Honeypot fields and logic (#48)

Co-authored-by: Rocket <[email protected]>

Author: SammySteiner

app-rails/app/controllers/users/passwords_controller.rb

@@ -9,7 +9,8 @@ def forgot
 
   def send_reset_password_instructions
     email = params[:users_forgot_password_form][:email]
-    @form = Users::ForgotPasswordForm.new(email: email)
+    spam_trap = params[:users_forgot_password_form][:spam_trap]
+    @form = Users::ForgotPasswordForm.new(email: email, spam_trap: spam_trap)
 
     if @form.invalid?
       flash.now[:errors] = @form.errors.full_messages
@@ -59,6 +60,6 @@ def auth_service
     end
 
     def reset_password_params
-      params.require(:users_reset_password_form).permit(:email, :code, :password)
+      params.require(:users_reset_password_form).permit(:email, :code, :password, :spam_trap)
     end
 end

app-rails/app/controllers/users/registrations_controller.rb

@@ -77,7 +77,7 @@ def auth_service
     end
 
     def registration_params
-      params.require(:users_registration_form).permit(:email, :password, :password_confirmation, :role)
+      params.require(:users_registration_form).permit(:email, :password, :password_confirmation, :role, :spam_trap)
     end
 
     def verify_account_params

app-rails/app/controllers/users/sessions_controller.rb

@@ -94,7 +94,7 @@ def auth_service
     def new_session_params
       # If :users_new_session_form is renamed, make sure to also update it in
       # cognito_authenticatable.rb otherwise login will not work.
-      params.require(:users_new_session_form).permit(:email, :password)
+      params.require(:users_new_session_form).permit(:email, :password, :spam_trap)
     end
 
     # This is similar to the default Devise SessionController implementation

app-rails/app/forms/users/forgot_password_form.rb

@@ -1,7 +1,9 @@
 class Users::ForgotPasswordForm
   include ActiveModel::Model
 
-  attr_accessor :email
+  attr_accessor :email, :spam_trap
 
   validates :email, format: { with: URI::MailTo::EMAIL_REGEXP }
+
+  validates :spam_trap, absence: true
 end

app-rails/app/forms/users/new_session_form.rb

@@ -3,8 +3,10 @@
 class Users::NewSessionForm
   include ActiveModel::Model
 
-  attr_accessor :email, :password
+  attr_accessor :email, :password, :spam_trap
 
   validates :email, :password, presence: true
   validates :email, format: { with: URI::MailTo::EMAIL_REGEXP }, if: -> { email.present? }
+
+  validates :spam_trap, absence: true
 end

app-rails/app/forms/users/registration_form.rb

@@ -3,10 +3,12 @@
 class Users::RegistrationForm
   include ActiveModel::Model
 
-  attr_accessor :email, :password, :password_confirmation, :role
+  attr_accessor :email, :password, :password_confirmation, :role, :spam_trap
 
   validates :email, :password, :role, presence: true
   validates :email, format: { with: URI::MailTo::EMAIL_REGEXP }, if: -> { email.present? }
 
   validates :password, confirmation: true, if: -> { password.present? }
+
+  validates :spam_trap, absence: true
 end

app-rails/app/forms/users/reset_password_form.rb

@@ -3,9 +3,11 @@
 class Users::ResetPasswordForm
   include ActiveModel::Model
 
-  attr_accessor :email, :password, :code
+  attr_accessor :email, :password, :code, :spam_trap
 
   validates :email, :password, :code, presence: true
   validates :email, format: { with: URI::MailTo::EMAIL_REGEXP }, if: -> { email.present? }
   validates :code, length: { is: 6 }, if: -> { code.present? }
+
+  validates :spam_trap, absence: true
 end

app-rails/app/helpers/uswds_form_builder.rb

@@ -78,6 +78,16 @@ def submit(value = nil, options = {})
     super(value, options)
   end
 
+  def honeypot_field
+    spam_trap_classes = "opacity-0 position-absolute z-bottom top-0 left-0 height-0 width-0"
+    label_text = "Do not fill in this field. It is an anti-spam measure."
+
+    @template.content_tag(:div, class: "usa-form-group #{spam_trap_classes}") do
+      label(:spam_trap, label_text, { tabindex: -1, class: "usa-label #{spam_trap_classes}" }) +
+      @template.text_field(@object_name, :spam_trap, { autocomplete: "false", tabindex: -1, class: "usa-input #{spam_trap_classes}" })
+    end
+  end
+
   ########################################
   # Custom helpers
   ########################################

app-rails/app/views/users/passwords/forgot.html.erb

@@ -5,6 +5,7 @@
 
 <%= us_form_with model: @form, url: users_forgot_password_path, local: true do |f| %>
   <%= f.email_field :email, { autocomplete: "username" } %>
+  <%= f.honeypot_field %>
 
   <%= f.submit t(".submit") %>
 <% end %>

app-rails/app/views/users/passwords/reset.html.erb

@@ -12,6 +12,7 @@
 <h1><%= t(".title") %></h1>
 
 <%= us_form_with model: @form, url: users_reset_password_path, local: true do |f| %>
+  <%= f.honeypot_field %>
   <%= f.text_field :code, { autocomplete: "off", label: t('.code'), width: "md" } %>
 
   <%= f.email_field :email, { autocomplete: "username" } %>