issue #594 add a honeypot #604

Merged
merged 1 commit into from
Mar 28, 2017

Conversation

@kinow kinow commented Mar 25, 2017

This pull request adds a honey pot to Skosmos. See issue #594 for more. It adds two configurations too. Would be useful for users to later add a section in the web site about these new parameters, and instruct them to tweak the values (adding more parameters, or changing the default time threshold).

The honey pot is based on msurguy/Honeypot module for Laravel, also licensed under the MIT Licence. The main difference being that instead of using Laravel's Crypt class, it simply base64-encodes the server's current time.

There are two types of honey pots. In the first honey pot, a certain value must be empty. Otherwise the request is considered invalid. The user will receive a message of OK, but no e-mail will be sent (as with the previous trap field).

The second honey pot, also called a honey time, is based on time. This field contains the server's base64-encoded time. The default threshold is 5 seconds. If any feedback form is submitted in less than 5 seconds, the request is then discarded.

The reason for using base64 was for simplicity. I think we could also use mcrypt, or some other hash algorithm, but I preferred to keep the pull request simple; it can be changed later (feel free to update this pull request, I'm checking "Allow edits from maintainers").

Simple unit test included. I could not find another test for a controller, so had to include a few libraries under Composer's require-dev entry. One for mocking certain methods (like sendFeedback), and another library for parsing HTML. The feedback page's HTML contains a footer tag that PHP's default DOMDocument fails to parse.

Hope that helps.

Cheers
Bruno
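The two traps described in this pull request, as an added example that is not Skosmos code or the msurguy/Honeypot module: a decoy field that must stay empty and a base64-encoded server timestamp checked against a minimum fill time. Field names, the class name and the `sendFeedback` gate are assumptions for illustration.

```php
<?php
// Added example (not from the Skosmos pull request): the two honeypot checks
// described above. Field names and defaults are assumptions, not Skosmos config.
final class FeedbackHoneypot
{
    private string $honeyField;
    private string $timeField;
    private int $minSeconds;

    public function __construct(string $honeyField = 'website', string $timeField = 'ts', int $minSeconds = 5)
    {
        $this->honeyField = $honeyField;   // decoy: must arrive empty
        $this->timeField  = $timeField;    // carries base64 of server time
        $this->minSeconds = $minSeconds;   // 5 s is the default threshold in the PR
    }

    // Hidden inputs to render into the feedback form. Hide them with CSS rather
    // than type="hidden" so the decoy still looks like a field worth filling.
    public function fields(int $now): array
    {
        return [
            $this->honeyField => '',
            $this->timeField  => base64_encode((string) $now),
        ];
    }

    // True only when the submission passes both traps. On false the caller
    // still shows the normal "OK" page but skips sendFeedback(), as the PR does.
    public function isValid(array $post, int $now): bool
    {
        // Trap 1: the decoy must be present and empty.
        if (!array_key_exists($this->honeyField, $post) || $post[$this->honeyField] !== '') {
            return false;
        }
        // Trap 2: strict base64 decode; garbage or a missing field is rejected.
        // Note: base64 is encoding, not encryption; the value can be forged, which
        // is the limitation the PR author mentions.
        $raw = base64_decode((string) ($post[$this->timeField] ?? ''), true);
        if ($raw === false || !preg_match('/^\d+$/', $raw)) {
            return false;
        }
        // Too fast (or a timestamp from the future) is treated as automated.
        return ($now - (int) $raw) >= $this->minSeconds;
    }
}

// Constructed usage: form rendered at T, one submission 40 s later, one 1 s later.
$hp   = new FeedbackHoneypot();
$form = $hp->fields(1490400000);
var_dump($hp->isValid($form, 1490400040));   // genuine user, decoy untouched
var_dump($hp->isValid($form, 1490400001));   // submitted under the threshold
var_dump($hp->isValid(['website' => 'x', 'ts' => $form['ts']], 1490400040)); // decoy filled
```

Only the first submission passes; the fast one and the one with a filled decoy are dropped, and the caller can return its usual OK response without sending mail.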

osma commented Mar 25, 2017

Wonderful, thanks @kinow! I'll look at this more closely on Monday. Seems like you've done a lot of work to implement this, even unit tests for the Controller which we previously didn't have at all!

kinow commented Mar 25, 2017

Thanks @osma. Take your time. It may take some minutes to review it, and there is still the question on the encryption of server time. If we add the symfony-crawler and mockery dev dependencies, we can even cover more of the code in the controllers later :)

@henriyli henriyli left a comment

Looks good to me! 👍

osma commented Mar 28, 2017

Code looks good! I'm unsure how much this will improve spam blocking compared to the current, simple honeypot implementation, but we'll just have to try it to find out. In any case this should be easy to extend later on if we want more sophisticated honeypot functionality.

@osma osma added this to the 1.9 milestone Mar 28, 2017
@henriyli henriyli merged commit 62d7c63 into NatLibFi:master Mar 28, 2017
kinow commented Mar 28, 2017

I replaced a captcha (not Google's "are you a robot" one) by the honeypot library used as reference, and it reduced the spam (to zero for the past year so far). I think the trick is to use meaningful names, that would suggest they need to be filled, and tweak the minimum time for users to write a message (45 seconds in my case).
