Add a honeypot field to some forms

ObserverOfTime · ObserverOfTime · commit c6b022cc4360 · 2023-12-02T00:18:04.000+02:00
diff --git a/.env.example b/.env.example
@@ -93,6 +93,9 @@ CACHE_URL=""
 # The default e-mail address of your site.
 EMAIL_ADDRESS="<user>@${DOMAIN}"
 
+# The name and email address of the site's admin.
+ADMIN="<name>,${EMAIL_ADDRESS}"
+
 # The time zone of your server. You can find it with this command:
 # timedatectl | awk '/Time zone/{print $3}'
 TIME_ZONE=UTC
diff --git a/MangAdventure/settings.py b/MangAdventure/settings.py
@@ -7,6 +7,7 @@
 import re
 from importlib.util import find_spec
 from pathlib import Path
+from urllib.parse import urlsplit
 
 from yaenv import Env
 
@@ -27,8 +28,7 @@
 #: See :setting:`ALLOWED_HOSTS`.
 ALLOWED_HOSTS = env.list('ALLOWED_HOSTS', [
     '127.0.0.1', '0.0.0.0', 'localhost', '[::1]',
-    # From https://stackoverflow.com/questions/9626535/#36609868
-    env['DOMAIN'].split('//')[-1].split('/')[0].split('?')[0]
+    urlsplit(env['DOMAIN']).hostname
 ])
 
 #: | A boolean that turns debug mode on/off. See :setting:`DEBUG`.
@@ -40,6 +40,9 @@
 #: | **SECURITY WARNING: this must be kept secret!**
 SECRET_KEY = env.secret('SECRET_KEY')
 
+#: A list of site administrators. See :setting:`ADMINS`.
+ADMINS = [tuple(env.list('ADMIN', []))] if 'ADMIN' in env else []
+
 #: The ID of the current site. See :setting:`SITE_ID`.
 SITE_ID = 1
 
@@ -167,8 +170,7 @@
     re.compile(r'^/api'),
 ]
 
-LOGS_DIR = BASE_DIR / 'logs'
-LOGS_DIR.mkdir(exist_ok=True)
+(LOGS_DIR := BASE_DIR / 'logs').mkdir(exist_ok=True)
 
 #: Logging configuration dictionary. See :setting:`LOGGING`.
 LOGGING = {
@@ -183,11 +185,11 @@
         'verbose': {
             'format': '{levelname} {asctime} {pathname}'
                       ' {funcName}:{lineno} {message}',
-            'style': '{',
+            'style': '{'
         },
         'simple': {
             'format': '{asctime} {module} {funcName} {message}',
-            'style': '{',
+            'style': '{'
         },
     },
     'handlers': {
@@ -196,13 +198,13 @@
             'class': 'logging.FileHandler',
             'filters': ['require_debug_true'],
             'filename': LOGS_DIR / 'debug.log',
-            'formatter': 'verbose',
+            'formatter': 'verbose'
         },
         'error': {
             'level': 'ERROR',
             'class': 'logging.FileHandler',
             'filename': LOGS_DIR / 'errors.log',
-            'formatter': 'simple',
+            'formatter': 'simple'
         },
         'query': {
             'level': 'DEBUG',
@@ -338,6 +340,13 @@
 #: See :auth:`ACCOUNT_EMAIL_VERIFICATION <configuration.html>`.
 ACCOUNT_EMAIL_VERIFICATION = 'mandatory'
 
+#: Override some of the builtin forms.
+#: See :auth:`ACCOUNT_FORMS <configuration.html>`.
+ACCOUNT_FORMS = {
+    'signup': 'users.forms.RegistrationForm',
+    'reset_password': 'users.forms.PasswordResetForm'
+}
+
 #: The social account adapter class to use.
 #: See :auth:`SOCIALACCOUNT_ADAPTER <configuration.html>`.
 SOCIALACCOUNT_ADAPTER = 'users.adapters.SocialAccountAdapter'
diff --git a/MangAdventure/templates/account/password_reset.html b/MangAdventure/templates/account/password_reset.html
@@ -15,10 +15,11 @@ <h1 class="text-shadow alter-fg">Password Reset</h1>
     <form method="POST" action="{% url 'account_reset_password' %}">
       {% csrf_token %}
       {% for item in form %}
-        <div class="field">
-          <label for="{{ item.name }}">{{ item.label }}</label>
-          <input type="{{ item.field.widget.input_type }}" class="input" name="{{ item.name }}"
-                 id="{{ item.name }}" placeholder="{{ item.field.widget.attrs.placeholder }}" required>
+        <div class="field{% if item.name == 'email2' %} no-display{% endif %}">
+          <input type="{{ item.field.widget.input_type }}" class="input"
+                 name="{{ item.name }}" id="{{ item.name }}"
+                 placeholder="{{ item.field.widget.attrs.placeholder }}"
+                 {% if item.field.required %}required{% endif %}>
           {% if item.errors %}
             {% for error in item.errors %}
               <p class="error">{{ error|escape }}</p>
diff --git a/MangAdventure/templates/account/signup.html b/MangAdventure/templates/account/signup.html
@@ -14,11 +14,12 @@ <h1 class="text-shadow alter-bg">Sign up</h1>
     <form method="POST" action="{% url 'account_signup' %}">
       {% csrf_token %}
       {% for item in form %}
-        <div class="field">
+        <div class="field{% if item.name == 'email2' %} no-display{% endif %}">
           <label for="{{ item.name }}">{{ item.label }}</label>
           <input type="{{ item.field.widget.input_type }}" class="input" name="{{ item.name }}"
                  id="{{ item.name }}" placeholder="{{ item.field.widget.attrs.placeholder }}"
-                 required{% if 'password' in item.name %} autocomplete="off"{% endif %}>
+                 {% if 'password' in item.name %}autocomplete="off"{% endif %}
+                 {% if item.field.required %}required{% endif %}>
           {% if item.errors %}
             {% for error in item.errors %}
               <p class="error">{{ error|escape }}</p>
diff --git a/docs/changelog.rst b/docs/changelog.rst
@@ -4,6 +4,7 @@ Changelog
 v0.9.5
 ^^^^^^
 
+* Added a honeypot field to some forms
 * Added last login date to the user list
 * Removed Reddit OAuth provider
 * Reduced prefetched pages from 3 to 2
diff --git a/reader/models.py b/reader/models.py
@@ -47,7 +47,7 @@
     def capture_exception(_): pass  # noqa: E704
 
 _update_lock = Lock()
-_logger = getLogger('django.db')
+_logger = getLogger('django.db.models')
 
 
 def _cover_uploader(obj: Series, name: str) -> str:
diff --git a/users/forms.py b/users/forms.py
@@ -1,22 +1,85 @@
 """Form models for the users app."""
 
-from typing import cast
+from importlib.util import find_spec
+from typing import Optional, cast
 
 from django import forms
 from django.contrib.auth.models import User
 from django.contrib.auth.validators import UnicodeUsernameValidator
 
+from allauth.account.forms import ResetPasswordForm, SignupForm
+
 from MangAdventure.validators import FileSizeValidator
 
 from .models import UserProfile
 
+if find_spec('sentry_sdk'):  # pragma: no cover
+    from sentry_sdk import capture_message, configure_scope
+
+    def _log_honeypot(message: str, username: Optional[str], email: str):
+        with configure_scope() as scope:
+            scope.set_tag('username', username)
+            scope.set_tag('email', email)
+            capture_message(message, 'warning', scope)
+else:  # pragma: no cover
+    from django.core.mail import mail_admins
+
+    def _log_honeypot(message: str, username: Optional[str], email: str):
+        body = f'Username: {username or "N/A"}\nE-mail: {email}'
+        mail_admins(message, body, fail_silently=True)
+
+
+class RegistrationForm(SignupForm):  # pragma: no cover
+    """Registration form with a honeypot field."""
+    email2 = forms.EmailField(
+        label='Email (again)',
+        required=False,
+        widget=forms.EmailInput(
+            attrs={
+                'placeholder': 'Email address confirmation'
+            }
+        )
+    )
+
+    def clean(self):
+        result = super().clean()
+        if self.cleaned_data.get('email2'):
+            msg = 'Possible spam bot detected'
+            username = self.cleaned_data['username']
+            email = self.cleaned_data['email']
+            _log_honeypot(msg, username, email)
+            raise forms.ValidationError('Nope!')
+        return result
+
+
+class PasswordResetForm(ResetPasswordForm):  # pragma: no cover
+    """Password reset form with a honeypot field."""
+    email2 = forms.EmailField(
+        label='Email (again)',
+        required=False,
+        widget=forms.EmailInput(
+            attrs={
+                'placeholder': 'Email address confirmation'
+            }
+        )
+    )
+
+    def clean(self):
+        result = super().clean()
+        if self.cleaned_data.get('email2'):
+            msg = 'Possible spam bot detected'
+            email = self.cleaned_data['email']
+            _log_honeypot(msg, None, email)
+            raise forms.ValidationError('Nope!')
+        return result
+
 
 class UserProfileForm(forms.ModelForm):
     """Form used for editing a :class:`~users.models.UserProfile` model."""
     #: The user's e-mail address.
     email = forms.EmailField(
         max_length=254, min_length=5, label='E-mail',
-        widget=forms.TextInput(attrs={
+        widget=forms.EmailInput(attrs={
             'placeholder': 'E-mail address'
         })
     )
@@ -166,4 +229,4 @@ class Meta:
         )
 
 
-__all__ = ['UserProfileForm']
+__all__ = ['RegistrationForm', 'PasswordResetForm', 'UserProfileForm']
