From 14a75a557ab68f6459810d7aee7dda6323e895b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=B6nke=20Ludwig?=
Date: Thu, 12 Dec 2024 12:43:39 +0100
Subject: [PATCH 1/2] Upgrade dependencies.

---
 dub.selections.json | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/dub.selections.json b/dub.selections.json
index fe59155..b857050 100644
--- a/dub.selections.json
+++ b/dub.selections.json
@@ -3,23 +3,23 @@
 	"versions": {
 		"botan": "1.12.18",
 		"botan-math": "1.0.3",
-		"diet-ng": "1.8.1",
-		"eventcore": "0.9.30",
+		"diet-ng": "1.8.2",
+		"eventcore": "0.9.35",
 		"libasync": "0.8.6",
 		"libevent": "2.0.2+2.0.16",
 		"memutils": "1.0.10",
-		"mir-linux-kernel": "1.0.1",
-		"openssl": "3.3.3",
+		"mir-linux-kernel": "1.2.1",
+		"openssl": "3.3.4",
 		"openssl-static": "1.0.5+3.0.8",
 		"silly": "1.1.1",
 		"stdx-allocator": "2.77.5",
 		"taggedalgebraic": "0.11.23",
 		"vibe-container": "1.3.1",
-		"vibe-core": "2.8.4",
-		"vibe-d": "0.10.0",
-		"vibe-http": "1.1.0",
-		"vibe-inet": "1.0.0",
-		"vibe-serialization": "1.0.3",
-		"vibe-stream": "1.1.0"
+		"vibe-core": "2.9.6",
+		"vibe-d": "0.10.1",
+		"vibe-http": "1.1.2",
+		"vibe-inet": "1.0.1",
+		"vibe-serialization": "1.0.6",
+		"vibe-stream": "1.1.1"
 	}
 }

From 4442b90a67aa94e119903eb367e8f230618940fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=B6nke=20Ludwig?=
Date: Thu, 12 Dec 2024 12:45:49 +0100
Subject: [PATCH 2/2] Avoid form spam for the registration form.

Uses the same mechanism as vibenews for post spam.
---
 source/userman/web.d      | 21 +++++++++++++++++++--
 views/userman.register.dt |  5 ++++-
 2 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/source/userman/web.d b/source/userman/web.d
index 910b303..419004f 100644
--- a/source/userman/web.d
+++ b/source/userman/web.d
@@ -262,13 +262,24 @@ class UserManWebInterface {
 		SessionVar!(string, "userFullName") m_sessUserFullName;
 		SessionVar!(string, "userID") m_sessUserID;
 		UserManAPISettings m_settings;
+		size_t m_postEpoch;
 	}
 
 	this(UserManAPI api, string prefix = "/")
 	{
+		import core.time : hours;
+		import std.random : unpredictableSeed;
+		import vibe.core.core : setTimer;
+
 		m_api = api;
 		m_settings = api.settings;
 		m_prefix = prefix;
+
+		// Invalidates pending forms every 2 to 4 hours, just making sure it
+		// always starts with a random number, no need to be cryptographically
+		// secure, this is just to make it a little more difficult for spammers
+		m_postEpoch = unpredictableSeed();
+		setTimer(2.hours, { m_postEpoch++; }, true);
 	}
 
 	deprecated this(UserManController controller, string prefix = "/")
@@ -319,12 +330,15 @@ class UserManWebInterface {
 	{
 		string error = _error;
 		auto settings = m_settings;
-		render!("userman.register.dt", error, settings);
+		auto postEpoch = m_postEpoch;
+		render!("userman.register.dt", error, settings, postEpoch);
 	}
 
 	@noAuth @errorDisplay!getRegister
-	void postRegister(ValidEmail email, Nullable!string name, string fullName, ValidPassword password, Confirm!"password" passwordConfirmation)
+	void postRegister(ValidEmail email, Nullable!string name, string fullName, ValidPassword password, Confirm!"password" passwordConfirmation, string check)
 	{
+		import std.conv : to;
+
 		string username;
 		if (m_settings.useUserNames) {
 			enforce(!name.isNull, "Missing user name field.");
@@ -335,6 +349,9 @@ class UserManWebInterface {
 			username = name.get;
 		} else username = email;
 
+		if (check != "a3fb"~m_postEpoch.to!string && check != "a3fb"~(m_postEpoch-1).to!string)
+			throw new Exception("Form expired");
+
 		m_api.users.register(email, username, fullName, password);
 
 		if (m_settings.requireActivation) {
diff --git a/views/userman.register.dt b/views/userman.register.dt
index 658f304..a33de99 100644
--- a/views/userman.register.dt
+++ b/views/userman.register.dt
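Review bot: The periodic timer started by `setTimer(2.hours, { m_postEpoch++; }, true);` is never stored, so nothing can stop it when the web interface is torn down, and its delegate keeps the `UserManWebInterface` instance reachable for as long as the event loop runs. Keep the handle in a field declared next to `m_postEpoch`, `Timer m_epochTimer;`, assign it with `m_epochTimer = setTimer(2.hours, { m_postEpoch++; }, true);`, and stop it from whatever shutdown path the class has (that path is outside the hunk). The comment above the seed line describes the weak-randomness trade-off well; it would help to also state that the resulting value is shared by all visitors and rendered into every registration page, so a later reader does not mistake it for a per-session secret.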
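Review bot: The new `check` parameter of `postRegister` carries the anti-spam token, but nothing at the signature says where it comes from or what value is expected; a reader has to open views/userman.register.dt to learn that it is the hidden `check` field completed by the page's inline script. A comment above the `@noAuth @errorDisplay!getRegister` line along the lines of `// check: anti-spam token from the hidden "check" form field; expected "a3fb" ~ current or previous m_postEpoch, completed client-side by the template's script` would make the contract explicit. Note that `getRegister` hands the same `postEpoch` to every visitor, so the value is per-page public state rather than a session-bound secret.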
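Review bot: The comparison at `if (check != "a3fb"~m_postEpoch.to!string && check != "a3fb"~(m_postEpoch-1).to!string)` accepts a value that is identical for all clients and is rendered into every registration page, so it only separates clients that executed the page's script from those that did not; it is neither a per-session/CSRF token nor a rate limit, and a one-line comment saying so would stop it being mistaken for either later. Any client with scripting disabled submits the unmodified `value="3fb"` and is told "Form expired", which misdescribes the failure; `throw new Exception("Form expired or JavaScript disabled - please reload the page and try again");` tells such users what to do. The check correctly runs before `m_api.users.register(...)`, so a rejected submission never touches the user store. The rest of `postRegister` is outside the hunk.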
@@ -35,4 +35,7 @@ block userman.content
 				label(for="passwordConfirmation") Password confirmation:
 			td
 				input(type="password", name="passwordConfirmation")
-	button(type="submit") Register account
\ No newline at end of file
+	input#fc(type="hidden", name="check", value="3fb")
+	button(type="submit") Register account
+
+	script var fc=document.getElementById("fc");fc.setAttribute("value","a"+fc.getAttribute("value")+"#{postEpoch}");
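Review bot: The token is only completed by the inline `script` line, so a browser with scripting disabled, or a deployment whose Content-Security-Policy forbids inline scripts if one is set, submits `value="3fb"` unchanged and every registration is rejected server-side with no hint why. Adding `noscript p JavaScript must be enabled to register.` next to the hidden input would explain the failure, and if a CSP is in use the handler would need to move to a nonce'd or external script. `#{postEpoch}` is interpolated inside a JavaScript string literal; Diet's `#{}` presumably applies HTML escaping rather than JS-string escaping, which is harmless for the numeric epoch but would need revisiting if the token format ever became non-numeric. The enclosing `block userman.content` starts outside the hunk.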