I will add a honeypot-field to the devise registration form (as a simple captcha). Where is the best place to check if data has been entered into this field?
If a bot has entered something into this field, he should be sent back to the index page without notification. As I am still far from being fluent in Rails, it would be helpful to see the syntax for this too.
On
I had a similar issue with bots signing up via my Devise registration form so tackled it by doing the following:
rails generate devise:views)# app/views/devise/registrations/new.html.erb
<div class="form__honeypot">
If you see this, leave it blank. Only bots should see this
<input type="text" name="body" value="" />
</div>
.form {
position: relative;
&__honeypot {
position: absolute;
visibility: hidden;
left: -5000px;
top: -5000px;
}
}
create method.rails g devise:controllers users -c=registrations
You can generate them all or just the one you need using the -c flag.
# app/controllers/users/registrations_controller.rb
class Users::RegistrationsController < Devise::RegistrationsController
before_action :configure_sign_up_params, only: [:create]
def create
if params[:body].present?
return redirect_to root_path
end
super
end
def configure_sign_up_params
devise_parameter_sanitizer.permit(:sign_up, keys: [:body])
end
end
Essentially this is going to redirect anyone (hopefully bots), who populate the hidden field on the form, back to the root_url
routes.rb, added the line let Devise know to use our generated controller to handle registrations.# config/routes.rb
Rails.application.routes.draw do
devise_for :users, controllers: { registrations: 'users/registrations' }
end
I think the best place to do that is at the model, because it may be a business logic to accept only records from "verified humans".
You can create a validation method that does this: