diff --git a/lib/Travelynx/Controller/Account.pm b/lib/Travelynx/Controller/Account.pm index ba6b3cd..b6e97e3 100644 --- a/lib/Travelynx/Controller/Account.pm +++ b/lib/Travelynx/Controller/Account.pm @@ -1,4 +1,5 @@ package Travelynx::Controller::Account; + # Copyright (C) 2020 Daniel Friesel # # SPDX-License-Identifier: AGPL-3.0-or-later @@ -62,6 +63,7 @@ sub registration_form { sub register { my ($self) = @_; + my $dt = $self->req->param('dt'); my $user = $self->req->param('user'); my $email = $self->req->param('email'); my $password = $self->req->param('password'); @@ -118,6 +120,18 @@ sub register { return; } + if ( not $dt + or DateTime->now( time_zone => 'Europe/Berlin' )->epoch - $dt < 6 ) + { + # a human user should take at least five seconds to fill out the form. + # Throw a CSRF error at presumed spammers. + $self->render( + 'register', + invalid => 'csrf', + ); + return; + } + my $token = make_token(); my $pw_hash = hash_password($password); my $db = $self->pg->db; diff --git a/templates/register.html.ep b/templates/register.html.ep index 1983e92..c27b591 100644 --- a/templates/register.html.ep +++ b/templates/register.html.ep @@ -3,6 +3,7 @@ % } %= form_for '/register' => (method => 'POST') => begin %= csrf_field + %= hidden_field dt => DateTime->now(time_zone => 'Europe/Berlin')->epoch