fast_submission_protection 0.1.0

data/CHANGELOG

@@ -0,0 +1,13 @@
+= 0.1.0
+  * Renamed to fast_submission_protection
+  * Raise an error to handle fast submission
+  * better design for starting and finishing submission from within different controllers
+
+= 0.0.3
+  * Docfix
+
+= 0.0.2
+  * Adds #reject_fast_create which has some minimal default behaviour, encourages users to override
+
+= 0.0.1
+  * Initial Release

data/MIT-LICENSE

@@ -0,0 +1,25 @@
+Copyright 2012 Ian White
+
+This plugin was developed by Ian White (http://github.com/ianwhite)
+and Nicholas Rutherford (http://github.com/nruth) while working at
+Distinctive Doors (http://distinctivedoors.co.uk) who have kindly
+agreed to release this under the MIT-LICENSE.
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,76 @@
+# FastSubmissionProtection
+
+*This is experimental and the API is currently subject to sudden and massive change!*
+
+[![Build Status](https://secure.travis-ci.org/i2w/fast_submission_protection.png?branch=master)](http://travis-ci.org/i2w/timed_spam_rejection)
+
+ActionController plugin that facilitates rejecting spam based on how long the form submission took.
+
+This plugin was developed by [Ian White](http://github.com/ianwhite) and [Nicholas Rutherford](http://github.com/nruth) while working at [Distinctive Doors](http://distinctivedoors.co.uk) who have kindly agreed to release this under the MIT-LICENSE.
+
+## Installation
+
+In your Gemfile:
+
+    gem 'fast_submission_protection'
+
+## Example Usage
+
+    class FeedbackController < ApplicationController
+      protect_from_fast_submission # default delay is 5 seconds, protects create from fast submission
+    end
+
+    class CommentsController < ApplicationController
+      # protects a Comment#update from happening too quickly, and rescues with custom behaviour
+      protect_from_fast_submission :delay => 10, :start => [:edit, :update], :finish => [:update], :rescue => false
+      
+      rescue_from FastSubmissionProtection::SubmissionTooFastError, :with => lambda {|c| c.redirect_to :edit, :alert => 'Don't comment in anger!' }
+    end
+    
+See `FastSubmissionProtection::Controller#protect_from_fast_submission` for more details.
+
+## Filters
+
+You can start and finish the timed submission in different controllers, just set up the filters manually:
+
+    class WelcomeController < ApplicationController
+      before_filter FastSubmissionProtection::StartFilter.new('abused_form'), :only => :feedback_form
+    end
+    
+    class FeedbackController < ApplicationController
+      before_filter FastSubmissionProtection::FinishFilter.new('abused_form'), :only => :feedback
+    end
+    
+## Instance methods
+
+You can start and finish at any point within a controller
+
+    start_timed_submission 'abused_form'
+    finish_timed_submission 'abused_form', 20 # raises FastSubmissionProtection::SubmissionTooFastError if the above line was < 20 seconds ago
+    
+Other methods, like reset timer, and clear timer are available on the timer object
+
+    submission_timer('abused_form') # => a FastSubmissionProtection::SubmissionTimer
+
+## Rescue
+
+if you include FastSubmissionProtection::Rescue, the error is rescued with an error page with HTTP status 420 (enhance your calm).
+This is included by default when you specify `protect_from_fast_submission`.
+
+The default error page resides in 'views/fast_submission_protection/error'.  Simply add this page to your views directory to use a custom page.
+
+Another option is to do something like put a message in the flash, and re-render the new page.  Simply rescue_from FastSubmissionProtection::SubmissionTimer.
+
+## Development
+
+Grab the project, use the last known good set of deps, and run the specs:
+
+    git clone http://github.com/i2w/fast_submission_protection
+    cd fast_submission_protection
+    cp Gemfile.lock.development Gemfile.lock
+    bundle
+    rake
+
+## License
+
+This project uses the MIT-LICENSE.

data/Rakefile

@@ -0,0 +1,33 @@
+#!/usr/bin/env rake
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+begin
+  require 'rdoc/task'
+rescue LoadError
+  require 'rdoc/rdoc'
+  require 'rake/rdoctask'
+  RDoc::Task = Rake::RDocTask
+end
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'TimedSpamRejection'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.md', 'CHANGELOG', 'MIT-LICENSE')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+Bundler::GemHelper.install_tasks
+
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+desc "Run the specs with simplecov"
+task :simplecov => [:simplecov_env, :spec]
+task :simplecov_env do ENV['SIMPLECOV'] = '1' end
+
+task :default => :spec

data/app/views/fast_submission_protection/error.html

@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Enhance your calm (420)</title>
+  <style type="text/css">
+    body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; }
+    div.dialog {
+      width: 25em;
+      padding: 0 4em;
+      margin: 4em auto 0 auto;
+      border: 1px solid #ccc;
+      border-right-color: #999;
+      border-bottom-color: #999;
+    }
+    h1 { font-size: 100%; color: #f00; line-height: 1.5em; }
+  </style>
+</head>
+
+<body>
+  <div class="dialog">
+    <h1>The request you made was too fast.</h1>
+    <p>Click your browser's back button to return to the previous page, wait 5 seconds, and try the request again.</p>
+    <p>This is an anti-spam measure.</p>
+  </div>
+</body>
+</html>

data/lib/fast_submission_protection/controller.rb

@@ -0,0 +1,113 @@
+module FastSubmissionProtection
+  module Controller
+    extend ActiveSupport::Concern
+    
+    module ClassMethods
+      # protects a create action from fast_submission
+      #
+      # This checks the time taken between the form being rendered (by new, or failed create), and
+      # the form being posted to the create action.  If it is less than the specified time, an
+      # error is raised, which is rescued with a basic 420 error page (enhance your calm) which 
+      # invites the user to click their back button, wait 5 seconds, and try again.
+      #
+      # Options:
+      #   * :name:    The name of the submission (default "#{controller_name}_create")
+      #   * :delay:   The time to wait (default 5 seconds)
+      #   * :start:   List of actions when the timer should be started (default [:new, :create])
+      #   * :finish:  List of actions when the timer should be finished (default [:create])
+      #   * :rescue:  Rescue SubmissionTooFast error with a 420.html error page (default true)
+      # 
+      # If your submission starts in one controller and finishes in another, you can start the 
+      # timer wherever you like, as follows
+      #
+      #   # At the class level, ie specifying a filter where the submission ends
+      #   before_filter FastSubmissionProtection::FinishFilter.new('abused_form_post'), :only => [:create]
+      #   # and where the submission starts
+      #   before_filter FastSubmissionProtection::StartFilter.new('abused_form_post'), :only => [:new]
+      #   
+      #   # At the instance level, wherever you want, perhaps in an action
+      #   start_timed_submission('often_abused_form_post') # to start
+      #   
+      #   # later, somewhere else
+      #   finish_timed_submission('often_abused_form_post') # to finsih, raises SubmissionTooFastError if too fast
+      def protect_from_fast_submission options = {}
+        delay  = options[:delay]
+        start  = options[:start] || [:new, :create]
+        finish = options[:finish] || [:create]
+        name   = options[:name] || "#{controller_name}_#{Array(finish).join('_')}"
+
+        include Rescue unless options[:rescue] == false || self < Rescue
+
+        before_filter FinishFilter.new(name, delay), :only => finish
+        before_filter StartFilter.new(name), :only => start
+      end
+    end
+    
+    included do
+      hide_action :start_timed_submission, :finish_timed_submission
+    end
+    
+    def start_timed_submission name
+      submission_timer(name).start
+    end
+    
+    def finish_timed_submission name, delay = nil
+      if protect_from_fast_submission?
+        timer = submission_timer(name, delay)
+        if timer.too_fast?
+          logger.warn "WARNING: timed submission too fast" if logger
+          timer.restart
+          raise SubmissionTooFastError.new(name, delay)
+        else
+          timer.clear
+        end
+      end
+    end
+    
+  protected
+    def submission_timer name, delay = nil
+      SubmissionTimer.new timed_submission_storage, name, delay
+    end
+
+    def protect_from_fast_submission?
+      request.post? || request.put?
+    end
+    
+    def timed_submission_storage
+      session[:_fsp] ||= {}
+    end
+  end
+  
+  class StartFilter < Struct.new(:name)
+    def filter controller
+      controller.start_timed_submission name
+    end
+  end
+  
+  class FinishFilter < Struct.new(:name, :delay)
+    def filter controller
+      controller.finish_timed_submission name, delay
+    end
+  end
+  
+  class FastSubmissionProtection::SubmissionTooFastError < RuntimeError
+    def initialize name, delay
+      @name, @delay = name, delay
+    end
+    
+    attr_reader :name, :delay
+  end
+
+  module Rescue
+    extend ActiveSupport::Concern
+
+    included do
+      rescue_from FastSubmissionProtection::SubmissionTooFastError, :with => :render_fast_submission_protection_error
+    end
+
+  protected
+    def render_fast_submission_protection_error
+      render :template => 'fast_submission_protection/error', :layout => false, :status => 420
+    end
+  end
+end

data/lib/fast_submission_protection/engine.rb

@@ -0,0 +1,8 @@
+module FastSubmissionProtection
+  class Engine < Rails::Engine
+  end
+end
+
+ActiveSupport.on_load(:action_controller) do
+  include FastSubmissionProtection::Controller
+end

data/lib/fast_submission_protection/submission_timer.rb

@@ -0,0 +1,30 @@
+module FastSubmissionProtection
+  class SubmissionTimer
+    class_attribute :delay, :clock
+    self.delay = 5
+    self.clock = Time
+    
+    def initialize storage, key, delay = nil, clock = nil
+      @storage, @key = storage, key
+      @delay = delay || self.class.delay
+      @clock = clock || self.class.clock
+    end
+    
+    def too_fast?
+      started = @storage[@key]
+      !started || (started + @delay > @clock.now)
+    end
+      
+    def start
+      @storage[@key] ||= @clock.now
+    end
+    
+    def restart
+      @storage[@key] = @clock.now
+    end
+    
+    def clear
+      @storage.delete @key
+    end
+  end
+end

data/lib/fast_submission_protection/version.rb

@@ -0,0 +1,3 @@
+module FastSubmissionProtection
+  VERSION = "0.1.0"
+end

data/lib/fast_submission_protection.rb

@@ -0,0 +1,4 @@
+require 'fast_submission_protection/submission_timer'
+require 'fast_submission_protection/controller'
+require 'fast_submission_protection/engine'
+require 'fast_submission_protection/version'

data/spec/controllers/controller_spec.rb

@@ -0,0 +1,150 @@
+require 'spec_helper'
+
+module FastSubmissionProtection
+  class Application < Rails::Application
+    config.i18n.default_locale = :en
+  end
+end
+
+class ApplicationController < ActionController::Base
+  include Rails.application.routes.url_helpers
+end
+
+describe 'A controller with protect_from_fast_submission' do
+  controller do
+    protect_from_fast_submission :name => 'test', :rescue => false
+    
+    def new
+      render_new
+    end
+  
+    def create
+      if params[:create_failed]
+        render_new
+      else
+        created
+        render_create
+      end
+    end
+    
+    def index
+      render :nothing => true
+    end
+    
+    def render_new
+      render :nothing => true
+    end
+    
+    def render_create
+      render :nothing => true
+    end
+    
+    def created
+    end
+  end
+  
+  context 'post :create' do
+    subject { do_post }
+    
+    def do_post *args
+      post :create, *args
+    end
+    
+    # The only thing we're stubbing in this integration spec is the time
+    let(:clock) { double :now => Time.now }
+    before do FastSubmissionProtection::SubmissionTimer.clock = clock end
+    
+    def seconds_pass amount
+      now = clock.now + amount.seconds
+      clock.stub(:now).and_return now
+    end
+    
+    shared_examples_for 'a spammy form posting' do
+      it do expect{ subject }.to raise_error FastSubmissionProtection::SubmissionTooFastError end
+      
+      it 'should not execute create' do
+        controller.should_not_receive(:created)
+      end
+    end
+    
+    shared_examples_for 'a non spammy form posting' do
+      it 'should execute :create' do
+        controller.should_receive(:created)
+        subject
+      end
+    end
+    
+    context 'when get :new is not the previous action' do
+      it_should_behave_like 'a spammy form posting'
+    end
+    
+    context 'after get :new' do
+      before do
+        get :new
+      end
+      
+      context 'when enough time has passed' do
+        before do seconds_pass(6) end
+
+        it_should_behave_like 'a non spammy form posting'
+        
+        context 'but the create fails for another reason, and new is rendered' do
+          before do
+            do_post :create_failed => true
+          end
+            
+          context 'and enough time passes' do
+            before do seconds_pass(6) end
+            
+            it_should_behave_like 'a non spammy form posting'  
+          end
+        end
+      end
+      
+      context 'and another action is requested in the meantime' do
+        before do
+          get :index
+        end
+
+        context 'and enough time has passed' do
+          before do seconds_pass(6) end
+
+          it_should_behave_like 'a non spammy form posting'
+        end
+      end
+      
+      context 'when not enough time has passed' do
+        before do seconds_pass(4) end
+        
+        it_should_behave_like 'a spammy form posting'
+        
+        context 'and not enough time passes again' do
+          before do
+            do_post rescue FastSubmissionProtection::SubmissionTooFastError
+            seconds_pass(4)
+          end
+          
+          it_should_behave_like 'a spammy form posting'
+          
+          context 'but then enough time passes' do
+            before do
+              do_post rescue FastSubmissionProtection::SubmissionTooFastError
+              seconds_pass(6)
+            end
+            
+            it_should_behave_like 'a non spammy form posting'
+            
+            context 'but then I post again immediately' do
+              before do
+                do_post rescue FastSubmissionProtection::SubmissionTooFastError
+                seconds_pass(1)
+              end
+              
+              it_should_behave_like 'a spammy form posting'
+            end
+          end
+        end
+      end
+    end 
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,10 @@
+if ENV['SIMPLECOV']
+  require 'simplecov'
+  SimpleCov.start do
+    add_filter "_spec.rb"
+  end
+end
+
+require 'rails/all'
+require 'rspec/rails'
+require 'fast_submission_protection'

metadata

@@ -0,0 +1,89 @@
+--- !ruby/object:Gem::Specification
+name: fast_submission_protection
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+  prerelease: 
+platform: ruby
+authors:
+- Ian White
+- Nicholas Rutherford
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-04-03 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: &70112464848300 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '3'
+  type: :runtime
+  prerelease: false
+  version_requirements: *70112464848300
+- !ruby/object:Gem::Dependency
+  name: rspec-rails
+  requirement: &70112464847440 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :development
+  prerelease: false
+  version_requirements: *70112464847440
+description: Reject form submissions based on the time taken to submit them. Version
+  0.1.0
+email:
+- ian@i2wdev.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- app/views/fast_submission_protection/error.html
+- lib/fast_submission_protection/controller.rb
+- lib/fast_submission_protection/engine.rb
+- lib/fast_submission_protection/submission_timer.rb
+- lib/fast_submission_protection/version.rb
+- lib/fast_submission_protection.rb
+- MIT-LICENSE
+- Rakefile
+- README.md
+- CHANGELOG
+- spec/controllers/controller_spec.rb
+- spec/spec_helper.rb
+homepage: http://github.com/i2w/timed_spam_rejection
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
+      - 0
+      hash: 3131108100916053125
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
+      - 0
+      hash: 3131108100916053125
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.10
+signing_key: 
+specification_version: 3
+summary: Reject form submissions based on the time taken to submit them
+test_files:
+- spec/controllers/controller_spec.rb
+- spec/spec_helper.rb