定制 kim/defender 二次开发

按需修改功能、优化性能、对接业务系统,提供一站式技术支持

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

kim/defender

Composer 安装命令:

composer require kim/defender

包简介

Fend off spam bots by using randomized input names / honeypots.

README 文档

README

This package helps you fend off spam bots by using randomized input names and honeypots.

Introduction

Spam is a huge problem for the Web. Form-filling bots read the form presented to them and automatically fill out the fields. Another type of bot record the POST data and replay it back to the submission URL. This package helps fend off these bots with minimal effort.

The package randomizes the input names so that bots cannot make educated guesses. Example:

Before: <input type="text" name="username">

After: <input type="text" name="neeS9dJDeQCbNvN3lgyxIkdQ6R1l2GHEEnmt">

In addition to this, this package allows you to add a random number of hidden inputs aka "honeypots" (or bait). Your regular users would never see these, but the bots do. Bots tend to fill out all inputs so you can then easily reject any forms that have the "bait" inputs filled out.

By doing this, bots will struggle to decipher your form, record the POST data, and spam your site.

Installation

To install this package, just follow these quick and easy steps.

Composer

Pull this package through composer by opening composer.json file and adding this within require:

"kim/defender": "~1.0"

Afterward, run either composer update or composer install.

Providers and Aliases

Next, open config/app.php and add this to your providers array:

Kim\Defender\DefenderServiceProvider::class

and this to your aliases array:

'Defender' => Kim\Defender\DefenderFacade::class

Usage

Creating Input Fields

Normally, this is how you would create a username input field:

<input type="text" name="username">

However, we want to randomize the name, and to do so, we use the Defender facade:

<input type="text" name="{{ Defender::username() }}">

Here are some other common inputs (like email and password) that are all built-in to the package.

<input type="email" name="{{ Defender::email() }}">
<input type="password" name="{{ Defender::password() }}">

You can also easily create your own custom type by using the get method and passing in the name of your input.

<input type="text" name="{{ Defender::get('custom') }}">
<textarea name="{{ Defender::get('message') }}"></textarea>
<input type="date" name="{{ Defender::get('some_date_field') }}">

With that said, I'm sure a lot of you are wondering how you retrieve the values if the names are all randomized. That's easy. In your controller, you can easily retrieve these values by using the same methods.

Example Controller:

// Import it at the top
use Defender;


public function example(Request $request)
{
	$email = $request->input( Defender::email() );
	$username = $request->input( Defender::username() );

	$custom = $request->input( Defender::get('custom') );
}

Honeypots

This is all great, but to make it even more bulletproof, we need some honeypots. These are editable fields that are invisible to people. If bots fill them out, then we know to reject the submission. We can create honeypots in multiple ways.

The most basic method is by using the baitToken method. This simply creates a randomized token as bait. However, it does not hide the field. I recommend using JavaScript or CSS to hide this input.

<input type="text" name="{{ Defender::baitToken() }}">
<!-- Output: <input type="text" name="some_random_string"> -->

The baitField method creates a random type of input (text, email, password, radio, checkbox, etc.). A random styling is also applied that hides these inputs.

{{ Defender::baitField() }}
<!-- Output: <input type="random_type" name="some_random_string" style="random_styling_that_hides_this"> -->

Finally, we have the baitFields method. This not only creates a random input field, but it also creates a random number of input fields.

{{ Defender::baitFields() }}
<!-- Output x1 to x5: <input type="random_type" name="some_random_string" style="random_styling_that_hides_this"> -->

The baitFields method also accepts an integer argument. For example, Defender::baitFields(20) will output anywhere from 1 to 20 hidden baits.

Validating & Rejecting

You use the same methods to validate the fields.

// Import the Defender facade
use Defender;

// Add to the rules
public function rules()
{
    return [
        Defender::username() => 'required'
    ];
}

As for rejecting the honeypots, the simplest way to do this is by adding the packages's DefendAgainstSpam middleware. To do this, open app/Http/Kernel.php, and add the middleware to either the $middleware or $routeMiddleware arrays. If you add it to the $middleware array, then this package will check the honeypots in every single request. This is the easiest way to handle it. However, if you would like to apply the middleware to specific routes, then you need to add it to your $routeMiddleware array. Both examples are demonstrated below.

// Add here if you want to automatically check all routes
protected $middleware = [
	...
	\Kim\Defender\Middleware\DefendAgainstSpam::class
];

// Add here if you want to manually check specific routes
protected $routeMiddleware = [
	'defend' => \Kim\Defender\Middleware\DefendAgainstSpam::class
];

If you added it to $routeMiddleware, you now need to manually check specific routes so change your routes file to reflect that.

Route::get('/example', [
	'as' => 'example'
	'middleware' => 'defend',
	'uses' => 'ExampleController@store'
]);

If the middleware catches a potential spammer, it will throw an InvalidFormException. You can catch this inside your app/Exceptions/Handler.php file and do whatever you want.

public function render($request, Exception $e)
{
    if ($e instanceof \Kim\Defender\Exceptions\InvalidFormException) {
        // This example just redirect them back home. However, you probably
        // also want to do other things like: log the time, ip, etc.
        return redirect('/');
    }

    return parent::render($request, $e);
}

Finally, for those who don't want to use the middleware, you can use the custom validation rule, 'reject'.

public function rules()
{
    $rules = [
        // Your rules..
    ];

    // We reject the bait here
    foreach (Defender::bait() as $bait) {
        $rules[$bait] = 'reject';
    }

    return $rules;
}

License

This package is free software distributed under the terms of the MIT license.

kim/defender 适用场景与选型建议

kim/defender 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 564 次下载、GitHub Stars 达 10, 最近一次更新时间为 2015 年 10 月 11 日, 在 PHP 生态内属于活跃度较高的组件。

它主要适用于以下技术方向: 「php」 「laravel」 「Honeypot」 「spam prevention」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。

我们在过去多个企业项目中使用过 kim/defender 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 kim/defender 我们能提供哪些服务?
定制开发 / 二次开发

基于 kim/defender 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 564
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 10
  • 点击次数: 26
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 10
  • Watchers: 1
  • Forks: 1
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 2015-10-11