FEATURE: improve honeypot and challenge logic

This feature amends it so instead of using one challenge and honeypot statically per site we have a rotating honeypot and challenge value which changes every hour. This means you must grab a fresh copy of honeypot and challenge value once an hour or account registration will be rejected. We also now cycle the value of the challenge when after successful account registration forcing an extra call to hp.json between account registrations Client has been made aware of these changes. Additionally this contains a JavaScript workaround for: https://bugs.chromium.org/p/chromium/issues/detail?id=987293 This is client side code that is specific to Chrome user agent and swaps a PASSWORD type honeypot with a TEXT type honeypot.
2025-02-25 18:55:32 -06:00 · 2019-10-16 16:53:31 +11:00
parent 645faa847b
commit d5d8db7fa8
5 changed files with 198 additions and 98 deletions
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@@ -5,6 +5,41 @@ require 'rails_helper'
 describe UsersController do
  let(:user) { Fabricate(:user) }

+  describe "#full account registration flow" do
+    it "will correctly handle honeypot and challenge" do
+
+      get '/u/hp.json'
+      expect(response.status).to eq(200)
+
+      json = JSON.parse(response.body)
+
+      params = {
+        email: 'jane@jane.com',
+        name: 'jane',
+        username: 'jane',
+        password_confirmation: json['value'],
+        challenge: json['challenge'].reverse,
+        password: SecureRandom.hex
+      }
+
+      secure_session = SecureSession.new(session["secure_session_id"])
+
+      expect(secure_session[UsersController::HONEYPOT_KEY]).to eq(json["value"])
+      expect(secure_session[UsersController::CHALLENGE_KEY]).to eq(json["challenge"])
+
+      post '/u.json', params: params
+
+      expect(response.status).to eq(200)
+
+      jane = User.find_by(username: 'jane')
+
+      expect(jane.email).to eq('jane@jane.com')
+
+      expect(secure_session[UsersController::HONEYPOT_KEY]).to eq(nil)
+      expect(secure_session[UsersController::CHALLENGE_KEY]).to eq(nil)
+    end
+  end
+
  describe '#perform_account_activation' do
    let(:token) do
      return @token if @token.present?
@@ -1020,22 +1055,15 @@ describe UsersController do

    shared_examples 'honeypot fails' do
      it 'should not create a new user' do
+        User.any_instance.expects(:enqueue_welcome_message).never
+
        expect {
          post "/u.json", params: create_params
        }.to_not change { User.count }
-        expect(response.status).to eq(200)
-      end

-      it 'should not send an email' do
-        User.any_instance.expects(:enqueue_welcome_message).never
-        post "/u.json", params: create_params
        expect(response.status).to eq(200)
-      end

-      it 'should say it was successful' do
-        post "/u.json", params: create_params
        json = JSON::parse(response.body)
-        expect(response.status).to eq(200)
        expect(json["success"]).to eq(true)

        # should not change the session
@@ -3361,7 +3389,6 @@ describe UsersController do
        end

        it 'succeeds on correct password' do
-          session = {}
          ApplicationController.any_instance.stubs(:secure_session).returns("confirmed-password-#{user.id}" => "true")
          post "/users/create_second_factor_totp.json"