now manages these variables automatically, making the plugin visually consistent with any theme without manual overrides.

FlatCaptcha in place configured for registration only on my forum.
works perfectly !
thx :)

1.2.7 — 2026-03-28

Changed

• Added update_url and changelog_url fields to plugin.json. Flatboard now detects available updates and displays them in Admin Panel > Tools > Updates. The changelog_url links to the plugin's resource page on flatboard.org.
• Updated minimum Flatboard requirement from >=5.0.0 to >=5.2.0 in plugin.json.