
Rate Limit Integration #182

Open · wants to merge 2 commits into base: master

Conversation

AndreasDickow

I was using simple captcha for some time now, as I found out that spam bots try to brute force captcha solving, which led me to the integration of a rate limiter, as proposed in my merge request.

@mbi
Owner

mbi commented Apr 27, 2020

Interesting, thank you!

My main concern with this is that in environments behind a proxy (think CloudFlare) where each request comes from the same IP, this would effectively block all the users.

django-ratelimit mentions this point in the documentation and issues and essentially (correctly!) states it doesn't want to address them, for security reasons, because each deploy is different and the way to obtain the "real" underlying user IP changes from environment to environment.

If we were to blindly deploy the solution as it is proposed here, we'd effectively block all the users in these environments. So the only way I would accept this PR is if

  1. The rate limiting decorators can be enabled via a setting but are disabled by default
  2. The user has to explicitly enable the option after having read the documentation of django-simple-captcha and django-ratelimit and thus made sure that the IP address considered by the decorators is the correct one.
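As an added illustration of the two conditions above (this is not code from the PR, from django-simple-captcha or from django-ratelimit; the class names, the trusted-proxy handling and the addresses are constructed for the example), the limiter below is off unless explicitly enabled, and the proxy scenario shows why keying on REMOTE_ADDR alone blocks every user behind a shared proxy while honouring X-Forwarded-For from an untrusted peer would let the header be spoofed:

```python
import time
from collections import defaultdict, deque


class Request:
    """Minimal stand-in for a Django HttpRequest (constructed for this example)."""
    def __init__(self, remote_addr, headers=None):
        self.remote_addr = remote_addr        # what Django exposes as REMOTE_ADDR
        self.headers = headers or {}          # e.g. {"X-Forwarded-For": "198.51.100.7"}


class CaptchaRateLimiter:
    """Per-client sliding-window limiter; disabled unless explicitly enabled (point 1)."""

    def __init__(self, enabled=False, limit=5, window=60.0, trusted_proxies=(), clock=time.monotonic):
        self.enabled = enabled
        self.limit = limit
        self.window = window
        self.trusted_proxies = set(trusted_proxies)  # must match the deployment (point 2)
        self.clock = clock
        self.hits = defaultdict(deque)

    def client_ip(self, request):
        """Use X-Forwarded-For only when the direct peer is a proxy we trust; otherwise
        the header is client-controlled and REMOTE_ADDR is the only trustworthy value."""
        ip = request.remote_addr
        if ip in self.trusted_proxies:
            raw = request.headers.get("X-Forwarded-For", "")
            chain = [hop.strip() for hop in raw.split(",") if hop.strip()]
            # Walk right to left past trusted hops; the first untrusted entry is the client.
            for hop in reversed(chain):
                if hop not in self.trusted_proxies:
                    return hop
        return ip

    def allow(self, request):
        """Return True if the request may proceed, False if the client is over its limit."""
        if not self.enabled:
            return True
        now = self.clock()
        q = self.hits[self.client_ip(request)]
        while q and now - q[0] > self.window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def simulate(limiter, requests):
    """Return the allow/deny decision for each request in order."""
    return [limiter.allow(r) for r in requests]
```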

@9mido

9mido commented Jun 10, 2020

What about Ajax refresh? Wouldn't that need some kind of rate limiting protection? I imagine if someone malicious were to brute force click the refresh button millions of times per second on a captcha, it would cause problems, especially since the captchas are all loaded from the database?

Ajax refresh captcha image code jQuery and JavaScript:
https://stackoverflow.com/questions/18972515/how-to-create-ajax-refresh-for-django-simple-captcha/20371801

Ajax refresh audio code jQuery:
https://stackoverflow.com/questions/61996333/django-simple-captcha-refresh-audio-source
