attempt to prevent registration spam1.19.11

author: Daniel Friesel <derf@finalrewind.org> 2021-04-20 21:59:17 +0200
committer: Daniel Friesel <derf@finalrewind.org> 2021-04-20 21:59:17 +0200
commit: aad2a53459860539dde463e7952636c7ddd3a629 (patch)
tree: 376d036fc07285989af79c32e9d0c969f2b4c254 /lib
parent: aabf3104b12b0182a25c70d0807b9d525a548551 (diff)
1 files changed, 14 insertions, 0 deletions
diff --git a/lib/Travelynx/Controller/Account.pm b/lib/Travelynx/Controller/Account.pm
index ba6b3cd..b6e97e3 100644
--- a/lib/Travelynx/Controller/Account.pm
+++ b/lib/Travelynx/Controller/Account.pm
@@ -1,4 +1,5 @@
 package Travelynx::Controller::Account;
+
 # Copyright (C) 2020 Daniel Friesel
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
@@ -62,6 +63,7 @@ sub registration_form {
 
 sub register {
 	my ($self)    = @_;
+	my $dt        = $self->req->param('dt');
 	my $user      = $self->req->param('user');
 	my $email     = $self->req->param('email');
 	my $password  = $self->req->param('password');
@@ -118,6 +120,18 @@ sub register {
 		return;
 	}
 
+	if ( not $dt
+		or DateTime->now( time_zone => 'Europe/Berlin' )->epoch - $dt < 6 )
+	{
+		# a human user should take at least five seconds to fill out the form.
+		# Throw a CSRF error at presumed spammers.
+		$self->render(
+			'register',
+			invalid => 'csrf',
+		);
+		return;
+	}
+
 	my $token   = make_token();
 	my $pw_hash = hash_password($password);
 	my $db      = $self->pg->db;
author	Daniel Friesel <derf@finalrewind.org>	2021-04-20 21:59:17 +0200
committer	Daniel Friesel <derf@finalrewind.org>	2021-04-20 21:59:17 +0200
commit	aad2a53459860539dde463e7952636c7ddd3a629 (patch)
tree	376d036fc07285989af79c32e9d0c969f2b4c254 /lib
parent	aabf3104b12b0182a25c70d0807b9d525a548551 (diff)