invisible_captcha 0.10.0 → 2.0.0

data/lib/invisible_captcha/controller_ext.rb

@@ -1,13 +1,15 @@
+# frozen_string_literal: true
+
 module InvisibleCaptcha
   module ControllerExt
     module ClassMethods
       def invisible_captcha(options = {})
-        if respond_to?(:before_action)
-          before_action(options) do
+        if options.key?(:prepend)
+          prepend_before_action(options) do
             detect_spam(options)
           end
         else
-          before_filter(options) do
+          before_action(options) do
             detect_spam(options)
           end
         end
@@ -19,7 +21,7 @@ module InvisibleCaptcha
     def detect_spam(options = {})
       if timestamp_spam?(options)
         on_timestamp_spam(options)
-      elsif honeypot_spam?(options)
+      elsif honeypot_spam?(options) || spinner_spam?
         on_spam(options)
       end
     end
@@ -28,11 +30,7 @@ module InvisibleCaptcha
       if action = options[:on_timestamp_spam]
         send(action)
       else
-        if respond_to?(:redirect_back)
-          redirect_back(fallback_location: root_path, flash: { error: InvisibleCaptcha.timestamp_error_message })
-        else
-          redirect_to :back, flash: { error: InvisibleCaptcha.timestamp_error_message }
-        end
+        redirect_back(fallback_location: root_path, flash: { error: InvisibleCaptcha.timestamp_error_message })
       end
     end
 
@@ -53,11 +51,11 @@ module InvisibleCaptcha
 
       return false unless enabled
 
-      timestamp = session[:invisible_captcha_timestamp]
+      timestamp = session.delete(:invisible_captcha_timestamp)
 
       # Consider as spam if timestamp not in session, cause that means the form was not fetched at all
       unless timestamp
-        logger.warn("Potential spam detected for IP #{request.env['REMOTE_ADDR']}. Invisible Captcha timestamp not found in session.")
+        warn_spam("Invisible Captcha timestamp not found in session.")
         return true
       end
 
@@ -66,7 +64,16 @@ module InvisibleCaptcha
 
       # Consider as spam if form submitted too quickly
       if time_to_submit < threshold
-        logger.warn("Potential spam detected for IP #{request.env['REMOTE_ADDR']}. Invisible Captcha timestamp threshold not reached (took #{time_to_submit.to_i}s).")
+        warn_spam("Invisible Captcha timestamp threshold not reached (took #{time_to_submit.to_i}s).")
+        return true
+      end
+
+      false
+    end
+
+    def spinner_spam?
+      if InvisibleCaptcha.spinner_enabled && params[:spinner] != session[:invisible_captcha_spinner]
+        warn_spam("Invisible Captcha spinner value mismatch")
         return true
       end
 
@@ -81,7 +88,8 @@ module InvisibleCaptcha
         # If honeypot is defined for this controller-action, search for:
         # - honeypot: params[:subtitle]
         # - honeypot with scope: params[:topic][:subtitle]
-        if params[honeypot].present? || (params[scope] && params[scope][honeypot].present?)
+        if params[honeypot].present? || params.dig(scope, honeypot).present?
+          warn_spam("Invisible Captcha honeypot param '#{honeypot}' was present.")
           return true
         else
           # No honeypot spam detected, remove honeypot from params to avoid UnpermittedParameters exceptions
@@ -90,11 +98,29 @@ module InvisibleCaptcha
         end
       else
         InvisibleCaptcha.honeypots.each do |default_honeypot|
-          return true if params[default_honeypot].present?
+          if params[default_honeypot].present?
+            warn_spam("Invisible Captcha honeypot param '#{default_honeypot}' was present.")
+            return true
+          end
         end
       end
 
       false
     end
+
+    def warn_spam(message)
+      logger.warn("Potential spam detected for IP #{request.remote_ip}. #{message}")
+
+      ActiveSupport::Notifications.instrument(
+        'invisible_captcha.spam_detected',
+        message: message,
+        remote_ip: request.remote_ip,
+        user_agent: request.user_agent,
+        controller: params[:controller],
+        action: params[:action],
+        url: request.url,
+        params: request.filtered_parameters
+      )
+    end
   end
 end

data/lib/invisible_captcha/form_helpers.rb

@@ -1,7 +1,9 @@
+# frozen_string_literal: true
+
 module InvisibleCaptcha
   module FormHelpers
     def invisible_captcha(honeypot, options = {})
       @template.invisible_captcha(honeypot, self.object_name, options)
     end
   end
-end
+end

data/lib/invisible_captcha/railtie.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module InvisibleCaptcha
   class Railtie < Rails::Railtie
     initializer 'invisible_captcha.rails_integration' do

data/lib/invisible_captcha/version.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module InvisibleCaptcha
-  VERSION = "0.10.0"
+  VERSION = "2.0.0"
 end

data/lib/invisible_captcha/view_helpers.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module InvisibleCaptcha
   module ViewHelpers
     # Builds the honeypot html
@@ -8,9 +10,17 @@ module InvisibleCaptcha
     #
     # @return [String] the generated html
     def invisible_captcha(honeypot = nil, scope = nil, options = {})
-      if InvisibleCaptcha.timestamp_enabled
+      @captcha_ocurrences = 0 unless defined?(@captcha_ocurrences)
+      @captcha_ocurrences += 1
+
+      if InvisibleCaptcha.timestamp_enabled || InvisibleCaptcha.spinner_enabled
         session[:invisible_captcha_timestamp] = Time.zone.now.iso8601
       end
+
+      if InvisibleCaptcha.spinner_enabled && @captcha_ocurrences == 1
+        session[:invisible_captcha_spinner] = InvisibleCaptcha.encode("#{session[:invisible_captcha_timestamp]}-#{current_request.remote_ip}")
+      end
+
       build_invisible_captcha(honeypot, scope, options)
     end
 
@@ -22,6 +32,10 @@ module InvisibleCaptcha
 
     private
 
+    def current_request
+      @request ||= request
+    end
+
     def build_invisible_captcha(honeypot = nil, scope = nil, options = {})
       if honeypot.is_a?(Hash)
         options = honeypot
@@ -41,7 +55,10 @@ module InvisibleCaptcha
       content_tag(:div, class: css_class) do
         concat styles unless InvisibleCaptcha.injectable_styles
         concat label_tag(build_label_name(honeypot, scope), label)
-        concat text_field_tag(build_text_field_name(honeypot, scope), nil, options.merge(tabindex: -1))
+        concat text_field_tag(build_input_name(honeypot, scope), nil, default_honeypot_options.merge(options))
+        if InvisibleCaptcha.spinner_enabled
+          concat hidden_field_tag("spinner", session[:invisible_captcha_spinner])
+        end
       end
     end
 
@@ -54,7 +71,9 @@ module InvisibleCaptcha
 
       return if visible
 
-      content_tag(:style, media: 'screen') do
+      nonce = content_security_policy_nonce if options[:nonce]
+
+      content_tag(:style, media: 'screen', nonce: nonce) do
         ".#{css_class} {#{InvisibleCaptcha.css_strategy}}"
       end
     end
@@ -67,12 +86,16 @@ module InvisibleCaptcha
       end
     end
 
-    def build_text_field_name(honeypot, scope = nil)
+    def build_input_name(honeypot, scope = nil)
       if scope.present?
         "#{scope}[#{honeypot}]"
       else
         honeypot
       end
     end
+
+    def default_honeypot_options
+      { autocomplete: 'off', tabindex: -1 }
+    end
   end
 end

data/lib/invisible_captcha.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'invisible_captcha/version'
 require 'invisible_captcha/controller_ext'
 require 'invisible_captcha/view_helpers'
@@ -13,7 +15,9 @@ module InvisibleCaptcha
                   :timestamp_threshold,
                   :timestamp_enabled,
                   :visual_honeypots,
-                  :injectable_styles
+                  :injectable_styles,
+                  :spinner_enabled,
+                  :secret
 
     def init!
       # Default sentence for real users if text field was visible
@@ -31,9 +35,15 @@ module InvisibleCaptcha
       # Make honeypots visibles
       self.visual_honeypots = false
 
-      # If enabled, you should call anywhere in of your layout the following helper, to inject the honeypot styles:
-      #  <%= invisible_captcha_styles %>
+      # If enabled, you should call anywhere in your layout the following helper, to inject the honeypot styles:
+      # <%= invisible_captcha_styles %>
       self.injectable_styles = false
+
+      # Spinner check enabled by default
+      self.spinner_enabled = true
+
+      # A secret key to encode some internal values
+      self.secret = ENV['INVISIBLE_CAPTCHA_SECRET'] || SecureRandom.hex(64)
     end
 
     def sentence_for_humans
@@ -68,6 +78,10 @@ module InvisibleCaptcha
       ].sample
     end
 
+    def encode(value)
+      Digest::MD5.hexdigest("#{self.secret}-#{value}")
+    end
+
     private
 
     def call_lambda_or_return(obj)

data/spec/controllers_spec.rb

@@ -1,41 +1,27 @@
-require 'spec_helper'
+# frozen_string_literal: true
 
-describe InvisibleCaptcha::ControllerExt, type: :controller do
+RSpec.describe InvisibleCaptcha::ControllerExt, type: :controller do
   render_views
 
-  def switchable_post(action, params = {})
-    if ::Rails::VERSION::STRING > '5'
-      post action, params: params
-    else
-      post action, params
-    end
-  end
-
-  def switchable_put(action, params = {})
-    if ::Rails::VERSION::STRING > '5'
-      put action, params: params
-    else
-      put action, params
-    end
-  end
-
   before(:each) do
     @controller = TopicsController.new
     request.env['HTTP_REFERER'] = 'http://test.host/topics'
+
     InvisibleCaptcha.init!
     InvisibleCaptcha.timestamp_threshold = 1
+    InvisibleCaptcha.spinner_enabled = false
   end
 
   context 'without invisible_captcha_timestamp in session' do
     it 'fails like if it was submitted too fast' do
-      switchable_post :create, topic: { title: 'foo' }
+      post :create, params: { topic: { title: 'foo' } }
 
       expect(response).to redirect_to 'http://test.host/topics'
       expect(flash[:error]).to eq(InvisibleCaptcha.timestamp_error_message)
     end
 
     it 'passes if disabled at action level' do
-      switchable_post :copy, topic: { title: 'foo' }
+      post :copy, params: { topic: { title: 'foo' } }
 
       expect(flash[:error]).not_to be_present
       expect(response.body).to be_present
@@ -43,7 +29,8 @@ describe InvisibleCaptcha::ControllerExt, type: :controller do
 
     it 'passes if disabled at app level' do
       InvisibleCaptcha.timestamp_enabled = false
-      switchable_post :create, topic: { title: 'foo' }
+
+      post :create, params: { topic: { title: 'foo' } }
 
       expect(flash[:error]).not_to be_present
       expect(response.body).to be_present
@@ -56,32 +43,57 @@ describe InvisibleCaptcha::ControllerExt, type: :controller do
     end
 
     it 'fails if submission before timestamp_threshold' do
-      switchable_post :create, topic: { title: 'foo' }
+      post :create, params: { topic: { title: 'foo' } }
 
       expect(response).to redirect_to 'http://test.host/topics'
       expect(flash[:error]).to eq(InvisibleCaptcha.timestamp_error_message)
+
+      # Make sure session is cleared
+      expect(session[:invisible_captcha_timestamp]).to be_nil
     end
 
-    it 'allow a custom on_timestamp_spam callback' do
-      switchable_put :update, id: 1, topic: { title: 'bar' }
+    it 'allows a custom on_timestamp_spam callback' do
+      put :update, params: { id: 1, topic: { title: 'bar' } }
 
       expect(response.status).to eq(204)
     end
 
+    it 'allows a new timestamp to be set in the on_timestamp_spam callback' do
+      @controller.singleton_class.class_eval do
+        def custom_timestamp_callback
+          session[:invisible_captcha_timestamp] = 2.seconds.from_now(Time.zone.now).iso8601
+          head(204)
+        end
+      end
+
+      expect { put :update, params: { id: 1, topic: { title: 'bar' } } }
+        .to change { session[:invisible_captcha_timestamp] }
+        .to be_present
+    end
+
     context 'successful submissions' do
       it 'passes if submission on or after timestamp_threshold' do
         sleep InvisibleCaptcha.timestamp_threshold
 
-        switchable_post :create, topic: { title: 'foo' }
+        post :create, params: {
+          topic: {
+            title: 'foobar',
+            author: 'author',
+            body: 'body that passes validation'
+          }
+        }
 
         expect(flash[:error]).not_to be_present
         expect(response.body).to be_present
+
+        # Make sure session is cleared
+        expect(session[:invisible_captcha_timestamp]).to be_nil
       end
 
       it 'allow to set a custom timestamp_threshold per action' do
         sleep 2 # custom threshold
 
-        switchable_post :publish, id: 1
+        post :publish, params: { id: 1 }
 
         expect(flash[:error]).not_to be_present
         expect(response.body).to be_present
@@ -92,33 +104,90 @@ describe InvisibleCaptcha::ControllerExt, type: :controller do
   context 'honeypot attribute' do
     before(:each) do
       session[:invisible_captcha_timestamp] = Time.zone.now.iso8601
+
       # Wait for valid submission
       sleep InvisibleCaptcha.timestamp_threshold
     end
 
     it 'fails with spam' do
-      switchable_post :create, topic: { subtitle: 'foo' }
+      post :create,  params: { topic: { subtitle: 'foo' } }
 
       expect(response.body).to be_blank
     end
 
     it 'passes with no spam' do
-      switchable_post :create, topic: { title: 'foo' }
+      post :create,  params: { topic: { title: 'foo' } }
 
       expect(response.body).to be_present
     end
 
     it 'allow a custom on_spam callback' do
-      switchable_put :update, id: 1, topic: { subtitle: 'foo' }
+      put :update,  params: { id: 1, topic: { subtitle: 'foo' } }
 
       expect(response.body).to redirect_to(new_topic_path)
     end
 
     it 'honeypot is removed from params if you use a custom honeypot' do
-      switchable_post :create, topic: { title: 'foo', subtitle: '' }
+      post :create,  params: { topic: { title: 'foo', subtitle: '' } }
 
       expect(flash[:error]).not_to be_present
       expect(@controller.params[:topic].key?(:subtitle)).to eq(false)
     end
+
+    describe 'ActiveSupport::Notifications' do
+      let(:dummy_handler) { double(handle_event: nil) }
+
+      let!(:subscriber) do
+        subscriber = ActiveSupport::Notifications.subscribe('invisible_captcha.spam_detected') do |*args, data|
+          dummy_handler.handle_event(data)
+        end
+
+        subscriber
+      end
+
+      after { ActiveSupport::Notifications.unsubscribe(subscriber) }
+
+      it 'dispatches an `invisible_captcha.spam_detected` event' do
+        expect(dummy_handler).to receive(:handle_event).once.with(
+          message: "Invisible Captcha honeypot param 'subtitle' was present.",
+          remote_ip: '0.0.0.0',
+          user_agent: 'Rails Testing',
+          controller: 'topics',
+          action: 'create',
+          url: 'http://test.host/topics',
+          params: {
+            topic: { subtitle: "foo"},
+            controller: 'topics',
+            action: 'create'
+          }
+        )
+
+        post :create, params: { topic: { subtitle: 'foo' } }
+      end
+    end
+  end
+
+  context 'spinner attribute' do
+    before(:each) do
+      InvisibleCaptcha.spinner_enabled = true
+      InvisibleCaptcha.secret = 'secret'
+      session[:invisible_captcha_timestamp] = Time.zone.now.iso8601
+      session[:invisible_captcha_spinner] = '32ab649161f9f6faeeb323746de1a25d'
+
+      # Wait for valid submission
+      sleep InvisibleCaptcha.timestamp_threshold
+    end
+
+    it 'fails with no spam, but mismatch of spinner' do
+      post :create,  params: { topic: { title: 'foo' }, spinner: 'mismatch' }
+
+      expect(response.body).to be_blank
+    end
+
+    it 'passes with no spam and spinner match' do
+      post :create,  params: { topic: { title: 'foo' }, spinner: '32ab649161f9f6faeeb323746de1a25d' }
+
+      expect(response.body).to be_present
+    end
   end
 end

data/spec/dummy/app/assets/config/manifest.js

@@ -0,0 +1,2 @@
+//= link_directory ../javascripts .js
+//= link_directory ../stylesheets .css

data/spec/dummy/config/environments/test.rb

@@ -14,13 +14,8 @@ Dummy::Application.configure do
 
   # Disable serving static files from the `/public` folder by default since
   # Apache or NGINX already handles this.
-  if Rails.version >= "5.0.0"
-    config.public_file_server.enabled = true
-    config.public_file_server.headers = {'Cache-Control' => 'public, max-age=3600'}
-  else
-    config.serve_static_files = true
-    config.static_cache_control = "public, max-age=3600"
-  end
+  config.public_file_server.enabled = true
+  config.public_file_server.headers = {'Cache-Control' => 'public, max-age=3600'}
 
   # Show full error reports and disable caching.
   config.consider_all_requests_local       = true
@@ -39,4 +34,4 @@ Dummy::Application.configure do
 
   # Print deprecation notices to the stderr.
   config.active_support.deprecation = :stderr
-end
+end

data/spec/invisible_captcha_spec.rb

@@ -1,6 +1,6 @@
-require 'spec_helper'
+# frozen_string_literal: true
 
-describe InvisibleCaptcha do
+RSpec.describe InvisibleCaptcha do
   it 'initialize with defaults' do
     InvisibleCaptcha.init!
 

data/spec/spec_helper.rb

@@ -1,10 +1,15 @@
+# frozen_string_literal: true
+
 ENV['RAILS_ENV'] = 'test'
+
 require File.expand_path("../dummy/config/environment.rb", __FILE__)
 require 'rspec/rails'
 require 'invisible_captcha'
 
 RSpec.configure do |config|
-  config.order = 'random'
+  config.include ActionDispatch::ContentSecurityPolicy::Request, type: :helper
+  config.disable_monkey_patching!
+  config.order = :random
   config.expect_with :rspec
   config.mock_with :rspec do |mocks|
     mocks.verify_partial_doubles = true

data/spec/view_helpers_spec.rb

@@ -1,9 +1,9 @@
-require 'spec_helper'
+# frozen_string_literal: true
 
-describe InvisibleCaptcha::ViewHelpers, type: :helper do
+RSpec.describe InvisibleCaptcha::ViewHelpers, type: :helper do
   before(:each) do
-    allow(Time.zone).to receive(:now).and_return(Time.zone.parse('Feb 19 1986'))
     allow(InvisibleCaptcha).to receive(:css_strategy).and_return("display:none;")
+    allow_any_instance_of(ActionDispatch::ContentSecurityPolicy::Request).to receive(:content_security_policy_nonce).and_return('123')
 
     # to test content_for and provide
     @view_flow = ActionView::OutputFlow.new
@@ -28,10 +28,14 @@ describe InvisibleCaptcha::ViewHelpers, type: :helper do
     expect(invisible_captcha(:subtitle, :topic, { class: 'foo_class' })).to match(/class="foo_class"/)
   end
 
+  it 'with CSP nonce' do
+    expect(invisible_captcha(:subtitle, :topic, { nonce: true })).to match(/nonce="123"/)
+  end
+
   it 'generated html + styles' do
     InvisibleCaptcha.honeypots = [:foo_id]
     output = invisible_captcha.gsub("\"", "'")
-    regexp = %r{<div class='foo_id_\w*'><style.*>.foo_id_\w* {display:none;}</style><label.*>#{InvisibleCaptcha.sentence_for_humans}.*<input.*name='foo_id'.*tabindex='-1'.*</div>}
+    regexp = %r{<div class='foo_id_\w*'><style.*>.foo_id_\w* {display:none;}</style><label.*>#{InvisibleCaptcha.sentence_for_humans}</label><input (?=.*name='foo_id'.*)(?=.*autocomplete='off'.*)(?=.*tabindex='-1'.*).*/></div>}
 
     expect(output).to match(regexp)
   end
@@ -54,6 +58,18 @@ describe InvisibleCaptcha::ViewHelpers, type: :helper do
     end
   end
 
+  context "should have spinner field" do
+    it 'that exists by default, spinner_enabled is true' do
+      InvisibleCaptcha.spinner_enabled = true
+      expect(invisible_captcha).to match(/spinner/)
+    end
+
+    it 'that does not exist if spinner_enabled is false' do
+      InvisibleCaptcha.spinner_enabled = false
+      expect(invisible_captcha).not_to match(/spinner/)
+    end
+  end
+
   it 'should set spam timestamp' do
     invisible_captcha
     expect(session[:invisible_captcha_timestamp]).to eq(Time.zone.now.iso8601)
@@ -62,14 +78,14 @@ describe InvisibleCaptcha::ViewHelpers, type: :helper do
   context 'injectable_styles option' do
     it 'by default, render styles along with the honeypot' do
       expect(invisible_captcha).to match(/display:none/)
-      expect(helper.content_for(:invisible_captcha_styles)).to be_blank
+      expect(@view_flow.content[:invisible_captcha_styles]).to be_blank
     end
 
     it 'if injectable_styles is set, do not append styles inline' do
       InvisibleCaptcha.injectable_styles = true
 
       expect(invisible_captcha).not_to match(/display:none;/)
-      expect(helper.content_for(:invisible_captcha_styles)).to match(/display:none;/)
+      expect(@view_flow.content[:invisible_captcha_styles]).to match(/display:none;/)
     end
   end
 end