omines / antispam-bundle

The Swiss Army Knife of battling form spam in your Symfony application!

Home Page: https://omines.github.io/antispam-bundle/

License: MIT License

PHP 97.94% Shell 0.81% Twig 1.25%
php spam-detection symfony symfony-bundle

antispam-bundle's People

Contributors: celinora, curry684, huluti, kbond, renovate[bot]

Forkers: kbond, celinora

antispam-bundle's Issues

Feature: Rate Limiting

First of all, nice bundle! The docs are beautiful!

I have my own home-grown honeypot/short submit system that I'm going to switch to this bundle.

Recently, we have been getting hammered by spam that gets past these two protections, so I've implemented a rate limiting system: "can only submit a valid form once per minute and 5 times per hour"

Thought it could be a nice feature for this bundle.
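One way to get the "once per minute and 5 times per hour" policy from the request above with Symfony's own RateLimiter component (an added example, not code from the bundle or from the issue author; the limiter names and the service class are assumptions):

```php
<?php
// Added example: assumes two limiters declared in framework config, e.g.
//
//   # config/packages/rate_limiter.yaml
//   framework:
//       rate_limiter:
//           form_submit_minute: { policy: fixed_window,   limit: 1, interval: '1 minute' }
//           form_submit_hour:   { policy: sliding_window, limit: 5, interval: '1 hour' }

namespace App\AntiSpam;

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\RateLimiter\RateLimiterFactory;

final class ValidSubmissionThrottle
{
    // Symfony autowires the "limiter.form_submit_minute" factory into
    // $formSubmitMinuteLimiter (camel-cased limiter name + "Limiter"), likewise for the hour one.
    public function __construct(
        private readonly RateLimiterFactory $formSubmitMinuteLimiter,
        private readonly RateLimiterFactory $formSubmitHourLimiter,
    ) {
    }

    /**
     * Call this only after $form->isSubmitted() && $form->isValid(), so the budget
     * is spent on valid submissions (as the issue describes) and not on every POST.
     * Returns false when either window is exhausted; the caller then treats the
     * submission exactly like detected spam (stealthed "success" or an error).
     */
    public function accept(Request $request): bool
    {
        // Key per client. Behind a proxy, configure trusted proxies so that
        // getClientIp() is the real client and not the load balancer, otherwise
        // one busy proxy IP would lock out every visitor behind it.
        $key = $request->getClientIp() ?? 'unknown';

        $perMinute = $this->formSubmitMinuteLimiter->create($key)->consume(1);
        $perHour   = $this->formSubmitHourLimiter->create($key)->consume(1);

        // Both windows must have room; consume() never blocks, it only reports.
        return $perMinute->isAccepted() && $perHour->isAccepted();
    }
}
```

The storage behind the limiters is the cache pool configured for `framework.rate_limiter`, so in a multi-instance deployment it has to be shared (Redis or similar) for the counts to mean anything.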

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

This repository currently has no open or pending branches.

Detected dependencies

composer
composer.json
  • php >=8.1
  • psr/log ^3.0
  • symfony/clock ^6.3|^7.0
  • symfony/form ^6.3|^7.0
  • symfony/framework-bundle ^6.3|^7.0
  • symfony/translation ^6.3|^7.0
  • symfony/twig-bridge ^6.3|^7.0
  • symfony/validator ^6.3|^7.0
  • symfony/yaml ^6.3|^7.0
  • ekino/phpstan-banned-code ^1.0
  • friendsofphp/php-cs-fixer ^3.38.2
  • infection/infection ^0.27.8
  • phpstan/extension-installer ^1.3.1
  • phpstan/phpstan ^1.10.41
  • phpstan/phpstan-phpunit ^1.3.15
  • phpstan/phpstan-symfony ^1.3.5
  • phpunit/phpunit ^10.4.2
  • symfony/browser-kit ^6.3|^7.0
  • symfony/css-selector ^6.3|^7.0
  • symfony/debug-bundle ^6.3|^7.0
  • symfony/dotenv ^6.3|^7.0
  • symfony/monolog-bundle ^3.8
  • symfony/routing ^6.3|^7.0
  • symfony/runtime ^6.3|^7.0
  • symfony/twig-bundle ^6.3|^7.0
  • symfony/web-profiler-bundle ^6.3|^7.0
github-actions
.github/workflows/ci.yaml
  • actions/checkout v4
  • shivammathur/setup-php v2
  • codecov/codecov-action v4
.github/workflows/docs.yaml
  • actions/checkout v4
  • actions/setup-python v5
  • actions/cache v4
.github/workflows/psalm.yml
  • actions/checkout v4
  • github/codeql-action v3


Doc: enable antispam for specific functional tests

As I suggested in the recipe PR, I think for most of your application's tests, you'd want antispam disabled.

# config/packages/antispam.yaml

when@test:
    antispam:
        profiles:
            default:
                passive: true

In my app, I wanted to have just a single test that ensured the antispam system (short submit specifically) was working. This was my solution:

# config/packages/antispam.yaml

when@test:
    antispam:
        profiles:
            default:
                passive: '%env(not:default::ENABLE_ANTISPAM)%' # Disable antispam for tests unless ENABLE_ANTISPAM=1

Then, at the beginning of the test you want antispam enabled, add the following:

/**
 * @test
 */
public function antispam_short_submit(): void
{
    $_ENV['ENABLE_ANTISPAM'] = '1';

    // create client, submit form and ensure spam was detected
}

You also need to unset this environment variable in the test case's tearDown method to ensure subsequent tests do not have this environment variable set:

protected function tearDown(): void
{
    unset($_ENV['ENABLE_ANTISPAM']);
}

Of course, I may have missed an easier way to achieve this.

Anyway, I don't think we should set this as the default in the recipe as it's a bit tricky to reason about. I was thinking maybe a little note in the docs somewhere?

Float instead of an int for the min timer value?

Hello :)

Thank you for your bundle, very useful!

Just one suggestion: could you make the min value of the timer feature a float instead of an int to allow values below 1?

Because in my case for urlr.me, I would prefer a value like 0.3 or 0.4 to make sure we don't prevent a human from quickly reducing his link.

What do you think?

Feature: more robust honeypot widget

I've read in a few places that bots understand display: none and know not to fill this field. This is an interesting article that shows an alternative: https://blog.stefanolaru.com/how-to-make-the-honeypot-field-more-effective

I mean, if a bot can understand display: none, they can likely determine it isn't in the viewport, but... maybe it's just something that can help filter out the less advanced bots? I also feel it's better in a separate CSS style sheet - maybe this could be an option (add a generic class to this widget)?

Feature: enable throwing a `SpamDetectedException` when spam is detected

I think there should be an option for a SpamDetectedException to be thrown. This enables an app to catch this and add their own fake success system globally. For instance, catch this exception in an exception listener, then redirect to the homepage with a "thank you" flash to imply the form was processed correctly.

My thinking (at least for profiles) is a config like this:

antispam:
  profiles:
    default:
      throw: true

Or maybe a mode option, as this option isn't compatible with passive mode:

antispam:
  profiles:
    default:
      mode: exception # one of "exception", "passive", "error"
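The "catch it in an exception listener and fake success" idea from the request above, written out as an added example (not code from the bundle or from the issue author). It assumes the proposed exception class exists under the bundle namespace and that the app has a route named `homepage`; it also logs the rejection, which is what the logging feature request further down asks for:

```php
<?php
// Added example. SpamDetectedException is the exception proposed in the issue
// (class name and namespace assumed); "homepage" is an assumed route name.

namespace App\EventListener;

use Omines\AntiSpamBundle\Exception\SpamDetectedException;
use Psr\Log\LoggerInterface;
use Symfony\Component\EventDispatcher\Attribute\AsEventListener;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Session\FlashBagAwareSessionInterface;
use Symfony\Component\HttpKernel\Event\ExceptionEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;

#[AsEventListener(event: KernelEvents::EXCEPTION)]
final class SpamDetectedListener
{
    public function __construct(
        private readonly UrlGeneratorInterface $urlGenerator,
        private readonly LoggerInterface $logger,
    ) {
    }

    public function __invoke(ExceptionEvent $event): void
    {
        $throwable = $event->getThrowable();
        if (!$throwable instanceof SpamDetectedException) {
            return; // not ours: leave normal exception handling untouched
        }

        $request = $event->getRequest();
        // Keep a server-side record for tuning the profiles; nothing here is shown to the submitter.
        $this->logger->notice('Spam submission rejected', [
            'route'  => $request->attributes->get('_route'),
            'ip'     => $request->getClientIp(),
            'reason' => $throwable->getMessage(),
        ]);

        if ($request->hasSession() && ($session = $request->getSession()) instanceof FlashBagAwareSessionInterface) {
            $session->getFlashBag()->add('success', 'Thank you, your message has been received.');
        }

        // Answer exactly like a legitimate submission: a 302 to the homepage. Without
        // allowCustomResponseCode() the kernel would rewrite the status to 500.
        $event->setResponse(new RedirectResponse($this->urlGenerator->generate('homepage')));
        $event->allowCustomResponseCode();
    }
}
```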

Error in French translation

When using version 0.1.5 Symfony throws two errors:

1. In YamlFileLoader.php line 42:

The file "***/vendor/omines/antispam-bundle/translations/antispam+intl-icu.fr.yaml" does not contain valid YAML: Unexpected characters near "a pas pu être traité. Veuillez nous contacter si le problème persiste.'" at line 2 (near "stealthed: 'Le formulaire soumis n'a pas pu être traité. Veuillez nous contacter si le problème

2. In Parser.php line 757:

Unexpected characters near "a pas pu être traité. Veuillez nous contacter si le problème persiste.'" at line 2 (near "stealthed: 'Le formulaire soumis n'a pas pu être traité. Veuillez nous contacter s i le problème persiste.'").

Unfortunately, I can't see what the problem is, but something seems to be wrong there.

Feature: logging

I think it would be nice to have a LoggingSubscriber that listens to the ValidatorViolationEvent and logs errors. This could be enabled/disabled via the bundle config:

antispam:
    logging:
        enabled: true
        level: notice

If interested, I can work on this.
