Make honeypot errors less suspicious

2024-11-21 21:53:30 +00:00 · 2024-07-10 19:30:01 +02:00 · 2024-07-10 19:30:01 +02:00 · d6b27f2f21
commit d6b27f2f21
parent e15bcfae07
3 changed files with 19 additions and 3 deletions
--- a/core/middleware.py
+++ b/core/middleware.py
@ -21,6 +21,7 @@ from django.contrib.auth import get_user
 from django.contrib.auth.middleware import (
    AuthenticationMiddleware as DjangoAuthenticationMiddleware,
 )
+from django.http import HttpResponse
 from django.utils.functional import SimpleLazyObject

 module, klass = settings.AUTH_ANONYMOUS_MODEL.rsplit(".", 1)
@ -70,3 +71,7 @@ class SignalRequestMiddleware:
    def __call__(self, request):
        _threadlocal.request = request
        return self.get_response(request)
+
+
+def custom_honeypot_error(request, context):
+    return HttpResponse("Upon reading this, the http client was enlightened.")
--- a/core/tests.py
+++ b/core/tests.py
@ -80,13 +80,15 @@ class TestUserRegistration:
        assert response.status_code == 200
        error_html = f'<ul class="errorlist"><li>{expected_error}</li></ul>'
        assertInHTML(error_html, str(response.content.decode()))
+        assert not User.objects.filter(email=payload["email"]).exists()

-    def test_register_honeypot_fail(self, client, valid_payload):
+    def test_register_honeypot_fail(self, client: Client, valid_payload):
        payload = valid_payload | {
            settings.HONEYPOT_FIELD_NAME: settings.HONEYPOT_VALUE + "random"
        }
        response = client.post(reverse("core:register"), payload)
-        assert response.status_code == 400
+        assert response.status_code == 200
+        assert not User.objects.filter(email=payload["email"]).exists()

    def test_register_user_form_fail_already_exists(
        self, client: Client, valid_payload
@ -152,7 +154,8 @@ class TestUserLogin:
                settings.HONEYPOT_FIELD_NAME: settings.HONEYPOT_VALUE + "incorrect",
            },
        )
-        assert response.status_code == 400
+        assert response.status_code == 200
+        assert response.wsgi_request.user.is_anonymous

    def test_login_success(self, client, user):
        """
@ -167,6 +170,7 @@ class TestUserLogin:
            },
        )
        assertRedirects(response, reverse("core:index"))
+        assert response.wsgi_request.user == user


@pytest.mark.parametrize(
--- a/sith/settings.py
+++ b/sith/settings.py
@ -41,6 +41,7 @@ import os
 import sys

 import sentry_sdk
+from django.utils.module_loading import import_string
 from django.utils.translation import gettext_lazy as _
 from sentry_sdk.integrations.django import DjangoIntegration

@ -58,6 +59,12 @@ SECRET_KEY = "(4sjxvhz@m5$0a$j0_pqicnc$s!vbve)z+&++m%g%bjhlz4+g2"
 HONEYPOT_FIELD_NAME = "body2"
 HONEYPOT_VALUE = "content"

+# Make honeypot errors less suspicious
+# Since the app is not loaded yet, we wrap the import_string function in a lambda call to lazy load it
+HONEYPOT_RESPONDER = lambda request, context: import_string(
+    "core.middleware.custom_honeypot_error"
+)(request, context)
+
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = False
 TESTING = "pytest" in sys.modules