Add hidden nonce (honeypot) field to filter bot autofills on subs page

knadh · Apr 21, 2021 · fe61e89 · fe61e89
1 parent 97d297e
commit fe61e89
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 0 deletions.
diff --git a/cmd/public.go b/cmd/public.go
@@ -302,6 +302,14 @@ func handleSubscriptionForm(c echo.Context) error {
 		return err
 	}
 
+	// If there's a nonce value, a bot could've filled the form.
+	if c.FormValue("nonce") != "" {
+		return c.Render(http.StatusOK, tplMessage,
+			makeMsgTpl(app.i18n.T("public.errorTitle"), "",
+				app.i18n.T("public.invalidFeature")))
+
+	}
+
 	if len(req.SubListUUIDs) == 0 {
 		return c.Render(http.StatusBadRequest, tplMessage,
 			makeMsgTpl(app.i18n.T("public.errorTitle"), "",

diff --git a/static/public/static/style.css b/static/public/static/style.css
@@ -274,6 +274,9 @@ input[type="text"], input[type="email"], select {
 .form .lists {
   margin-top: 45px;
 }
+  .form .nonce {
+    display: none;
+  }
 
 .footer {
   text-align: center;

diff --git a/static/public/templates/subscription-form.html b/static/public/templates/subscription-form.html
@@ -8,6 +8,8 @@ <h2>{{ L.T "public.subTitle" }}</h2>
             <p>
                 <label>{{ L.T "subscribers.email" }}</label>
                 <input name="email" required="true" type="email" placeholder="{{ L.T "subscribers.email" }}" autofocus="true" >
+
+                <input name="nonce" class="nonce" value="" />
             </p>
             <p>
                 <label>{{ L.T "public.subName" }}</label>