omines / antispam-bundle
The Swiss Army Knife of battling form spam in your Symfony application!
Home Page: https://omines.github.io/antispam-bundle/
License: MIT License
Hello :)
Thank you for your bundle, very useful!
Just one suggestion: could you make the min value of the timer feature a float instead of an int, to allow values below 1?
Because in my case, for urlr.me, I would prefer a value like 0.3 or 0.4 to make sure we don't prevent a human from quickly reducing his link.
What do you think?
I think there should be an option for a SpamDetectedException to be thrown. This enables an app to catch this and add their own fake success system globally. For instance, catch this exception in an exception listener, then redirect to the homepage with a "thank you" flash to imply the form was processed correctly.
My thinking (at least for profiles), is a config like this:
antispam:
    profiles:
        default:
            throw: true
Or maybe a mode option as this option isn't compatible with passive mode:
antispam:
    profiles:
        default:
            mode: exception # one of "exception", "passive", "error"
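The "catch it in an exception listener and fake success" idea from this comment, as an added example that is not the bundle's code: the exception class name, the `homepage` route and the flash message are assumptions.

```php
<?php
// Added example (not the bundle's code): a kernel.exception listener that turns a
// SpamDetectedException into a fake "success" redirect, so the submitter learns
// nothing while the operator still gets a log line.
namespace App\EventListener;

use Omines\AntiSpamBundle\Exception\SpamDetectedException; // assumed class name
use Psr\Log\LoggerInterface;
use Symfony\Component\EventDispatcher\Attribute\AsEventListener;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\HttpFoundation\Session\FlashBagAwareSessionInterface;
use Symfony\Component\HttpKernel\Event\ExceptionEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;

#[AsEventListener(event: KernelEvents::EXCEPTION)]
final class SpamDetectedListener
{
    public function __construct(
        private readonly UrlGeneratorInterface $urlGenerator,
        private readonly RequestStack $requestStack,
        private readonly LoggerInterface $logger,
    ) {
    }

    public function __invoke(ExceptionEvent $event): void
    {
        $exception = $event->getThrowable();
        if (!$exception instanceof SpamDetectedException) {
            return; // leave every other exception to Symfony's normal handling
        }

        // Keep the evidence server-side: path and reason go to the log only.
        $this->logger->notice('Form submission rejected as spam', [
            'path' => $event->getRequest()->getPathInfo(),
            'reason' => $exception->getMessage(),
        ]);

        $session = $this->requestStack->getSession();
        if ($session instanceof FlashBagAwareSessionInterface) {
            $session->getFlashBag()->add('success', 'Thank you, your message has been received.');
        }

        // 'homepage' is an assumed route name; any "thank you" page will do.
        $event->setResponse(new RedirectResponse($this->urlGenerator->generate('homepage')));
    }
}
```

Because the response is set inside the listener, the spam request never reaches a controller, so nothing downstream needs to know the submission was dropped.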
Instead of validation errors - even "stealth" ones, I think there should be a way to make it look like the form was submitted successfully. I'm not yet sure how this could work. Maybe an option to throw an exception that can be listened to and converted into/redirected to a "thank you for submitting page"
Ref: https://blog.stefanolaru.com/how-to-make-the-honeypot-field-more-effective (specifically this)
bin/console antispam:stats
Show summaries of spam per day, most seen URLs in content, most effective measures
bin/console antispam:quarantine
Browse the quarantine for a given timespan.
As I suggested in the recipe PR, I think for most of your application's tests, you'd want antispam disabled.
# config/packages/antispam.yaml
when@test:
    antispam:
        profiles:
            default:
                passive: true
In my app, I wanted to have just a single test that ensured the antispam system (short submit specifically) was working. This was my solution:
# config/packages/antispam.yaml
when@test:
    antispam:
        profiles:
            default:
                passive: '%env(not:default::ENABLE_ANTISPAM)%' # Disable antispam for tests unless ENABLE_ANTISPAM=1
Then, at the beginning of the test you want antispam enabled, add the following:
/**
 * @test
 */
public function antispam_short_submit(): void
{
    $_ENV['ENABLE_ANTISPAM'] = '1';
    // create client, submit form and ensure spam was detected
}
You also need to unset this environment variable in the test case's tearDown method to ensure subsequent tests do not have this environment variable set:
protected function tearDown(): void
{
    unset($_ENV['ENABLE_ANTISPAM']);
}
Of course, I may have missed an easier way to achieve this.
Anyway, I don't think we should set this as the default in the recipe as it's a bit tricky to reason about. I was thinking maybe a little note in the docs somewhere?
I've read in a few places that bots understand display: none and know not to fill this field. This is an interesting article that shows an alternative: https://blog.stefanolaru.com/how-to-make-the-honeypot-field-more-effective
I mean, if a bot can understand display: none, they can likely determine it isn't in the viewport but... maybe it's just something that can help filter out the less advanced bots? I also feel it's better in a separate css style sheet - maybe this could be an option (add a generic class to this widget)?
I'm not sure I completely understand passive mode. My thought was it didn't fail the validation but logged the "failure". This doesn't seem to be working - it still fails the form validation.
We should add the ResetInterface to AntiSpam to ensure long-running processes (i.e. frankenphp, roadrunner) reset this value after each request.
When using version 0.1.5, Symfony throws two errors:
1. In YamlFileLoader.php line 42:
The file "***/vendor/omines/antispam-bundle/translations/antispam+intl-icu.fr.yaml" does not contain valid YAML: Unexpected characters near "a pas pu être traité. Veuillez nous contacter si le problème persiste.'" at line 2 (near "stealthed: 'Le formulaire soumis n'a pas pu être traité. Veuillez nous contacter si le problème
2. In Parser.php line 757:
Unexpected characters near "a pas pu être traité. Veuillez nous contacter si le problème persiste.'" at line 2 (near "stealthed: 'Le formulaire soumis n'a pas pu être traité. Veuillez nous contacter s i le problème persiste.'").
Unfortunately, I can't see what the problem is, but something seems to be wrong there.
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
This repository currently has no open or pending branches.
composer.json
php >=8.1
psr/log ^3.0
symfony/clock ^6.3|^7.0
symfony/form ^6.3|^7.0
symfony/framework-bundle ^6.3|^7.0
symfony/translation ^6.3|^7.0
symfony/twig-bridge ^6.3|^7.0
symfony/validator ^6.3|^7.0
symfony/yaml ^6.3|^7.0
ekino/phpstan-banned-code ^1.0
friendsofphp/php-cs-fixer ^3.59.3
infection/infection ^0.29.5
phpstan/extension-installer ^1.4.1
phpstan/phpstan ^1.11.5
phpstan/phpstan-phpunit ^1.4.0
phpstan/phpstan-symfony ^1.4.4
phpunit/phpunit ^10.5.15 || ^11.2.2
symfony/browser-kit ^6.3|^7.1.1
symfony/css-selector ^6.3|^7.1.1
symfony/debug-bundle ^6.3|^7.1.1
symfony/dotenv ^6.3|^7.1.1
symfony/monolog-bundle ^3.10
symfony/routing ^6.3|^7.1.1
symfony/runtime ^6.3|^7.1.1
symfony/twig-bundle ^6.3|^7.1.1
symfony/web-profiler-bundle ^6.3|^7.1.1
.github/workflows/ci.yaml
actions/checkout v4
shivammathur/setup-php v2
codecov/codecov-action v4
.github/workflows/docs.yaml
actions/checkout v4
actions/setup-python v5
actions/cache v4
.github/workflows/psalm.yml
actions/checkout v4
github/codeql-action v3
I think it would be nice to have a LoggingSubscriber that listens to the ValidatorViolationEvent and logs errors. This could be enabled/disabled via the bundle config:
antispam:
    logging:
        enabled: true
        level: notice
If interested, I can work on this.
We are currently trying the bundle with Symfony 7 and are getting the following deprecation notice:
Method "Symfony\Component\HttpKernel\Bundle\Bundle::build()" might add "void" as a native return type declaration in the future. Do the same in child class "Omines\AntiSpamBundle\AntiSpamBundle" now to avoid errors or add an explicit @return annotation to suppress this message.
Just to let you know.
First of all, nice bundle! The docs are beautiful!
I have my own home grown honeypot/short submit system that I'm going to switch to this bundle.
Recently, we have been getting hammered by spam that gets past these two protections so I've implemented a rate limiting system: "can only submit a valid form once per minute and 5 times per hour"
Thought it could be a nice feature for this bundle.
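The "once per minute and 5 times per hour" policy from this comment, implemented with Symfony's RateLimiter component as an added example (not the bundle's or the commenter's code): the limiter names, the ContactType form, the template and the `homepage` route are assumptions.

```php
<?php
// Added example (not the bundle's or the issue author's code): throttle *valid*
// form submissions per client with Symfony's RateLimiter component.
// Assumed config in config/packages/rate_limiter.yaml:
//   framework:
//       rate_limiter:
//           form_submit_minute: { policy: fixed_window, limit: 1, interval: '1 minute' }
//           form_submit_hour:   { policy: sliding_window, limit: 5, interval: '1 hour' }
namespace App\Controller;
use App\Form\ContactType; // assumed form type
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\RateLimiter\RateLimiterFactory;
use Symfony\Component\Routing\Attribute\Route;

final class ContactController extends AbstractController
{
    public function __construct(
        // Autowired by argument name from the limiter names in the config above.
        private readonly RateLimiterFactory $formSubmitMinuteLimiter,
        private readonly RateLimiterFactory $formSubmitHourLimiter,
    ) {}

    #[Route('/contact', name: 'contact', methods: ['GET', 'POST'])]
    public function __invoke(Request $request): Response
    {
        $form = $this->createForm(ContactType::class);
        $form->handleRequest($request);

        if ($form->isSubmitted() && $form->isValid()) {
            // Key on the client IP; behind a reverse proxy, configure trusted_proxies
            // first or every client shares the proxy's address.
            $key = $request->getClientIp() ?? 'unknown';
            // Check the stricter window first so a per-minute rejection does not
            // also burn a token from the hourly budget.
            if (!$this->formSubmitMinuteLimiter->create($key)->consume()->isAccepted()
                || !$this->formSubmitHourLimiter->create($key)->consume()->isAccepted()) {
                // Same fake-success behaviour as the SpamDetectedException idea in this thread.
                $this->addFlash('success', 'Thank you, your message has been received.');
                return $this->redirectToRoute('homepage'); // assumed route name
            }
            // ... deliver the message here, then show the real success flash.
            $this->addFlash('success', 'Thank you, your message has been received.');
            return $this->redirectToRoute('homepage');
        }
        return $this->render('contact/index.html.twig', ['form' => $form]);
    }
}
```

Only valid submissions consume budget, so a honeypot or short-submit rejection earlier in the pipeline does not count against a legitimate client who retries.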