summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel Friesel <derf@finalrewind.org>2021-04-20 21:59:17 +0200
committerDaniel Friesel <derf@finalrewind.org>2021-04-20 21:59:17 +0200
commitaad2a53459860539dde463e7952636c7ddd3a629 (patch)
tree376d036fc07285989af79c32e9d0c969f2b4c254
parentaabf3104b12b0182a25c70d0807b9d525a548551 (diff)
attempt to prevent registration spam1.19.11
-rw-r--r--lib/Travelynx/Controller/Account.pm14
-rw-r--r--templates/register.html.ep1
2 files changed, 15 insertions, 0 deletions
diff --git a/lib/Travelynx/Controller/Account.pm b/lib/Travelynx/Controller/Account.pm
index ba6b3cd..b6e97e3 100644
--- a/lib/Travelynx/Controller/Account.pm
+++ b/lib/Travelynx/Controller/Account.pm
@@ -1,4 +1,5 @@
package Travelynx::Controller::Account;
+
# Copyright (C) 2020 Daniel Friesel
#
# SPDX-License-Identifier: AGPL-3.0-or-later
@@ -62,6 +63,7 @@ sub registration_form {
sub register {
my ($self) = @_;
+ my $dt = $self->req->param('dt');
my $user = $self->req->param('user');
my $email = $self->req->param('email');
my $password = $self->req->param('password');
@@ -118,6 +120,18 @@ sub register {
return;
}
+ if ( not $dt
+ or DateTime->now( time_zone => 'Europe/Berlin' )->epoch - $dt < 6 )
+ {
+ # a human user should take at least five seconds to fill out the form.
+ # Throw a CSRF error at presumed spammers.
+ $self->render(
+ 'register',
+ invalid => 'csrf',
+ );
+ return;
+ }
+
my $token = make_token();
my $pw_hash = hash_password($password);
my $db = $self->pg->db;
diff --git a/templates/register.html.ep b/templates/register.html.ep
index 1983e92..c27b591 100644
--- a/templates/register.html.ep
+++ b/templates/register.html.ep
@@ -3,6 +3,7 @@
% }
%= form_for '/register' => (method => 'POST') => begin
%= csrf_field
+ %= hidden_field dt => DateTime->now(time_zone => 'Europe/Berlin')->epoch
<div class="row">
<div class="input-field col l6 m12 s12">
<i class="material-icons prefix">account_circle</i>