New Spinner, IP based, validation check #89
@yoshie902a I finally took a little bit different approach. More or less, now this is ready I'd say. I'll test this branch a bit more before merging and pushing a new release. To test this branch:
@markets @yoshie902a I think the documentation here could be improved. I'd offer to help, but I'm not certain what "IP based 🔍 spinner validation" is, and the Google results I'm seeing aren't really useful 😕 Is there a less-jargony term than "spinner", or some external resource we can link to that explains what this term means in the context of spam prevention? Or a quick one/two sentence explanation that could be added to the README? Looking at the code, the "spinner" appears to be a hash that ensures the IP address that requested the form and the IP address that submitted the form are the same?
- `visual_honeypots`: make honeypots visible, also useful to test/debug your implementation. | ||
- `timestamp_threshold`: fastest time (in seconds) to expect a human to submit the form (see [original article by Yoav Aner](https://blog.gingerlime.com/2012/simple-detection-of-comment-spam-in-rails/) outlining the idea). By default, 4 seconds. **NOTE:** It's recommended to deactivate the autocomplete feature to avoid false positives (`autocomplete="off"`). | ||
- `timestamp_enabled`: option to disable the time threshold check at application level. Could be useful, for example, on some testing scenarios. By default, true. | ||
- `timestamp_error_message`: flash error message thrown when form submitted quicker than the `timestamp_threshold` value. It uses I18n by default. | ||
- `injectable_styles`: if enabled, you should call anywhere in your layout the following helper `<%= invisible_captcha_styles %>`. This allows you to inject styles, for example, in `<head>`. False by default, styles are injected inline with the honeypot. | ||
- `spinner_enabled`: option to disable the IP spinner validation. | ||
- `secret`: customize the secret key to encode some internal values. By default, it reads the environment variable `ENV['INVISIBLE_CAPTCHA_SECRET']` and fallbacks to random value. Be careful, if you are running multiple Rails instances behind a load balancer, use always the same value via the environment variable. |
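Review bot: the `spinner_enabled` entry gives neither a default value nor a description of what the check validates, while the neighbouring `timestamp_enabled` entry states "By default, true"; add the default and one sentence saying what is compared and when a submission is rejected. In the `secret` entry, "fallbacks to random value" should read "falls back to a random value", and because that fallback differs between instances, the load-balancer caveat would be easier to spot as a **NOTE:** in the same style as the one on `timestamp_threshold`.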
This is probably worth adding to the Changelog, since my understanding is that after an upgrade things may not work properly in multiple-instance environments unless this ENV is set?
Closes #84
Supersedes #85
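
The multi-instance concern raised in the review comment above, as an added Ruby example that is not the gem's own code: a token bound to the client IP validates only when the instance that renders the form and the instance that receives the submission share one secret. `SpinnerToken`, `resolve_secret`, `cross_instance_accepts?`, the HMAC-SHA256 construction and the render timestamp in the token are assumptions for illustration; only the `INVISIBLE_CAPTCHA_SECRET` variable and the random fallback come from the README text.

```ruby
require "openssl"
require "securerandom"

# Hypothetical helper (not invisible_captcha's implementation): derives a
# form token from the server secret, the client IP and the render timestamp.
class SpinnerToken
  def initialize(secret)
    @secret = secret
  end

  # Value placed in a hidden field when the form is rendered.
  def issue(ip, rendered_at)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, "#{rendered_at}-#{ip}")
  end

  # On submit: recompute from the submitting IP and compare without
  # short-circuiting on the first differing byte.
  def valid?(token, ip, rendered_at)
    return false unless token.is_a?(String)
    expected = issue(ip, rendered_at)
    return false unless token.bytesize == expected.bytesize
    token.bytes.zip(expected.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Mirrors the behaviour the README describes: read the environment variable,
# otherwise fall back to a random value generated by this process.
def resolve_secret(env)
  env["INVISIBLE_CAPTCHA_SECRET"] || SecureRandom.hex(64)
end

# Simulates two instances behind a load balancer: A renders the form, B
# receives the POST. The IP and timestamp defaults are constructed sample values.
def cross_instance_accepts?(env_a, env_b, ip: "203.0.113.7", rendered_at: 1_700_000_000)
  instance_a = SpinnerToken.new(resolve_secret(env_a))
  instance_b = SpinnerToken.new(resolve_secret(env_b))
  instance_b.valid?(instance_a.issue(ip, rendered_at), ip, rendered_at)
end
```

With an empty environment on both instances, each draws its own random secret and legitimate submissions routed to the other instance are rejected, which is the upgrade hazard the comment asks to record in the Changelog.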