Is there a way to enable SSO without disabling all the content spam checks/tools?
I own a community website that's open to the public with 200K+ users, and while our SSO app stops bots pretty effectively on the registration form, we still get several human spammers successfully registering every day. It's pretty much impossible to differentiate them from normal users until they post profile spam, threads, etc.
I saw this comment from @riking that all of Discourse's anti-spam stuff is disabled when SSO is turned on.
Is it possible to turn a lot of that back on and still use SSO?
I trust that a user who successfully registers is a human, but I don't trust them to not spam. So I still want the content-spam stuff like rate-limiting, sock-puppet checks, etc happening.
Since the code is already written, seems like a no-brainer to leverage it.
We have several other custom-built apps specific to the site's topic, so that's why we use SSO. I suppose we could hack things such that Discourse is the SSO gateway for the other apps, but it's a lot cleaner to stay with a dedicated SSO app outside of Discourse.
It'd also be handy if there was an endpoint where the SSO app can check if Discourse thinks someone is a spammer--then the SSO app can freeze their account across the entire site until the user record is manually reviewed by a moderator.