Add invisible captcha for registration and newsletter forms

Extracts a module for using the invisible captcha view helper with
Phlex. Since the helper makes uses of "concat" and "session" I also had
to use the Phlex Rails macro convention for registering access to those
helper methods.

We also need to deal with invisible captcha for specs; currently
disabling timing and spinner checks.

We also need to deal with the gem for wasm because we reference it in an
initializer.

Author: rossta

Gemfile

@@ -35,6 +35,7 @@ gem "rouge", group: [:default, :wasm] # Pure Ruby syntaix highlighter [https://g
 gem "sitepress-rails", group: [:default, :wasm] # Static site generator for Rails [https://sitepress.cc/getting-started/rails]
 gem "phlex-rails", group: [:default, :wasm] # An object-oriented alternative to ActionView for Ruby on Rails. [https://github.com/phlex-ruby/phlex-rails]
 gem "commonmarker", require: false
+gem "invisible_captcha", group: [:default, :wasm] # Unobtrusive and flexible spam protection for Rails apps [https://github.com/markets/invisible_captcha]
 
 gem "bootsnap", require: false # Reduces boot times through caching; required in config/boot.rb [https://github.com/Shopify/bootsnap]
 

Gemfile.lock

@@ -237,6 +237,8 @@ GEM
     inline_svg (1.9.0)
       activesupport (>= 3.0)
       nokogiri (>= 1.6)
+    invisible_captcha (2.3.0)
+      rails (>= 5.2)
     io-console (0.7.2)
     irb (1.13.1)
       rdoc (>= 4.0.0)
@@ -562,6 +564,7 @@ DEPENDENCIES
   fog-aws
   honeybadger
   inline_svg
+  invisible_captcha
   js
   letter_opener
   litestream

app/controllers/users/newsletter_subscriptions_controller.rb

@@ -1,4 +1,6 @@
 class Users::NewsletterSubscriptionsController < ApplicationController
+  invisible_captcha only: [:create]
+
   # TODO: Implement singular resource index action for logged in user
   # before_action :authenticate_user!, only: [:index]
 

app/controllers/users/registrations_controller.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 class Users::RegistrationsController < ApplicationController
+  invisible_captcha only: [:create]
+
   before_action :feature_enabled!
   before_action :redirect_if_authenticated, only: [:create, :new]
   before_action :authenticate_user!, only: [:edit, :update, :destroy]

app/views/components/concerns/has_invisible_captcha.rb

@@ -0,0 +1,19 @@
+module Concerns::HasInvisibleCaptcha
+  extend ActiveSupport::Concern
+
+  included do
+    # The following modules are needed to make Phlex components work with invisible_captcha
+    include InvisibleCaptcha::ViewHelpers
+    include Phlex::Rails::Helpers::ContentTag
+    include Phlex::Rails::Helpers::Request
+    include Phlex::Rails::Helpers::LabelTag
+    include Phlex::Rails::Helpers::TextFieldTag
+    include Phlex::Rails::Helpers::HiddenFieldTag
+
+    extend Phlex::Rails::HelperMacros
+    # @!method session(...)
+    register_value_helper :session
+    # @!method concat(...)
+    register_value_helper :concat
+  end
+end

app/views/users/newsletter_subscriptions/form.rb

@@ -4,18 +4,21 @@ class Users::NewsletterSubscriptions::Form < ApplicationComponent
   include Phlex::Rails::Helpers::Object
   include Phlex::Rails::Helpers::Routes
 
+  include Concerns::HasInvisibleCaptcha
+
   def initialize(newsletter_subscription:)
     @newsletter_subscription = newsletter_subscription
   end
 
   def view_template
     form_with model: @newsletter_subscription.subscriber, url: form_url, class: "lg:w-1/2" do |f|
+      invisible_captcha
       div(class: "flex flex-row items-center mt-2") do
         div(class: "flex-grow mr-2") do
           whitespace
           plain f.email_field :email,
             type: :email,
-            autocomplete: "email",
+            autocomplete: "off",
             placeholder: "[email protected]",
             class:
               "flex-1 rounded bg-white/5 py-1.5 pl-3 sm:leading-6 focus-ring focus:ring-0 ring-1 ring-inset ring-white/10 w-full lg:min-w-[36ch] "

app/views/users/registrations/new_view.rb

@@ -1,4 +1,6 @@
 class Users::Registrations::NewView < ApplicationView
+  include Concerns::HasInvisibleCaptcha
+
   def initialize(user:)
     @user = user
   end
@@ -7,34 +9,33 @@ def view_template
     render Layouts::FrontDoorForm.new(title: "Create a new account") do |layout|
       layout.form_with model: @user,
         url: users_registration_path do |form|
-        if form.object.errors.any?
-          ul do
-            form.object.errors.full_messages.each do |message|
-              li { message }
-            end
-          end
-        end
+        invisible_captcha
         fieldset do
           layout.form_label form, :email, "Email address"
           layout.form_field form, :email_field, :email,
-            autocomplete: "email",
+            autocomplete: "off",
             required: true
         end
         fieldset do
           layout.form_label form, :password
           layout.form_field form, :password_field, :password,
             type: "password",
-            autocomplete: "current-password",
+            autocomplete: "off",
             required: true
         end
         fieldset do
           layout.form_label form, :password_confirmation
           layout.form_field form, :password_field, :password_confirmation,
             type: "password",
-            autocomplete: "current-password",
+            autocomplete: "off",
             required: true
         end
         layout.form_button form, "Sign up"
+        if form.object.errors.any?
+          div(class: "bg-error callout") do
+            plain form.object.errors.full_messages.join(". ")
+          end
+        end
       end
     end
   end

config/application_wasm.rb

@@ -28,6 +28,7 @@
 require "sitepress-rails"
 require "phlex-rails"
 require "inline_svg"
+require "invisible_captcha"
 
 module Joy
   class Application < Rails::Application

config/initializers/invisible_captcha.rb

@@ -0,0 +1,11 @@
+require "invisible_captcha"
+
+InvisibleCaptcha.setup do |config|
+  # We need to deal with invisible captcha for specs
+  # https://github.com/markets/invisible_captcha?tab=readme-ov-file#testing-your-controllers
+  if Rails.env.test?
+    config.timestamp_enabled = false
+    config.spinner_enabled = false
+    config.honeypots = ["my_honeypot_field"]
+  end
+end