Merge pull request #140 from WebDevStudios/feature/60-comment-spam-protection

Feature/60 comment spam protection

Author: Greg Rickaby

api/frontend/wp/comments/mutationAddComment.js

@@ -18,6 +18,7 @@ const mutationAddComment = gql`
       postId: $postId,
       content: $content
     ) @rest(type: "Comments", path: "${wpDataEndpoints.postComment}?{args}") {
+      success
       comment {
         ${commentsFields}
       }

api/wordpress/_global/postCommentToPost.js

@@ -36,6 +36,7 @@ export default async function postCommentToPost(
   // Set up return object.
   const response = {
     apolloClient,
+    success: false,
     comment: null
   }
 
@@ -61,6 +62,7 @@ export default async function postCommentToPost(
         return null
       }
 
+      response.success = data.createComment.success
       response.comment = data.createComment.comment
     })
     .catch((error) => {

api/wordpress/comments/mutationCommentToPost.js

@@ -19,6 +19,7 @@ const mutationCommentToPost = gql`
         content: $content
       }
     ) {
+      success
       comment {
         ${commentsFields}
       }

pages/api/wp/postComment.js

@@ -12,6 +12,15 @@ export default async function postComment(req, res) {
     // Retrieve props from request query params.
     const {author, authorEmail, authorUrl, postId, content} = req.query
 
+    // Basic check to see if the referer matches the host.
+    // This is trivially easy to bypass, but it's a first step.
+    if (
+      !req.headers.referer ||
+      !req.headers.referer.includes(req.headers.host)
+    ) {
+      throw new Error('Unauthorized access')
+    }
+
     const commentResponse = await postCommentToPost(
       author,
       authorEmail,