From 1b1cb18839d813ba112617d6c99daece07b080d3 Mon Sep 17 00:00:00 2001
From: nesges
Date: Fri, 19 Apr 2024 09:18:34 +0200
Subject: [PATCH 1/5] fixed mislabeling of name input
---
 resources/views/auth/register.blade.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/resources/views/auth/register.blade.php b/resources/views/auth/register.blade.php
index d345b037a..40b69ce60 100644
--- a/resources/views/auth/register.blade.php
+++ b/resources/views/auth/register.blade.php
@@ -14,7 +14,7 @@
 {!! csrf_field() !!}
- + @include('form.text', ['name' => 'name'])
From 31272e60b6f4685ec7a0378553ff57860cd5e387 Mon Sep 17 00:00:00 2001
From: nesges
Date: Fri, 19 Apr 2024 09:35:09 +0200
Subject: [PATCH 2/5] add ambrosia-container to registration form as honeypot for bots: new form field "username" must not be filled
---
 app/Access/Controllers/RegisterController.php | 1 +
 resources/sass/_forms.scss | 11 +++++++++++
 resources/views/auth/register.blade.php | 5 +++++
 3 files changed, 17 insertions(+)
diff --git a/app/Access/Controllers/RegisterController.php b/app/Access/Controllers/RegisterController.php
index 13b97f03c..25b0a3036 100644
--- a/app/Access/Controllers/RegisterController.php
+++ b/app/Access/Controllers/RegisterController.php
@@ -87,6 +87,7 @@ class RegisterController extends Controller
 'name' => ['required', 'min:2', 'max:100'],
 'email' => ['required', 'email', 'max:255', 'unique:users'],
 'password' => ['required', Password::default()],
+ 'username' => ['prohibited'], // this is a honeypot for bots that must not be filled in
 ]);
 }
 }
diff --git a/resources/sass/_forms.scss b/resources/sass/_forms.scss
index e480531fc..fc0eb49bd 100644
--- a/resources/sass/_forms.scss
+++ b/resources/sass/_forms.scss
@@ -389,6 +389,17 @@ input[type=color] {
 }
 }
+.form-group.ambrosia-container, .form-group.ambrosia-container * {
+ position:absolute;
+ height:0px !important;
+ width:0px !important;
+ margin:0 !important;
+ padding:0 !important;
+ background:transparent !important;
+ color:transparent !important;
+ border:none !important;
+}
+
 .title-input input[type="text"] {
 display: block;
 width: 100%;
diff --git a/resources/views/auth/register.blade.php b/resources/views/auth/register.blade.php
index 40b69ce60..c271bb34b 100644
--- a/resources/views/auth/register.blade.php
+++ b/resources/views/auth/register.blade.php
@@ -13,6 +13,11 @@
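Review bot: The `'username' => ['prohibited']` rule added to the validator in RegisterController.php rejects a submission only when the field is present and non-empty (in current Laravel versions `null` and `''` count as empty), so the hidden input a real browser submits blank passes, but a browser or password manager that autofills a field named `username` will have its registration bounced with a normal validation error attached to an input the user cannot see. The markup is not visible in this patch's blade hunk, so confirm the input carries `autocomplete="off"` and `tabindex="-1"`; without them the honeypot can reject legitimate users for a reason they are never shown. A test that posts `'username' => ''` alongside valid data and asserts the account is created would pin the intended "empty is fine" behaviour. The scss hunk hides the field by zero size only; whether assistive technology still reaches it is a separate question handled in the follow-up patch.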
{!! csrf_field() !!} +
+ + @include('form.text', ['name' => 'username']) +
+
@include('form.text', ['name' => 'name'])
From 16399b63be640fbe934ada9da1e8cc4f36b2c8d7 Mon Sep 17 00:00:00 2001
From: nesges
Date: Sun, 21 Apr 2024 16:08:28 +0200
Subject: [PATCH 3/5] better accessibility for honepot formfield
---
 resources/sass/_forms.scss | 11 +++++++----
 resources/views/auth/register.blade.php | 2 +-
 2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/resources/sass/_forms.scss b/resources/sass/_forms.scss
index fc0eb49bd..e7ee8c285 100644
--- a/resources/sass/_forms.scss
+++ b/resources/sass/_forms.scss
@@ -390,14 +390,17 @@ input[type=color] {
 }
 .form-group.ambrosia-container, .form-group.ambrosia-container * {
- position:absolute;
- height:0px !important;
- width:0px !important;
- margin:0 !important;
+ position:absolute !important;
+ height:1px !important;
+ width:1px !important;
+ margin:-1px !important;
 padding:0 !important;
 background:transparent !important;
 color:transparent !important;
 border:none !important;
+ overflow: hidden !important;
+ clip: rect(0,0,0,0) !important;
+ white-space: nowrap !important;
 }
 .title-input input[type="text"] {
diff --git a/resources/views/auth/register.blade.php b/resources/views/auth/register.blade.php
index c271bb34b..f9f4e8cb3 100644
--- a/resources/views/auth/register.blade.php
+++ b/resources/views/auth/register.blade.php
@@ -13,7 +13,7 @@
 {!! csrf_field() !!}
-
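Review bot: The rewritten `.form-group.ambrosia-container` rule in _forms.scss now uses the visually-hidden pattern (1px box, `clip: rect(0,0,0,0)`, `overflow: hidden`, negative margin), which deliberately keeps the element in the accessibility tree and in the keyboard tab order; screen-reader and keyboard users will therefore land on a `username` input, and any value they type is turned into a rejected registration by the `prohibited` rule. If the wrapper markup does not already do so, add `aria-hidden="true"` on the container and `tabindex="-1" autocomplete="off"` on the input, or give the field a visible-to-AT label that tells humans to leave it empty. The blade hunk of this patch is cut off here, so the current attributes cannot be confirmed from this page. A short comment above the selector, e.g. `// Honeypot wrapper: hidden from sighted users only; pair with aria-hidden/tabindex in the view`, would keep the intent clear for the next person who touches the rule.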
+
From 0d2a268be09ed1ec55e90f2bd085d6e5034d0660 Mon Sep 17 00:00:00 2001
From: nesges
Date: Sun, 21 Apr 2024 17:44:01 +0200
Subject: [PATCH 4/5] whitespace only
---
 resources/sass/_forms.scss | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/resources/sass/_forms.scss b/resources/sass/_forms.scss
index e7ee8c285..e6d062ce8 100644
--- a/resources/sass/_forms.scss
+++ b/resources/sass/_forms.scss
@@ -400,7 +400,7 @@ input[type=color] {
 border:none !important;
 overflow: hidden !important;
 clip: rect(0,0,0,0) !important;
- white-space: nowrap !important;
+ white-space: nowrap !important;
 }
 .title-input input[type="text"] {
@@ -552,4 +552,4 @@ input.shortcut-input {
 width: auto;
 max-width: 120px;
 height: auto;
-}
\ No newline at end of file
+}
From 5c28bcf8651474ffd7f15831e3de705aae5a7ef8 Mon Sep 17 00:00:00 2001
From: Dan Brown
Date: Sat, 4 May 2024 13:59:41 +0100
Subject: [PATCH 5/5] Registration: Reviewed added simple honeypot, added testing
Also cleaned up old RegistrationController syntax. Review of #4970
---
 app/Access/Controllers/RegisterController.php | 20 +++++--------------
 resources/views/auth/register.blade.php | 3 ++-
 tests/Auth/RegistrationTest.php | 19 ++++++++++++++++++
 3 files changed, 26 insertions(+), 16 deletions(-)
diff --git a/app/Access/Controllers/RegisterController.php b/app/Access/Controllers/RegisterController.php
index 25b0a3036..e9812aa5d 100644
--- a/app/Access/Controllers/RegisterController.php
+++ b/app/Access/Controllers/RegisterController.php
@@ -15,24 +15,13 @@ use Illuminate\Validation\Rules\Password;
 class RegisterController extends Controller
 {
- protected SocialDriverManager $socialDriverManager;
- protected RegistrationService $registrationService;
- protected LoginService $loginService;
-
- /**
- * Create a new controller instance.
- */
 public function __construct(
- SocialDriverManager $socialDriverManager,
- RegistrationService $registrationService,
- LoginService $loginService
+ protected SocialDriverManager $socialDriverManager,
+ protected RegistrationService $registrationService,
+ protected LoginService $loginService
 ) {
 $this->middleware('guest');
 $this->middleware('guard:standard');
-
- $this->socialDriverManager = $socialDriverManager;
- $this->registrationService = $registrationService;
- $this->loginService = $loginService;
 }
 /**
@@ -87,7 +76,8 @@ class RegisterController extends Controller
 'name' => ['required', 'min:2', 'max:100'],
 'email' => ['required', 'email', 'max:255', 'unique:users'],
 'password' => ['required', Password::default()],
- 'username' => ['prohibited'], // this is a honeypot for bots that must not be filled in
+ // Basic honey for bots that must not be filled in
+ 'username' => ['prohibited'],
 ]);
 }
 }
diff --git a/resources/views/auth/register.blade.php b/resources/views/auth/register.blade.php
index f9f4e8cb3..1ea712e1d 100644
--- a/resources/views/auth/register.blade.php
+++ b/resources/views/auth/register.blade.php
@@ -13,8 +13,9 @@
 {!! csrf_field() !!}
+ {{-- Simple honeypot field --}}
diff --git a/tests/Auth/RegistrationTest.php b/tests/Auth/RegistrationTest.php
index ff1a9d66b..60ae17573 100644
--- a/tests/Auth/RegistrationTest.php
+++ b/tests/Auth/RegistrationTest.php
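Review bot: The replacement comment in the second RegisterController.php hunk reads `// Basic honey for bots that must not be filled in`; "honey" looks like a truncated "honeypot", and the comment would carry more for a future maintainer if it named the counterpart in the view, e.g. `// Basic honeypot: the hidden 'username' input in auth/register.blade.php must stay empty (prohibited = missing or empty)`. That last clause matters because the rule's empty-value tolerance is what keeps the always-submitted blank field from rejecting real users. The constructor hunk is fine as written; the promoted parameters keep the same `protected` visibility the removed property declarations had, so subclasses are unaffected.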
@@ -184,4 +184,23 @@ class RegistrationTest extends TestCase
 $resp->assertSee('The email must be a valid email address.');
 $resp->assertSee('The password must be at least 8 characters.');
 }
+
+ public function test_registration_simple_honeypot_active()
+ {
+ $this->setSettings(['registration-enabled' => 'true']);
+
+ $resp = $this->get('/register');
+ $this->withHtml($resp)->assertElementExists('form input[name="username"]');
+
+ $resp = $this->post('/register', [
+ 'name' => 'Barry',
+ 'email' => 'barrybot@example.com',
+ 'password' => 'barryIsTheBestBot',
+ 'username' => 'MyUsername'
+ ]);
+ $resp->assertRedirect('/register');
+
+ $resp = $this->followRedirects($resp);
+ $this->withHtml($resp)->assertElementExists('form input[name="username"].text-neg');
+ }
 }
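Review bot: `test_registration_simple_honeypot_active` only covers the filled-field rejection; the case that actually protects real users, a submission where the hidden `username` input is present but empty (which is what every browser sends for this form), is not pinned anywhere in the hunk. The older registration tests presumably post without a `username` key at all, which exercises the "missing" branch of `prohibited` rather than the "empty" one, so a regression that switched the rule to something stricter would go unnoticed. The final assertion on `form input[name="username"].text-neg` also ties the test to the error styling of a field the user never sees; it confirms the rejection is rendered, but a comment such as `// Error class lands on the hidden input; there is deliberately no user-facing message` would make that intent explicit. A companion test along these lines would close the gap (the success assertion is a constructed example, reuse whatever the existing happy-path test checks):

```php
    public function test_registration_simple_honeypot_allows_empty_value()
    {
        $this->setSettings(['registration-enabled' => 'true']);

        // A real browser always submits the hidden input, just with no value.
        $resp = $this->post('/register', [
            'name' => 'Barry',
            'email' => 'barry@example.com',
            'password' => 'barryIsTheBestHuman',
            'username' => '',
        ]);

        // constructed: substitute the project's usual success check for registration
        $this->assertDatabaseHas('users', ['email' => 'barry@example.com']);
    }
```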