BoltTouring (Contributor) commented Jan 8, 2026

Implements two layers of spam protection for the grant report submission form:

  1. Honeypot Field - Hidden `company_website` field that bots fill but humans don't
    • Returns success (200) but silently rejects if filled
    • Logs spam attempts for monitoring
  2. Time-Based Validation - Requires minimum time between form load and submission
    • Default: 2 seconds (configurable via `SPAM_MIN_FORM_TIME` env var)
    • Rejects submissions that happen too quickly
    • Logs suspiciously fast submissions
Changes

  • Added honeypot field to `GrantReportForm` component (hidden with CSS + aria-hidden)
  • Added `form_loaded_at` timestamp tracking when form mounts
  • Added spam validation checks in `/api/report` endpoint
  • Passes `form_loaded_at` through preview page to final submission

Testing

  • ✅ Honeypot field catches bots (tested manually via local)
  • ✅ Time validation prevents too-fast submissions
  • ✅ Legitimate submissions work normally
  • ✅ Spam attempts are logged for monitoring

Configuration

  • `SPAM_MIN_FORM_TIME` environment variable (default: 2000ms)

Both protections run before any GitHub API calls, preventing wasted API quota on spam.

BoltTouring and others added 6 commits November 6, 2025 09:10
Reformatted Robos' bio for better readability.
- Add honeypot field (company_website) to catch bots
- Add time-based validation to prevent too-fast submissions
- Honeypot: Returns success but silently rejects if filled
- Time validation: Requires minimum 2-3 seconds between form load and submission
- Both protections log spam attempts for monitoring
- Configurable via SPAM_MIN_FORM_TIME environment variable
BoltTouring requested a review from dergigi January 8, 2026 01:05

vercel bot commented Jan 8, 2026

Project: os-website - Deployment: Ready - Review: Ready (Preview) - Updated (UTC): Jan 8, 2026 1:13am

Resolved conflict in data/authors/robos.mdx:
- Accept incoming change: use robos.jpg (from master) instead of rob.jpg
- Remove unused formLoadedAt state variable
- Fix prettier formatting for localStorage.setItem
- Fix TypeScript error in grant.ts with type assertion
BoltTouring (Contributor, Author) commented

I implemented this for report submissions instead of applications. Will fix for both a bit later!

dergigi (Member) commented Jan 13, 2026

Re-implemented & merged with #555

dergigi closed this Jan 13, 2026