invisible_captcha 1.1.0 → 2.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0d931568dd6707074ae2b5f48f6a5552283d482a4d87f27b1c72852dfce3d9cb
-  data.tar.gz: 4e78f33d0a7c4be1a774de1e98e55d7fd2f7ff84e1a407d66a565c6e99779fa9
+  metadata.gz: f15e5223696c06e82c8ab6182a4396a9e4e4bf3acd6e425296e60cc6b49cb225
+  data.tar.gz: e35b51231012ae92b236f81eb1966a16ea3c7b02862d03977bf23478d968538d
 SHA512:
-  metadata.gz: 3fbe8b6755bbc31fb26fbf9d71f01b7c9dbe919feaaaf12f78f86f7e53e93bb9f04f52c83469ea59840714908d834abf84625a542e7f55de2b7f0cd1d877986c
-  data.tar.gz: 380701e4ddf138445faafb293ed94fe368d58eb7d995d44b3f871362550d5c2bb27d537d00c04cdf89501bc951ab227d3fe7c721389ba1f163327f4d8093ced4
+  metadata.gz: ccc4299595595e513fa8f8eb472233b83fa334608b3cd4fcba3d1316b8f1819d83e7cc3d2678dce0ac954c52a4b90ecf0643424d0358cd8dd3412c4aa04ac391
+  data.tar.gz: 1fcceba58cb21d931e6d8f7f49a3a1649230628442e18f3664a80d5ac983dbec0bc5caeeda17cacc748bfbfabce93bd189f695bc0d123d4bd2ef0d94a20cdb3e

data/.github/workflows/ci.yml

@@ -0,0 +1,35 @@
+name: CI
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    name: CI
+    runs-on: ubuntu-latest
+    env:
+      BUNDLE_GEMFILE: ${{ github.workspace }}/gemfiles/${{ matrix.gemfile }}.gemfile
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby: ["2.7", "3.0", "3.1", "3.2"]
+        gemfile: [rails_6.0, rails_6.1, rails_7.0]
+        exclude:
+          - ruby: "3.1"
+            gemfile: rails_6.0
+          - ruby: "3.2"
+            gemfile: rails_6.0
+        include:
+          - ruby: "2.7"
+            gemfile: rails_5.2
+          - ruby: head
+            gemfile: rails_7.0
+    steps:
+      - uses: actions/checkout@v3
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+      - run: bundle exec rspec
+        continue-on-error: ${{ endsWith(matrix.ruby, 'head') }}
+      - name: Upload coverage reports to Codecov
+        uses: codecov/codecov-action@v3

data/Appraisals

@@ -1,19 +1,10 @@
-appraise "rails-6.0" do
-  gem "rails", "~> 6.0.0"
-end
-
-appraise "rails-5.2" do
-  gem "rails", "~> 5.2.0"
-end
-
-appraise "rails-5.1" do
-  gem "rails", "~> 5.1.0"
-end
-
-appraise "rails-5.0" do
-  gem "rails", "~> 5.0.0"
-end
-
-appraise "rails-4.2" do
-  gem "rails", "~> 4.2.0"
+%w(
+  7.0
+  6.1
+  6.0
+  5.2
+).each do |version|
+  appraise "rails-#{version}" do
+    gem "rails", "~> #{version}.0"
+  end
 end

data/CHANGELOG.md

@@ -2,6 +2,17 @@
 
 All notable changes to this project will be documented in this file.
 
+## [2.1.0]
+
+- Drop official support for EOL Rubies: 2.5 and 2.6
+- Allow random honeypots to be scoped (#117)
+
+## [2.0.0]
+
+- New spinner, IP based, validation check (#89)
+- Drop official support for unmaintained Rails versions: 5.1, 5.0 and 4.2 (#86)
+- Drop official support for EOL Rubies: 2.4 and 2.3 (#86)
+
 ## [1.1.0]
 
 - New option `prepend: true` for the controller macro (#77)
@@ -119,6 +130,8 @@ All notable changes to this project will be documented in this file.
 
 - First version of controller filters
 
+[2.1.0]: https://github.com/markets/invisible_captcha/compare/v2.0.0...v2.1.0
+[2.0.0]: https://github.com/markets/invisible_captcha/compare/v1.1.0...v2.0.0
 [1.1.0]: https://github.com/markets/invisible_captcha/compare/v1.0.1...v1.1.0
 [1.0.1]: https://github.com/markets/invisible_captcha/compare/v1.0.0...v1.0.1
 [1.0.0]: https://github.com/markets/invisible_captcha/compare/v0.13.0...v1.0.0

data/LICENSE

@@ -1,4 +1,4 @@
-Copyright 2012-2019 Marc Anguera Insa
+Copyright 2012-2021 Marc Anguera Insa
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.md

@@ -1,9 +1,10 @@
 # Invisible Captcha
 
 [![Gem](https://img.shields.io/gem/v/invisible_captcha.svg?style=flat-square)](https://rubygems.org/gems/invisible_captcha)
-[![Build Status](https://travis-ci.org/markets/invisible_captcha.svg)](https://travis-ci.org/markets/invisible_captcha)
+[![Build Status](https://github.com/markets/invisible_captcha/workflows/CI/badge.svg)](https://github.com/markets/invisible_captcha/actions)
+[![codecov](https://codecov.io/gh/markets/invisible_captcha/branch/master/graph/badge.svg?token=nADSa6rbhM)](https://codecov.io/gh/markets/invisible_captcha)
 
-> Simple and flexible spam protection solution for Rails applications.
+> Complete and flexible spam protection solution for Rails applications.
 
 Invisible Captcha provides different techniques to protect your application against spambots.
 
@@ -15,11 +16,13 @@ Essentially, the strategy consists on adding an input field :honey_pot: into the
 - should be left empty by the real users
 - will most likely be filled by spam bots
 
-It also comes with a time-sensitive :hourglass: form submission.
+It also comes with:
+- a time-sensitive :hourglass: form submission
+- an IP based :mag: spinner validation
 
 ## Installation
 
-Invisible Captcha is tested against Rails `>= 4.2` and Ruby `>= 2.3`.
+Invisible Captcha is tested against Rails `>= 5.2` and Ruby `>= 2.7`.
 
 Add this line to your Gemfile and then execute `bundle install`:
 
@@ -61,6 +64,8 @@ class TopicsController < ApplicationController
 end
 ```
 
+You should _not_ name your method `on_spam`, as this will collide with an internal method of the same name.
+
 Note that it is not mandatory to specify a `honeypot` attribute (neither in the view nor in the controller). In this case, the engine will take a random field from `InvisibleCaptcha.honeypots`. So, if you're integrating it following this path, in your form:
 
 ```erb
@@ -95,6 +100,8 @@ invisible_captcha only: [:new_contact]
 
 You can place `<%= flash[:error] %>` next to `:alert` and `:notice` message types, if you have them in your `app/views/layouts/application.html.erb`.
 
+**NOTE:** This gem relies on data set by the backend, so in order to properly work, your forms should be rendered by Rails. Forms generated via JavaScript are not going to work well.
+
 ## Options and customization
 
 This section contains a description of all plugin options and customizations.
@@ -104,12 +111,14 @@ This section contains a description of all plugin options and customizations.
 You can customize:
 
 - `sentence_for_humans`: text for real users if input field was visible. By default, it uses I18n (see below).
-- `honeypots`: collection of default honeypots. Used by the view helper, called with no args, to generate a random honeypot field name. By default, a random collection is already generated. As the random collection is stored in memory, it will not work if are running multiple Rails instances behind a load balancer. See [Multiple Rails instances](#multiple-rails-instances).
+- `honeypots`: collection of default honeypots. Used by the view helper, called with no args, to generate a random honeypot field name. By default, a random collection is already generated. As the random collection is stored in memory, it will not work if you are running multiple Rails instances behind a load balancer (see [Multiple Rails instances](#multiple-rails-instances)). Beware that Chrome may ignore `autocomplete="off"`. Thus, consider not to use field names, which would be autocompleted, like for example `name`, `country`.
 - `visual_honeypots`: make honeypots visible, also useful to test/debug your implementation.
 - `timestamp_threshold`: fastest time (in seconds) to expect a human to submit the form (see [original article by Yoav Aner](https://blog.gingerlime.com/2012/simple-detection-of-comment-spam-in-rails/) outlining the idea). By default, 4 seconds. **NOTE:** It's recommended to deactivate the autocomplete feature to avoid false positives (`autocomplete="off"`).
 - `timestamp_enabled`: option to disable the time threshold check at application level. Could be useful, for example, on some testing scenarios. By default, true.
 - `timestamp_error_message`: flash error message thrown when form submitted quicker than the `timestamp_threshold` value. It uses I18n by default.
 - `injectable_styles`: if enabled, you should call anywhere in your layout the following helper `<%= invisible_captcha_styles %>`. This allows you to inject styles, for example, in `<head>`. False by default, styles are injected inline with the honeypot.
+- `spinner_enabled`: option to disable the IP spinner validation. By default, true.
+- `secret`: customize the secret key to encode some internal values. By default, it reads the environment variable `ENV['INVISIBLE_CAPTCHA_SECRET']` and fallbacks to random value. Be careful, if you are running multiple Rails instances behind a load balancer, use always the same value via the environment variable.
 
 To change these defaults, add the following to an initializer (recommended `config/initializers/invisible_captcha.rb`):
 
@@ -117,9 +126,10 @@ To change these defaults, add the following to an initializer (recommended `conf
 InvisibleCaptcha.setup do |config|
   # config.honeypots           << ['more', 'fake', 'attribute', 'names']
   # config.visual_honeypots    = false
-  # config.timestamp_threshold = 4
+  # config.timestamp_threshold = 2
   # config.timestamp_enabled   = true
   # config.injectable_styles   = false
+  # config.spinner_enabled     = true
 
   # Leave these unset if you want to use I18n (see below)
   # config.sentence_for_humans     = 'If you are a human, ignore this field'
@@ -141,6 +151,8 @@ InvisibleCaptcha.setup do |config|
 end
 ```
 
+Be careful also with the `secret` setting. Since it will be stored in-memory, if you are running this setup, the best idea is to provide the environment variable (`ENV['INVISIBLE_CAPTCHA_SECRET']`) from your infrastructure.
+
 ### Controller method options:
 
 The `invisible_captcha` method accepts some options:
@@ -148,7 +160,7 @@ The `invisible_captcha` method accepts some options:
 - `only`: apply to given controller actions.
 - `except`: exclude to given controller actions.
 - `honeypot`: name of custom honeypot.
-- `scope`: name of scope, ie: 'topic[subtitle]' -> 'topic' is the scope.
+- `scope`: name of scope, ie: 'topic[subtitle]' -> 'topic' is the scope. By default, it's inferred from the `controller_name`.
 - `on_spam`: custom callback to be called on spam detection.
 - `timestamp_enabled`: enable/disable this technique at action level.
 - `on_timestamp_spam`: custom callback to be called when form submitted too quickly. The default action redirects to `:back` printing a warning in `flash[:error]`.
@@ -190,8 +202,8 @@ To set up a global event handler, [subscribe](https://guides.rubyonrails.org/act
 # config/initializers/invisible_captcha.rb
 
 ActiveSupport::Notifications.subscribe('invisible_captcha.spam_detected') do |*args, data|
-  AwesomeLogger.warn(data[:message], data)  # Log to an external logging service.
-  SpamRequest.create(data)                  # Record the blocked request in your database.
+  AwesomeLogger.warn(data[:message], data) # Log to an external logging service.
+  SpamRequest.create(data)                 # Record the blocked request in your database.
 end
 ```
 
@@ -199,7 +211,7 @@ The `data` passed to the subscriber is hash containing information about the req
 
 ```ruby
 {
-  message: "Invisible Captcha honeypot param 'subtitle' was present.",
+  message: "Honeypot param 'subtitle' was present.",
   remote_ip: '127.0.0.1',
   user_agent: 'Chrome 77',
   controller: 'users',
@@ -213,7 +225,7 @@ The `data` passed to the subscriber is hash containing information about the req
 }
 ```
 
-_**Note:** `params` will be filtered according to your `Rails.application.config.filter_parameters` configuration, making them (probably) safe for logging. But always double-check that you're not inadvertently logging sensitive form data, like passwords and credit cards._
+**NOTE:** `params` will be filtered according to your `Rails.application.config.filter_parameters` configuration, making them (probably) safe for logging. But always double-check that you're not inadvertently logging sensitive form data, like passwords and credit cards.
 
 ### Content Security Policy
 
@@ -240,13 +252,11 @@ And in your view helper, you need to pass `nonce: true` to the `invisible_captch
 <%= invisible_captcha nonce: true %>
 ```
 
-**WARNING:** Content Security Policy can break your site! If you already run a website with third-party scripts, styles, images, and fonts, it is highly recommended to enable CSP in report-only mode and observe warnings as they appear. Learn more at MDN:
+**NOTE:** Content Security Policy can break your site! If you already run a website with third-party scripts, styles, images, and fonts, it is highly recommended to enable CSP in report-only mode and observe warnings as they appear. Learn more at MDN:
 
 * https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
 * https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
 
-Note that Content Security Policy only works on Rails 5.2 and up.
-
 ### I18n
 
 `invisible_captcha` tries to use I18n when it's available by default. The keys it looks for are the following:
@@ -309,7 +319,7 @@ $ bundle exec appraisal rspec
 Run specs against specific version:
 
 ```
-$ bundle exec appraisal rails-5.2 rspec
+$ bundle exec appraisal rails-6.0 rspec
 ```
 
 ### Demo

data/Rakefile

@@ -1,11 +1,6 @@
 # frozen_string_literal: true
 
 require "bundler/gem_tasks"
-require 'rspec/core/rake_task'
-
-RSpec::Core::RakeTask.new(:spec)
-
-task :default => :spec
 
 desc 'Start development Rails app'
 task :web do
@@ -16,4 +11,4 @@ task :web do
 
   Dir.chdir(app_path)
   exec("rails s -p #{port}")
-end
+end

data/gemfiles/{rails_4.2.gemfile → rails_6.1.gemfile}

@@ -2,6 +2,6 @@
 
 source "https://rubygems.org"
 
-gem "rails", "~> 4.2.0"
+gem "rails", "~> 6.1.0"
 
 gemspec path: "../"

data/gemfiles/{rails_5.0.gemfile → rails_7.0.gemfile}

@@ -2,6 +2,6 @@
 
 source "https://rubygems.org"
 
-gem "rails", "~> 5.0.0"
+gem "rails", "~> 7.0.0"
 
 gemspec path: "../"

data/invisible_captcha.gemspec

@@ -5,8 +5,8 @@ Gem::Specification.new do |spec|
   spec.version       = InvisibleCaptcha::VERSION
   spec.authors       = ["Marc Anguera Insa"]
   spec.email         = ["srmarc.ai@gmail.com"]
-  spec.description   = "Unobtrusive, flexible and simple spam protection for Rails applications using honeypot strategy for better user experience."
-  spec.summary       = "Simple honeypot protection for RoR apps"
+  spec.description   = "Unobtrusive, flexible and complete spam protection for Rails applications using honeypot strategy for better user experience."
+  spec.summary       = "Honeypot spam protection for Rails"
   spec.homepage      = "https://github.com/markets/invisible_captcha"
   spec.license       = "MIT"
 
@@ -15,8 +15,11 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ["lib"]
 
-  spec.add_dependency 'rails', '>= 4.2'
+  spec.add_dependency 'rails', '>= 5.2'
 
-  spec.add_development_dependency 'rspec-rails', '~> 3.1'
+  spec.add_development_dependency 'rspec-rails'
   spec.add_development_dependency 'appraisal'
+  spec.add_development_dependency 'webrick'
+  spec.add_development_dependency 'simplecov'
+  spec.add_development_dependency 'simplecov-cobertura'
 end

data/lib/invisible_captcha/controller_ext.rb

@@ -21,7 +21,7 @@ module InvisibleCaptcha
     def detect_spam(options = {})
       if timestamp_spam?(options)
         on_timestamp_spam(options)
-      elsif honeypot_spam?(options)
+      elsif honeypot_spam?(options) || spinner_spam?
         on_spam(options)
       end
     end
@@ -30,11 +30,7 @@ module InvisibleCaptcha
       if action = options[:on_timestamp_spam]
         send(action)
       else
-        if respond_to?(:redirect_back)
-          redirect_back(fallback_location: root_path, flash: { error: InvisibleCaptcha.timestamp_error_message })
-        else
-          redirect_to :back, flash: { error: InvisibleCaptcha.timestamp_error_message }
-        end
+        redirect_back(fallback_location: root_path, flash: { error: InvisibleCaptcha.timestamp_error_message })
       end
     end
 
@@ -55,24 +51,33 @@ module InvisibleCaptcha
 
       return false unless enabled
 
-      @invisible_captcha_timestamp ||= session.delete(:invisible_captcha_timestamp)
+      timestamp = session.delete(:invisible_captcha_timestamp)
 
       # Consider as spam if timestamp not in session, cause that means the form was not fetched at all
-      unless @invisible_captcha_timestamp
-        warn_spam("Invisible Captcha timestamp not found in session.")
+      unless timestamp
+        warn_spam("Timestamp not found in session.")
         return true
       end
 
-      time_to_submit = Time.zone.now - DateTime.iso8601(@invisible_captcha_timestamp)
+      time_to_submit = Time.zone.now - DateTime.iso8601(timestamp)
       threshold = options[:timestamp_threshold] || InvisibleCaptcha.timestamp_threshold
 
       # Consider as spam if form submitted too quickly
       if time_to_submit < threshold
-        warn_spam("Invisible Captcha timestamp threshold not reached (took #{time_to_submit.to_i}s).")
+        warn_spam("Timestamp threshold not reached (took #{time_to_submit.to_i}s).")
+        return true
+      end
+
+      false
+    end
+
+    def spinner_spam?
+      if InvisibleCaptcha.spinner_enabled && params[:spinner] != session[:invisible_captcha_spinner]
+        warn_spam("Spinner value mismatch")
         return true
       end
 
-      return false
+      false
     end
 
     def honeypot_spam?(options = {})
@@ -83,8 +88,8 @@ module InvisibleCaptcha
         # If honeypot is defined for this controller-action, search for:
         # - honeypot: params[:subtitle]
         # - honeypot with scope: params[:topic][:subtitle]
-        if params[honeypot].present? || (params[scope] && params[scope][honeypot].present?)
-          warn_spam("Invisible Captcha honeypot param '#{honeypot}' was present.")
+        if params[honeypot].present? || params.dig(scope, honeypot).present?
+          warn_spam("Honeypot param '#{honeypot}' was present.")
           return true
         else
           # No honeypot spam detected, remove honeypot from params to avoid UnpermittedParameters exceptions
@@ -93,8 +98,8 @@ module InvisibleCaptcha
         end
       else
         InvisibleCaptcha.honeypots.each do |default_honeypot|
-          if params[default_honeypot].present?
-            warn_spam("Invisible Captcha honeypot param '#{default_honeypot}' was present.")
+          if params[default_honeypot].present? || params.dig(scope, default_honeypot).present?
+            warn_spam("Honeypot param '#{scope}.#{default_honeypot}' was present.")
             return true
           end
         end
@@ -104,7 +109,9 @@ module InvisibleCaptcha
     end
 
     def warn_spam(message)
-      logger.warn("Potential spam detected for IP #{request.remote_ip}. #{message}")
+      message = "[Invisible Captcha] Potential spam detected for IP #{request.remote_ip}. #{message}"
+
+      logger.warn(message)
 
       ActiveSupport::Notifications.instrument(
         'invisible_captcha.spam_detected',

data/lib/invisible_captcha/form_helpers.rb

@@ -2,7 +2,7 @@
 
 module InvisibleCaptcha
   module FormHelpers
-    def invisible_captcha(honeypot, options = {})
+    def invisible_captcha(honeypot = nil, options = {})
       @template.invisible_captcha(honeypot, self.object_name, options)
     end
   end

data/lib/invisible_captcha/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module InvisibleCaptcha
-  VERSION = "1.1.0"
+  VERSION = "2.1.0"
 end

data/lib/invisible_captcha/view_helpers.rb

@@ -10,9 +10,17 @@ module InvisibleCaptcha
     #
     # @return [String] the generated html
     def invisible_captcha(honeypot = nil, scope = nil, options = {})
-      if InvisibleCaptcha.timestamp_enabled
+      @captcha_ocurrences = 0 unless defined?(@captcha_ocurrences)
+      @captcha_ocurrences += 1
+
+      if InvisibleCaptcha.timestamp_enabled || InvisibleCaptcha.spinner_enabled
         session[:invisible_captcha_timestamp] = Time.zone.now.iso8601
       end
+
+      if InvisibleCaptcha.spinner_enabled && @captcha_ocurrences == 1
+        session[:invisible_captcha_spinner] = InvisibleCaptcha.encode("#{session[:invisible_captcha_timestamp]}-#{current_request.remote_ip}")
+      end
+
       build_invisible_captcha(honeypot, scope, options)
     end
 
@@ -24,6 +32,10 @@ module InvisibleCaptcha
 
     private
 
+    def current_request
+      @request ||= request
+    end
+
     def build_invisible_captcha(honeypot = nil, scope = nil, options = {})
       if honeypot.is_a?(Hash)
         options = honeypot
@@ -44,6 +56,9 @@ module InvisibleCaptcha
         concat styles unless InvisibleCaptcha.injectable_styles
         concat label_tag(build_label_name(honeypot, scope), label)
         concat text_field_tag(build_input_name(honeypot, scope), nil, default_honeypot_options.merge(options))
+        if InvisibleCaptcha.spinner_enabled
+          concat hidden_field_tag("spinner", session[:invisible_captcha_spinner], id: nil)
+        end
       end
     end
 
@@ -56,11 +71,7 @@ module InvisibleCaptcha
 
       return if visible
 
-      nonce = if Rails.version >= '5.2'
-                content_security_policy_nonce if options[:nonce]
-              else
-                nil
-              end
+      nonce = content_security_policy_nonce if options[:nonce]
 
       content_tag(:style, media: 'screen', nonce: nonce) do
         ".#{css_class} {#{InvisibleCaptcha.css_strategy}}"

data/lib/invisible_captcha.rb

@@ -15,7 +15,9 @@ module InvisibleCaptcha
                   :timestamp_threshold,
                   :timestamp_enabled,
                   :visual_honeypots,
-                  :injectable_styles
+                  :injectable_styles,
+                  :spinner_enabled,
+                  :secret
 
     def init!
       # Default sentence for real users if text field was visible
@@ -33,9 +35,15 @@ module InvisibleCaptcha
       # Make honeypots visibles
       self.visual_honeypots = false
 
-      # If enabled, you should call anywhere in of your layout the following helper, to inject the honeypot styles:
-      #  <%= invisible_captcha_styles %>
+      # If enabled, you should call anywhere in your layout the following helper, to inject the honeypot styles:
+      # <%= invisible_captcha_styles %>
       self.injectable_styles = false
+
+      # Spinner check enabled by default
+      self.spinner_enabled = true
+
+      # A secret key to encode some internal values
+      self.secret = ENV['INVISIBLE_CAPTCHA_SECRET'] || SecureRandom.hex(64)
     end
 
     def sentence_for_humans
@@ -70,6 +78,10 @@ module InvisibleCaptcha
       ].sample
     end
 
+    def encode(value)
+      Digest::MD5.hexdigest("#{self.secret}-#{value}")
+    end
+
     private
 
     def call_lambda_or_return(obj)