invisible_captcha 0.8.0 → 0.9.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 03aab9758bfbaf12adb3913f5b37c8423d269c2e
-  data.tar.gz: 18e136fc292c192126f7c08d5d60286a4c86ba6b
+  metadata.gz: 6667c856fdf4fb2ae0147d0d2d3d0531f8fab862
+  data.tar.gz: 7d2dadae6a9010c3614166343221fc0064fe9bc2
 SHA512:
-  metadata.gz: c60cc1997f5748fef444f1eea60aa3a47b42ee6de60dffa8f320e346608e224594f4252efbe19d7df80edaf8c137729df4357162cb27f2e8b6c7fa1327aed94f
-  data.tar.gz: b5b62112cf6ea24aab60e66f589a0756d06e7337c7564e43cdea6a838023334c43e22cba5e486c3c8b1278fe1ef4829a5c925fea3e4917ba919677bd10710049
+  metadata.gz: a76b88b892d95a1d72fcf5f2bffb2165c0608554feab107ca5a61e25db4a6b2e4eb3349ecba9b7e0c817d2766c23bb6ebd6723fa20717f8b3518ea38583ebab8
+  data.tar.gz: b15a66cfab3ec429aaafcdcd310e66f178cf17ab1375d58f0f0454b75b00059600295d5b54df404630ba8ceb0d596a84b6f688312bdeb2c04e696d7d211ddf04

data/.gitignore

@@ -1,6 +1,10 @@
 .bundle
 pkg
 .rvmrc
+.ruby-version
+.ruby-gemset
 Gemfile.lock
+*.gemfile.lock
 spec/dummy/log/*.log
-spec/dummy/tmp/
+spec/dummy/tmp/
+.byebug_history

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--format documentation

data/.travis.yml

@@ -1,5 +1,16 @@
 language: ruby
+
+cache: bundler
+
+sudo: false
+
 rvm:
+  - 2.3.0
+  - 2.2
   - 2.1
-  - 2.0
-  - 1.9.3
+  - 1.9.3
+
+gemfile:
+  - gemfiles/rails_4.2.gemfile
+  - gemfiles/rails_4.1.gemfile
+  - gemfiles/rails_3.2.gemfile

data/Appraisals

@@ -0,0 +1,11 @@
+appraise "rails-4.2" do
+  gem "rails", "~> 4.2.0"
+end
+
+appraise "rails-4.1" do
+  gem "rails", "~> 4.1.0"
+end
+
+appraise "rails-3.2" do
+  gem "rails", "~> 3.2.0"
+end

data/LICENSE

@@ -1,4 +1,4 @@
-Copyright 2012-2015 Marc Anguera Insa
+Copyright 2012-2016 Marc Anguera Insa
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.md

@@ -2,11 +2,13 @@
 
 [![Gem Version](https://badge.fury.io/rb/invisible_captcha.svg)](http://badge.fury.io/rb/invisible_captcha) [![Build Status](https://travis-ci.org/markets/invisible_captcha.svg)](https://travis-ci.org/markets/invisible_captcha)
 
-Simple and flexible spam protection solution for Rails applications. Based on the `honeypot` strategy to provide a better user experience.
+> Simple and flexible spam protection solution for Rails applications.
+
+It is based on the `honeypot` strategy to provide a better user experience. It also provides a time-sensitive form submission.
 
 **Background**
 
-The strategy is based on adding an input field into the form that:
+The strategy is about adding an input field into the form that:
 
 * shouldn't be visible by the real users
 * should be left empty by the real users
@@ -14,6 +16,8 @@ The strategy is based on adding an input field into the form that:
 
 ## Installation
 
+Invisible Captcha is tested against Rails `>= 3.2` and Ruby `>= 1.9.3`.
+
 Add this line to you Gemfile:
 
 ```
@@ -28,15 +32,13 @@ $ gem install invisible_captcha
 
 ## Usage
 
-There are different ways to implement, at Controller level or Model level:
-
-### Controller style
-
 View code:
 
 ```erb
-<%= form_tag(create_topic_path) do |f| %>
-  <%= invisible_captcha %>
+<%= form_for(@topic) do |f| %>
+  <%= f.invisible_captcha :subtitle %>
+  <!-- or -->
+  <%= invisible_captcha :subtitle, :topic %>
 <% end %>
 ```
 
@@ -44,67 +46,36 @@ Controller code:
 
 ```ruby
 class TopicsController < ApplicationController
-  invisible_captcha only: [:create, :update]
+  invisible_captcha only: [:create, :update], honeypot: :subtitle
 end
 ```
 
-This method will act as a `before_filter` that triggers when spam is detected (honeypot field has some value). By default it responds with no content (only headers: `head(200)`). But you are able to define your own callback by passing a method to the `on_spam` option:
+This method will act as a `before_filter` that triggers when spam is detected (honeypot field has some value). By default it responds with no content (only headers: `head(200)`). This is a good default, since the bot will surely read the response code and will think that it has achieved to submit the form properly. But, anyway, you are able to define your own callback by passing a method to the `on_spam` option:
 
 ```ruby
-invisible_captcha only: [:create, :update], on_spam: :your_on_spam_callback_method
+class TopicsController < ApplicationController
+  invisible_captcha only: [:create, :update], on_spam: :your_spam_callback_method
 
-private
+  private
 
-def your_on_spam_callback_method
-  redirect_to root_path
+  def your_spam_callback_method
+    redirect_to root_path
+  end
 end
 ```
 
-[Check here a complete list of allowed options.](#controller-method-options)
-
-### Controller style (resource oriented):
-
-In your form:
-
-```erb
-<%= form_for(@topic) do |f| %>
-  <%= f.invisible_captcha :subtitle %>
-  <!-- or -->
-  <%= invisible_captcha :subtitle, :topic %>
-<% end %>
-```
-
-In your controller:
-
-```ruby
-invisible_captcha only: [:create, :update], honeypot: :subtitle
-```
-
-### Model style
-
-View code:
+Note that isn't mandatory to specify a `honeypot` attribute (nor in the view, nor in the controller). In this case, the engine will take a random field from `InvisibleCaptcha.honeypots`. So, if you're integrating it following this path, in your form:
 
 ```erb
-<%= form_for(@topic) do |f| %>
-  <%= f.invisible_captcha :subtitle %>
+<%= form_tag(new_contact_path) do |f| %>
+  <%= invisible_captcha %>
 <% end %>
 ```
 
-Model code:
+In you controller:
 
-```ruby
-class Topic < ActiveRecord::Base
-  attr_accessor :subtitle # define a virtual attribute, the honeypot
-  validates :subtitle, :invisible_captcha => true
-end
 ```
-
-If you are using [strong_parameters](https://github.com/rails/strong_parameters) (by default in Rails 4), don't forget to keep the honeypot attribute into the params hash:
-
-```ruby
-def topic_params
-  params.require(:topic).permit(:subtitle)
-end
+invisible_captcha only: [:new_contact]
 ```
 
 ## Options and customization
@@ -115,19 +86,24 @@ This section contains a description of all plugin options and customizations.
 
 You can customize:
 
-* `sentence_for_humans`: text for real users if input field was visible.
-* `error_message`: error message thrown by model validation (only model implementation).
-* `honeypots`: collection of default honeypots, used by the view helper, called with no args, to generate the honeypot field name
+* `sentence_for_humans`: text for real users if input field was visible. By default, it uses I18n (see below).
+* `honeypots`: collection of default honeypots. Used by the view helper, called with no args, to generate a random honeypot field name.
 * `visual_honeypots`: make honeypots visible, also useful to test/debug your implementation.
+* `timestamp_threshold`: fastest time (in seconds) to expect a human to submit the form (see [original article by Yoav Aner](http://blog.gingerlime.com/2012/simple-detection-of-comment-spam-in-rails/) outlining the idea). By default, 4 seconds. **NOTE:** It's recommended to deactivate the autocomplete feature to avoid false positives (`autocomplete="off"`).
+* `timestamp_enabled`: option to disable the time threshold check at application level. Could be useful, for example, on some testing scenarios. By default, true.
+* `timestamp_error_message`: flash error message thrown when form submitted quicker than the `timestamp_threshold` value. It uses I18n by default.
 
 To change these defaults, add the following to an initializer (recommended `config/initializers/invisible_captcha.rb`):
 
 ```ruby
 InvisibleCaptcha.setup do |config|
-  config.sentence_for_humans = 'If you are a human, ignore this field'
-  config.error_message       = 'You are a robot!'
-  config.honeypots          += 'fake_resource_title'
+  config.honeypots           << 'another_fake_attribute'
   config.visual_honeypots    = false
+  config.timestamp_threshold = 4
+  config.timestamp_enabled   = true
+  # Leave these unset if you want to use I18n (see below)
+  # config.sentence_for_humans     = 'If you are a human, ignore this field'
+  # config.timestamp_error_message = 'Sorry, that was too quick! Please resubmit.'
 end
 ```
 
@@ -140,6 +116,8 @@ The `invisible_captcha` method accepts some options:
 * `honeypot`: name of honeypot.
 * `scope`: name of scope, ie: 'topic[subtitle]' -> 'topic' is the scope.
 * `on_spam`: custom callback to be called on spam detection.
+* `on_timestamp_spam`: custom callback to be called when form submitted too quickly. The default action redirects to `:back` printing a warning in `flash[:error]`.
+* `timestamp_threshold`: custom threshold per controller/action. Overrides the global value for `InvisibleCaptcha.timestamp_threshold`.
 
 ### View helpers options:
 
@@ -153,26 +131,47 @@ Using the view/form helper you can override some defaults for the given instance
 <% end %>
 ```
 
+### I18n
+
+`invisible_captcha` tries to use I18n when it's available by default. The keys it looks for are the following:
+
+```yaml
+en:
+  invisible_captcha:
+    sentence_for_humans: "If you are human, ignore this field"
+    timestamp_error_message: "Sorry, that was too quick! Please resubmit."
+```
+
+You can override the english ones in your own i18n config files as well as add new ones for other locales.
+
+If you intend to use I18n with `invisible_captcha`, you _must not_ set `sentence_for_humans` or `timestamp_error_message` to strings in the setup phase.
+
 ## Contribute
 
 Any kind of idea, feedback or bug report are welcome! Open an [issue](https://github.com/markets/invisible_captcha/issues) or send a [pull request](https://github.com/markets/invisible_captcha/pulls).
 
 ## Development
 
-Clone/fork this repository and start to hack.
+Clone/fork this repository, start to hack on it and send a pull request.
+
+Run the test suite:
+
+```
+$ bundle exec rspec
+```
 
-Run test suite:
+Run the test suite against all supported versions:
 
 ```
-$ rspec
+$ bundle exec appraisal rake
 ```
 
 Start a sample Rails app ([source code](spec/dummy)) with `InvisibleCaptcha` integrated:
 
 ```
-$ rake web # PORT=4000 (default: 3000)
+$ bundle exec rake web # PORT=4000 (default: 3000)
 ```
 
 ## License
 
-Copyright (c) 2012-2015 Marc Anguera. Invisible Captcha is released under the [MIT](LICENSE) License.
+Copyright (c) 2012-2016 Marc Anguera. Invisible Captcha is released under the [MIT](LICENSE) License.

data/gemfiles/rails_3.2.gemfile

@@ -0,0 +1,7 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "rails", "~> 3.2.0"
+
+gemspec :path => "../"

data/gemfiles/rails_4.1.gemfile

@@ -0,0 +1,7 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "rails", "~> 4.1.0"
+
+gemspec :path => "../"

data/gemfiles/rails_4.2.gemfile

@@ -0,0 +1,7 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "rails", "~> 4.2.0"
+
+gemspec :path => "../"

data/invisible_captcha.gemspec

@@ -6,8 +6,8 @@ Gem::Specification.new do |spec|
   spec.version       = InvisibleCaptcha::VERSION
   spec.authors       = ["Marc Anguera Insa"]
   spec.email         = ["srmarc.ai@gmail.com"]
-  spec.description   = %q{Simple spam protection for Rails applications using honeypot strategy for better user experience.}
-  spec.summary       = %q{Simple honeypot protection for RoR apps}
+  spec.description   = "Unobtrusive, flexible and simple spam protection for Rails applications using honeypot strategy for better user experience."
+  spec.summary       = "Simple honeypot protection for RoR apps"
   spec.homepage      = "https://github.com/markets/invisible_captcha"
   spec.license       = "MIT"
 
@@ -19,5 +19,8 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'rails'
 
   spec.add_development_dependency 'rspec-rails', '~> 3.1'
+  spec.add_development_dependency 'appraisal'
+  spec.add_development_dependency 'test-unit', '~> 3.0'
+  spec.add_development_dependency 'mime-types', '< 3.0'
 end
 

data/lib/invisible_captcha/controller_ext.rb

@@ -9,11 +9,21 @@ module InvisibleCaptcha
     end
 
     def detect_spam(options = {})
-      if invisible_captcha?(options)
+      if invisible_captcha_timestamp?(options)
+        on_timestamp_spam_action(options)
+      elsif invisible_captcha?(options)
         on_spam_action(options)
       end
     end
 
+    def on_timestamp_spam_action(options = {})
+      if action = options[:on_timestamp_spam]
+        send(action)
+      else
+        redirect_to :back, flash: { error: InvisibleCaptcha.timestamp_error_message }
+      end
+    end
+
     def on_spam_action(options = {})
       if action = options[:on_spam]
         send(action)
@@ -26,6 +36,29 @@ module InvisibleCaptcha
       head(200)
     end
 
+    def invisible_captcha_timestamp?(options = {})
+      unless InvisibleCaptcha.timestamp_enabled
+        return false
+      end
+
+      timestamp = session[:invisible_captcha_timestamp]
+
+      # Consider as spam if timestamp not in session, cause that means the form was not fetched at all
+      unless timestamp
+        logger.warn("Potential spam detected for IP #{request.env['REMOTE_ADDR']}. Invisible Captcha timestamp not found in session.")
+        return true
+      end
+
+      time_to_submit = Time.zone.now - DateTime.iso8601(timestamp)
+
+      # Consider as spam if form submitted too quickly
+      if time_to_submit < (options[:timestamp_threshold] || InvisibleCaptcha.timestamp_threshold)
+        logger.warn("Potential spam detected for IP #{request.env['REMOTE_ADDR']}. Invisible Captcha timestamp threshold not reached (took #{time_to_submit.to_i}s).")
+        return true
+      end
+      false
+    end
+
     def invisible_captcha?(options = {})
       honeypot = options[:honeypot]
       scope    = options[:scope] || controller_name.singularize
@@ -45,4 +78,4 @@ module InvisibleCaptcha
       false
     end
   end
-end
+end

data/lib/invisible_captcha/railtie.rb

@@ -10,8 +10,6 @@ module InvisibleCaptcha
         include InvisibleCaptcha::ViewHelpers
         ActionView::Helpers::FormBuilder.send :include, InvisibleCaptcha::FormHelpers
       end
-
-      ActiveModel::Validations::InvisibleCaptchaValidator = InvisibleCaptcha::InvisibleCaptchaValidator
     end
   end
-end
+end

data/lib/invisible_captcha/version.rb

@@ -1,3 +1,3 @@
 module InvisibleCaptcha
-  VERSION = "0.8.0"
+  VERSION = "0.9.1"
 end

data/lib/invisible_captcha/view_helpers.rb

@@ -6,6 +6,9 @@ module InvisibleCaptcha
     # @param scope [Symbol] name of honeypot scope, ie: topic => input name: topic[subtitle]
     # @return [String] the generated html
     def invisible_captcha(honeypot = nil, scope = nil, options = {})
+      if InvisibleCaptcha.timestamp_enabled
+        session[:invisible_captcha_timestamp] ||= Time.zone.now.iso8601
+      end
       build_invisible_captcha(honeypot, scope, options)
     end
 
@@ -29,7 +32,7 @@ module InvisibleCaptcha
     end
 
     def generate_html_id(honeypot, scope = nil)
-      "#{scope || honeypot}_#{Time.now.to_i}"
+      "#{scope || honeypot}_#{Time.zone.now.to_i}"
     end
 
     def visibility_css(container_id, options)
@@ -60,4 +63,4 @@ module InvisibleCaptcha
       end
     end
   end
-end
+end

data/lib/invisible_captcha.rb

@@ -2,27 +2,54 @@ require 'invisible_captcha/version'
 require 'invisible_captcha/controller_ext'
 require 'invisible_captcha/view_helpers'
 require 'invisible_captcha/form_helpers'
-require 'invisible_captcha/validator'
 require 'invisible_captcha/railtie'
 
 module InvisibleCaptcha
   class << self
-    attr_accessor :sentence_for_humans, :error_message, :honeypots, :visual_honeypots
+    attr_writer :sentence_for_humans,
+                :timestamp_error_message,
+                :error_message
+
+    attr_accessor :honeypots,
+                  :timestamp_threshold,
+                  :timestamp_enabled,
+                  :visual_honeypots
 
     def init!
       # Default sentence for real users if text field was visible
-      self.sentence_for_humans = 'If you are a human, ignore this field'
+      self.sentence_for_humans = -> { I18n.t('invisible_captcha.sentence_for_humans', default: 'If you are a human, ignore this field') }
 
       # Default error message for validator
-      self.error_message = 'You are a robot!'
+      self.error_message = -> { I18n.t('invisible_captcha.error_message', default: 'You are a robot!') }
 
       # Default fake fields for controller based workflow
       self.honeypots = ['foo_id', 'bar_id', 'baz_id']
 
+      # Fastest time (in seconds) to expect a human to submit the form
+      self.timestamp_threshold = 4
+
+      # Timestamp check enabled by default
+      self.timestamp_enabled = true
+
+      # Default error message for validator when form submitted too quickly
+      self.timestamp_error_message = -> { I18n.t('invisible_captcha.timestamp_error_message', default: 'Sorry, that was too quick! Please resubmit.') }
+
       # Make honeypots visibles
       self.visual_honeypots = false
     end
 
+    def sentence_for_humans
+      call_lambda_or_return(@sentence_for_humans)
+    end
+
+    def error_message
+      call_lambda_or_return(@error_message)
+    end
+
+    def timestamp_error_message
+      call_lambda_or_return(@timestamp_error_message)
+    end
+
     def setup
       yield(self) if block_given?
     end
@@ -30,7 +57,13 @@ module InvisibleCaptcha
     def get_honeypot
       honeypots.sample
     end
+
+    private
+
+    def call_lambda_or_return(obj)
+      obj.respond_to?(:call) ? obj.call : obj
+    end
   end
 end
 
-InvisibleCaptcha.init!
+InvisibleCaptcha.init!

data/spec/controllers_spec.rb

@@ -3,23 +3,96 @@ require 'spec_helper'
 describe InvisibleCaptcha::ControllerExt, type: :controller do
   render_views
 
-  before { @controller = TopicsController.new }
+  before do
+    @controller = TopicsController.new
+    InvisibleCaptcha.timestamp_threshold = 1
+    InvisibleCaptcha.timestamp_enabled = true
+  end
 
-  it 'with spam' do
-    post :create, topic: { subtitle: 'foo' }
+  context 'without invisible_captcha_timestamp in session' do
+    it 'fails like if it was submitted too fast' do
+      request.env['HTTP_REFERER'] = 'http://test.host/topics'
+      post :create, topic: { title: 'foo' }
 
-    expect(response.body).to be_blank
+      expect(response).to redirect_to :back
+      expect(flash[:error]).to eq(InvisibleCaptcha.timestamp_error_message)
+    end
   end
 
-  it 'with no spam' do
-    post :create, topic: { title: 'foo' }
+  context 'without invisible_captcha_timestamp in session and timestamp_enabled=false' do
+    it 'does not fail like if it was submitted too fast' do
+      request.env['HTTP_REFERER'] = 'http://test.host/topics'
+      InvisibleCaptcha.timestamp_enabled = false
+      post :create, topic: { title: 'foo' }
+
+      expect(flash[:error]).not_to be_present
+      expect(response.body).to be_present
+    end
+  end
+
+  context 'submission timestamp_threshold' do
+    before do
+      session[:invisible_captcha_timestamp] = Time.zone.now.iso8601
+    end
+
+    it 'fails if submission before timestamp_threshold' do
+      request.env['HTTP_REFERER'] = 'http://test.host/topics'
+      post :create, topic: { title: 'foo' }
+
+      expect(response).to redirect_to :back
+      expect(flash[:error]).to eq(InvisibleCaptcha.timestamp_error_message)
+    end
+
+    it 'allow custom on_timestamp_spam callback' do
+      put :update, id: 1, topic: { title: 'bar' }
+
+      expect(response).to redirect_to(root_path)
+    end
+
+    context 'successful submissions' do
+      it 'passes if submission on or after timestamp_threshold' do
+        sleep InvisibleCaptcha.timestamp_threshold
 
-    expect(response.body).to be_present
+        post :create, topic: { title: 'foo' }
+
+        expect(flash[:error]).not_to be_present
+        expect(response.body).to be_present
+      end
+
+      it 'allow to set a custom timestamp_threshold per action' do
+        sleep 2 # custom threshold
+
+        post :publish, id: 1
+
+        expect(flash[:error]).not_to be_present
+        expect(response.body).to be_present
+      end
+    end
   end
 
-  it 'allow custom on_spam callback' do
-    put :update, id: 1, topic: { subtitle: 'foo' }
+  context 'honeypot attribute' do
+    before do
+      session[:invisible_captcha_timestamp] = Time.zone.now.iso8601
+      # Wait for valid submission
+      sleep InvisibleCaptcha.timestamp_threshold
+    end
+
+    it 'fails with spam' do
+      post :create, topic: { subtitle: 'foo' }
+
+      expect(response.body).to be_blank
+    end
+
+    it 'passes with no spam' do
+      post :create, topic: { title: 'foo' }
+
+      expect(response.body).to be_present
+    end
+
+    it 'allow custom on_spam callback' do
+      put :update, id: 1, topic: { subtitle: 'foo' }
 
-    expect(response.body).to redirect_to(new_topic_path)
+      expect(response.body).to redirect_to(new_topic_path)
+    end
   end
-end
+end

data/spec/dummy/app/controllers/topics_controller.rb

@@ -1,6 +1,9 @@
 class TopicsController < ApplicationController
   invisible_captcha honeypot: :subtitle, only: :create
-  invisible_captcha honeypot: :subtitle, only: :update, on_spam: :custom_callback
+  invisible_captcha honeypot: :subtitle, only: :update,
+                              on_spam: :custom_callback,
+                              on_timestamp_spam: :custom_timestamp_callback
+  invisible_captcha honeypot: :subtitle, only: :publish, timestamp_threshold: 2
 
   def new
     @topic = Topic.new
@@ -19,9 +22,17 @@ class TopicsController < ApplicationController
   def update
   end
 
+  def publish
+    redirect_to new_topic_path
+  end
+
   private
 
   def custom_callback
     redirect_to new_topic_path
   end
+
+  def custom_timestamp_callback
+    redirect_to root_path
+  end
 end

data/spec/dummy/app/models/topic.rb

@@ -5,7 +5,6 @@ class Topic
   attr_accessor :title, :body, :subtitle
 
   validates :title, presence: true
-  validates :subtitle, invisible_captcha: true
 
   def initialize(attributes = {})
     attributes.each do |name, value|

data/spec/dummy/bin/bundle

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
+load Gem.bin_path('bundler', 'bundle')

data/spec/dummy/bin/rails

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+APP_PATH = File.expand_path('../../config/application', __FILE__)
+require_relative '../config/boot'
+require 'rails/commands'

data/spec/dummy/bin/rake

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+require_relative '../config/boot'
+require 'rake'
+Rake.application.run