negative_captcha 0.2.beta

data/LICENSE

@@ -0,0 +1,18 @@
+Copyright (c) 2008 Erik Peterson
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of 
+this software and associated documentation files (the "Software"), to deal in 
+the Software without restriction, including without limitation the rights to 
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of 
+the Software, and to permit persons to whom the Software is furnished to do so, 
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all 
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS 
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR 
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.textile

@@ -0,0 +1,150 @@
+h1. Negative Captcha
+
+h2. What is a Negative Captcha?
+
+A negative captcha has the exact same purpose as your run-of-the-mill image captcha: To keep bots from submitting forms.  Image ("positive") captchas do this by implementing a step which only humans can do, but bots cannot: read jumbled characters from an image.  But this is bad.  It creates usability problems, it hurts conversion rates, and it confuses the shit out of lots of people.  Why not do it the other way around? Negative captchas create a form that has tasks that only bots can perform, but humans cannot.  This has the exact same effect, with (anecdotally) a much lower false positive identification rate when compared with positive captchas.  All of this comes without making humans go through any extra trouble to submit the form.  It really is win-win.
+  
+h2. How does it work?
+  
+In a negative captcha form there are two main parts and three ancillary parts.  I'll explain them thusly.
+
+h3. Honeypots
+
+Honeypots are form fields which look exactly like real form fields.  Bots will see them and fill them out.  Humans cannot see them and thusly will not fill them out.  They are hidden indirectly- usually by positioning them off to the left of the browser. They look kind of like this:
+
+<pre>
+  <code>
+    <div style="position: absolute; left: -2000px;"><input type="text" name="name"  value="" /></div>
+  </code>
+</pre>
+  
+h3. Real fields
+
+These fields are the ones humans will see, will subsequently fill out, and that you'll pull your real form data out of.  The form name will be hashed so that bots will not know what it is.  They look kind of like this:
+
+<pre>
+  <code>
+    <input type="text" name="685966bd3a1975667b4777cc56188c7e" />
+  </code>
+</pre>
+
+h4. Timestamp
+
+This is a field that is used in the hash key to make the hash different on every GET request, and to prevent replayability.
+
+h4. Spinner
+
+This is a rotating key that is used in the hash method to prevent replayability.  I'm not sold on its usefulness.
+
+h4. Secret key
+
+This is simply some key that is used in the hashing method to prevent bots from backing out the name of the field from the hashed field name.
+    
+h2. How does Negative Captcha work?
+  
+h3. Installation
+
+h4. Rails 3
+
+You can let bundler install Negative Captcha by adding this line to your application’s Gemfile:
+
+<pre>
+  <code>
+    gem 'negative-captcha', :git => 'git://github.com/stefants/negative-captcha.git'
+  </code>
+</pre>
+
+And then execute:
+
+<pre>
+  <code>
+    bundle install
+  </code>
+</pre>
+
+h3. Controller Hooks
+    
+Place this before filter at the top of the controller you are protecting:
+
+<pre>
+  <code>
+    before_filter :setup_negative_captcha, :only => [:new, :create]
+  </code>
+</pre>  
+
+In the same controller include the following private method:
+
+<pre>
+  <code>
+    private
+      def setup_negative_captcha
+        @captcha = NegativeCaptcha.new(
+          :secret => NEGATIVE_CAPTCHA_SECRET, #A secret key entered in environment.rb.  'rake secret' will give you a good one.
+          :spinner => request.remote_ip, 
+          :fields => [:name, :email, :body], #Whatever fields are in your form 
+          :params => params)
+      end
+  </code>
+</pre>
+
+Modify your POST action(s) to check for the validity of the negative captcha form
+
+<pre>
+  <code>
+    def create
+      @comment = Comment.new(@captcha.values) #Decrypted params
+      if @captcha.valid? && @comment.save
+        redirect_to @comment
+      else
+        flash[:notice] = @captcha.error if @captcha.error 
+        render :action => 'new'
+      end
+    end
+  </code>
+</pre>
+
+h3. Form Example
+
+Modify your form to include the honeypots and other fields.  You can probably leave any select, radio, and check box fields alone.  The text field/text area helpers should be sufficient.
+
+<pre>
+  <code>
+    <% form_tag comments_path do -%>
+      <%= raw negative_captcha(@captcha) %>
+        <ul class="contact_us">
+          <li>
+            <%= negative_label_tag(@captcha, :name, 'Name:') %>
+            <%= negative_text_field_tag @captcha, :name %>
+          </li>
+          <li>
+            <%= negative_label_tag(@captcha, :email, 'Email:') %>
+            <%= negative_text_field_tag @captcha, :email %>
+          </li>
+          <li>
+            <%= negative_label_tag(@captcha, :body, 'Your Comment:') %>
+            <%= negative_text_area_tag @captcha, :body %>
+          </li>
+          <li>
+            <%= submit_tag %>
+          </li>
+        </ul>
+      <% end -%>
+  </code>
+</pre>
+
+h3. Test and enjoy!
+  
+h2. Possible Gotchas and other concerns
+
+* It is still possible for someone to write a bot to exploit a single site by closely examining the DOM.  This means that if you are Yahoo, Google or Facebook, negative captchas will not be a complete solution.  But if you have a small application, negative captchas will likely be a very, very good solution for you.  There are no easy work-arounds to this quite yet.  Let me know if you have one.
+* I'm not a genius.  It is possible that a bot can figure out the hashed values and determine which forms are which.  I don't know how, but I think they might be able to.  I welcome people who have thought this out more thoroughly to criticize this method and help me find solutions.  I like this idea a lot and want it to succeed.
+
+h2. Credit
+
+The idea of a negative captcha is not mine.  It originates (I think) from Damien Katz of CouchDB. I (Erik Peterson) wrote the plugin.  Calvin Yu wrote the original class which I refactored quite a bit and made into the plugin.
+
+We did this while working on "Skribit":http://skribit.com/, an Atlanta startup (if you have a blog, please check us out at "http://skribit.com/":http://skribit.com/)
+
+If you have any questions, concerns or have found any bugs, please email me at erik@skribit.com
+
+If you'd like to help improve or refactor this plugin, please create a fork on Github and let me know about it.  "http://github.com/subwindow/negative-captcha":http://github.com/subwindow/negative-captcha

data/Rakefile

@@ -0,0 +1,23 @@
+require 'rake'
+require 'rake/testtask'
+require 'rdoc/task'
+
+desc 'Default: run unit tests.'
+task :default => :test
+
+desc 'Tests negative-captcha.'
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = true
+end
+
+desc 'Generates documentation for negative-captcha.'
+Rake::RDocTask.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'NegativeCaptcha'
+  rdoc.options << '--line-numbers' << '--inline-source'
+  rdoc.rdoc_files.include('README.textile')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+

data/lib/negative_captcha/form_builder.rb

@@ -0,0 +1,66 @@
+module ActionView
+  module Helpers
+    class FormBuilder
+      def negative_text_field(captcha, method, options = {})
+        html = @template.negative_text_field_tag(
+          captcha,
+          method,
+          options
+        ).html_safe
+
+        if @object.errors[method].present?
+          html = "<div class='fieldWithErrors'>#{html}</div>"
+        end
+
+        html.html_safe
+      end
+
+      def negative_text_area(captcha, method, options = {})
+        html = @template.negative_text_area_tag(
+          captcha,
+          method,
+          options
+        ).html_safe
+
+        if @object.errors[method].present?
+          html = "<div class='fieldWithErrors'>#{html}</div>"
+        end
+
+        html.html_safe
+      end
+
+      def negative_hidden_field(captcha, method, options = {})
+        @template.negative_hidden_field_tag(captcha, method, options).html_safe
+      end
+
+      def negative_password_field(captcha, method, options = {})
+        html = @template.negative_password_field_tag(
+          captcha,
+          method,
+          options
+        ).html_safe
+
+        if @object.errors[method].present?
+          html = "<div class='fieldWithErrors'>#{html}</div>" 
+        end
+
+        html.html_safe
+      end
+
+      def negative_label(captcha, method, name, options = {})
+        html = @template.negative_label_tag(
+          captcha,
+          method,
+          name,
+          options
+        ).html_safe
+
+        if @object.errors[method].present?
+          html = "<div class='fieldWithErrors'>#{html}</div>" 
+        end
+
+        html.html_safe
+      end
+    end
+  end
+end

data/lib/negative_captcha/view_helpers.rb

@@ -0,0 +1,62 @@
+module NegativeCaptchaViewHelpers
+  extend ActiveSupport::Concern
+
+  included do
+  end
+
+  def negative_captcha(captcha)
+    [
+      hidden_field_tag('timestamp', captcha.timestamp),
+      hidden_field_tag('spinner', captcha.spinner),
+    ].join
+  end
+
+  def negative_text_field_tag(negative_captcha, field, options={})
+    text_field_tag(
+      negative_captcha.fields[field],
+      negative_captcha.values[field],
+      options
+    ) +
+      content_tag('div', :style => 'position: absolute; left: -2000px;') do
+      text_field_tag(field, '', :tabindex => '999', :autocomplete => 'off')
+    end
+  end
+
+  def negative_text_area_tag(negative_captcha, field, options={})
+    text_area_tag(
+      negative_captcha.fields[field],
+      negative_captcha.values[field],
+      options
+    ) +
+      content_tag('div', :style => 'position: absolute; left: -2000px;') do
+      text_area_tag(field, '', :tabindex => '999', :autocomplete => 'off')
+    end
+  end
+
+  def negative_hidden_field_tag(negative_captcha, field, options={})
+    hidden_field_tag(
+      negative_captcha.fields[field],
+      negative_captcha.values[field],
+      options
+    ) +
+      "<div style='position: absolute; left: -2000px;'>" +
+      hidden_field_tag(field, '', :tabindex => '999') +
+      "</div>"
+  end
+
+  def negative_password_field_tag(negative_captcha, field, options={})
+    password_field_tag(
+      negative_captcha.fields[field],
+      negative_captcha.values[field],
+      options) +
+      "<div style='position: absolute; left: -2000px;'>" +
+      password_field_tag(field, '', :tabindex => '999') +
+      "</div>"
+  end
+
+  def negative_label_tag(negative_captcha, field, name, options={})
+    label_tag(negative_captcha.fields[field], name, options)
+  end
+
+  #TODO: Select, check_box, etc
+end

data/lib/negative_captcha.rb

@@ -0,0 +1,82 @@
+require 'digest/md5'
+
+class NegativeCaptcha
+  attr_accessor :fields,
+    :values,
+    :secret,
+    :spinner,
+    :message,
+    :timestamp,
+    :error
+
+  def initialize(opts)
+    self.secret = opts[:secret] ||
+      Digest::MD5.hexdigest("this_is_a_secret_key")
+
+    if opts.has_key?(:params)
+      self.timestamp = opts[:params][:timestamp] || Time.now.to_i
+    else
+      self.timestamp = Time.now.to_i
+    end
+
+    self.spinner = Digest::MD5.hexdigest(
+      ([timestamp, secret] + Array(opts[:spinner])).join('-')
+    )
+
+    self.message = opts[:message] || <<-MESSAGE
+Please try again.
+This usually happens because an automated script attempted to submit this form.
+    MESSAGE
+
+    self.fields = opts[:fields].inject({}) do |hash, field_name|
+      hash[field_name] = Digest::MD5.hexdigest(
+        [field_name, spinner, secret].join('-')
+      )
+
+      hash
+    end
+
+    self.values = {}
+    self.error = "No params provided"
+
+    if opts[:params] && (opts[:params][:spinner] || opts[:params][:timestamp])
+      process(opts[:params])
+    end
+  end
+
+  def [](name)
+    fields[name]
+  end
+
+  def valid?
+    error.nil? || error == "" || error.empty?
+  end
+
+  def process(params)
+    timestamp_age = (Time.now.to_i - params[:timestamp].to_i).abs
+
+    if params[:timestamp].nil? || timestamp_age > 86400
+      self.error = "Error: Invalid timestamp.  #{message}"
+    elsif params[:spinner] != spinner
+      self.error = "Error: Invalid spinner.  #{message}"
+    elsif fields.keys.detect {|name| params[name] && params[name].length > 0}
+      self.error = <<-ERROR
+Error: Hidden form fields were submitted that should not have been. #{message}
+      ERROR
+
+      false
+    else
+      self.error = ""
+
+      fields.each do |name, encrypted_name|
+        self.values[name] = params[encrypted_name]
+      end
+    end
+  end
+end
+
+
+require 'negative_captcha/view_helpers'
+ActiveRecord::Base.send :include, NegativeCaptchaViewHelpers
+
+require "negative_captcha/form_builder"

metadata

@@ -0,0 +1,67 @@
+--- !ruby/object:Gem::Specification
+name: negative_captcha
+version: !ruby/object:Gem::Version
+  version: 0.2.beta
+  prerelease: 4
+platform: ruby
+authors:
+- Erik Peterson
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-05-21 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3.2'
+description: A library to make creating negative captchas less painful
+email:
+- erik@subwindow.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE
+- README.textile
+- Rakefile
+- lib/negative_captcha.rb
+- lib/negative_captcha/form_builder.rb
+- lib/negative_captcha/view_helpers.rb
+homepage: http://github.com/subwindow/negative-captcha
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib/
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>'
+    - !ruby/object:Gem::Version
+      version: 1.3.1
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.24
+signing_key: 
+specification_version: 3
+summary: A library to make creating negative captchas less painful
+test_files: []