Add invisible captcha

With a time treshold of 4 seconds
and a firstname and lastname honeypot
input fields when signing up

app/controllers/registrations_controller.rb

@@ -6,6 +6,7 @@ class RegistrationsController < Devise::RegistrationsController
   include RecaptchaExperimentHelper
 
   prepend_before_action :check_captcha, only: :create
+  invisible_captcha only: :create, on_timestamp_spam: :on_timestamp_spam_callback
   before_action :whitelist_query_limiting, only: [:destroy]
   before_action :ensure_terms_accepted,
     if: -> { action_name == 'create' && Gitlab::CurrentSettings.current_application_settings.enforce_terms? }
@@ -134,4 +135,10 @@ class RegistrationsController < Devise::RegistrationsController
   def terms_accepted?
     Gitlab::Utils.to_boolean(params[:terms_opt_in])
   end
+
+  def on_timestamp_spam_callback
+    return unless Feature.enabled?(:invisible_captcha)
+
+    redirect_to new_user_session_path, alert: InvisibleCaptcha.timestamp_error_message
+  end
 end

app/views/devise/shared/_signup_box.html.haml

@@ -5,6 +5,8 @@
     = form_for(resource, as: "new_#{resource_name}", url: registration_path(resource_name), html: { class: "new_new_user gl-show-field-errors", "aria-live" => "assertive" }) do |f|
       .devise-errors
         = render "devise/shared/error_messages", resource: resource
+      - if Feature.enabled?(:invisible_captcha)
+        = invisible_captcha
       .name.form-group
         = f.label :name, _('Full name'), class: 'label-bold'
         = f.text_field :name, class: "form-control top js-block-emoji js-validate-length", :data => { :max_length => max_name_length, :max_length_message => s_("SignUp|Name is too long (maximum is %{max_length} characters).") % { max_length: max_name_length }, :qa_selector => 'new_user_name_field' }, required: true, title: _("This field is required.")

config/initializers/invisible_captcha.rb

+# frozen_string_literal: true
+
+InvisibleCaptcha.setup do |config|
+  config.honeypots = %w(firstname lastname)
+  config.timestamp_enabled = true
+  config.timestamp_threshold = 4
+end

config/locales/invisible_captcha.en.yml

+en:
+  invisible_captcha:
+    sentence_for_humans: If you are human, please ignore this field.
+    timestamp_error_message: That was a bit too quick! Please resubmit.

spec/controllers/registrations_controller_spec.rb

@@ -5,6 +5,10 @@ require 'spec_helper'
 describe RegistrationsController do
   include TermsHelper
 
+  before do
+    stub_feature_flags(invisible_captcha: false)
+  end
+
   describe '#create' do
     let(:base_user_params) { { name: 'new_user', username: 'new_username', email: 'new@user.com', password: 'Any_password' } }
     let(:user_params) { { user: base_user_params } }
@@ -88,6 +92,62 @@ describe RegistrationsController do
       end
     end
 
+    context 'when invisible captcha is enabled' do
+      before do
+        stub_feature_flags(invisible_captcha: true)
+        InvisibleCaptcha.timestamp_threshold = treshold
+      end
+
+      let(:treshold) { 4 }
+      let(:session_params) { { invisible_captcha_timestamp: form_rendered_time.iso8601 } }
+      let(:form_rendered_time) { Time.current }
+      let(:submit_time) { form_rendered_time + treshold }
+
+      describe 'the honeypot has not been filled and the signup form has not been submitted too quickly' do
+        it 'creates an account' do
+          travel_to(submit_time) do
+            expect { post(:create, params: user_params, session: session_params) }.to change(User, :count).by(1)
+          end
+        end
+      end
+
+      describe 'the honeypot has been filled' do
+        let(:user_params) { super().merge(firstname: 'Roy', lastname: 'Batty') }
+
+        it 'refuses to create an account and renders an empty body' do
+          travel_to(submit_time) do
+            expect { post(:create, params: user_params, session: session_params) }.not_to change(User, :count)
+            expect(response).to have_gitlab_http_status(200)
+            expect(response.body).to be_empty
+          end
+        end
+      end
+
+      context 'the sign up form has been submitted without the invisible_captcha_timestamp parameter' do
+        let(:session_params) { nil }
+
+        it 'refuses to create an account and displays a flash alert' do
+          travel_to(submit_time) do
+            expect { post(:create, params: user_params, session: session_params) }.not_to change(User, :count)
+            expect(response).to redirect_to(new_user_session_path)
+            expect(flash[:alert]).to include 'That was a bit too quick! Please resubmit.'
+          end
+        end
+      end
+
+      context 'the sign up form has been submitted too quickly' do
+        let(:submit_time) { form_rendered_time }
+
+        it 'refuses to create an account and displays a flash alert' do
+          travel_to(submit_time) do
+            expect { post(:create, params: user_params, session: session_params) }.not_to change(User, :count)
+            expect(response).to redirect_to(new_user_session_path)
+            expect(flash[:alert]).to include 'That was a bit too quick! Please resubmit.'
+          end
+        end
+      end
+    end
+
     context 'when terms are enforced' do
       before do
         enforce_terms

spec/features/invites_spec.rb

@@ -10,6 +10,7 @@ describe 'Invites' do
   let(:group_invite) { group.group_members.invite.last }
 
   before do
+    stub_feature_flags(invisible_captcha: false)
     project.add_maintainer(owner)
     group.add_user(owner, Gitlab::Access::OWNER)
     group.add_developer('user@example.com', owner)

spec/features/users/signup_spec.rb

@@ -5,6 +5,10 @@ require 'spec_helper'
 describe 'Signup' do
   include TermsHelper
 
+  before do
+    stub_feature_flags(invisible_captcha: false)
+  end
+
   let(:new_user) { build_stubbed(:user) }
 
   describe 'username validation', :js do