From aad2a53459860539dde463e7952636c7ddd3a629 Mon Sep 17 00:00:00 2001
From: Daniel Friesel <derf@finalrewind.org>
Date: Tue, 20 Apr 2021 21:59:17 +0200
Subject: attempt to prevent registration spam

---
 lib/Travelynx/Controller/Account.pm | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

(limited to 'lib/Travelynx/Controller/Account.pm')

diff --git a/lib/Travelynx/Controller/Account.pm b/lib/Travelynx/Controller/Account.pm
index ba6b3cd..b6e97e3 100644
--- a/lib/Travelynx/Controller/Account.pm
+++ b/lib/Travelynx/Controller/Account.pm
@@ -1,4 +1,5 @@
 package Travelynx::Controller::Account;
+
 # Copyright (C) 2020 Daniel Friesel
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
@@ -62,6 +63,7 @@ sub registration_form {
 
 sub register {
 	my ($self)    = @_;
+	my $dt        = $self->req->param('dt');
 	my $user      = $self->req->param('user');
 	my $email     = $self->req->param('email');
 	my $password  = $self->req->param('password');
@@ -118,6 +120,18 @@ sub register {
 		return;
 	}
 
+	if ( not $dt
+		or DateTime->now( time_zone => 'Europe/Berlin' )->epoch - $dt < 6 )
+	{
+		# a human user should take at least five seconds to fill out the form.
+		# Throw a CSRF error at presumed spammers.
+		$self->render(
+			'register',
+			invalid => 'csrf',
+		);
+		return;
+	}
+
 	my $token   = make_token();
 	my $pw_hash = hash_password($password);
 	my $db      = $self->pg->db;
-- 
cgit v1.2.3