Avoid registration spam

dub.selections.json

@@ -3,23 +3,23 @@
 	"versions": {
 		"botan": "1.12.18",
 		"botan-math": "1.0.3",
-		"diet-ng": "1.8.1",
-		"eventcore": "0.9.30",
+		"diet-ng": "1.8.2",
+		"eventcore": "0.9.35",
 		"libasync": "0.8.6",
 		"libevent": "2.0.2+2.0.16",
 		"memutils": "1.0.10",
-		"mir-linux-kernel": "1.0.1",
-		"openssl": "3.3.3",
+		"mir-linux-kernel": "1.2.1",
+		"openssl": "3.3.4",
 		"openssl-static": "1.0.5+3.0.8",
 		"silly": "1.1.1",
 		"stdx-allocator": "2.77.5",
 		"taggedalgebraic": "0.11.23",
 		"vibe-container": "1.3.1",
-		"vibe-core": "2.8.4",
-		"vibe-d": "0.10.0",
-		"vibe-http": "1.1.0",
-		"vibe-inet": "1.0.0",
-		"vibe-serialization": "1.0.3",
-		"vibe-stream": "1.1.0"
+		"vibe-core": "2.9.6",
+		"vibe-d": "0.10.1",
+		"vibe-http": "1.1.2",
+		"vibe-inet": "1.0.1",
+		"vibe-serialization": "1.0.6",
+		"vibe-stream": "1.1.1"
 	}
 }

source/userman/web.d

@@ -262,13 +262,24 @@ class UserManWebInterface {
 		SessionVar!(string, "userFullName") m_sessUserFullName;
 		SessionVar!(string, "userID") m_sessUserID;
 		UserManAPISettings m_settings;
+		size_t m_postEpoch;
 	}
 
 	this(UserManAPI api, string prefix = "/")
 	{
+		import core.time : hours;
+		import std.random : unpredictableSeed;
+		import vibe.core.core : setTimer;
+
 		m_api = api;
 		m_settings = api.settings;
 		m_prefix = prefix;
+
+		// Invalidates pending forms every 2 to 4 hours, just making sure it
+		// always starts with a random number, no need to be cryptographically
+		// secure, this is just to make it a little more difficult for spammers
+		m_postEpoch = unpredictableSeed();
+		setTimer(2.hours, { m_postEpoch++; }, true);
 	}
 
 	deprecated this(UserManController controller, string prefix = "/")
@@ -319,12 +330,15 @@ class UserManWebInterface {
 	{
 		string error = _error;
 		auto settings = m_settings;
-		render!("userman.register.dt", error, settings);
+		auto postEpoch = m_postEpoch;
+		render!("userman.register.dt", error, settings, postEpoch);
 	}
 
 	@noAuth @errorDisplay!getRegister
-	void postRegister(ValidEmail email, Nullable!string name, string fullName, ValidPassword password, Confirm!"password" passwordConfirmation)
+	void postRegister(ValidEmail email, Nullable!string name, string fullName, ValidPassword password, Confirm!"password" passwordConfirmation, string check)
 	{
+		import std.conv : to;
+
 		string username;
 		if (m_settings.useUserNames) {
 			enforce(!name.isNull, "Missing user name field.");
@@ -335,6 +349,9 @@ class UserManWebInterface {
 			username = name.get;
 		} else username = email;
 
+		if (check != "a3fb"~m_postEpoch.to!string && check != "a3fb"~(m_postEpoch-1).to!string)
+			throw new Exception("Form expired");
+
 		m_api.users.register(email, username, fullName, password);
 
 		if (m_settings.requireActivation) {

views/userman.register.dt

@@ -35,4 +35,7 @@ block userman.content
 					label(for="passwordConfirmation") Password confirmation:
 				td
 					input(type="password", name="passwordConfirmation")
-		button(type="submit") Register account
+		input#fc(type="hidden", name="check", value="3fb")
+		button(type="submit") Register account
+
+	script var fc=document.getElementById("fc");fc.setAttribute("value","a"+fc.getAttribute("value")+"#{postEpoch}");