hettiger / spa-honeypot
Honeypot package for Single Page Applications
Requires
- php: ^8.1
- illuminate/contracts: ^9.0
- spatie/laravel-package-tools: ^1.13.0
Requires (Dev)
- laravel/pint: ^1.0
- nunomaduro/collision: ^6.0
- nunomaduro/larastan: ^2.0.1
- nuwave/lighthouse: ^5.61
- orchestra/testbench: ^7.0
- pestphp/pest: ^1.21
- pestphp/pest-plugin-laravel: ^1.1
- pestphp/pest-plugin-mock: ^1.0
- phpstan/extension-installer: ^1.1
- phpstan/phpstan-deprecation-rules: ^1.0
- phpstan/phpstan-phpunit: ^1.0
- phpunit/phpunit: ^9.5
Suggests
- nuwave/lighthouse: This package supports Lighthouse PHP (optional)
Conflicts
- nuwave/lighthouse: <5.61
This package is auto-updated.
Last update: 2024-10-29 06:31:13 UTC
README
Helps protect SPAs (Single Page Applications) against spam without using cookies or user input.
Installation
```shell
composer require hettiger/spa-honeypot
php artisan spa-honeypot:install
```
Usage
- Add the `form.honeypot`, `form.token` or `form` middleware to a form's target route:

```php
Route::post('form', fn () => 'OK')->middleware('form');
```

The `form` middleware group simply combines `form.honeypot` and `form.token` so you don't have to. Using just `form.token` protection without the `form.honeypot` middleware, or vice versa, is supported.
- Use one of the corresponding frontend libraries to make form token requests
Lighthouse GraphQL API
- Add the `form.token.handle` middleware to the `lighthouse.route.middleware` config:

```php
// config/lighthouse.php — must be published
'middleware' => [
    // …
    'form.token.handle',
],
```
- Register the honeypot scalar in your `graphql/schema.graphql` file:

```graphql
scalar Honeypot @scalar(class: "Hettiger\\Honeypot\\GraphQL\\Scalars\\HoneypotScalar")
# …
```
- Add a honeypot field to any input that you want to protect against spam:

```graphql
input SendContactRequestInput {
    # …
    honey: Honeypot
}
```

The `field` config option is not used in the GraphQL context.
- Add the `@requireFormToken` directive to any field that you want to protect against spam:

```graphql
# e.g. graphql/contact.graphql
extend type Mutation {
    sendContactRequest(input: SendContactRequestInput): SendContactRequestPayload @requireFormToken
}
```
- Use one of the corresponding frontend libraries to make form token requests
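The two checks that the `form.token` and `form.honeypot` middleware (and the `Honeypot` scalar plus `@requireFormToken` directive on the GraphQL side) stand for, as an added stand-alone illustration: it is not the package's implementation, whose token format is not documented here. The secret, the one-hour TTL and the `X-Form-Token` header name are assumptions; the `honey` field name comes from the GraphQL example above.

```php
<?php
// Added illustration, not the package's code: a stateless form token (HMAC
// signed and time-limited, so no cookie or session is needed) plus a honeypot
// check on the "honey" field. Secret, TTL and header name are assumptions.
declare(strict_types=1);

const FORM_TOKEN_SECRET = 'replace-with-an-app-secret'; // assumption: from config
const FORM_TOKEN_TTL = 3600;                            // assumption: one hour

// Issue "<expiry>.<hmac>": unforgeable without the secret, useless after expiry.
function issueFormToken(int $now): string
{
    $expires = $now + FORM_TOKEN_TTL;
    return $expires . '.' . hash_hmac('sha256', (string) $expires, FORM_TOKEN_SECRET);
}

// Reject malformed, expired or tampered tokens; compare MACs in constant time.
function formTokenIsValid(string $token, int $now): bool
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0]) || (int) $parts[0] < $now) {
        return false;
    }
    $expected = hash_hmac('sha256', $parts[0], FORM_TOKEN_SECRET);
    return hash_equals($expected, $parts[1]);
}

// The honeypot field is never shown to real users, so any value marks a bot.
function honeypotIsClean(array $input, string $field = 'honey'): bool
{
    return ($input[$field] ?? '') === '';
}

// Both checks must pass before the form handler runs.
function submissionIsAcceptable(array $headers, array $input, int $now): bool
{
    $token = $headers['X-Form-Token'] ?? ''; // assumption: illustrative header name
    return formTokenIsValid($token, $now) && honeypotIsClean($input);
}

// Constructed sample submissions: a real user, a bot that filled the hidden
// field, and a replay of a token issued long ago.
$now = time();
$user = ['email' => 'user@example.com', 'honey' => ''];
$bot = ['email' => 'user@example.com', 'honey' => 'https://spam.example'];
var_dump(submissionIsAcceptable(['X-Form-Token' => issueFormToken($now)], $user, $now));
var_dump(submissionIsAcceptable(['X-Form-Token' => issueFormToken($now)], $bot, $now));
var_dump(submissionIsAcceptable(['X-Form-Token' => issueFormToken($now - 2 * FORM_TOKEN_TTL)], $user, $now));
```

Only the first submission is accepted; the filled honeypot and the expired token are both rejected without any cookie or session lookup.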
Customizing Responses
You may provide custom error response factories using the config:

```php
return [
    // …
    'honeypot_error_response_factory' => \Hettiger\Honeypot\ErrorResponseFactory::class,
    'form_token_error_response_factory' => \Hettiger\Honeypot\ErrorResponseFactory::class,
];
```
Alternatively you can provide a simple Closure anywhere in your application:

```php
use Hettiger\Honeypot\Facades\Honeypot;
use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    // …

    public function boot()
    {
        $errorResponseFactory = fn (bool $isGraphQLRequest) => $isGraphQLRequest
            ? ['errors' => [['message' => 'Whoops, something went wrong …']]]
            : 'Whoops, something went wrong …';

        Honeypot::respondToHoneypotErrorsUsing($errorResponseFactory);
        Honeypot::respondToFormTokenErrorsUsing($errorResponseFactory);
    }
}
```
You don't have to worry about adding the form token header yourself. It'll be added for you automatically.
Testing
```shell
composer test
```
Frontend Libraries
Changelog
Please see CHANGELOG for more information on what has changed recently.
Credits
License
The MIT License (MIT). Please see License File for more information.