Honeypot/Spam Guard with Runtime Neos.Fusion.Form:Runtime.RuntimeForm

lucaleon · November 16, 2021, 6:34pm

Hello everyone!

I am using Neos.Fusion.Form:Runtime.RuntimeForm for my form nodetype. In order to prevent Bots from submitting the form, I would like to implement a honeypot.

The idea would be to hide a certain input field and to require it to be empty via the schema{}. Unfortunately I don’t know how to require a field to be empty with the given methods nor how to create a custom Schema that can do this.

Thanks in advance for any input on whether or not this is a valid method or on how to implement such a schema.

daniellienert · November 16, 2021, 6:41pm

Hey Luca,

you might want to have a look at my honeypot solution for Neos forms: https://github.com/daniellienert/honeypotformfield and either use it or grab some ideas.

cheers,
Daniel

lucaleon · November 16, 2021, 6:52pm

Hi Daniel,

thanks for the tip, I already looked into it and it seems like a great solution. However, I struggle to implement it into a Fusion Runtime form, therefore I tried creating a honeypot on my own.

However, if possible I would like to use your package. Would be really greatful for some hints as I already spent the whole day on this

mficzel · November 16, 2021, 7:44pm

You can do that with pure fusion with a custom field and a validator that rejects any input.

renderer = Neos.Fusion.Form:Runtime.RuntimeForm {
    process {
        content = afx`
            .... 
            <Neos.Fusion.Form:FieldContainer 
                field.name="honey"  
                attributes.style="display:none; !important"
                attributes.autocomplete="off"
                attributes.tabindex="-1"
                >
                <Neos.Fusion.Form:Input />
            </Neos.Fusion.Form:FieldContainer>
        `

        schema {
            ...
            honey = ${Form.Schema.string().validator('StringLength', {minimum:0, maximum:0})}
        }
    }

If you want to show the thank you message but skip the email sending you can react to the value of the honey field in the actions (then the honey schema gets no validator):

action {
    email {
        @if.noHoney = ${data.honey ? false : true}
        type = 'Neos.Fusion.Form.Runtime:Email'
        options {
               ...

Offcourse the name honey and hiding the field via display:none is not for production use.

lucaleon · November 16, 2021, 8:45pm

Thank you!

this is actually more or less how I planned to do it, but I never got the schema quite right!