spam_protect 1.0.0 → 1.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +18 -5
- data/lib/spam_protect/version.rb +1 -1
- data/lib/spam_protect/view_helpers.rb +14 -2
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: d101c1fa1655923be2915a246c7d892fe8e91bd3abd7b3e97530e23a4a6d427f
|
|
4
|
+
data.tar.gz: a683fea849f5b8c439fbbedb23a781df713ab01c4e4baf6797e5a997b69b4989
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 07a3893f6100fc8f28c6adf2976539fce30be6b8fb96a6285156c5bf351b79a8e7c9ecbd1798431483bc0a1411ce8b5c8944e136bcbef96acc51c06f9a9e8593
|
|
7
|
+
data.tar.gz: 3ea0a101bb740b8d076e2b5c60201adc495bed51665d35d3afd2a42f72d0f79901885ad3f6ad8ff9541ebf4c8c6b3416c06e04cf466c0393e67a80db97fcc61a
|
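Review bot: the old SHA256/SHA512 values for metadata.gz and data.tar.gz are truncated in this rendering, so nothing here can be compared against 1.0.0; before pinning 1.1.0, confirm the new digests match what you get from an independent download of the published gem rather than trusting the values in this view alone. The rewrite of both entries is otherwise exactly what a new release should produce.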
data/README.md
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
# spam_protect
|
|
2
2
|
|
|
3
|
-
A lightweight Ruby gem to help reduce spam in Rails applications.
|
|
3
|
+
A lightweight Ruby gem to help reduce spam in Rails applications without relying on CAPTCHAs or third-party services. It uses a combination of honeypot fields, timestamp tokens, and optional JavaScript checks to identify and block automated spam submissions.
|
|
4
4
|
|
|
5
5
|
## Installation
|
|
6
6
|
|
|
@@ -11,12 +11,14 @@ gem 'spam_protect'
|
|
|
11
11
|
```
|
|
12
12
|
|
|
13
13
|
And then execute:
|
|
14
|
-
|
|
15
|
-
|
|
14
|
+
```bash
|
|
15
|
+
bundle install
|
|
16
|
+
```
|
|
16
17
|
|
|
17
18
|
Then add the initializer to your Rails application:
|
|
18
|
-
|
|
19
|
-
|
|
19
|
+
```bash
|
|
20
|
+
bin/rails generate spam_protect:install
|
|
21
|
+
```
|
|
20
22
|
|
|
21
23
|
## Usage
|
|
22
24
|
|
|
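Review bot: the installation section now wraps `bundle install` and `bin/rails generate spam_protect:install` in bash fences, which is fine, but it still does not say what the generated initializer contains; since the "How it works" text below refers to `config.require_js = true`, one sentence pointing readers at the generated initializer for that setting would close the gap.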
@@ -62,6 +64,17 @@ class CommentsController < ApplicationController
|
|
|
62
64
|
end
|
|
63
65
|
end
|
|
64
66
|
```
|
|
67
|
+
## How it works
|
|
68
|
+
|
|
69
|
+
The gem uses a honeypot field and a timestamp token to detect spam submissions:
|
|
70
|
+
|
|
71
|
+
1. **Honeypot field**: A hidden field that should remain empty. If a bot fills it out, the submission is flagged as spam. Bots often fill out all fields, including hidden ones, while human users do not see them.
|
|
72
|
+
2. **Timestamp token**: A hidden field containing an encrypted timestamp of when the form was rendered. If the form is submitted too quickly (e.g., within a few seconds), it is likely a bot submission. This is encrypted to prevent tampering.
|
|
73
|
+
3. **JavaScript check**: Optionally (using `config.require_js = true`), a JavaScript snippet can be included that sets a flag when the page is fully loaded. If the form is submitted without this flag being set, it indicates that JavaScript was not executed, which is common behavior for bots.
|
|
74
|
+
|
|
75
|
+
These combined techniques help to effectively reduce spam submissions in web forms. We highly recommend also analysing the message contents (if available) for spammy keywords or patterns as an additional layer of protection.
|
|
76
|
+
|
|
77
|
+
If you want to take this a step further, consider comibing this gem with a Fail2Ban setup to block IPs that repeatedly trigger spam protections.
|
|
65
78
|
|
|
66
79
|
## Configuration
|
|
67
80
|
|
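Review bot: in item 2 of the new "How it works" list, "This is encrypted to prevent tampering" overstates what encryption gives you; confidentiality alone does not stop an attacker from altering the token, and tamper resistance needs authentication (an authenticated-encryption mode or a MAC over the ciphertext). Reword it to whatever `Encryption.encrypt` actually guarantees. Two smaller points in the same hunk: "comibing" should be "combining" in the Fail2Ban paragraph, and item 3 should mention that the JavaScript check is delivered as an inline `<script>`, so apps enforcing a Content Security Policy must pass a nonce (the `nonce:` option added to `spam_protect_javascript_tag` in this release).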
data/lib/spam_protect/view_helpers.rb
CHANGED
|
@@ -2,7 +2,18 @@
|
|
|
2
2
|
|
|
3
3
|
module SpamProtect
|
|
4
4
|
module ViewHelpers
|
|
5
|
-
|
|
5
|
+
# Renders an inline <script> that sets the spam_protect_token cookie.
|
|
6
|
+
#
|
|
7
|
+
# @param nonce [String, nil] CSP nonce to include on the script tag.
|
|
8
|
+
# Pass `content_security_policy_nonce` if using Rails CSP features.
|
|
9
|
+
#
|
|
10
|
+
# @example Without nonce
|
|
11
|
+
# <%= spam_protect_javascript_tag %>
|
|
12
|
+
#
|
|
13
|
+
# @example With CSP nonce
|
|
14
|
+
# <%= spam_protect_javascript_tag(nonce: content_security_policy_nonce) %>
|
|
15
|
+
#
|
|
16
|
+
def spam_protect_javascript_tag(nonce: nil)
|
|
6
17
|
payload = Encryption::Payload.generate
|
|
7
18
|
token = Encryption.encrypt(payload.to_h)
|
|
8
19
|
|
|
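Review bot: the new YARD block documents `@param nonce` but has no `@return`; add `@return [ActiveSupport::SafeBuffer]` (the method ends in `.html_safe`) so callers know the result is already marked safe for view output. It would also help to state in the comment that the cookie value is the encrypted `Encryption::Payload`, since that is what the "timestamp token" in the README refers to. The signature change itself, `nonce: nil` as a keyword with a nil default, is backward compatible with existing `spam_protect_javascript_tag` calls.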
@@ -13,7 +24,8 @@ module SpamProtect
|
|
|
13
24
|
})();
|
|
14
25
|
JS
|
|
15
26
|
|
|
16
|
-
%(
|
|
27
|
+
nonce_attr = nonce ? %( nonce="#{ERB::Util.html_escape(nonce)}") : ""
|
|
28
|
+
%(<script#{nonce_attr}>#{js}</script>).html_safe
|
|
17
29
|
end
|
|
18
30
|
end
|
|
19
31
|
end
|
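Review bot: `nonce ? %( nonce="...") : ""` treats an empty string as a nonce, so `spam_protect_javascript_tag(nonce: "")` emits `nonce=""`, which a CSP-enforcing browser will reject as a non-matching nonce; test for presence instead, e.g. `nonce.to_s.empty? ? "" : %( nonce="#{ERB::Util.html_escape(nonce)}")`. Escaping the nonce with `ERB::Util.html_escape` is the right call for the attribute context. Separately, `#{js}` is interpolated unescaped into a string that is then marked `html_safe`; the heredoc body is outside this hunk, so please confirm that `token` is inserted into the JavaScript through a JS-safe encoding (such as `.to_json`) rather than raw interpolation, as anything that lets `</script>` or a quote character through would break out of the script element.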
metadata
CHANGED
|
@@ -1,13 +1,13 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: spam_protect
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.1.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Full Fat Software
|
|
8
8
|
bindir: bin
|
|
9
9
|
cert_chain: []
|
|
10
|
-
date: 2025-
|
|
10
|
+
date: 2025-12-03 00:00:00.000000000 Z
|
|
11
11
|
dependencies:
|
|
12
12
|
- !ruby/object:Gem::Dependency
|
|
13
13
|
name: rspec
|