Unverified Commit 8d7bf6e8 authored by Birte Kristina Friesel's avatar Birte Kristina Friesel

Randomize registration URL; more lenient registration timing checks.

Apparently, there are botnets whose sole purpose is to flood the mailboxes of
individual users by signing them up for as many online services as possible.
And neither CSRF validation nor timing checks nor blocking TOR exits really
helped; they only reduced the issue somewhat.

Randomized registration URLs seem to work (for now).
parent ca4b40c3
+6 −2
@@ -94,6 +94,8 @@ sub startup {
	chomp $self->config->{version};
	$self->defaults( version => $self->config->{version} // 'UNKNOWN' );

	$self->config->{registration}{link} = '/register/' . 10 + int( rand(70) );

	$self->plugin(
		authentication => {
			autoload_user => 1,
@@ -3234,8 +3236,10 @@ sub startup {
	}

	if ( not $self->config->{registration}{disabled} ) {
		$r->get('/register')->to('account#registration_form');
		$r->post('/register')->to('account#register');
		$r->get( $self->config->{registration}{link} )
		  ->to('account#registration_form')
		  ->name('registration_form');
		$r->post( $self->config->{registration}{link} )->to('account#register');
	}

	my $authed_r = $r->under(
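Review bot: On the line assigning `$self->config->{registration}{link}`, `.` and `+` share the same precedence and associate left to right, so the expression parses as `('/register/' . 10) + int( rand(70) )`; the string is coerced to 0 in numeric context (with an "isn't numeric" warning under `use warnings`), so the stored link is a bare number such as `42` rather than `/register/42`, and that bare number is what the second hunk passes as the route pattern. Parenthesize the arithmetic: `$self->config->{registration}{link} = '/register/' . ( 10 + int( rand(70) ) );`. Even once corrected, `rand(70)` leaves only 70 possible paths and the landing-page template publishes the chosen one via `url_for`, so the measure only deters bots that never fetch the page; a longer token drawn from a wider range would raise the enumeration cost. The value is also computed once in `startup`, so it presumably changes on every restart or hot-deploy and a form rendered before that point will POST to a path that no longer exists — worth a one-line comment next to the assignment. `startup` begins before the first hunk and ends after the second.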
+1 −1
@@ -345,7 +345,7 @@ sub register {
	}

	if ( not $dt
		or DateTime->now( time_zone => 'Europe/Berlin' )->epoch - $dt < 10 )
		or DateTime->now( time_zone => 'Europe/Berlin' )->epoch - $dt < 3 )
	{
		# a human user should take at least ten seconds to fill out the form.
		# Throw a CSRF error at presumed spammers.
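Review bot: The comment `# a human user should take at least ten seconds to fill out the form.` no longer matches the code if, as the commit message's "more lenient" suggests, the `< 3` comparison is the new side; change it to `# a human user should take at least three seconds to fill out the form.` or define the threshold once as a named constant that both the comparison and the comment refer to, so they cannot drift apart again. `$dt` is the epoch the client echoes back from the hidden field rendered by the template, so this check only bounds the interval the client claims; a matching upper bound (rejecting a `$dt` older than a sensible form lifetime) would restore some value to the timing check. `register` starts before and ends after this hunk.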
+1 −1
@@ -143,7 +143,7 @@
		</div>
		<div class="col s10 m10 l6 center-align">
			% if (not app->config->{registration}{disabled}) {
				<a href="/register" class="waves-effect waves-light btn"><i class="material-icons left" aria-hidden="true">add</i><%= L('button.register') %></a>
				<a href="<%= $self->url_for('registration_form') %>" class="waves-effect waves-light btn"><i class="material-icons left" aria-hidden="true">add</i><%= L('button.register') %></a>
			% }
			<a href="/login" class="waves-effect waves-light btn"><i class="material-icons left" aria-hidden="true">account_circle</i><%= L('button.login') %></a>
		</div>
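Review bot: The new anchor mixes `app->config` on the guard line with `$self->url_for('registration_form')` on the link; Mojolicious templates provide a `url_for` helper, so `<a href="<%= url_for 'registration_form' %>" class="waves-effect waves-light btn">` keeps the template free of the controller object and reads like the `app->` call above it. Because the `registration_form` route is only registered when registration is not disabled, keeping this call inside the `% if` guard is essential; a comment on the guard, `%# registration_form only exists when registration is enabled`, would stop a later edit from hoisting it out.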
+1 −1
% if (my $invalid = stash('invalid')) {
	%= include '_invalid_input', invalid => $invalid
% }
%= form_for '/register' => (method => 'POST') => begin
%= form_for $self->url_for => (method => 'POST') => begin
	%= csrf_field
	%= hidden_field dt => DateTime->now(time_zone => 'Europe/Berlin')->epoch
	<div class="row">