Add spam protection to signup form #215
Merged
In the Postmark activity I've noticed a lot of "verify your email"
messages being sent and not actioned. Many of these are bouncing,
which hurts our email deliverability. Anecdotally more legitimate
emails from jam.coop are going to spam than before.
To mitigate this I've added a Cloudflare Turnstile[1] "captcha" to the
registration form to hopefully prevent these non-genuine
signups (which I assume are from scripts) from occurring.
I decided to use the rails-cloudflare-turnstile[2] gem to do the heavy
lifting here, primarily to avoid having to write the code that makes
the verification request to the cloudflare API[3].
I've mostly followed the setup instructions for that gem with a couple
of changes:
development/testing tokens so that we can see the real captcha
locally.
script is always loaded and reloaded when the signup page is visited
or re-rendered after a validation error. Setting data-turbo=false
on the signup form ensures that it is submitted without turbo and
therefore reloads the cloudflare JS widget on re-render. Including the
cloudflare script with the data-turbo-track and data-turbo-temporary
options ensures that it is reloaded if the user navigates away from signup and back again.
I've also set the two new ENV variables using the credentials provided
by Cloudflare[4].
[1] https://developers.cloudflare.com/turnstile/
[2] https://github.com/instrumentl/rails-cloudflare-turnstile
[3] https://github.com/instrumentl/rails-cloudflare-turnstile/blob/main/lib/rails_cloudflare_turnstile/controller_helpers.rb
[4] https://dash.cloudflare.com/
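For readers who want to see what the gem's controller helper is doing on the server side, here is an added, stand-alone Ruby example of the Turnstile "siteverify" check that is not part of this PR or of the rails-cloudflare-turnstile gem. It posts the widget token to Cloudflare's documented endpoint (https://challenges.cloudflare.com/turnstile/v0/siteverify), interprets the JSON reply, and treats every failure path (missing token, network error, unparseable body, error codes, hostname mismatch) as a rejection. The `expected_hostname` check, the injectable `http:` argument, the `TurnstileResult` struct and the sample "jam.coop" hostname are all assumptions made for this example.

```ruby
require "json"
require "net/http"
require "uri"

# Cloudflare's documented server-side verification endpoint.
TURNSTILE_SITEVERIFY = URI("https://challenges.cloudflare.com/turnstile/v0/siteverify")

# Outcome of a verification; hypothetical struct for this example.
TurnstileResult = Struct.new(:passed, :reason, :hostname, keyword_init: true)

# Interpret a siteverify JSON body. Fail closed: anything that is not an
# explicit {"success": true} is a rejection, and the reason is kept so it
# can be logged. The optional expected_hostname check (an assumption, not
# something Cloudflare requires) rejects a token that was solved for a
# different site and then replayed against this form.
def interpret_siteverify(body, expected_hostname: nil)
  data = JSON.parse(body)
  unless data["success"] == true
    codes = Array(data["error-codes"])
    return TurnstileResult.new(passed: false,
                               reason: codes.empty? ? "failed" : codes.join(","),
                               hostname: data["hostname"])
  end
  if expected_hostname && data["hostname"] != expected_hostname
    return TurnstileResult.new(passed: false, reason: "hostname-mismatch",
                               hostname: data["hostname"])
  end
  TurnstileResult.new(passed: true, reason: nil, hostname: data["hostname"])
rescue JSON::ParserError
  # A non-JSON body (proxy error page, truncated response) must not pass.
  TurnstileResult.new(passed: false, reason: "unparseable-response", hostname: nil)
end

# Send the token the widget placed in the form (the "cf-turnstile-response"
# field) to Cloudflare together with the secret key. `http:` defaults to
# Net::HTTP and is injectable so the logic can be exercised offline.
def verify_turnstile(token, secret:, remoteip: nil, expected_hostname: nil, http: Net::HTTP)
  if token.nil? || token.strip.empty?
    return TurnstileResult.new(passed: false, reason: "missing-input-response")
  end
  params = { "secret" => secret, "response" => token }
  params["remoteip"] = remoteip if remoteip
  response = http.post_form(TURNSTILE_SITEVERIFY, params)
  interpret_siteverify(response.body, expected_hostname: expected_hostname)
rescue SocketError, Timeout::Error, IOError => e
  # Network trouble is a rejection too, never a silent pass.
  TurnstileResult.new(passed: false, reason: "network-error: #{e.class}")
end

# Constructed sample reply, used only to show the helper offline.
SAMPLE_OK_BODY = '{"success":true,"challenge_ts":"2024-01-01T00:00:00Z","hostname":"jam.coop","error-codes":[]}'

def demo
  result = interpret_siteverify(SAMPLE_OK_BODY, expected_hostname: "jam.coop")
  puts "passed=#{result.passed} hostname=#{result.hostname}"
  result
end
```

In a Rails controller this would sit in a before_action on the create route, and a failed result should re-render the signup form (which, with the data-turbo=false form described above, reloads the widget so the user gets a fresh token) rather than raise.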