jamesturk / django-honeypot

๐Ÿฏ Generic honeypot utilities for use in django projects.

License: BSD 2-Clause "Simplified" License

Topics: django, honeypot, python, security

django-honeypot's People

Contributors

cclauss, dekkers, dendrar2, dependabot-preview[bot], dependabot[bot], fcurella, fdemmer, jamesturk, johnraz, nkay08, psycojoker, pydanny, richdsmith, seb-b, sobolevn, timur-orudzhov


django-honeypot's Issues

Provide an example of a time based honeypot value generator

The README mentions that HONEYPOT_VALUE and HONEYPOT_VERIFIER can be used to "implement a more advanced technique such as using timestamps".

It would be nice to include a recipe so people don't have to reinvent the wheel. I use something like this:

utils/honeypot.py:

import time
from django.core.signing import BadSignature, Signer

SALT = 'honey'


def value_generator():
    # Sign the current wall-clock time. time.monotonic() must not be used here:
    # its reference point is specific to the running process, so a value minted
    # by one worker could not be checked by another worker or after a restart.
    signer = Signer(salt=SALT)
    value = int(time.time())
    return signer.sign(value)


def value_verifier(value):
    # Verify the signature, then check that the submitted value was generated
    # more than a second and less than an hour ago
    signer = Signer(salt=SALT)
    try:
        value = signer.unsign(value)
    except (BadSignature, TypeError, ValueError):
        # bad signature, or a missing/malformed field (e.g. None)
        return False
    else:
        return 0 < time.time() - int(value) < 60 * 60

settings.py:

from utils import honeypot

HONEYPOT_VALUE = honeypot.value_generator
HONEYPOT_VERIFIER = honeypot.value_verifier

class based views

AttributeError at /
'function' object has no attribute 'as_view'

I'm having the above error when I try to use the decorator within my class-based view.

More info on HONEYPOT_VERIFIER and how to implement time based honeypot

I want to implement timestamp-based verification, i.e., if the form is submitted too fast I want it to be invalid.

In other words I want a custom validator.

You say in the README that this is possible, but I'm unable to figure out how.

Please direct me to the method to achieve this.

Thanks!
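The signed-timestamp scheme asked for in this issue and in the "Provide an example of a time based honeypot value generator" issue above, written as an added example (not the package's code and not the recipe posted above) that runs without Django: it reproduces what django.core.signing.Signer does with a salted HMAC from the standard library. It goes one step beyond the recipe above by enforcing a minimum fill time, so a POST that arrives within MIN_FILL_SECONDS of the form being rendered is rejected as a bot, as well as a maximum age. SECRET_KEY, SALT, both thresholds and the `now` parameter are constructed for the example; in a project you would use settings.SECRET_KEY and plug the two functions into the HONEYPOT_VALUE and HONEYPOT_VERIFIER settings named in the README.

```python
import hashlib
import hmac
import secrets
import time

# Constructed for this example; a Django project would use settings.SECRET_KEY.
SECRET_KEY = secrets.token_bytes(32)
SALT = b"honeypot.timestamp"

MIN_FILL_SECONDS = 3        # a human needs at least this long to fill the form
MAX_AGE_SECONDS = 60 * 60   # after this the rendered form (and its value) is stale


def _signature(payload: str) -> str:
    # Derive a per-purpose key from the salt (as django.core.signing does),
    # then HMAC the payload with it.
    key = hashlib.sha256(SALT + SECRET_KEY).digest()
    return hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()


def generate_value(now=None):
    """HONEYPOT_VALUE callable: returns 'timestamp:hmac', minted at render time."""
    timestamp = int(time.time() if now is None else now)
    payload = str(timestamp)
    return f"{payload}:{_signature(payload)}"


def verify_value(value, now=None):
    """HONEYPOT_VERIFIER callable: True only for an untampered value whose age
    lies within [MIN_FILL_SECONDS, MAX_AGE_SECONDS]."""
    # A missing field may arrive as None; anything not shaped 'payload:hex' fails closed.
    if not isinstance(value, str) or value.count(":") != 1:
        return False
    payload, signature = value.split(":")
    # Constant-time comparison, so the check itself leaks nothing about the HMAC.
    if not hmac.compare_digest(signature, _signature(payload)):
        return False
    try:
        minted = int(payload)
    except ValueError:
        return False
    elapsed = (time.time() if now is None else now) - minted
    return MIN_FILL_SECONDS <= elapsed <= MAX_AGE_SECONDS


# settings.py, assuming this module is importable as honeypot_timestamp:
#     HONEYPOT_VALUE = honeypot_timestamp.generate_value
#     HONEYPOT_VERIFIER = honeypot_timestamp.verify_value
```

A signed timestamp is not a one-time token: a bot that renders the form once and replays the same value for the next hour passes the verifier. If replay matters, bind the value to the session or store a nonce server-side and reject values that have already been used.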

0.7.0 doesn't work with Django 3.0

The latest version on PyPI doesn't work with Django 3.0.

As I see, you have already fixed this in master. It would be great to have this fix uploaded to PyPI :)

Middleware classes are not compatible with django 1.10+

You will need to adapt your class:

https://stackoverflow.com/questions/42232606/django-exception-middleware-typeerror-object-takes-no-parameters

Otherwise you will get an error like this:

  File "/usr/local/lib/python2.7/dist-packages/django/utils/autoreload.py", line 226, in wrapper
    fn(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/django/core/management/commands/runserver.py", line 142, in inner_run
    handler = self.get_handler(*args, **options)
  File "/usr/local/lib/python2.7/dist-packages/django/contrib/staticfiles/management/commands/runserver.py", line 27, in get_handler
    handler = super(Command, self).get_handler(*args, **options)
  File "/usr/local/lib/python2.7/dist-packages/django/core/management/commands/runserver.py", line 64, in get_handler
    return get_internal_wsgi_application()
  File "/usr/local/lib/python2.7/dist-packages/django/core/servers/basehttp.py", line 49, in get_internal_wsgi_application
    return import_string(app_path)
  File "/usr/local/lib/python2.7/dist-packages/django/utils/module_loading.py", line 20, in import_string
    module = import_module(module_path)
  File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "/home/ubuntu/workspace/src/escalert/wsgi.py", line 16, in <module>
    application = get_wsgi_application()
  File "/usr/local/lib/python2.7/dist-packages/django/core/wsgi.py", line 14, in get_wsgi_application
    return WSGIHandler()
  File "/usr/local/lib/python2.7/dist-packages/django/core/handlers/wsgi.py", line 153, in __init__
    self.load_middleware()
  File "/usr/local/lib/python2.7/dist-packages/django/core/handlers/base.py", line 82, in load_middleware
    mw_instance = middleware(handler)
TypeError: object() takes no parameters

Would be cool if you could fix that!

Enabling honeypot.middleware.HoneypotMiddleware breaks existing tests

Hello,

I have a big project where I recently added honeypot as dependency. I enabled the honeypot.middleware.HoneypotMiddleware middleware but then every single test that performs a POST breaks, because, of course, the honeypot field is not being sent.

I've investigated what Django does for the CSRF middleware, and they have a couple of hacks in place that I'm not sure apply for honeypot, since those require that the test Client gets instantiated with a custom parameter enforce_csrf_checks=False.

Can you think of any other way of using the middleware without breaking all the tests? (the existing tests are too many, adding the honeypot field to each one does not scale).

Thank you.

Cannot Save Changes On Admin With Middleware

Using the combined middleware of this app, HoneypotMiddleware, I cannot save anything I try to change on admin without getting the 400 bad request error page honeypot/honeypot_error.html.

Nothing is entered into the value that the honeypot input field uses when I try to save.

Removing the middleware and honeypot configuration from settings.py completely fixed the problem. It would still be useful to have django-honeypot work even on admin pages.

2 problems with django-cookie-consent

I also mentioned this issue in django-cookie-consent. Maybe both maintainers could work together to sort this out.

jazzband/django-cookie-consent#26

2 issues when using the combined middleware with django-cookie-consent.

Removing the combined middleware and django-honeypot completely caused both issues to go away.

First one is that I am unable to accept or decline cookies from the cookie bar that django-cookie-consent uses:
https://github.com/bmihelac/django-cookie-consent/blob/master/tests/core/templates/test_page.html

POST http://127.0.0.1:8000/cookies/accept/Stripe,Youtube/ 400 (Bad Request)

https://github.com/bmihelac/django-cookie-consent/blob/master/cookie_consent/static/cookie_consent/cookiebar.js

django-cookie-consent line showing the problem:
fetch(e.target.getAttribute("href"), {method: "POST"})

Failed to load resource. Responded a status of 400.

Tried changing the field name setting and that did not work.

The second one is that I am unable to use {% extends app/file.html %} to customize the honeypot_error.html file to make it look like the CSS the rest of my project uses.

If accepting or declining from the cookie bar:

POST http://127.0.0.1:8000/cookies/decline/Stripe,Youtube/ 500 (Internal Server Error)

https://github.com/bmihelac/django-cookie-consent/blob/master/cookie_consent/static/cookie_consent/cookiebar.js

django-cookie-consent line showing the problem:
fetch(e.target.getAttribute("href"), {method: "POST"})

If filling out the form (at /contact/ for example) and passing a value to the hidden django-honeypot value:

AttributeError at /contact/
'str' object has no attribute 'COOKIES'

cookie_consent/util.py in get_cookie_dict_from_request, line 36

https://github.com/bmihelac/django-cookie-consent/blob/master/cookie_consent/util.py

[Suggestion] Use different properties than "display:none"

Some more advanced bots can recognize that fields with display:none should not be filled.
We can achieve something similar to display:none without actually using it.

We recently got a bot submission on our contact form using django-honeypot, which is the reason I'm suggesting the change.

These CSS properties can replace display:none:

        opacity: 0;
        position: absolute;
        top: 0;
        left: 0;
        height: 0;
        width: 0;
        z-index: -1;

Kind regards.

#25

AttributeError when using decorator with field name

If I don't pass the field name argument to the decorator then honeypot works fine.

Pseudo code below...

@check_honeypot('foo_field')
def contact_form(request, form_class=ContactForm):
    ...

Exception message:
AttributeError at /contact/
'str' object has no attribute '__module__'
Request Method: GET
Request URL: http://127.0.0.1:8000/contact/
Exception Type: AttributeError
Exception Value:
'str' object has no attribute '__module__'
Exception Location: /System/Library/Frameworks/Python.framework/Versions/2.5/lib/python2.5/functools.py in update_wrapper, line 33

Server Error (500) Issue

This seems to work perfect on development server but as soon as I deploy and attempt to use this functionality I get Server Error (500). Any insight would be truly appreciated.

check_honeypot Decorator and classed based views

Hi there,

check_honeypot currently only works with view functions, as the inner decorator function assumes the request to be the first argument. I tried to use the application with class-based views, but the decorator gets passed self as the first argument.

Just an idea for an improvement!

With kind regards,
Henning
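The three decorator problems reported on this page (the "'function' object has no attribute 'as_view'" error from the "class based views" issue, the "'str' object has no attribute '__module__'" error from the "AttributeError when using decorator with field name" issue, and this issue's observation that the decorator assumes request is the first argument) all come from the same shape of code, reconstructed here as an added example. The check_honeypot, method_decorator, Request and View below are simplified stand-ins written for this example, not the package's or Django's code, and the field name "phonenumber" is constructed; the production answer is Django's own django.utils.decorators.method_decorator applied to the view's post() (or dispatch()) method, which the stand-in imitates.

```python
import functools

HONEYPOT_FIELD_NAME = "phonenumber"  # default field name, constructed for this example


class Request:
    """Minimal stand-in for django.http.HttpRequest (constructed for this example)."""

    def __init__(self, method="GET", post=None):
        self.method = method
        self.POST = dict(post or {})


def verify_honeypot_value(request, field_name):
    """Return an error response if the honeypot field was filled in, else None.
    The package renders honeypot/honeypot_error.html as a 400; a string stands in."""
    field_name = field_name or HONEYPOT_FIELD_NAME
    if request.method == "POST" and request.POST.get(field_name, "") != "":
        return "400 Bad Request (honeypot field was filled)"
    return None


def check_honeypot(func=None, field_name=None):
    """Simplified stand-in for honeypot.decorators.check_honeypot, usable bare
    (@check_honeypot) or with a keyword (@check_honeypot(field_name=...)).
    Its wrapper assumes the first positional argument is the request, which is
    exactly what breaks on a class-based view, where the first argument is self."""
    def decorated(view):
        @functools.wraps(view)
        def inner(request, *args, **kwargs):
            response = verify_honeypot_value(request, field_name)
            return response if response is not None else view(request, *args, **kwargs)
        return inner

    if func is None:            # @check_honeypot(field_name="...") form
        return decorated
    return decorated(func)      # bare @check_honeypot form


def method_decorator(decorator):
    """Adapter in the spirit of django.utils.decorators.method_decorator: bind
    self first, so the function decorator sees (request, ...) as it expects."""
    def transform(method):
        @functools.wraps(method)
        def outer(self, *args, **kwargs):
            return decorator(functools.partial(method, self))(*args, **kwargs)
        return outer
    return transform


class View:
    """Stand-in for django.views.View: as_view() returns a plain function that
    dispatches on the HTTP method."""

    @classmethod
    def as_view(cls):
        def view(request, *args, **kwargs):
            return getattr(cls(), request.method.lower())(request, *args, **kwargs)
        return view


@check_honeypot                              # function view: the plain decorator works
def contact_form(request):
    return "200 contact form"


@check_honeypot(field_name="foo_field")      # keyword form for a custom field name
def signup_form(request):
    return "200 signup form"


class ContactView(View):
    @method_decorator(check_honeypot)        # class-based view: decorate the method
    def post(self, request):
        return "200 contact form (class-based)"


def decorating_the_class_fails():
    """@check_honeypot on the class itself replaces it with `inner`, a plain
    function, so the later .as_view() call raises the AttributeError seen above."""
    Decorated = check_honeypot(ContactView)
    try:
        Decorated.as_view()
    except AttributeError as exc:
        return "as_view" in str(exc)
    return False


def positional_field_name_fails():
    """@check_honeypot('foo_field') hands the string in as if it were the view, so
    what comes back is a wrapper, not a decorator; applying it to a real view then
    fails (the Python 2.5 trace above dies earlier, inside functools.wraps)."""
    not_a_decorator = check_honeypot("foo_field")
    try:
        not_a_decorator(lambda request: "200")   # the view lands in the `request` slot
    except AttributeError:
        return True
    return False
```

With real Django the same fix is `from django.utils.decorators import method_decorator` and `@method_decorator(check_honeypot)` on post() (or `@method_decorator(check_honeypot, name="post")` on the class); decorating dispatch() instead covers every method, but since the check only looks at POST that makes no practical difference.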

Conflict issue in django4

The conflict is caused by:
    The user requested Django==4.0.1
    django-honeypot 1.0.2 depends on Django<4.0 and >=2.2

To fix this you could try to:
1. loosen the range of package versions you've specified
2. remove package versions to allow pip attempt to solve the dependency conflict

I am getting a conflict error with this package in Django 4.0.1.
It looks like you haven't bumped it to Django 4 yet. Hope to see the update as soon as possible.

IPAddressField has been deprecated

admin_honeypot.LoginAttempt.ip_address: (fields.W900) IPAddressField has been deprecated. Will be removed in Django 1.9.
Use GenericIPAddressField instead.

Content type field check case sensitivity

The middleware content type check key and types are hardcoded and therefore don't allow honeypotting some pages they should. Perhaps the keys and types could be added as settings to override the defaults:

_HTML_TYPES = ('text/html', 'application/xhtml+xml')

content_type = response['Content-Type'].split(';')[0]

I believe response['Content-Type'] isn't working for me because my header is response['content-type'] or similar.
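An added example (not the package's middleware) of the content-type gate written the way this issue asks for: header name and media type compared case-insensitively, parameters such as ";charset=utf-8" ignored, the allowed types read from an overridable setting, and a response with no Content-Type left alone instead of raising. HONEYPOT_HTML_TYPES is a hypothetical setting name invented here; the headers and the SimpleNamespace settings object are constructed inputs.

```python
from types import SimpleNamespace

# The tuple the middleware hard-codes today, quoted in the issue above.
DEFAULT_HTML_TYPES = ("text/html", "application/xhtml+xml")


def html_types_from(settings):
    """Read the allowed media types from a (hypothetical) HONEYPOT_HTML_TYPES
    setting, normalised to lower case, falling back to the hard-coded default."""
    types = getattr(settings, "HONEYPOT_HTML_TYPES", DEFAULT_HTML_TYPES)
    return tuple(t.strip().lower() for t in types)


def is_html_response(headers, html_types=DEFAULT_HTML_TYPES):
    """Decide whether a response should get the honeypot field injected.

    `headers` maps response header names to values as a middleware sees them.
    'content-type' and 'Content-Type' are the same header, and
    'Text/HTML; Charset=UTF-8' is text/html once the parameters are dropped.
    """
    allowed = {t.lower() for t in html_types}
    for name, value in headers.items():
        if name.lower() == "content-type":
            media_type = value.split(";", 1)[0].strip().lower()
            return media_type in allowed
    return False   # no Content-Type at all: nothing to inject into


# Constructed sample responses: (headers, expected decision)
SAMPLES = [
    ({"Content-Type": "text/html; charset=utf-8"}, True),
    ({"content-type": "Application/XHTML+XML"}, True),
    ({"Content-Type": "application/json"}, False),
    ({}, False),
]


def check_samples(html_types=DEFAULT_HTML_TYPES):
    """Return True when every sample is classified as expected."""
    return all(is_html_response(h, html_types) is want for h, want in SAMPLES)
```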

DRF

How do I exempt all checks when using a REST API? I get a 400 error when I send a POST with AJAX to the API.

Or maybe I can add headers to check?

Upgrading to Django v5.0 downgrades django-honeypot from v1.0.4 to v0.9.0

Why did pipenv make this downgrade in Pipfile.lock?

        "django": {
-            "markers": "python_version >= '3.8'",
-            "version": "==4.1.13"
+            "markers": "python_version >= '3.10'",
+            "version": "==5.0"
        },
        "django-honeypot": {
-            "version": "==1.0.4"
+            "version": "==0.9.0"
        },
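Review bot: the `django-honeypot` hunk, not the `django` one, is the real finding: the lock moved from `==1.0.4` to `==0.9.0` without any error, which suggests the Pipfile carries no lower bound on django-honeypot, so the resolver satisfied `Django==5.0` by reaching back to an old release whose metadata does not rule it out. Pin `django-honeypot = ">=1.0.4"` (or `==1.0.4`) in the Pipfile so an incompatible Django bump fails loudly, as the `pip install django==5.0 django-honeypot==1.0.4` line below does, instead of quietly shipping a much older package.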

Fixed in:

  • #86 but not yet released to PyPI.

% python3.12 -m venv .venv
% source .venv/bin/activate
% pip install --upgrade pip
% pip install django==5.0 django-honeypot==1.0.4   # --> Failure
% pip install django==5.0 django-honeypot          # --> Success, but with django-honeypot downgraded to v0.9.0

Please release a new version to PyPI. — Done!

Override template without editing source package?

I'm not understanding how to override the template without writing to the honeypot templates in the package. Is there a way to do this, and if so could this be explained more clearly in the documentation?

Thanks!
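How the override works, as an added example (not the package's code): Django's default TEMPLATES setting searches the directories in DIRS before the templates/ directories of installed apps, so a file at <your templates dir>/honeypot/honeypot_error.html shadows the one shipped in the package without touching site-packages. The settings fragment is the standard Django one; resolve_template() reproduces that loader order on a temporary directory tree built for the example, and the template contents are constructed.

```python
import tempfile
from pathlib import Path

# The template the middleware renders on a rejected POST (named elsewhere on this page).
ERROR_TEMPLATE = "honeypot/honeypot_error.html"

# Standard Django setting. With APP_DIRS=True the filesystem loader (DIRS) runs
# before the app_directories loader, so project templates shadow package ones.
# "<BASE_DIR>" is a placeholder; real settings use BASE_DIR / "templates".
TEMPLATES = [{
    "BACKEND": "django.template.backends.django.DjangoTemplates",
    "DIRS": ["<BASE_DIR>/templates"],
    "APP_DIRS": True,
    "OPTIONS": {},
}]


def resolve_template(name, dirs, app_template_dirs):
    """Reproduce the loader order above: first match wins, DIRS before apps."""
    for base in [*dirs, *app_template_dirs]:
        candidate = Path(base) / name
        if candidate.is_file():
            return candidate
    return None


def demo():
    """Shadow the package's error page with a project copy that extends the site base.
    Returns the template text found before and after the override file exists."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app_dir = root / "site-packages" / "honeypot" / "templates"      # the package's copy
        project_dir = root / "myproject" / "templates"                    # a DIRS entry
        (app_dir / "honeypot").mkdir(parents=True)
        (app_dir / ERROR_TEMPLATE).write_text("<p>package default</p>")

        before = resolve_template(ERROR_TEMPLATE, [project_dir], [app_dir])

        (project_dir / "honeypot").mkdir(parents=True)
        (project_dir / ERROR_TEMPLATE).write_text(
            "{% extends 'base.html' %}{% block content %}Blocked{% endblock %}"
        )
        after = resolve_template(ERROR_TEMPLATE, [project_dir], [app_dir])

        return before.read_text(), after.read_text()
```

The same rule applies to the field template: a project file at honeypot/honeypot_field.html, if that is the name the package uses for the field, would shadow the package's copy in exactly the same way.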

Django <3.0 requirement

I'm not familiar with poetry but I think the line

Django = "^2.2" in the pyproject.toml is causing this error when I try to install 1.0.0:

django-honeypot 1.0.0 depends on Django<3.0 and >=2.2

Middleware needs updating for Django 2.2

When I add honeypot.middleware.HoneypotViewMiddleware to MIDDLEWARE in settings.py I get the following error message

  File "/opt/project/ncn/ncn/wsgi.py", line 16, in <module>
    application = get_wsgi_application()
  File "/usr/local/lib/python3.6/dist-packages/django/core/wsgi.py", line 13, in get_wsgi_application
    return WSGIHandler()
  File "/usr/local/lib/python3.6/dist-packages/django/core/handlers/wsgi.py", line 135, in __init__
    self.load_middleware()
  File "/usr/local/lib/python3.6/dist-packages/django/core/handlers/base.py", line 37, in load_middleware
    mw_instance = middleware(handler)
TypeError: object() takes no parameters
