Add honeypot and refine short name checks to prevent demo spam

thibaudgg · thibaudgg · commit abd2d681d657 · 2026-03-09T21:22:39.000+01:00
Implement a hidden organization field as a honeypot to catch bots, and update
short name detection to require at least 3 characters with 2 unique letters,
silently rejecting spam without creating admins. This enhances registration
security against automated abuse.
diff --git a/app/controllers/demo/registrations_controller.rb b/app/controllers/demo/registrations_controller.rb
@@ -27,6 +27,6 @@ def ensure_demo_tenant!
   end
 
   def registration_params
-    params.require(:demo_registration).permit(:name, :email, :note)
+    params.require(:demo_registration).permit(:name, :email, :note, :organization)
   end
 end
diff --git a/app/models/demo/registration.rb b/app/models/demo/registration.rb
@@ -7,6 +7,7 @@ class Demo::Registration
   attribute :name, :string
   attribute :email, :string
   attribute :note, :string
+  attribute :organization, :string
 
   attr_accessor :request
 
@@ -25,15 +26,27 @@ def save
   private
 
   def spam?
-    detector = SpamDetector.new(nil)
-    spam = detector.gibberish?(name) || detector.gibberish?(note)
+    spam = honeypot_filled? || short_name? || gibberish?
     if spam
       Rails.error.unexpected("Demo registration spam detected",
-        context: { name: name, email: email, note: note })
+        context: { name: name, email: email, note: note, reason: spam })
     end
     spam
   end
 
+  def honeypot_filled?
+    :honeypot if organization.present?
+  end
+
+  def short_name?
+    :short_name if name.present? && (name.strip.length < 3 || name.strip.scan(/\p{L}/).uniq.size < 2)
+  end
+
+  def gibberish?
+    detector = SpamDetector.new(nil)
+    :gibberish if detector.gibberish?(name) || detector.gibberish?(note)
+  end
+
   def admin_must_be_valid
     return if build_admin.valid?
 
diff --git a/app/views/demo/registrations/new.html.erb b/app/views/demo/registrations/new.html.erb
@@ -12,6 +12,11 @@
       <ol class="list-none p-2">
         <%= f.input :name, label: t("demo.registrations.new.name_input"), required: true %>
         <%= f.input :email, label: t("demo.registrations.new.email_input"), required: true %>
+
+        <div class="hidden" aria-hidden="true">
+          <%= f.input :organization, label: "Organization", required: false, input_html: { tabindex: "-1", autocomplete: "off" } %>
+        </div>
+
         <%= f.input :note, as: :text, label: t("demo.registrations.new.note_input"), required: false, input_html: { rows: 3, placeholder: t("demo.registrations.new.note_placeholder") } %>
         <%= f.action :submit, label: t("demo.registrations.new.submit"), button_html: { value: t("demo.registrations.new.submit") }, wrapper_html: { class: "actions mt-2" } %>
       </ol>
diff --git a/test/models/demo/registration_test.rb b/test/models/demo/registration_test.rb
@@ -144,17 +144,81 @@ class Demo::RegistrationTest < ActiveSupport::TestCase
     end
   end
 
-  test "short name skips gibberish check and creates admin" do
+  test "short name silently succeeds without creating admin" do
     in_demo_tenant do
       registration = Demo::Registration.new(
-        name: "Jo",
-        email: "jo@example.com")
+        name: "as",
+        email: "test@example.com")
+
+      assert_no_enqueued_emails do
+        assert_raises(ActiveSupport::ErrorReporter::UnexpectedError) do
+          assert registration.save
+        end
+      end
+
+      assert_not Admin.exists?(email: "test@example.com")
+    end
+  end
+
+  test "short name with single unique letter silently succeeds without creating admin" do
+    in_demo_tenant do
+      registration = Demo::Registration.new(
+        name: "aaa",
+        email: "test@example.com")
+
+      assert_no_enqueued_emails do
+        assert_raises(ActiveSupport::ErrorReporter::UnexpectedError) do
+          assert registration.save
+        end
+      end
+
+      assert_not Admin.exists?(email: "test@example.com")
+    end
+  end
+
+  test "three-letter name with distinct letters creates admin" do
+    in_demo_tenant do
+      registration = Demo::Registration.new(
+        name: "Joe",
+        email: "joe@example.com")
+
+      assert_enqueued_emails 2 do
+        assert registration.save
+      end
+
+      assert Admin.exists?(email: "joe@example.com")
+    end
+  end
+
+  test "honeypot filled silently succeeds without creating admin" do
+    in_demo_tenant do
+      registration = Demo::Registration.new(
+        name: "Spam Bot",
+        email: "bot@example.com",
+        organization: "Acme Corp")
+
+      assert_no_enqueued_emails do
+        assert_raises(ActiveSupport::ErrorReporter::UnexpectedError) do
+          assert registration.save
+        end
+      end
+
+      assert_not Admin.exists?(email: "bot@example.com")
+    end
+  end
+
+  test "empty honeypot allows registration" do
+    in_demo_tenant do
+      registration = Demo::Registration.new(
+        name: "Real Person",
+        email: "real@example.com",
+        organization: "")
 
       assert_enqueued_emails 2 do
         assert registration.save
       end
 
-      assert Admin.exists?(email: "jo@example.com")
+      assert Admin.exists?(email: "real@example.com")
     end
   end
 
