acts_as_textcaptcha 3.0.11 → 4.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 98ad0396a537ab06e540f42880d1fcd24993f59c
+  data.tar.gz: 57ee900760402ed0cc2e22c609efe2d550b841c4
+SHA512:
+  metadata.gz: aa692657b0f23e1fc0410cfa5c8f996c6465148b09fa0f4ab17d47f1f1008b2db5fe3c42f5f2a777d729645589f6e5883d9dd25c7f03a49396e5de79ec20b1a4
+  data.tar.gz: 2e53ec3dc94736c4ccaeba1fa5670b6e79d0c74e8e191d25b8bf7e0643493293999253d05aa60b73176b8e44fc20d3f9e7ef901fe934ed9a7f274e83f079978d

data/.coveralls.yml

@@ -0,0 +1 @@
+service_name: travis-ci

data/.travis.yml

@@ -1,7 +1,10 @@
+before_install:
+  - gem update --system 2.1.11
+  - gem --version
 rvm:
   - 1.8.7
   - 1.9.2
   - 1.9.3
   - 2.0.0
+  - 2.1.0
   - ree
-  - rbx

data/README.rdoc

@@ -1,16 +1,16 @@
-= ActAsTextcaptcha
+== ActAsTextcaptcha
 
-{<img src="https://secure.travis-ci.org/matthutchinson/acts_as_textcaptcha.png" alt="Travis Build Status" align="absmiddle"/>}[https://travis-ci.org/matthutchinson/acts_as_textcaptcha] {<img src="https://codeclimate.com/badge.png" align="absmiddle" alt="Code Climate Stats" />}[https://codeclimate.com/github/matthutchinson/acts_as_textcaptcha]
+{<img src="https://secure.travis-ci.org/matthutchinson/acts_as_textcaptcha.png" alt="Travis Build Status" align="absmiddle"/>}[https://travis-ci.org/matthutchinson/acts_as_textcaptcha] {<img src="https://coveralls.io/repos/matthutchinson/acts_as_textcaptcha/badge.png" alt="Coverage Status" align="absmiddle" />}[https://coveralls.io/r/matthutchinson/acts_as_textcaptcha] {<img src="https://codeclimate.com/badge.png" align="absmiddle" alt="Code Climate Stats" />}[https://codeclimate.com/github/matthutchinson/acts_as_textcaptcha]
 
-ActsAsTextcaptcha provides spam protection for your Rails models using logic questions from the excellent {Text CAPTCHA}[http://textcaptcha.com/] web service (by {Rob Tuley}[http://openknot.com/me/] of {Openknot}[http://openknot.com/]).  It is also possible to configure your own questions and answers instead of using this API (or as a fall back in the unlikely event of the web service being unavailable)
+ActsAsTextcaptcha provides spam protection for your Rails models using logic questions from the excellent {Text CAPTCHA}[http://textcaptcha.com/] web service (by {Rob Tuley}[http://openknot.com/me/] of {Openknot}[http://openknot.com/]).  It is also possible to configure your own text captcha questions (instead, or as a fall back in the event of any remote API issues).
 
-The gem makes use of {bcrypt}[http://bcrypt-ruby.rubyforge.org/] encryption when comparing a guess with the correct answer(s).  This gem is actively maintained, has good test coverage and is compatible with Rails 2.3.*, Rails 3 and 4.  If you have any issues {please report them here}[https://github.com/matthutchinson/acts_as_textcaptcha/issues].
+This gem is actively maintained, has good test coverage and is compatible with Rails >= 2.3.8 (including Rails 3 and 4).  If you have any issues {please report them here}[https://github.com/matthutchinson/acts_as_textcaptcha/issues/new].
 
-Text CAPTCHA's logic questions are aimed at a child's age of 7, so they can be solved easily by even the most cognitively impaired users. As they involve human logic, questions cannot be solved by a robot.  There are both advantages and disadvantages for using logic questions over image based captchas, {find out more at Text CAPTCHA}[http://textcaptcha.com/why].
+Logic questions from the web service are aimed at a child's age of 7, so they can be solved easily by even the most cognitively impaired users. As they involve human logic, questions cannot be solved by a robot. There are both advantages and disadvantages for using logic questions over image based captchas, {find out more at Text CAPTCHA}[http://textcaptcha.com/why].
 
 == Demo
 
-Here's a {fully working demo on heroku}[http://textcaptcha.heroku.com]!
+Try a {working demo here}[http://textcaptcha.heroku.com]!
 
 == Installing
 
@@ -26,15 +26,9 @@ Add this to your environment.rb file, then `gem install acts_as_textcaptcha`;
 
   config.gem 'acts_as_textcaptcha'
 
-=== Or as a plugin
+=== Or as a plugin (pre Rails 4)
 
-If you do decide to install this as a Rails plugin, you'll have to manually include the bcrypt-ruby gem in your Gemfile or environment config. Like so;
-
-  gem 'bcrypt-ruby', :require => 'bcrypt'
-  OR
-  config.gem 'bcrypt-ruby', :lib => 'bcrypt'
-
-Then install the plugin with rails or script/rails as follows;
+Install with rails or script/rails as follows;
 
   rails plugin install git@github.com:matthutchinson/acts_as_textcaptcha.git
   OR
@@ -42,93 +36,101 @@ Then install the plugin with rails or script/rails as follows;
 
 == Setting up
 
-*NOTE:* The procedure for configuring your app *changed significantly* from v2.* to v3.*  If you are having problems please carefully check the instructions below.
+*NOTE:* The steps to configure your app changed with the v4.0.* release. If you are having problems please carefully check the steps or {upgrade instructions}[https://github.com/matthutchinson/acts_as_textcaptcha#upgrading-from-3010] below.
 
-First {grab an API key for your website}[http://textcaptcha.com/api] then open you Rails console (or any irb session) and generate a new BCrypt salt by typing;
-
-  require 'bcrypt';BCrypt::Engine.generate_salt
-
-Next add the following code to models you'd like to spam protect;
+First {grab an API key for your website}[http://textcaptcha.com/api]. Next add the following code to any models you would like to protect;
 
   class Comment < ActiveRecord::Base
-    # (this is the most basic way to configure the gem, with an API key and Salt only)
-    acts_as_textcaptcha :api_key     => 'PASTE_YOUR_TEXTCAPTCHA_API_KEY_HERE',
-                        :bcrypt_salt => 'PASTE_YOUR_BCRYPT_SALT_HERE'
+    # (this is the simplest way to configure the gem, with an API key only)
+    acts_as_textcaptcha :api_key => 'PASTE_YOUR_TEXTCAPTCHA_API_KEY_HERE'
   end
 
-Next in your controller's *new* action you'll want to generate the logic question for your model, like so;
+Next in your controller's *new* action you'll want to generate and assign the logic question for the new record, like so;
 
   def new
     @comment = Comment.new
     @comment.textcaptcha
   end
 
-Finally, in your form view add the spam question and answer fields using the textcaptcha_fields helper.  You are free to arrange the HTML within this helper as you like;
+Finally, in your form view add the textcaptcha question and answer fields using the textcaptcha_fields helper.  Feel free to arrange the HTML within this block as you like;
 
+  # for Rails 2.3.* change <%= to <% on the next line
   <%= textcaptcha_fields(f) do %>
     <div class="field">
-      <%= f.label :spam_answer, @comment.spam_question %><br/>
-      <%= f.text_field :spam_answer, :value => '' %>
+      <%= f.label :textcaptcha_answer, @comment.textcaptcha_question %><br/>
+      <%= f.text_field :textcaptcha_answer, :value => '' %>
     </div>
   <% end %>
 
-*NOTE:* For Rails 2.* this step is slightly different (<%= changes to <%);
+*NOTE:* If you'd rather NOT use this helper and would prefer to write your own form view code, see the html produced from the textcaptcha_fields method in the {source code}[https://github.com/matthutchinson/acts_as_textcaptcha/blob/master/lib/acts_as_textcaptcha/textcaptcha_helper.rb].
 
-  <% textcaptcha_fields(f) do %>
-    <div class="field">
-      <%= f.label :spam_answer, @comment.spam_question %><br/>
-      <%= f.text_field :spam_answer, :value => '' %>
-    </div>
-  <% end %>
+=== Upgrading from 3.0.10
 
-*NOTE:* If you'd rather NOT use this helper and prefer to write your own view code, see the html produced from the textcaptcha_fields method in the source code.
+Due to a relatively {large hole}[https://github.com/matthutchinson/acts_as_textcaptcha/issues/15] that could allow bots to by-pass textcaptcha's, it was nessecary to re-engineer the gem for the v4.0.* release.  Thanks to {Jeffrey Lim}[https://github.com/jf] for spotting this and raising the issue. Upgrading is straightforward;
 
-=== Toggling Textcaptcha
+* Rename `spam_question` to `textcaptcha_question`
+* Rename `spam_answer` to `textcaptcha_answer`
+* Any {strong parameter}[http://weblog.rubyonrails.org/2012/3/21/strong-parameters/] calls should include the `textcaptcha_answer` and `textcaptcha_key` fields;
 
-You can toggle textcaptcha on/off for your models by overriding the `perform_textcaptcha?` method. If you overridde it to return false, no questions will be fetched from
-the web service and textcaptcha validation is not performed. Additionally the `textcaptcha_fields` form helper will render nothing.  This is useful for writing your own
-logic to disable spam protection for logged in users etc.
+    params.require(:comment).permit(:textcaptcha_answer, :textcaptcha_key, ... )
 
-For flexibility you can also use a `skip_textcaptcha` attribute (protected from mass-assignment) to skip the textcaptcha validation step only. This is helpful when you
-need to bypass spam protection after a question has been generated and `perform_textcaptcha?` is true.
 
-== More Configurations
+=== Toggling Textcaptcha
+
+You can toggle textcaptcha on/off for your models by overriding the `perform_textcaptcha?` method. If it returns false, no questions will be fetched from
+the web service and textcaptcha validation is disabled. 
 
-The gem can be configured for models individually (as shown above) or with a config/textcaptcha.yml file for the whole app.  A config must have a valid bcrypt_salt, and an api_key and/or an array of questions defined.
+This is useful for writing your own custom logic for toggling spam protection on/off e.g. for logged in users. By default the `perform_textcaptcha?` method {checks if the form object is a new (unsaved) record}[https://github.com/matthutchinson/acts_as_textcaptcha/blob/master/lib/acts_as_textcaptcha/textcaptcha.rb#L54].  
 
-=== Hash
+So out of the box, spam protection is only enabled for creating new records (not updating).  Here is a typical example showing how to overwrite the `perform_textcaptcha?` method, while maintaining the new record check.
 
   class Comment < ActiveRecord::Base
-    acts_as_textcaptcha :api_key     => 'YOUR_TEXTCAPTCHA_API_KEY',
-                        :bcrypt_salt => 'YOUR_BCRYPT_SALT',
-                        :bcrypt_cost => '3',
-                        :questions   => [{ 'question' => '1+1', 'answers' => '2,two' },
-                                         { 'question' => 'The green hat is what color?', 'answers' => 'green' }]
+    acts_as_textcaptcha :api_key => 'YOUR_TEXTCAPTCHA_API_KEY'
+    
+    def perform_textcaptcha?
+      super && user.admin?
+    end
   end
 
-* *api_key* (get from http://textcaptcha.com/api)
-* *bcrypt_salt* - used to encrypt the valid possible answers
-* *bcrypt_cost* - an optional logarithmic number which determines how computationally expensive the bcrypt hash will be (a cost of 4 is twice as much work as a cost of 3 - the default is 10)
-* *questions* - an array of question and answer hashes (see above) A random question from this array will be asked if the web service fails OR if no API key has been set.  Multiple answers to the same question are comma separated (e.g. 2,two) so don't use commas in your answers!
+== More configuration options
+
+You can configure acts_as_textcaptcha with the following options;
+
+* *api_key* - get a free key from http://textcaptcha.com/api
+* *questions* (_optional, array of question and answer hashes (see below) A random question from this array will be asked if the web service fails OR if no API key has been set.  Multiple answers to the same question are comma separated (e.g. 2,two). So do not use commas in your answers!
+* *cache_expiry_minutes* (_optional, minutes for answers to persist in the cache (default 10 minutes), see {below for details}[https://github.com/matthutchinson/acts_as_textcaptcha#what-does-the-code-do]
+* *http_read_timeout* (_optional, Net::HTTP option, seconds to wait for one block to be read from the remote API
+* *http_open_timeout* (_optional, Net::HTTP option, seconds to wait for the connection to open to the remote API
+
+For example;
+
+  class Comment < ActiveRecord::Base
+    acts_as_textcaptcha :api_key              => 'YOUR_TEXTCAPTCHA_API_KEY',
+                        :http_read_timeout    => 60,
+                        :http_read_timeout    => 10,
+                        :cache_expiry_minutes => 10,
+                        :questions            => [{ 'question' => '1+1', 'answers' => '2,two' },
+                                                  { 'question' => 'The green hat is what color?', 'answers' => 'green' }]
+  end
 
 === YAML config
 
-The gem comes with a handy rake task to copy over a {textcaptcha.yml}[http://github.com/matthutchinson/acts_as_textcaptcha/raw/master/config/textcaptcha.yml] template to your Rails config directory.  It will also generate a random BCrypt Salt when you first run it.
+The gem can be configured for models individually (as shown above) or with a config/textcaptcha.yml file.  The config file must have an api_key defined and optional array of questions. Options definied inline in model classes take preference over the configuration in textcaptcha.yml.  The gem comes with a handy rake task to copy over a {textcaptcha.yml}[http://github.com/matthutchinson/acts_as_textcaptcha/raw/master/config/textcaptcha.yml] template to your config directory;
 
   rake textcaptcha:config
 
-*NOTE:* If you are on Rails 2.3.*, you'll have to add the following to your Rakefile to make this task available;
+*NOTE:* For Rails 2.3.*, you'll have to add the following to your Rakefile to reveal this task;
 
   # load textcaptcha rake tasks
   Dir["#{Gem.searcher.find('acts_as_textcaptcha').full_gem_path}/lib/tasks/**/*.rake"].each { |ext| load ext } if Gem.searcher.find('acts_as_textcaptcha')
 
-=== Confguring _without_ the Text CAPTCHA web service
+=== Confguring _without_ the TextCAPTCHA web service
 
-To use only your own logic questions simply ommit the api_key from your config and define at least 1 logic question/answer.
+To use only your own logic questions, simply ommit the api_key from the configuration and define at least 1 logic question and answer (see above).
 
 == Translations
 
-Recent versions of the gem use standard Rails I18n translation for the error message generated by acts_as_textcaptcha, with a fall-back to English.  Unfortunately in some versions of Rails 2.3.* this translation fall-back fails.  For this case (and when translating) setup your own locale file with this hierarchy (assuming your model is Comment);
+The gem uses the standard Rails I18n translation approach for error messages, with a fall-back to English.  Unfortunately in some versions of Rails 2.3.* this translation fall-back fails.  For this case (and when translating) setup your own locale file with this hierarchy (assuming your model is Comment);
 
   en:
     activerecord:
@@ -136,66 +138,74 @@ Recent versions of the gem use standard Rails I18n translation for the error mes
         models:
           comment:
             attributes:
-              spam_answer:
-                incorrect_answer: "is incorrect, try another question instead"
+              textcaptcha_answer:
+                incorrect: "is incorrect, try another question instead"
+                expired: "was not submitted quickly enough, try another question instead"
     activemodel:
       attributes:
         comment:
-          spam_answer: "Spam answer"
+          textcaptcha_answer: "Textcaptcha answer"
 
 *NOTE:* currently the Text CAPTCHA API web service only offers logic questions in English.
 
 == Without Rails or ActiveRecord
 
-Although this gem has been built with Rails in mind, is entirely possible to use it without ActiveRecord, or Rails.  For an example, take a look at the {Contact}[https://github.com/matthutchinson/acts_as_textcaptcha/blob/master/test/test_models.rb#L44] model used in the test suite {here}[https://github.com/matthutchinson/acts_as_textcaptcha/blob/master/test/test_models.rb#L44].
+Although this gem has been built with Rails in mind, is entirely possible to use it without ActiveRecord, or Rails.  As an example, take a look at the {Contact}[https://github.com/matthutchinson/acts_as_textcaptcha/blob/master/test/test_models.rb#L44] model used in the test suite {here}[https://github.com/matthutchinson/acts_as_textcaptcha/blob/master/test/test_models.rb#L44].
+
+Please note that the built-in {TextcaptchaCache}[https://github.com/matthutchinson/acts_as_textcaptcha/blob/master/lib/acts_as_textcaptcha/textcaptcha_cache.rb] class directly wraps the {Rails.cache}[http://api.rubyonrails.org/classes/ActiveSupport/Cache/Store.html].  An alternative  TextcaptchaCache implementation will be nessecary if Rails.cache is not available.
 
 == Testing and docs
 
 In development you can run the tests and rdoc tasks like so;
 
 * rake test (all tests)
-* rake test:coverage (all tests with code coverage reporting)
+* rake test:coverage (all tests with code coverage)
 * rake rdoc (generate docs)
 
 == What does the code do?
 
-The gem contains two parts, a module for your ActiveRecord models, and a single view helper method.
+The gem contains two parts, a module for your ActiveRecord models, and a single view helper method.  The ActiveRecord module makes use of two futher classes, {TextcaptchaApi}[https://github.com/matthutchinson/acts_as_textcaptcha/blob/master/lib/acts_as_textcaptcha/textcaptcha_api.rb] and {TextcaptchaCache}[https://github.com/matthutchinson/acts_as_textcaptcha/blob/master/lib/acts_as_textcaptcha/textcaptcha_cache.rb].
+
+A call to @model.textcaptcha in your controller will query the Text CAPTCHA web service.  A GET request is made with Net::HTTP and parsed using the default Rails ActiveSupport::XMLMini backend.  A textcaptcha_question and a random cache key is assigned to the record.  An array of possible answers is stored in the TextcaptchaCache with this random key.  The cached answers have (by default) a 10 minute TTL in your cache. If your forms take more than 10 minutes to be completed you can adjust this value setting the `cache_expiry_minutes` option.  Internally TextcaptchaCache wraps {Rails.cache}[http://api.rubyonrails.org/classes/ActiveSupport/Cache/Store.html] and all cache keys are namespaced.
 
-A call to @model.textcaptcha in your controller will query the Text CAPTCHA web service.  A GET request is made with Net::HTTP and parsed using the default Rails ActiveSupport::XMLMini backend (or the standard XML::Parser in older versions of Rails).  A spam_question and an encrypted array of possible answers are assigned to the model.
+On saving, validate_textcaptcha is called on @model.validate checking that the @model.textcaptcha_answer matches one of the possible answers (retrieved from the cache).  By default, this validation is _only_ carried out on new records, i.e. never on edit, only on create.  All attempted answers are case-insensitive and have trailing/leading white-space removed.
 
-validate_textcaptcha is called on @model.validate and checks that the @model.spam_answer matches one of the possible answers (decrypted).  This validation is _only_ carried out on new records, i.e. never on edit, only on create.  All attempted spam answers are case-insensitive and have trailing/leading white-space removed.
+Regardless of a correct, or incorrect answer the possible answers are cleared from the cache and a new random key is generated and assigned.  An incorrect answer will cause a new question to be prompted.  After one correct answer, the answer and a mutating key are sent on further form requests, and no question is presented in the form.
 
-If an error or timeout occurs in loading or parsing the API, ActsAsTextcaptcha will fall back to choose a random logic question defined in your options.  If the web service fails or no API key is specified AND no alternate questions are configured, the @model will not require spam checking and will pass as valid.
+If an error or timeout occurs during API fetching, ActsAsTextcaptcha will fall back to choose a random logic question defined in your options (see above).  If the web service fails or no API key is specified AND no alternate questions are configured, the @model will not require textcaptcha checking and will pass as valid.
 
-For more details on the code please check the {documentation}[http://rdoc.info/projects/matthutchinson/acts_as_textcaptcha].  Tests are written with  {MiniTest}[https://rubygems.org/gems/minitest] and code coverage is provided by {SimpleCov}[https://github.com/colszowka/simplecov]
+For more details on the code please check the {documentation}[http://rdoc.info/projects/matthutchinson/acts_as_textcaptcha].  Tests are written with {MiniTest}[https://rubygems.org/gems/minitest].  Pull requests and bug reports are welcome.
 
 == Requirements
 
 What do you need?
 
-* {Rails}[http://github.com/rails/rails] >= 2.3.2  (including Rails 3 and 4)
-* {Ruby}[http://ruby-lang.org/] >= 1.8.7 (also tested with REE, RBX, 1.9.2, 1.9.3, 2.0.0)
-* {bcrypt-ruby}[http://bcrypt-ruby.rubyforge.org/] gem (to securely encrypt spam answers)
+* {Rails}[http://github.com/rails/rails] >= 2.3.8  (including Rails 3 and 4)
+* {Rails.cache}[http://api.rubyonrails.org/classes/ActiveSupport/Cache/Store.html] - some basic cache configuration is nessecary
+* {Ruby}[http://ruby-lang.org/] >= 1.8.7 (also tested with REE, 1.9.2, 1.9.3, 2.0.0, 2.1.0)
 * {Text CAPTCHA API key}[http://textcaptcha.com/register] (_optional_, since you can define your own logic questions)
 * {MiniTest}[https://rubygems.org/gems/minitest] (_optional_ if you want to run the tests, built into Ruby 1.9)
 * {SimpleCov}[https://rubygems.org/gems/simplecov] (_optional_ if you want to run the tests with code coverage reporting)
 
+*Note*: The built-in {TextcaptchaCache}[https://github.com/matthutchinson/acts_as_textcaptcha/blob/master/lib/acts_as_textcaptcha/textcaptcha_cache.rb] class directly wraps the {Rails.cache}[http://api.rubyonrails.org/classes/ActiveSupport/Cache/Store.html] object.
+
 == Links
 
-* {Documentation}[http://rdoc.info/projects/matthutchinson/acts_as_textcaptcha]
-* {Travis CI Testing}[http://travis-ci.org/#!/matthutchinson/acts_as_textcaptcha]
 * {Demo}[http://textcaptcha.heroku.com]
-* {Code}[http://github.com/matthutchinson/acts_as_textcaptcha]
+* {Travis CI}[http://travis-ci.org/#!/matthutchinson/acts_as_textcaptcha]
+* {Test Coverage}[https://coveralls.io/r/matthutchinson/acts_as_textcaptcha]
+* {Code Climate}[https://codeclimate.com/github/matthutchinson/acts_as_textcaptcha]
+* {RDoc}[http://rdoc.info/projects/matthutchinson/acts_as_textcaptcha]
 * {Wiki}[http://wiki.github.com/matthutchinson/acts_as_textcaptcha/]
-* {Bug Tracker}[http://github.com/matthutchinson/acts_as_textcaptcha/issues]
+* {Issues}[http://github.com/matthutchinson/acts_as_textcaptcha/issues]
+* {Report a bug}[http://github.com/matthutchinson/acts_as_textcaptcha/issues/new]
 * {Gem}[http://rubygems.org/gems/acts_as_textcaptcha]
+* {GitHub}[http://github.com/matthutchinson/acts_as_textcaptcha]
 
 == Who's who?
 
 * {ActsAsTextcaptcha}[http://github.com/matthutchinson/acts_as_textcaptcha] and {little robot drawing}[http://www.flickr.com/photos/hiddenloop/4541195635/] by {Matthew Hutchinson}[http://matthewhutchinson.net]
 * {Text CAPTCHA}[http://textcaptcha.com] API and service by {Rob Tuley}[http://openknot.com/me/] at {Openknot}[http://openknot.com]
-* {bcrypt-ruby}[http://bcrypt-ruby.rubyforge.org/] Gem by {Coda Hale}[http://codahale.com]
-
 
 == Gem Signing
 
@@ -211,7 +221,6 @@ After doing this, you should be able to install the gem with;
 
 == Todo
 
-* Achieve 100% test coverage, currently at 93%
 * Remove support for Rails 2.3.* in a future gem release (clean code and tests for this)
 
 == Usage

data/acts_as_textcaptcha.gemspec

@@ -23,8 +23,8 @@ Gem::Specification.new do |s|
   s.test_files    = `git ls-files -- {test}/*`.split("\n")
   s.require_paths = ["lib"]
 
-  s.add_dependency('bcrypt-ruby', '~> 3.0.1')
-
+  # lock mime-types to pre 2.0 since we want to support 1.8.7/REE in tests
+  s.add_development_dependency('mime-types', '~> 1.25.1')
   s.add_development_dependency('rails')
   s.add_development_dependency('bundler')
   s.add_development_dependency('minitest')
@@ -33,4 +33,6 @@ Gem::Specification.new do |s|
   s.add_development_dependency('sqlite3')
   s.add_development_dependency('fakeweb')
   s.add_development_dependency('strong_parameters')
+  s.add_development_dependency('coveralls')
+  s.add_development_dependency('pry')
 end

data/config/textcaptcha.yml

@@ -1,9 +1,9 @@
 development: &common_settings
   api_key: PASTE_YOUR_TEXTCAPCHA_API_KEY_HERE  # grab one from http://textcaptcha.com/api
-  bcrypt_salt: RAKE_GENERATED_SALT_PLACEHOLDER   # must be a valid bcrypt salt, we've generated this one for you randomly
-                                               # generate another with; require 'bcrypt'; BCrypt::Engine.generate_salt
-  bcrypt_cost: 10 # optional (default is 10) must be > 4 (a larger number means slower, but better encryption)
-                  # see http://bcrypt-ruby.rubyforge.org for more information on bcrypt
+  http_read_timeout: 60 # Optional seconds to wait for one block to be read from http://textcaptcha.com/api
+  # http_open_timeout: 10 # Optional seconds to wait for the connection to open
+  # cache_expiry_minutes: 10 # Optional minutes for captcha answers to persist in the cache (default 10 minutes)
+
   questions:
       - question: 'Is ice hot or cold?'
         answers: 'cold'
@@ -28,9 +28,7 @@ development: &common_settings
 
 test:
   <<: *common_settings
-  api_key: 6eh1co0j12mi2ogcoggkkok4o          # for gem test purposes only
-  bcrypt_salt: $2a$10$qhSefD6gKtmq6M0AzXk4CO  # for gem test purposes only
-  bcrypt_cost: 1
+  api_key: 6eh1co0j12mi2ogcoggkkok4o
 
 production:
   <<: *common_settings

data/lib/acts_as_textcaptcha/textcaptcha.rb

@@ -1,17 +1,8 @@
 require 'yaml'
 require 'net/http'
 require 'digest/md5'
-
-# compatiblity when XmlMini is not available
-require 'xml' unless defined?(ActiveSupport::XmlMini)
-require 'rexml/document'
-
-# if using as a plugin in /vendor/plugins
-begin
-  require 'bcrypt'
-rescue LoadError => e
-  raise "ActsAsTextcaptcha >> please gem install bcrypt-ruby and add `gem \"bcrypt-ruby\"` to your Gemfile (or environment config) #{e}"
-end
+require 'acts_as_textcaptcha/textcaptcha_cache'
+require 'acts_as_textcaptcha/textcaptcha_api'
 
 module ActsAsTextcaptcha
 
@@ -27,23 +18,19 @@ module ActsAsTextcaptcha
 
   module Textcaptcha #:nodoc:
 
-    # raised if an empty response is ever returned from textcaptcha.com web service
-    class BadResponse < StandardError; end;
-
     def acts_as_textcaptcha(options = nil)
       cattr_accessor :textcaptcha_config
-      attr_accessor  :spam_question, :spam_answers, :spam_answer, :skip_textcaptcha
+      attr_accessor  :textcaptcha_question, :textcaptcha_answer, :textcaptcha_key
 
       if respond_to?(:accessible_attributes)
         if accessible_attributes.nil? && respond_to?(:attr_protected)
-          attr_protected :spam_question
-          attr_protected :skip_textcaptcha
+          attr_protected :textcaptcha_question
         elsif respond_to?(:attr_accessible)
-          attr_accessible :spam_answer, :spam_answers
+          attr_accessible :textcaptcha_answer, :textcaptcha_key
         end
       end
 
-      validate :validate_textcaptcha
+      validate :validate_textcaptcha, :if => :perform_textcaptcha?
 
       if options.is_a?(Hash)
         self.textcaptcha_config = options.symbolize_keys!
@@ -61,51 +48,30 @@ module ActsAsTextcaptcha
 
     module InstanceMethods
 
-      # override this method to toggle textcaptcha spam checking altogether, default is on (true)
+      # override this method to toggle textcaptcha checking
+      # by default this will only allow new records to be
+      # protected with textcaptchas
       def perform_textcaptcha?
-        true
+        !respond_to?('new_record?') || new_record?
       end
 
-      # generate textcaptcha question and encrypt possible spam_answers
+      # generate and assign textcaptcha
       def textcaptcha
-        show_deprecation_warning
-
-        return if !perform_textcaptcha? || validate_spam_answer
-        self.spam_answer = nil
+        if perform_textcaptcha? && textcaptcha_config
+          question = answers = nil
 
-        if textcaptcha_config
-          unless BCrypt::Engine.valid_salt?(textcaptcha_config[:bcrypt_salt])
-            raise BCrypt::Errors::InvalidSalt.new "you must specify a valid BCrypt Salt in your acts_as_textcaptcha options, get a salt from irb/console with\nrequire 'bcrypt';BCrypt::Engine.generate_salt\n\n(Please check Gem README for more details)\n"
-          end
+          # get textcaptcha from api
           if textcaptcha_config[:api_key]
-            begin
-              uri_parser = URI.const_defined?(:Parser) ? URI::Parser.new : URI # URI.parse is deprecated in 1.9.2
-              response   = Net::HTTP.get(uri_parser.parse("http://textcaptcha.com/api/#{textcaptcha_config[:api_key]}"))
-              if response.empty?
-                raise Textcaptcha::BadResponse
-              else
-                parse_textcaptcha_xml(response)
-              end
-              return
-            rescue SocketError, Timeout::Error, Errno::EINVAL, Errno::ECONNRESET, EOFError, Errno::ECONNREFUSED, Errno::ETIMEDOUT,
-                   Net::HTTPBadResponse, Net::HTTPHeaderSyntaxError, Net::ProtocolError, URI::InvalidURIError,
-                   REXML::ParseException, Textcaptcha::BadResponse
-              # rescue from these errors and continue
-            end
+            question, answers = TextcaptchaApi.fetch(textcaptcha_config[:api_key], textcaptcha_config)
           end
 
-          # fall back to textcaptcha_config questions if they are configured correctly
-          if textcaptcha_config[:questions]
-            random_question = textcaptcha_config[:questions][rand(textcaptcha_config[:questions].size)].symbolize_keys!
-            if random_question[:question] && random_question[:answers]
-              self.spam_question = random_question[:question]
-              self.spam_answers  = encrypt_answers(random_question[:answers].split(',').map!{ |answer| md5_answer(answer) })
-            end
+          # fall back to config based textcaptcha
+          unless question && answers
+            question, answers = textcaptcha_config_questions
           end
 
-          unless self.spam_question && self.spam_answers
-            self.spam_question = 'ActsAsTextcaptcha >> no API key (or questions) set and/or the textcaptcha service is currently unavailable (answer ok to bypass)'
-            self.spam_answers  = 'ok'
+          if question && answers
+            assign_textcaptcha(question, answers)
           end
         end
       end
@@ -113,58 +79,72 @@ module ActsAsTextcaptcha
 
       private
 
-      def show_deprecation_warning
-        warning_message = "
-[warning] ** ActsAsTextcaptcha - gem versions prior to v4.0.0 are VUNERABLE TO SPAM CHECK BY-PASSING, please upgrade gem to v4.0.0 (or higher) **
-[warning] ** ActsAsTextcaptcha - see here for details: https://github.com/matthutchinson/acts_as_textcaptcha/issues/15 **\n"
-        Rails.logger.warn warning_message
-      rescue
-        puts warning_message
+      def textcaptcha_config_questions
+        if textcaptcha_config[:questions]
+          random_question = textcaptcha_config[:questions][rand(textcaptcha_config[:questions].size)].symbolize_keys!
+          [random_question[:question], (random_question[:answers] || '').split(',').map!{ |answer| safe_md5(answer) }]
+        end
       end
 
-      def parse_textcaptcha_xml(xml)
-        if defined?(ActiveSupport::XmlMini)
-          parsed_xml = ActiveSupport::XmlMini.parse(xml)['captcha']
-          self.spam_question = parsed_xml['question']['__content__']
-          if parsed_xml['answer'].is_a?(Array)
-            self.spam_answers = encrypt_answers(parsed_xml['answer'].collect { |a| a['__content__'] })
+
+      # check textcaptcha, if incorrect, regenerate a new textcaptcha
+      def validate_textcaptcha
+        valid_answers = textcaptcha_cache.read(textcaptcha_key) || []
+        reset_textcaptcha
+        if valid_answers.include?(safe_md5(textcaptcha_answer))
+          # answer was valid, mutate the key again
+          self.textcaptcha_key = textcaptcha_random_key
+          textcaptcha_cache.write(textcaptcha_key, valid_answers, textcaptcha_cache_options)
+          true
+        else
+          if valid_answers.empty?
+            # took too long to answer
+            errors.add(:textcaptcha_answer, :expired, :message => 'was not submitted quickly enough, try another question instead')
           else
-            self.spam_answers = encrypt_answers([parsed_xml['answer']['__content__']])
+            # incorrect answer
+            errors.add(:textcaptcha_answer, :incorrect, :message => 'is incorrect, try another question instead')
           end
-        else
-          parsed_xml         = XML::Parser.string(xml).parse
-          self.spam_question = parsed_xml.find('/captcha/question')[0].inner_xml
-          self.spam_answers  = encrypt_answers(parsed_xml.find('/captcha/answer').map(&:inner_xml))
+          textcaptcha
+          false
         end
       end
 
-      def validate_spam_answer
-        (spam_answer && spam_answers) ? spam_answers.split('-').include?(encrypt_answer(md5_answer(spam_answer))) : false
+      def reset_textcaptcha
+        if textcaptcha_key
+          textcaptcha_cache.delete(textcaptcha_key)
+          self.textcaptcha_key = nil
+        end
       end
 
-      def validate_textcaptcha
-        # only spam check on new/unsaved records (ie. no spam check on updates/edits)
-        if !respond_to?('new_record?') || new_record?
-          if !skip_textcaptcha && perform_textcaptcha? && !validate_spam_answer
-            errors.add(:spam_answer, :incorrect_answer, :message => "is incorrect, try another question instead")
-            # regenerate question
-            textcaptcha
-            return false
-          end
-        end
-        true
+      def assign_textcaptcha(question, answers)
+        self.textcaptcha_question = question
+        self.textcaptcha_key      = textcaptcha_random_key
+        textcaptcha_cache.write(textcaptcha_key, answers, textcaptcha_cache_options)
+      end
+
+      # strip whitespace pass through mb_chars (a multibyte
+      # safe proxy for string methods) then downcase
+      def safe_md5(answer)
+        Digest::MD5.hexdigest(answer.to_s.strip.mb_chars.downcase)
       end
 
-      def encrypt_answers(answers)
-        answers.map { |answer| encrypt_answer(answer) }.join('-')
+      # a random cache key, time based and random
+      def textcaptcha_random_key
+        safe_md5(Time.now.to_i + rand(1_000_000))
       end
 
-      def encrypt_answer(answer)
-        BCrypt::Engine.hash_secret(answer, textcaptcha_config[:bcrypt_salt], (textcaptcha_config[:bcrypt_cost].to_i || 10))
+      def textcaptcha_cache_options
+        if textcaptcha_config[:cache_expiry_minutes]
+          { :expires_in => textcaptcha_config[:cache_expiry_minutes].to_f.minutes }
+        else
+          {}
+        end
       end
 
-      def md5_answer(answer)
-        Digest::MD5.hexdigest(answer.to_s.strip.mb_chars.downcase)
+      # cache is used to persist textcaptcha questions and answers
+      # between requests
+      def textcaptcha_cache
+        @@textcaptcha_cache ||= TextcaptchaCache.new
       end
     end
   end