
New Spinner, IP based, validation check #89

Merged
merged 19 commits into from Feb 27, 2021

Conversation

@markets (Owner) commented Feb 20, 2021

Closes #84
Supersedes #85

@markets (Owner, Author) commented Feb 20, 2021

@yoshie902a I finally took a little bit different approach. More or less, now this is ready I'd say. I'll test this branch a bit more before merging and pushing a new release.

To test this branch:

gem 'invisible_captcha', github: 'markets/invisible_captcha', branch: 'ip_validation'

@markets markets merged commit 954312b into master Feb 27, 2021
@markets markets deleted the ip_validation branch February 27, 2021 19:34
@kylefox (Contributor) commented May 14, 2021

@markets @yoshie902a I think the documentation here could be improved. I'd offer to help, but I'm not certain what "IP based 🔍 spinner validation" is, and the google results I'm seeing aren't really useful 😕

Is there a less-jargony term than "spinner", or some external resource we can link to that explains what this term means in the context of spam prevention? Or a quick one/two sentence explanation that could be added to the README?

Looking at the code, the "spinner" appears to be a hash that ensures the IP address that requested the form and the IP address that submitted the form are the same?

- `visual_honeypots`: make honeypots visible, also useful to test/debug your implementation.
- `timestamp_threshold`: fastest time (in seconds) to expect a human to submit the form (see [original article by Yoav Aner](https://blog.gingerlime.com/2012/simple-detection-of-comment-spam-in-rails/) outlining the idea). By default, 4 seconds. **NOTE:** It's recommended to deactivate the autocomplete feature to avoid false positives (`autocomplete="off"`).
- `timestamp_enabled`: option to disable the time threshold check at application level. Could be useful, for example, on some testing scenarios. By default, true.
- `timestamp_error_message`: flash error message thrown when form submitted quicker than the `timestamp_threshold` value. It uses I18n by default.
- `injectable_styles`: if enabled, you should call anywhere in your layout the following helper `<%= invisible_captcha_styles %>`. This allows you to inject styles, for example, in `<head>`. False by default, styles are injected inline with the honeypot.
- `spinner_enabled`: option to disable the IP spinner validation.
- `secret`: customize the secret key to encode some internal values. By default, it reads the environment variable `ENV['INVISIBLE_CAPTCHA_SECRET']` and fallbacks to random value. Be careful, if you are running multiple Rails instances behind a load balancer, use always the same value via the environment variable.
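Review bot: the `spinner_enabled` entry is the only toggle in this list that states no default and does not say what the check does; the neighbouring `timestamp_enabled` entry gives both ("By default, true"), so the new entry should match it, e.g. "`spinner_enabled`: option to disable the IP spinner validation, which ties the form to the client IP that rendered it. By default, <default>." Two wording fixes in the `secret` entry while you are there: "fallbacks to random value" should read "falls back to a random value", and "use always the same value" should read "always use the same value". Since the random fallback is per process, the load-balancer sentence is the operationally important one and would be clearer as its own sentence rather than trailing "Be careful,".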


This is probably worth adding to the Changelog, since my understanding is that after an upgrade things may not work properly in multiple-instance environments unless this ENV is set?
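The page only describes the spinner as a hash tying the IP that rendered the form to the IP that submits it (kylefox's reading above), and the README entry for `secret` says the key falls back to a random value unless the environment variable is set. The Ruby below is an added illustration of that design and of the multi-instance failure mode the review comment raises; it is not invisible_captcha's own implementation. The HMAC-SHA256 over `ip|timestamp`, the `Spinner` class and helper method names, and the sample addresses and timestamp are all assumptions constructed for this example.

```ruby
require 'openssl'
require 'securerandom'

# Hypothetical spinner (added illustration, not invisible_captcha's code):
# an HMAC-SHA256 over the client IP and the form's render timestamp, keyed
# with the application secret. The exact construction the gem uses is an
# assumption here; the page only describes the spinner as "a hash".
class Spinner
  # With no explicit secret, fall back to a random per-process value, the
  # behaviour the README describes for the `secret` option.
  def initialize(secret = nil)
    @secret = secret || SecureRandom.hex(32)
  end

  # Value embedded in the form when it is rendered.
  def generate(ip, timestamp)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, "#{ip}|#{timestamp}")
  end

  # On submit: recompute from the submitting client's IP and the timestamp
  # carried in the form, then compare without leaking timing information.
  def valid?(spinner, ip, timestamp)
    secure_equal?(spinner.to_s, generate(ip, timestamp))
  end

  private

  # Constant-time string comparison (length check first, then OR of XORs).
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed sample values (RFC 5737 documentation addresses).
RENDER_IP = '203.0.113.10'
OTHER_IP  = '198.51.100.7'
RENDER_TS = 1_613_779_200

# Same client renders and submits on one instance: passes.
def same_client_round_trip(secret)
  app = Spinner.new(secret)
  spinner = app.generate(RENDER_IP, RENDER_TS)
  app.valid?(spinner, RENDER_IP, RENDER_TS)
end

# The same spinner arrives from a different IP: rejected.
def different_ip_round_trip(secret)
  app = Spinner.new(secret)
  spinner = app.generate(RENDER_IP, RENDER_TS)
  app.valid?(spinner, OTHER_IP, RENDER_TS)
end

# Two instances behind a load balancer: one renders the form, the other
# receives the POST. Passes only if both share the same secret; with the
# random fallback (secret = nil) each process derives its own key and a
# legitimate submission is rejected.
def multi_instance_round_trip(shared_secret)
  render_node = Spinner.new(shared_secret)
  submit_node = Spinner.new(shared_secret)
  spinner = render_node.generate(RENDER_IP, RENDER_TS)
  submit_node.valid?(spinner, RENDER_IP, RENDER_TS)
end

if __FILE__ == $PROGRAM_NAME
  puts "same client, one instance:     #{same_client_round_trip('app-secret')}"
  puts "different ip:                  #{different_ip_round_trip('app-secret')}"
  puts "two instances, shared secret:  #{multi_instance_round_trip('app-secret')}"
  puts "two instances, random fallback: #{multi_instance_round_trip(nil)}"
end
```

The last case is the one the Changelog note above is about: nothing is misconfigured on either node, yet every form rendered by one process and posted to the other fails validation, which a deployment would see as a sudden spike in rejected submissions after the upgrade rather than as an error. Setting one shared `INVISIBLE_CAPTCHA_SECRET` across instances is what makes the third case pass.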

Successfully merging this pull request may close these issues.

Spinner field?