feat: add invisible_captcha on signup form

log signup attempts that fill in the honeypot without their IP address.
2020-06-20 12:06:38 +02:00 · 2020-06-20 12:06:38 +02:00 · 2b242886b9
parent d1eaf4d58a
commit 2b242886b9
6 changed files with 26 additions and 0 deletions
--- a/4
+++ b/4
@ -113,6 +113,10 @@ gem 'acts_as_list', '~> 0.4'
 # locking in to latest major to fix API
 gem 'validates_email_format_of', '~> 1.6'

+# Used to keep spammers from creating accounts
+# locking in to latest major to fix API
+gem 'invisible_captcha', '~>1.0'
+
 ##
 ## GEMS required, and compilation is required to install
 ##
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -131,6 +131,8 @@ GEM
    i18n (0.9.5)
      concurrent-ruby (~> 1.0)
    innertube (1.1.0)
+    invisible_captcha (1.0.1)
+      rails (>= 4.2)
    joiner (0.4.2)
      activerecord (>= 5.2.beta1)
    json (2.3.0)
@ -306,6 +308,7 @@ DEPENDENCIES
  haml-rails (~> 1.0)
  http_accept_language (~> 2.0)
  i18n (~> 0.7)
+  invisible_captcha (~> 1.0)
  json (~> 2.3)
  mail-gpg (~> 0.3.3)
  mime-types
--- a/app/controllers/accounts_controller.rb
+++ b/app/controllers/accounts_controller.rb
@ -8,6 +8,9 @@

 class AccountsController < ApplicationController
  layout 'notice'
+  invisible_captcha only: [:create],
+    honeypot: :email_confirmation,
+    scope: :user

  ##
  ## SIGNUP
--- a/app/views/accounts/new.html.haml
+++ b/app/views/accounts/new.html.haml
@ -16,6 +16,8 @@
        - r.input user.text_field(:email, class: 'form-control')
        - unless Conf.require_user_email
          - r.info :signup_email_info.t
+      - f.row do |r|
+        - r.input user.invisible_captcha :email_confirmation
      - f.button submit_tag(:signup_button.t, class: 'btn btn-primary')

    - if params[:redirect]
--- a/config/initializers/invisible_captcha.rb
+++ b/config/initializers/invisible_captcha.rb
@ -0,0 +1,7 @@
+InvisibleCaptcha.setup do |config|
+  config.timestamp_enabled = !Rails.env.test?
+end
+
+ActiveSupport::Notifications.subscribe('invisible_captcha.spam_detected') do |*args, data|
+  Rails.logger.warn 'Potential spam detected. Signup refused.'
+end
--- a/test/functional/accounts_controller_test.rb
+++ b/test/functional/accounts_controller_test.rb
@ -36,6 +36,13 @@ class AccountsControllerTest < ActionController::TestCase
    end
  end

+  def test_should_refuse_signup_with_honeypot
+    assert_no_difference 'User.count' do
+      post_signup_form(user: { email_confirmation: 'I filled this out' })
+      assert_response :success
+    end
+  end
+
  def test_should_not_allow_duplicate_username_or_groupname
    [users(:quentin).login, groups(:rainbow).name].each do |login|
      assert_no_difference 'User.count', "number of users should not increase when creating #{login}" do