Skip to content

feat(plugin, server): add honeypot and rate limit #7

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
airslice merged 1 commit into from
Oct 23, 2025
Merged

feat(plugin, server): add honeypot and rate limit #7

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
216 changes: 115 additions & 101 deletions plugin/src/extensions/sp_submitter/submitter/App.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,119 +53,133 @@ function App() {
</Button>
</div>
) : (
<form className="space-y-4">
<div className="space-y-2">
<Label htmlFor="title">Position *</Label>
<form className="space-y-4">
<div className="space-y-2">
<Button
type="button"
variant={isPickingLocation ? "default" : "outline"}
disabled={isUploading}
onClick={handleStartPickLocation}
>
{isPickingLocation ? "Stop picking" : "Pick on map"}
</Button>
{formData.position && (
<p className="text-sm text-green-600">
✓ Position selected:{" "}
{formData.position.coordinates[1].toFixed(6)},{" "}
{formData.position.coordinates[0].toFixed(6)}
</p>
)}
<Label htmlFor="title">Position *</Label>
<div className="space-y-2">
<Button
type="button"
variant={isPickingLocation ? "default" : "outline"}
disabled={isUploading}
onClick={handleStartPickLocation}
>
{isPickingLocation ? "Stop picking" : "Pick on map"}
</Button>
{formData.position && (
<p className="text-sm text-green-600">
✓ Position selected:{" "}
{formData.position.coordinates[1].toFixed(6)},{" "}
{formData.position.coordinates[0].toFixed(6)}
</p>
)}
</div>
</div>
</div>

<div className="space-y-2">
<Label htmlFor="title">Title *</Label>
<Input
id="title"
name="title"
value={formData.title}
onChange={handleInputChange}
placeholder="Enter title"
disabled={isPickingLocation}
required
/>
</div>
<div className="space-y-2">
<Label htmlFor="title">Title *</Label>
<Input
id="title"
name="title"
value={formData.title}
onChange={handleInputChange}
placeholder="Enter title"
disabled={isPickingLocation}
required
/>
</div>

<div className="space-y-2">
<Label>Photograph *</Label>
{formData.photoUrl && (
<div className="mb-2">
<img
src={formData.photoUrl}
alt="Uploaded photograph"
className="max-w-full h-48 object-cover rounded"
<div className="space-y-2">
<Label>Photograph *</Label>
{formData.photoUrl && (
<div className="mb-2">
<img
src={formData.photoUrl}
alt="Uploaded photograph"
className="max-w-full h-48 object-cover rounded"
/>
</div>
)}
<div className="flex items-center gap-2">
<Button
type="button"
variant="outline"
disabled={isUploading || isPickingLocation}
onClick={() =>
document.getElementById("image-upload")?.click()
}
>
{isUploading
? "Uploading..."
: formData.photoUrl
? "Change Image"
: "Upload Image"}
</Button>
<Input
id="image-upload"
type="file"
accept="image/*"
onChange={handleImageUpload}
disabled={isUploading || isPickingLocation}
className="hidden"
required
/>
{!isUploading && formData.photoUrl && (
<span className="text-sm text-green-600">✓ Uploaded</span>
)}
</div>
)}
<div className="flex items-center gap-2">
<Button
type="button"
variant="outline"
disabled={isUploading || isPickingLocation}
onClick={() => document.getElementById("image-upload")?.click()}
>
{isUploading
? "Uploading..."
: formData.photoUrl
? "Change Image"
: "Upload Image"}
</Button>
</div>

<div className="space-y-2">
<Label htmlFor="description">Description</Label>
<Input
id="image-upload"
type="file"
accept="image/*"
onChange={handleImageUpload}
disabled={isUploading || isPickingLocation}
className="hidden"
required
id="description"
name="description"
value={formData.description}
onChange={handleInputChange}
placeholder="Enter description (optional)"
disabled={isPickingLocation}
/>
{!isUploading && formData.photoUrl && (
<span className="text-sm text-green-600">✓ Uploaded</span>
)}
</div>
</div>

<div className="space-y-2">
<Label htmlFor="description">Description</Label>
<Input
id="description"
name="description"
value={formData.description}
onChange={handleInputChange}
placeholder="Enter description (optional)"
disabled={isPickingLocation}
/>
</div>
<div className="space-y-2">
<Label htmlFor="author">Author *</Label>
<Input
id="author"
name="author"
value={formData.author}
onChange={handleInputChange}
placeholder="Enter author name"
disabled={isPickingLocation}
required
/>
</div>

<div className="space-y-2">
<Label htmlFor="author">Author *</Label>
<Input
id="author"
name="author"
value={formData.author}
onChange={handleInputChange}
placeholder="Enter author name"
disabled={isPickingLocation}
required
/>
</div>
<div className="space-y-2 hp">
<Label htmlFor="website">Website</Label>
<Input
name="website"
value={formData.website}
onChange={handleInputChange}
tabIndex={-1}
autoComplete="off"
aria-hidden="true"
/>
</div>

<Button
onClick={handleSubmit}
disabled={
isSubmitting ||
isUploading ||
isPickingLocation ||
!formData.photoUrl ||
!formData.position
}
className="w-full"
>
{isSubmitting ? "Submitting..." : "Submit"}
</Button>
</form>
<Button
onClick={handleSubmit}
disabled={
isSubmitting ||
isUploading ||
isPickingLocation ||
!formData.photoUrl ||
!formData.position
}
className="w-full"
>
{isSubmitting ? "Submitting..." : "Submit"}
</Button>
</form>
)}
</CardContent>
</Card>
Expand Down
5 changes: 4 additions & 1 deletion plugin/src/extensions/sp_submitter/submitter/app.css
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,4 +2,7 @@
--background: transparent;
}

/* Add your custom styles here */
/* Honeypot */
.hp {
display: none;
}
8 changes: 8 additions & 0 deletions plugin/src/extensions/sp_submitter/submitter/hooks.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@ type FormData = {
type: "Point";
coordinates: [number, number];
} | null;
website: string;
};

export default () => {
Expand All @@ -22,6 +23,7 @@ export default () => {
author: "",
photoUrl: "",
position: null,
website: "",
});
const [isSubmitting, setIsSubmitting] = useState(false);
const [isUploading, setIsUploading] = useState(false);
Expand Down Expand Up @@ -115,6 +117,11 @@ export default () => {
return;
}

// Anti-bot validation
if (formData.website.trim() !== "") {
return;
}

setIsSubmitting(true);

try {
Expand All @@ -133,6 +140,7 @@ export default () => {
author: "",
photoUrl: "",
position: null,
website: "",
});
setIsSubmitSuccess(true);
} else {
Expand Down
44 changes: 40 additions & 4 deletions server/api/photographs.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,20 +4,24 @@ import cors from "cors";
import { cmsService } from "../src/services/cms.js";
import { CreatePhotographRequest } from "../src/types";
import { authenticate, AuthenticatedRequest } from "../src/utils/auth.js";
import { createPhotographRateLimiter } from "../src/utils/rateLimiter.js";
import { sendSuccess, sendError } from "../src/utils/response.js";
import { validateRequest, PhotographSchema } from "../src/utils/validation.js";

// CORS configuration
const corsOptions = {
origin: (origin: string | undefined, callback: (err: Error | null, allow?: boolean) => void) => {
origin: (
origin: string | undefined,
callback: (err: Error | null, allow?: boolean) => void
) => {
const corsOrigin = process.env.CORS_ORIGIN;
if (!corsOrigin) {
callback(null, true);
return;
}
const allowedOrigins = corsOrigin.split(',').map(o => o.trim());

const allowedOrigins = corsOrigin.split(",").map((o) => o.trim());

if (!origin || allowedOrigins.includes(origin)) {
callback(null, true);
} else {
Expand Down Expand Up @@ -105,6 +109,32 @@ async function handleCreatePhotograph(
res: VercelResponse,
modelId: string
) {
// Check rate limit for photograph creation
const rateLimitResult = createPhotographRateLimiter.consume(req);

// Add rate limit headers
res.setHeader("X-RateLimit-Limit", rateLimitResult.limit);
res.setHeader("X-RateLimit-Remaining", rateLimitResult.remaining);
res.setHeader(
"X-RateLimit-Reset",
new Date(rateLimitResult.resetTime).toISOString()
);

if (!rateLimitResult.success) {
return sendError(
res,
"RATE_LIMIT_EXCEEDED",
"Too many photograph submissions, please try again later.",
429,
[
{
field: "rate_limit",
message: `Please wait ${Math.ceil((rateLimitResult.resetTime - Date.now()) / 1000)} seconds before trying again.`,
},
]
);
}

const validation = validateRequest(PhotographSchema, req.body);

if (!validation.success) {
Expand All @@ -117,6 +147,12 @@ async function handleCreatePhotograph(
);
}

// Honeypot validation - silently reject if website field is filled
if (validation.data?.website && validation.data.website.trim() !== "") {
// Return success to avoid tipping off bots, but don't create the photograph
return sendSuccess(res, { id: "blocked", message: "Success" }, 201);
}

try {
const photograph = await cmsService.createPhotograph(
modelId,
Expand Down
1 change: 1 addition & 0 deletions server/src/types/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ export type CreatePhotographRequest = {
type: "Point";
coordinates: [number, number];
};
website?: string;
};

export type ApiResponse<T> = {
Expand Down
Loading