invisible_captcha 1.1.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0d931568dd6707074ae2b5f48f6a5552283d482a4d87f27b1c72852dfce3d9cb
-  data.tar.gz: 4e78f33d0a7c4be1a774de1e98e55d7fd2f7ff84e1a407d66a565c6e99779fa9
+  metadata.gz: 86acfe71e903568702c63c261bfd32a066dbc947d1c2fa2b4956178a7de591db
+  data.tar.gz: a9a8768c5bcfb9a7656e0638dde4bf40e169719385bf947dace7fa4d34f03656
 SHA512:
-  metadata.gz: 3fbe8b6755bbc31fb26fbf9d71f01b7c9dbe919feaaaf12f78f86f7e53e93bb9f04f52c83469ea59840714908d834abf84625a542e7f55de2b7f0cd1d877986c
-  data.tar.gz: 380701e4ddf138445faafb293ed94fe368d58eb7d995d44b3f871362550d5c2bb27d537d00c04cdf89501bc951ab227d3fe7c721389ba1f163327f4d8093ced4
+  metadata.gz: ec1ed1b9f7bef2e753f7b736dbce8124b5cd4c699e4075cbd15fdade99e6f332025e3088f0754315b18f8bde48b7e883c3470f840a535a3631f2e5c659c415df
+  data.tar.gz: 3698ed54f31c8f87730dcd92e14c2076e10aaa98a14a765e7d3be8bfd0e259385572b5d3252b8328fb4a539634bb8e086270b2e7e34117ab76a15ab4f42c095b

data/.travis.yml

@@ -2,26 +2,17 @@ language: ruby
 cache: bundler
 rvm:
   - ruby-head
+  - 3.0.0
+  - 2.7.2
   - 2.6.5
-  - 2.5.7
-  - 2.4.9
-  - 2.3.8
+  - 2.5.8
 gemfile:
+  - gemfiles/rails_6.1.gemfile
   - gemfiles/rails_6.0.gemfile
   - gemfiles/rails_5.2.gemfile
-  - gemfiles/rails_5.1.gemfile
-  - gemfiles/rails_5.0.gemfile
-  - gemfiles/rails_4.2.gemfile
-before_install:
-  # Rails 4.x requires Bundler version < 2.0.
-  - "find /home/travis/.rvm/rubies -wholename '*default/bundler-*.gemspec' -delete"
-  - rvm @global do gem uninstall bundler -a -x
-  - rvm @global do yes | gem install bundler -v '< 2'
 matrix:
   exclude:
-    - rvm: 2.4.9
-      gemfile: gemfiles/rails_6.0.gemfile
-    - rvm: 2.3.8
-      gemfile: gemfiles/rails_6.0.gemfile
+    - rvm: 3.0.0
+      gemfile: gemfiles/rails_5.2.gemfile
   allow_failures:
     - rvm: ruby-head

data/Appraisals

@@ -1,3 +1,7 @@
+appraise "rails-6.1" do
+  gem "rails", "~> 6.1.0"
+end
+
 appraise "rails-6.0" do
   gem "rails", "~> 6.0.0"
 end
@@ -5,15 +9,3 @@ end
 appraise "rails-5.2" do
   gem "rails", "~> 5.2.0"
 end
-
-appraise "rails-5.1" do
-  gem "rails", "~> 5.1.0"
-end
-
-appraise "rails-5.0" do
-  gem "rails", "~> 5.0.0"
-end
-
-appraise "rails-4.2" do
-  gem "rails", "~> 4.2.0"
-end

data/CHANGELOG.md

@@ -2,6 +2,12 @@
 
 All notable changes to this project will be documented in this file.
 
+## [2.0.0]
+
+- New spinner, IP based, validation check (#89)
+- Drop official support for unmaintained Rails versions: 5.1, 5.0 and 4.2 (#86)
+- Drop official support for EOL Rubies: 2.4 and 2.3 (#86)
+
 ## [1.1.0]
 
 - New option `prepend: true` for the controller macro (#77)
@@ -119,6 +125,7 @@ All notable changes to this project will be documented in this file.
 
 - First version of controller filters
 
+[2.0.0]: https://github.com/markets/invisible_captcha/compare/v1.1.0...v2.0.0
 [1.1.0]: https://github.com/markets/invisible_captcha/compare/v1.0.1...v1.1.0
 [1.0.1]: https://github.com/markets/invisible_captcha/compare/v1.0.0...v1.0.1
 [1.0.0]: https://github.com/markets/invisible_captcha/compare/v0.13.0...v1.0.0

data/LICENSE

@@ -1,4 +1,4 @@
-Copyright 2012-2019 Marc Anguera Insa
+Copyright 2012-2021 Marc Anguera Insa
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.md

@@ -1,9 +1,9 @@
 # Invisible Captcha
 
 [![Gem](https://img.shields.io/gem/v/invisible_captcha.svg?style=flat-square)](https://rubygems.org/gems/invisible_captcha)
-[![Build Status](https://travis-ci.org/markets/invisible_captcha.svg)](https://travis-ci.org/markets/invisible_captcha)
+[![Build Status](https://travis-ci.com/markets/invisible_captcha.svg?branch=master)](https://travis-ci.com/markets/invisible_captcha)
 
-> Simple and flexible spam protection solution for Rails applications.
+> Complete and flexible spam protection solution for Rails applications.
 
 Invisible Captcha provides different techniques to protect your application against spambots.
 
@@ -15,11 +15,13 @@ Essentially, the strategy consists on adding an input field :honey_pot: into the
 - should be left empty by the real users
 - will most likely be filled by spam bots
 
-It also comes with a time-sensitive :hourglass: form submission.
+It also comes with:
+- a time-sensitive :hourglass: form submission
+- an IP based :mag: spinner validation
 
 ## Installation
 
-Invisible Captcha is tested against Rails `>= 4.2` and Ruby `>= 2.3`.
+Invisible Captcha is tested against Rails `>= 5.2` and Ruby `>= 2.5`.
 
 Add this line to your Gemfile and then execute `bundle install`:
 
@@ -104,12 +106,14 @@ This section contains a description of all plugin options and customizations.
 You can customize:
 
 - `sentence_for_humans`: text for real users if input field was visible. By default, it uses I18n (see below).
-- `honeypots`: collection of default honeypots. Used by the view helper, called with no args, to generate a random honeypot field name. By default, a random collection is already generated. As the random collection is stored in memory, it will not work if are running multiple Rails instances behind a load balancer. See [Multiple Rails instances](#multiple-rails-instances).
+- `honeypots`: collection of default honeypots. Used by the view helper, called with no args, to generate a random honeypot field name. By default, a random collection is already generated. As the random collection is stored in memory, it will not work if you are running multiple Rails instances behind a load balancer. See [Multiple Rails instances](#multiple-rails-instances).
 - `visual_honeypots`: make honeypots visible, also useful to test/debug your implementation.
 - `timestamp_threshold`: fastest time (in seconds) to expect a human to submit the form (see [original article by Yoav Aner](https://blog.gingerlime.com/2012/simple-detection-of-comment-spam-in-rails/) outlining the idea). By default, 4 seconds. **NOTE:** It's recommended to deactivate the autocomplete feature to avoid false positives (`autocomplete="off"`).
 - `timestamp_enabled`: option to disable the time threshold check at application level. Could be useful, for example, on some testing scenarios. By default, true.
 - `timestamp_error_message`: flash error message thrown when form submitted quicker than the `timestamp_threshold` value. It uses I18n by default.
 - `injectable_styles`: if enabled, you should call anywhere in your layout the following helper `<%= invisible_captcha_styles %>`. This allows you to inject styles, for example, in `<head>`. False by default, styles are injected inline with the honeypot.
+- `spinner_enabled`: option to disable the IP spinner validation.
+- `secret`: customize the secret key to encode some internal values. By default, it reads the environment variable `ENV['INVISIBLE_CAPTCHA_SECRET']` and fallbacks to random value. Be careful, if you are running multiple Rails instances behind a load balancer, use always the same value via the environment variable.
 
 To change these defaults, add the following to an initializer (recommended `config/initializers/invisible_captcha.rb`):
 
@@ -117,9 +121,10 @@ To change these defaults, add the following to an initializer (recommended `conf
 InvisibleCaptcha.setup do |config|
   # config.honeypots           << ['more', 'fake', 'attribute', 'names']
   # config.visual_honeypots    = false
-  # config.timestamp_threshold = 4
+  # config.timestamp_threshold = 2
   # config.timestamp_enabled   = true
   # config.injectable_styles   = false
+  # config.spinner_enabled     = true
 
   # Leave these unset if you want to use I18n (see below)
   # config.sentence_for_humans     = 'If you are a human, ignore this field'
@@ -141,6 +146,8 @@ InvisibleCaptcha.setup do |config|
 end
 ```
 
+Be careful also with the `secret` setting. Since it will be stored in-memory, if you are running this setup, the best idea is to provide the environment variable (`ENV['INVISIBLE_CAPTCHA_SECRET']`) from your infrastructure.
+
 ### Controller method options:
 
 The `invisible_captcha` method accepts some options:
@@ -148,7 +155,7 @@ The `invisible_captcha` method accepts some options:
 - `only`: apply to given controller actions.
 - `except`: exclude to given controller actions.
 - `honeypot`: name of custom honeypot.
-- `scope`: name of scope, ie: 'topic[subtitle]' -> 'topic' is the scope.
+- `scope`: name of scope, ie: 'topic[subtitle]' -> 'topic' is the scope. By default, it's inferred from the `controller_name`.
 - `on_spam`: custom callback to be called on spam detection.
 - `timestamp_enabled`: enable/disable this technique at action level.
 - `on_timestamp_spam`: custom callback to be called when form submitted too quickly. The default action redirects to `:back` printing a warning in `flash[:error]`.
@@ -190,8 +197,8 @@ To set up a global event handler, [subscribe](https://guides.rubyonrails.org/act
 # config/initializers/invisible_captcha.rb
 
 ActiveSupport::Notifications.subscribe('invisible_captcha.spam_detected') do |*args, data|
-  AwesomeLogger.warn(data[:message], data)  # Log to an external logging service.
-  SpamRequest.create(data)                  # Record the blocked request in your database.
+  AwesomeLogger.warn(data[:message], data) # Log to an external logging service.
+  SpamRequest.create(data)                 # Record the blocked request in your database.
 end
 ```
 
@@ -245,8 +252,6 @@ And in your view helper, you need to pass `nonce: true` to the `invisible_captch
 * https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
 * https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
 
-Note that Content Security Policy only works on Rails 5.2 and up.
-
 ### I18n
 
 `invisible_captcha` tries to use I18n when it's available by default. The keys it looks for are the following:
@@ -309,7 +314,7 @@ $ bundle exec appraisal rspec
 Run specs against specific version:
 
 ```
-$ bundle exec appraisal rails-5.2 rspec
+$ bundle exec appraisal rails-6.0 rspec
 ```
 
 ### Demo

data/gemfiles/{rails_4.2.gemfile → rails_6.1.gemfile}

@@ -2,6 +2,6 @@
 
 source "https://rubygems.org"
 
-gem "rails", "~> 4.2.0"
+gem "rails", "~> 6.1.0"
 
 gemspec path: "../"

data/invisible_captcha.gemspec

@@ -5,8 +5,8 @@ Gem::Specification.new do |spec|
   spec.version       = InvisibleCaptcha::VERSION
   spec.authors       = ["Marc Anguera Insa"]
   spec.email         = ["srmarc.ai@gmail.com"]
-  spec.description   = "Unobtrusive, flexible and simple spam protection for Rails applications using honeypot strategy for better user experience."
-  spec.summary       = "Simple honeypot protection for RoR apps"
+  spec.description   = "Unobtrusive, flexible and complete spam protection for Rails applications using honeypot strategy for better user experience."
+  spec.summary       = "Honeypot spam protection for Rails"
   spec.homepage      = "https://github.com/markets/invisible_captcha"
   spec.license       = "MIT"
 
@@ -15,8 +15,8 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ["lib"]
 
-  spec.add_dependency 'rails', '>= 4.2'
+  spec.add_dependency 'rails', '>= 5.0'
 
-  spec.add_development_dependency 'rspec-rails', '~> 3.1'
+  spec.add_development_dependency 'rspec-rails'
   spec.add_development_dependency 'appraisal'
 end

data/lib/invisible_captcha.rb

@@ -15,7 +15,9 @@ module InvisibleCaptcha
                   :timestamp_threshold,
                   :timestamp_enabled,
                   :visual_honeypots,
-                  :injectable_styles
+                  :injectable_styles,
+                  :spinner_enabled,
+                  :secret
 
     def init!
       # Default sentence for real users if text field was visible
@@ -33,9 +35,15 @@ module InvisibleCaptcha
       # Make honeypots visibles
       self.visual_honeypots = false
 
-      # If enabled, you should call anywhere in of your layout the following helper, to inject the honeypot styles:
-      #  <%= invisible_captcha_styles %>
+      # If enabled, you should call anywhere in your layout the following helper, to inject the honeypot styles:
+      # <%= invisible_captcha_styles %>
       self.injectable_styles = false
+
+      # Spinner check enabled by default
+      self.spinner_enabled = true
+
+      # A secret key to encode some internal values
+      self.secret = ENV['INVISIBLE_CAPTCHA_SECRET'] || SecureRandom.hex(64)
     end
 
     def sentence_for_humans
@@ -70,6 +78,10 @@ module InvisibleCaptcha
       ].sample
     end
 
+    def encode(value)
+      Digest::MD5.hexdigest("#{self.secret}-#{value}")
+    end
+
     private
 
     def call_lambda_or_return(obj)

data/lib/invisible_captcha/controller_ext.rb

@@ -21,7 +21,7 @@ module InvisibleCaptcha
     def detect_spam(options = {})
       if timestamp_spam?(options)
         on_timestamp_spam(options)
-      elsif honeypot_spam?(options)
+      elsif honeypot_spam?(options) || spinner_spam?
         on_spam(options)
       end
     end
@@ -30,11 +30,7 @@ module InvisibleCaptcha
       if action = options[:on_timestamp_spam]
         send(action)
       else
-        if respond_to?(:redirect_back)
-          redirect_back(fallback_location: root_path, flash: { error: InvisibleCaptcha.timestamp_error_message })
-        else
-          redirect_to :back, flash: { error: InvisibleCaptcha.timestamp_error_message }
-        end
+        redirect_back(fallback_location: root_path, flash: { error: InvisibleCaptcha.timestamp_error_message })
       end
     end
 
@@ -55,15 +51,15 @@ module InvisibleCaptcha
 
       return false unless enabled
 
-      @invisible_captcha_timestamp ||= session.delete(:invisible_captcha_timestamp)
+      timestamp = session.delete(:invisible_captcha_timestamp)
 
       # Consider as spam if timestamp not in session, cause that means the form was not fetched at all
-      unless @invisible_captcha_timestamp
+      unless timestamp
         warn_spam("Invisible Captcha timestamp not found in session.")
         return true
       end
 
-      time_to_submit = Time.zone.now - DateTime.iso8601(@invisible_captcha_timestamp)
+      time_to_submit = Time.zone.now - DateTime.iso8601(timestamp)
       threshold = options[:timestamp_threshold] || InvisibleCaptcha.timestamp_threshold
 
       # Consider as spam if form submitted too quickly
@@ -72,7 +68,16 @@ module InvisibleCaptcha
         return true
       end
 
-      return false
+      false
+    end
+
+    def spinner_spam?
+      if InvisibleCaptcha.spinner_enabled && params[:spinner] != session[:invisible_captcha_spinner]
+        warn_spam("Invisible Captcha spinner value mismatch")
+        return true
+      end
+
+      false
     end
 
     def honeypot_spam?(options = {})
@@ -83,7 +88,7 @@ module InvisibleCaptcha
         # If honeypot is defined for this controller-action, search for:
         # - honeypot: params[:subtitle]
         # - honeypot with scope: params[:topic][:subtitle]
-        if params[honeypot].present? || (params[scope] && params[scope][honeypot].present?)
+        if params[honeypot].present? || params.dig(scope, honeypot).present?
           warn_spam("Invisible Captcha honeypot param '#{honeypot}' was present.")
           return true
         else

data/lib/invisible_captcha/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module InvisibleCaptcha
-  VERSION = "1.1.0"
+  VERSION = "2.0.0"
 end

data/lib/invisible_captcha/view_helpers.rb

@@ -10,9 +10,17 @@ module InvisibleCaptcha
     #
     # @return [String] the generated html
     def invisible_captcha(honeypot = nil, scope = nil, options = {})
-      if InvisibleCaptcha.timestamp_enabled
+      @captcha_ocurrences = 0 unless defined?(@captcha_ocurrences)
+      @captcha_ocurrences += 1
+
+      if InvisibleCaptcha.timestamp_enabled || InvisibleCaptcha.spinner_enabled
         session[:invisible_captcha_timestamp] = Time.zone.now.iso8601
       end
+
+      if InvisibleCaptcha.spinner_enabled && @captcha_ocurrences == 1
+        session[:invisible_captcha_spinner] = InvisibleCaptcha.encode("#{session[:invisible_captcha_timestamp]}-#{current_request.remote_ip}")
+      end
+
       build_invisible_captcha(honeypot, scope, options)
     end
 
@@ -24,6 +32,10 @@ module InvisibleCaptcha
 
     private
 
+    def current_request
+      @request ||= request
+    end
+
     def build_invisible_captcha(honeypot = nil, scope = nil, options = {})
       if honeypot.is_a?(Hash)
         options = honeypot
@@ -44,6 +56,9 @@ module InvisibleCaptcha
         concat styles unless InvisibleCaptcha.injectable_styles
         concat label_tag(build_label_name(honeypot, scope), label)
         concat text_field_tag(build_input_name(honeypot, scope), nil, default_honeypot_options.merge(options))
+        if InvisibleCaptcha.spinner_enabled
+          concat hidden_field_tag("spinner", session[:invisible_captcha_spinner])
+        end
       end
     end
 
@@ -56,11 +71,7 @@ module InvisibleCaptcha
 
       return if visible
 
-      nonce = if Rails.version >= '5.2'
-                content_security_policy_nonce if options[:nonce]
-              else
-                nil
-              end
+      nonce = content_security_policy_nonce if options[:nonce]
 
       content_tag(:style, media: 'screen', nonce: nonce) do
         ".#{css_class} {#{InvisibleCaptcha.css_strategy}}"

data/spec/controllers_spec.rb

@@ -3,39 +3,25 @@
 RSpec.describe InvisibleCaptcha::ControllerExt, type: :controller do
   render_views
 
-  def switchable_post(action, params = {})
-    if Rails.version > '5'
-      post action, params: params
-    else
-      post action, params
-    end
-  end
-
-  def switchable_put(action, params = {})
-    if Rails.version > '5'
-      put action, params: params
-    else
-      put action, params
-    end
-  end
-
   before(:each) do
     @controller = TopicsController.new
     request.env['HTTP_REFERER'] = 'http://test.host/topics'
+
     InvisibleCaptcha.init!
     InvisibleCaptcha.timestamp_threshold = 1
+    InvisibleCaptcha.spinner_enabled = false
   end
 
   context 'without invisible_captcha_timestamp in session' do
     it 'fails like if it was submitted too fast' do
-      switchable_post :create, topic: { title: 'foo' }
+      post :create, params: { topic: { title: 'foo' } }
 
       expect(response).to redirect_to 'http://test.host/topics'
       expect(flash[:error]).to eq(InvisibleCaptcha.timestamp_error_message)
     end
 
     it 'passes if disabled at action level' do
-      switchable_post :copy, topic: { title: 'foo' }
+      post :copy, params: { topic: { title: 'foo' } }
 
       expect(flash[:error]).not_to be_present
       expect(response.body).to be_present
@@ -43,7 +29,8 @@ RSpec.describe InvisibleCaptcha::ControllerExt, type: :controller do
 
     it 'passes if disabled at app level' do
       InvisibleCaptcha.timestamp_enabled = false
-      switchable_post :create, topic: { title: 'foo' }
+
+      post :create, params: { topic: { title: 'foo' } }
 
       expect(flash[:error]).not_to be_present
       expect(response.body).to be_present
@@ -56,7 +43,7 @@ RSpec.describe InvisibleCaptcha::ControllerExt, type: :controller do
     end
 
     it 'fails if submission before timestamp_threshold' do
-      switchable_post :create, topic: { title: 'foo' }
+      post :create, params: { topic: { title: 'foo' } }
 
       expect(response).to redirect_to 'http://test.host/topics'
       expect(flash[:error]).to eq(InvisibleCaptcha.timestamp_error_message)
@@ -66,7 +53,7 @@ RSpec.describe InvisibleCaptcha::ControllerExt, type: :controller do
     end
 
     it 'allows a custom on_timestamp_spam callback' do
-      switchable_put :update, id: 1, topic: { title: 'bar' }
+      put :update, params: { id: 1, topic: { title: 'bar' } }
 
       expect(response.status).to eq(204)
     end
@@ -79,7 +66,7 @@ RSpec.describe InvisibleCaptcha::ControllerExt, type: :controller do
         end
       end
 
-      expect { switchable_put :update, id: 1, topic: { title: 'bar' } }
+      expect { put :update, params: { id: 1, topic: { title: 'bar' } } }
         .to change { session[:invisible_captcha_timestamp] }
         .to be_present
     end
@@ -88,10 +75,12 @@ RSpec.describe InvisibleCaptcha::ControllerExt, type: :controller do
       it 'passes if submission on or after timestamp_threshold' do
         sleep InvisibleCaptcha.timestamp_threshold
 
-        switchable_post :create, topic: {
-          title: 'foobar',
-          author: 'author',
-          body: 'body that passes validation'
+        post :create, params: {
+          topic: {
+            title: 'foobar',
+            author: 'author',
+            body: 'body that passes validation'
+          }
         }
 
         expect(flash[:error]).not_to be_present
@@ -104,7 +93,7 @@ RSpec.describe InvisibleCaptcha::ControllerExt, type: :controller do
       it 'allow to set a custom timestamp_threshold per action' do
         sleep 2 # custom threshold
 
-        switchable_post :publish, id: 1
+        post :publish, params: { id: 1 }
 
         expect(flash[:error]).not_to be_present
         expect(response.body).to be_present
@@ -115,30 +104,31 @@ RSpec.describe InvisibleCaptcha::ControllerExt, type: :controller do
   context 'honeypot attribute' do
     before(:each) do
       session[:invisible_captcha_timestamp] = Time.zone.now.iso8601
+
       # Wait for valid submission
       sleep InvisibleCaptcha.timestamp_threshold
     end
 
     it 'fails with spam' do
-      switchable_post :create, topic: { subtitle: 'foo' }
+      post :create,  params: { topic: { subtitle: 'foo' } }
 
       expect(response.body).to be_blank
     end
 
     it 'passes with no spam' do
-      switchable_post :create, topic: { title: 'foo' }
+      post :create,  params: { topic: { title: 'foo' } }
 
       expect(response.body).to be_present
     end
 
     it 'allow a custom on_spam callback' do
-      switchable_put :update, id: 1, topic: { subtitle: 'foo' }
+      put :update,  params: { id: 1, topic: { subtitle: 'foo' } }
 
       expect(response.body).to redirect_to(new_topic_path)
     end
 
     it 'honeypot is removed from params if you use a custom honeypot' do
-      switchable_post :create, topic: { title: 'foo', subtitle: '' }
+      post :create,  params: { topic: { title: 'foo', subtitle: '' } }
 
       expect(flash[:error]).not_to be_present
       expect(@controller.params[:topic].key?(:subtitle)).to eq(false)
@@ -155,31 +145,49 @@ RSpec.describe InvisibleCaptcha::ControllerExt, type: :controller do
         subscriber
       end
 
-      after  { ActiveSupport::Notifications.unsubscribe(subscriber) }
+      after { ActiveSupport::Notifications.unsubscribe(subscriber) }
 
       it 'dispatches an `invisible_captcha.spam_detected` event' do
-        # Skip the `with` matcher for Rails < 5 due to issues comparing arguments passed to / recived by the dummy event handler.
-        # https://github.com/markets/invisible_captcha/pull/62#issuecomment-552218501
-        if Rails.version > '5'
-          expect(dummy_handler).to receive(:handle_event).once.with(
-            message: "Invisible Captcha honeypot param 'subtitle' was present.",
-            remote_ip: '0.0.0.0',
-            user_agent: 'Rails Testing',
+        expect(dummy_handler).to receive(:handle_event).once.with(
+          message: "Invisible Captcha honeypot param 'subtitle' was present.",
+          remote_ip: '0.0.0.0',
+          user_agent: 'Rails Testing',
+          controller: 'topics',
+          action: 'create',
+          url: 'http://test.host/topics',
+          params: {
+            topic: { subtitle: "foo"},
             controller: 'topics',
-            action: 'create',
-            url: 'http://test.host/topics',
-            params: {
-              topic: { subtitle: "foo"},
-              controller: 'topics',
-              action: 'create'
-            }
-          )
-        else
-          expect(dummy_handler).to receive(:handle_event).once
-        end
+            action: 'create'
+          }
+        )
 
-        switchable_post :create, topic: { subtitle: 'foo' }
+        post :create, params: { topic: { subtitle: 'foo' } }
       end
     end
   end
+
+  context 'spinner attribute' do
+    before(:each) do
+      InvisibleCaptcha.spinner_enabled = true
+      InvisibleCaptcha.secret = 'secret'
+      session[:invisible_captcha_timestamp] = Time.zone.now.iso8601
+      session[:invisible_captcha_spinner] = '32ab649161f9f6faeeb323746de1a25d'
+
+      # Wait for valid submission
+      sleep InvisibleCaptcha.timestamp_threshold
+    end
+
+    it 'fails with no spam, but mismatch of spinner' do
+      post :create,  params: { topic: { title: 'foo' }, spinner: 'mismatch' }
+
+      expect(response.body).to be_blank
+    end
+
+    it 'passes with no spam and spinner match' do
+      post :create,  params: { topic: { title: 'foo' }, spinner: '32ab649161f9f6faeeb323746de1a25d' }
+
+      expect(response.body).to be_present
+    end
+  end
 end

data/spec/dummy/config/environments/test.rb

@@ -14,13 +14,8 @@ Dummy::Application.configure do
 
   # Disable serving static files from the `/public` folder by default since
   # Apache or NGINX already handles this.
-  if Rails.version >= "5.0.0"
-    config.public_file_server.enabled = true
-    config.public_file_server.headers = {'Cache-Control' => 'public, max-age=3600'}
-  else
-    config.serve_static_files = true
-    config.static_cache_control = "public, max-age=3600"
-  end
+  config.public_file_server.enabled = true
+  config.public_file_server.headers = {'Cache-Control' => 'public, max-age=3600'}
 
   # Show full error reports and disable caching.
   config.consider_all_requests_local       = true

data/spec/spec_helper.rb

@@ -7,9 +7,7 @@ require 'rspec/rails'
 require 'invisible_captcha'
 
 RSpec.configure do |config|
-  if Rails.version >= '5.2'
-    config.include ActionDispatch::ContentSecurityPolicy::Request, type: :helper
-  end
+  config.include ActionDispatch::ContentSecurityPolicy::Request, type: :helper
   config.disable_monkey_patching!
   config.order = :random
   config.expect_with :rspec
@@ -17,17 +15,3 @@ RSpec.configure do |config|
     mocks.verify_partial_doubles = true
   end
 end
-
-# Rails 4.2 call `initialize` inside `recycle!`. However Ruby 2.6 doesn't allow calling `initialize` twice.
-# More info: https://github.com/rails/rails/issues/34790
-if RUBY_VERSION >= "2.6.0" && Rails.version < "5"
-  module ActionController
-    class TestResponse < ActionDispatch::TestResponse
-      def recycle!
-        @mon_mutex_owner_object_id = nil
-        @mon_mutex = nil
-        initialize
-      end
-    end
-  end
-end

data/spec/view_helpers_spec.rb

@@ -2,12 +2,8 @@
 
 RSpec.describe InvisibleCaptcha::ViewHelpers, type: :helper do
   before(:each) do
-    allow(Time.zone).to receive(:now).and_return(Time.zone.parse('Feb 19 1986'))
     allow(InvisibleCaptcha).to receive(:css_strategy).and_return("display:none;")
-
-    if Rails.version >= '5.2'
-      allow_any_instance_of(ActionDispatch::ContentSecurityPolicy::Request).to receive(:content_security_policy_nonce).and_return('123')
-    end
+    allow_any_instance_of(ActionDispatch::ContentSecurityPolicy::Request).to receive(:content_security_policy_nonce).and_return('123')
 
     # to test content_for and provide
     @view_flow = ActionView::OutputFlow.new
@@ -32,10 +28,8 @@ RSpec.describe InvisibleCaptcha::ViewHelpers, type: :helper do
     expect(invisible_captcha(:subtitle, :topic, { class: 'foo_class' })).to match(/class="foo_class"/)
   end
 
-  if Rails.version >= '5.2'
-    it 'with CSP nonce' do
-      expect(invisible_captcha(:subtitle, :topic, { nonce: true })).to match(/nonce="123"/)
-    end
+  it 'with CSP nonce' do
+    expect(invisible_captcha(:subtitle, :topic, { nonce: true })).to match(/nonce="123"/)
   end
 
   it 'generated html + styles' do
@@ -64,6 +58,18 @@ RSpec.describe InvisibleCaptcha::ViewHelpers, type: :helper do
     end
   end
 
+  context "should have spinner field" do
+    it 'that exists by default, spinner_enabled is true' do
+      InvisibleCaptcha.spinner_enabled = true
+      expect(invisible_captcha).to match(/spinner/)
+    end
+
+    it 'that does not exist if spinner_enabled is false' do
+      InvisibleCaptcha.spinner_enabled = false
+      expect(invisible_captcha).not_to match(/spinner/)
+    end
+  end
+
   it 'should set spam timestamp' do
     invisible_captcha
     expect(session[:invisible_captcha_timestamp]).to eq(Time.zone.now.iso8601)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: invisible_captcha
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 2.0.0
 platform: ruby
 authors:
 - Marc Anguera Insa
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-09-01 00:00:00.000000000 Z
+date: 2021-02-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '4.2'
+        version: '5.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '4.2'
+        version: '5.0'
 - !ruby/object:Gem::Dependency
   name: rspec-rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '3.1'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '3.1'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: appraisal
   requirement: !ruby/object:Gem::Requirement
@@ -52,7 +52,7 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: Unobtrusive, flexible and simple spam protection for Rails applications
+description: Unobtrusive, flexible and complete spam protection for Rails applications
   using honeypot strategy for better user experience.
 email:
 - srmarc.ai@gmail.com
@@ -69,11 +69,9 @@ files:
 - LICENSE
 - README.md
 - Rakefile
-- gemfiles/rails_4.2.gemfile
-- gemfiles/rails_5.0.gemfile
-- gemfiles/rails_5.1.gemfile
 - gemfiles/rails_5.2.gemfile
 - gemfiles/rails_6.0.gemfile
+- gemfiles/rails_6.1.gemfile
 - invisible_captcha.gemspec
 - lib/invisible_captcha.rb
 - lib/invisible_captcha/controller_ext.rb
@@ -147,7 +145,7 @@ requirements: []
 rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
-summary: Simple honeypot protection for RoR apps
+summary: Honeypot spam protection for Rails
 test_files:
 - spec/controllers_spec.rb
 - spec/dummy/README.md

data/gemfiles/rails_5.0.gemfile

@@ -1,7 +0,0 @@
-# This file was generated by Appraisal
-
-source "https://rubygems.org"
-
-gem "rails", "~> 5.0.0"
-
-gemspec path: "../"

data/gemfiles/rails_5.1.gemfile

@@ -1,7 +0,0 @@
-# This file was generated by Appraisal
-
-source "https://rubygems.org"
-
-gem "rails", "~> 5.1.0"
-
-gemspec path: "../"