Add Hashcash Bot Protector #412
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #412 +/- ##
==========================================
+ Coverage 97.29% 97.31% +0.01%
==========================================
Files 146 148 +2
Lines 3735 3794 +59
==========================================
+ Hits 3634 3692 +58
- Misses 101 102 +1 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
Pull Request Overview
Adds a Hashcash-based proof-of-work protection mechanism to signup and login forms by integrating the active_hashcash gem, exposing new configuration options, and injecting the necessary assets and form hooks.
- Introduces
hashcash_signup/hashcash_loginsettings, default bit counts, and admin UI controls. - Wires
active_hashcashinto the Rails engine, Devise controllers, and upgrade tasks. - Registers a new JS pack and Deface overrides to append a hidden Hashcash field in the forms.
Reviewed Changes
Copilot reviewed 29 out of 29 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| lib/tasks/decidim_awesome_upgrade_tasks.rake | Enhance upgrade task to include active_hashcash |
| lib/decidim/decidim_awesome/version.rb | Bump gem version to 0.12.2 |
| lib/decidim/decidim_awesome/test/initializer.rb | Enable hashcash flags in test defaults |
| lib/decidim/decidim_awesome/menu.rb | Add hashcash flags to surveys menu logic |
| lib/decidim/decidim_awesome/engine.rb | Conditionally load and include active_hashcash in Devise |
| lib/decidim/decidim_awesome/checksums.yml | Add checksums for new view overrides |
| lib/decidim/decidim_awesome/awesome.rb | Define hashcash_* config accessors and docs |
| decidim-decidim_awesome.gemspec | Declare dependency on active_hashcash ~> 0.4.0 |
| config/locales/en.yml | Add translations and help texts for hashcash options |
| config/assets.rb | Register decidim_decidim_awesome_hashcash JS pack |
| app/views/decidim/decidim_awesome/hashcash/_hidden_field.html.erb | Render Hashcash hidden field and include JS pack |
| app/views/decidim/decidim_awesome/admin/config/_form_surveys.html.erb | Add admin form controls for hashcash settings |
| app/packs/entrypoints/decidim_decidim_awesome_hashcash.js | Initialize Hashcash in a new JS entrypoint |
| app/overrides/decidim/devise/sessions/new/add_hashcash.html.erb.deface | Inject hidden field into login form |
| app/overrides/decidim/devise/registrations/new/add_hashcash.html.erb.deface | Inject hidden field into signup form |
| app/forms/decidim/decidim_awesome/admin/config_form.rb | Add attributes and validations for hashcash bits |
| app/controllers/concerns/decidim/decidim_awesome/needs_hashcash.rb | Before hooks to set/check Hashcash in controllers |
| Rakefile | Run active_hashcash:install:migrations during install |
| Gemfile | Upgrade DECIDIM_VERSION to 0.29.3 |
| .ruby-version | Pin Ruby to 3.2.8 |
Comments suppressed due to low confidence (2)
app/forms/decidim/decidim_awesome/admin/config_form.rb:23
- New form attributes and validations for hashcash settings have been added but no tests were included. Consider adding unit or integration tests to cover enabling/disabling Hashcash and bit validation logic.
attribute :hashcash_signup, Boolean
app/packs/entrypoints/decidim_decidim_awesome_hashcash.js:1
- The import path
src/vendor/hashcashmay not resolve under the current Webpacker configuration. Verify the correct alias or use a relative path to avoid module not found errors.
import Hashcash from "src/vendor/hashcash";
app/controllers/concerns/decidim/decidim_awesome/needs_hashcash.rb
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Pull Request Overview
This PR integrates a Hashcash anti-bot mechanism into the register/login flows, adds configuration options for tuning difficulty, and provides an admin UI for monitoring stamps and IP addresses.
- Injects hidden Hashcash fields into Devise login and signup views via Deface overrides
- Extends the admin ConfigForm and introduces
NeedsHashcashconcern to enforce proof-of-work - Adds
HashcashControllerand updates Rake tasks, workflows, and documentation for migration and CI support
Reviewed Changes
Copilot reviewed 79 out of 79 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| app/overrides/.../add_hashcash.html.erb.deface (sessions & reg.) | Insert hidden Hashcash field in login/signup forms |
| app/helpers/decidim/decidim_awesome/map_helper.rb | Wrapped current_categories in RuboCop disable block |
| app/forms/.../config_form.rb | Added hashcash_* attributes and validations |
| app/controllers/.../private_data_controller.rb | Renamed controller/actions to PrivateDataController |
| app/controllers/.../hashcash_controller.rb | New admin UI controller for Hashcash stamps/IPs |
| app/controllers/.../config_controller.rb | Updated redirect helper to new checks path |
| app/controllers/.../checks_controller.rb | Removed unused current_view method |
| app/controllers/concerns/.../needs_hashcash.rb | New concern to configure and enforce Hashcash checks |
| app/controllers/concerns/.../maintenance_context.rb | Updated maintenance menu paths for Hashcash and checks |
| Rakefile | Added active_hashcash:install:migrations step |
| Gemfile | Bumped Decidim version and removed obsolete gems |
| CHANGELOG.md | Documented new Hashcash feature |
| .ruby-version | Set Ruby to 3.2.8 |
| .rubocop.yml | Inherited Decidim dev config, updated excludes |
| .github/workflows/tests.yml | Updated Ruby version and CI_HASHCASH_BITS env var |
| .github/workflows/lint.yml | Consolidated lint steps into matrix strategy |
| .erb-lint.yml | Added and disabled specific ERB lint rules |
Comments suppressed due to low confidence (2)
app/controllers/decidim/decidim_awesome/admin/hashcash_controller.rb:26
- Consider adding controller specs for
stamps,stamp, andaddressesactions to verify filtering, ordering, and grouping logic, ensuring regression safety.
@stamps ||= ActiveHashcash::Stamp.filter_by(params).order(created_at: :desc).limit(1000)
app/helpers/decidim/decidim_awesome/map_helper.rb:74
- The trailing colon in the RuboCop directive may prevent the rule from being disabled as intended. Remove the colon to match the standard
# rubocop:disable Rails/HelperInstanceVariablesyntax.
# rubocop:disable Rails/HelperInstanceVariable:
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds a bot register/login protector for brute-force attacks.
Incorporates a tuned version of https://github.com/BaseSecrete/active_hashcash