From fe61e898a3c5ae6c5fefbd7ee65a995629cef2e7 Mon Sep 17 00:00:00 2001
From: Kailash Nadh
Date: Wed, 21 Apr 2021 14:01:32 +0530
Subject: [PATCH] Add hidden nonce (honeypot) field to filter bot autofills on subs page

---
 cmd/public.go | 8 ++++++++
 static/public/static/style.css | 3 +++
 static/public/templates/subscription-form.html | 2 ++
 3 files changed, 13 insertions(+)

diff --git a/cmd/public.go b/cmd/public.go
index 4c80a12..d69e713 100644
--- a/cmd/public.go
+++ b/cmd/public.go
@@ -302,6 +302,14 @@ func handleSubscriptionForm(c echo.Context) error {
 return err
 }
 
+ // If there's a nonce value, a bot could've filled the form.
+ if c.FormValue("nonce") != "" {
+ return c.Render(http.StatusOK, tplMessage,
+ makeMsgTpl(app.i18n.T("public.errorTitle"), "",
+ app.i18n.T("public.invalidFeature")))
+
+ }
+
 if len(req.SubListUUIDs) == 0 {
 return c.Render(http.StatusBadRequest, tplMessage,
 makeMsgTpl(app.i18n.T("public.errorTitle"), "",
diff --git a/static/public/static/style.css b/static/public/static/style.css
index a939824..c3c9012 100644
--- a/static/public/static/style.css
+++ b/static/public/static/style.css
@@ -274,6 +274,9 @@ input[type="text"], input[type="email"], select {
 .form .lists {
 margin-top: 45px;
 }
+ .form .nonce {
+ display: none;
+ }
 .footer {
 text-align: center;
diff --git a/static/public/templates/subscription-form.html b/static/public/templates/subscription-form.html
index a4790d9..67db772 100644
--- a/static/public/templates/subscription-form.html
+++ b/static/public/templates/subscription-form.html
@@ -8,6 +8,8 @@
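Review bot: The added `if` block in cmd/public.go ends with a blank line before its closing brace, which `gofmt` removes; the hunk should be gofmt-clean before merge. The comment calls the field a nonce, but it plays no cryptographic or anti-replay role, so a later reader may mistake it for CSRF protection; reword it to `// Honeypot: the "nonce" field is hidden by CSS, so any value in it suggests an automated submission.` Answering with 200 and a generic message is a defensible way not to tip off the submitter, but it also leaves operators blind to how often the trap fires; a counter or debug-level log line on this branch would make that measurable. handleSubscriptionForm starts and ends outside the hunk.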
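Review bot: `display: none` on `.form .nonce` hides the honeypot only visually, so a text browser, a client with stylesheets blocked or a screen reader still exposes the field to a real subscriber, whose submission is then rejected with no hint of why. The input in subscription-form.html should also carry `tabindex="-1"` and `autocomplete="off"`, plus a label telling humans to leave it empty, so keyboard navigation skips it and browser autofill does not populate it. The template hunk in this patch is not readable here, so that is a point to confirm against the template itself.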

+ +