spam protection improved

11 years ago · 6759abd466
2 changed files with 20 additions and 12 deletions
--- a/src/notehub/handler.clj
+++ b/src/notehub/handler.clj
@ -14,6 +14,9 @@
				@@ -14,6 +14,9 @@
    [notehub.storage :as storage]
    [cheshire.core :refer :all]))

+(defn current-timestamp []
+  (quot (System/currentTimeMillis) 100000000))
+
 ; note page cache
 (def C (atom (cache/lru-cache-factory {})))

@ -69,7 +72,10 @@
				@@ -69,7 +72,10 @@
  (GET "/:year/:month/:day/:title/edit" [year month day title]
       (note-update-page year month day title))

-  (GET "/new" [] (new-note-page (storage/sign (str (rand-int Integer/MAX_VALUE)))))
+  (GET "/new" [] (new-note-page
+                   (str
+                     (current-timestamp)
+                     (storage/sign (rand-int Integer/MAX_VALUE)))))

  (GET "/:year/:month/:day/:title" [year month day title :as params]
       (let [params (assoc (:query-params params)
@ -93,15 +99,19 @@
				@@ -93,15 +99,19 @@
               long-url (if (empty? rest-params) core-url (util/url core-url rest-params))]
           (redirect long-url))))

-
  (POST "/post-note" [session note signature password]
-        (if (= signature (storage/sign session note))
+        (if (and session
+                 (.startsWith session
+                              (str (current-timestamp)))
+                 (= signature (storage/sign session note)))
          (let [pid "NoteHub"
                psk (storage/get-psk pid)
-                params {:session session :note note :signature signature
-                        :password password :pid pid}]
+                params {:note note
+                        :pid pid
+                        :signature (storage/sign pid psk note)
+                        :password password}]
            (if (storage/valid-publisher? pid)
-              (let [resp (api/post-note (assoc params :signature (storage/sign pid psk note)))]
+              (let [resp (api/post-note params)]
                (if (get-in resp [:status :success])
                  (redirect (:longURL resp))
                  (response 400)))
--- a/test/notehub/test/handler.clj
+++ b/test/notehub/test/handler.clj
@ -10,6 +10,7 @@
				@@ -10,6 +10,7 @@
 (def date [2012 6 3])
 (def test-title "some-title")
 (def test-note "# This is a test note.\nHello _world_. Motörhead, тест.")
+(def session-key (str (quot (System/currentTimeMillis) 100000000) "somemd5hash"))

 (defn create-testnote-fixture [f]
  (add-note (build-key date test-title) test-note "testPID")
@ -30,8 +31,7 @@
				@@ -30,8 +31,7 @@
    (is (= (:body (send-request (url 2012 6 3 "some-title" "export"))) test-note))))

 (deftest note-creation
-  (let [session-key "somemd5hash"
-        date (get-date)
+  (let [date (get-date)
        title "this-is-a-test-note"
        [year month day] date]
    (testing "Note creation"
@ -49,8 +49,7 @@
				@@ -49,8 +49,7 @@
              (not (note-exists? (build-key date title)))))))))

 (deftest note-creation-utf
-  (let [session-key "somemd5hash"
-        date (get-date)
+  (let [date (get-date)
        title "радуга"
        note "# Радуга\nкаждый охотник желает знать, где сидят фазаны."
        [year month day] date]
@ -68,8 +67,7 @@
				@@ -68,8 +67,7 @@
            (not (note-exists? (build-key date title))))))))

 (deftest note-update
-  (let [session-key "somemd5hash"
-        date (get-date)
+  (let [date (get-date)
        title "this-is-a-test-note"
        [year month day] date
        hash (sign session-key test-note)]