Option to whitelist forms that shouldn't have spam protection

Created on 24 January 2025, 2 days ago

Problem/Motivation

This might sound like a strange feature to have, but the use case here is when using the OpenID Connect module. This module provides login buttons to handle requests to authenticate through an OpenID provider. For example, there is one in the footer of this new site we just launched in beta: https://new.reviewboard.ca.

The Spammaster module ended up blocking our client's office IP address so they were unable to log in using this feature. It would simply result in a blank page. The log showed it as a firewall BUFFER BLOCK. As a short-term solution I whitelisted their IP address, but this is not really an ideal or permanent solution to the problem.

There's probably a reason why the OpenID Connect module uses a form with a submit button instead of just a link to redirect to the provider, but if so I don't know what it is.

For this reason I think it would be reasonable for the SpamMaster module to allow forms to be white-listed, not just IPs and email addresses.

Steps to reproduce

Reproducing this would be a bit of a challenge as you'd have to set up a Drupal site with OpenID Connect and an auth provider configured (even if just a dummy one). Then, you probably have to click that OpenID login button an excessive amount from the same source IP address to trigger the Spammaster firewall.

Apparently that's easy if you have a whole office full of staff within the same network all trying to use it.

Proposed resolution

Add some sort of configuration to the Spammaster backend in Drupal that provides a select element to pick from forms in the site and/or a text field to enter a form ID to be added to a forms whitelist.

In the form alter code in the spammaster.module file, check to see if the form ID exists in the whitelist and, if so, return without adding any of the spammaster functionality to the form in the first place.

Feature request

Status

Active

Version

2.54

Component

Code

Created by

🇨🇦Canada teknocat
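
The early return proposed in the issue above, sketched as an added example; it is not code from the issue or from the Spammaster module. The module name `example_protect`, its config object `example_protect.settings`, the `form_whitelist` key and the validator are hypothetical; only the form ID `openid_connect_login_form` comes from this page.

```php
<?php

/**
 * @file
 * Added example: skip spam protection for allow-listed form IDs.
 *
 * All "example_protect" names are hypothetical, not Spammaster's own code.
 */

use Drupal\Core\Form\FormStateInterface;

/**
 * Returns TRUE when the form ID, or its base form ID, is on the list.
 */
function example_protect_form_is_whitelisted(string $form_id, FormStateInterface $form_state, array $whitelist): bool {
  // Exact, case-sensitive matches only: no prefixes or wildcards, so one
  // entry can never exempt more forms than the administrator typed.
  $whitelist = array_filter(array_map('trim', $whitelist));
  if (in_array($form_id, $whitelist, TRUE)) {
    return TRUE;
  }
  // Derived forms (for example entity forms) share a base form ID.
  $base = $form_state->getBuildInfo()['base_form_id'] ?? NULL;
  return $base !== NULL && in_array($base, $whitelist, TRUE);
}

/**
 * Implements hook_form_alter().
 */
function example_protect_form_alter(array &$form, FormStateInterface $form_state, $form_id) {
  // Assumed config value: a list of form IDs, e.g.
  // ['openid_connect_login_form'].
  $whitelist = \Drupal::config('example_protect.settings')->get('form_whitelist') ?? [];

  if (example_protect_form_is_whitelisted($form_id, $form_state, $whitelist)) {
    // Return before any validator or extra field is attached to the form.
    return;
  }

  // Placeholder for the protection normally added to every other form.
  $form['#validate'][] = 'example_protect_validate';
}

/**
 * Placeholder validator; the real spam checks would run here.
 */
function example_protect_validate(array &$form, FormStateInterface $form_state) {
}
```

An exempted form gets no protection at all, so the list is best kept to forms that accept no user-supplied content, such as a login button that only redirects to the identity provider.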


Comments & Activities

  • Issue created by @teknocat
  • 🇵🇹Portugal pedro-alves

    Hello @teknocat,

    Yes, sounds reasonable. We will add the feature in the next version 2.55 somewhere inside the module Protection Tools. Congrats, new.reviewboard.ca looks really good.
    Meanwhile, I do see a block for 50.117.xxx.xxx in openid_connect_login_form; you can avoid these blocks by setting the firewall rules to Relaxed mode (Protection Tools -> Basic Tools -> HAF Firewall Rules -> Relaxed).
    I also see 82.147.84.215 whitelisted, careful... this one is dangerous... 100% confidence:
    https://www.spammaster.org/search-threat/?search_spam_threat=82.147.84.215

  • 🇨🇦Canada teknocat

    Hello @pedro-alves,

    Thank you for the fast response and the advice! I really appreciate how responsive you are to issues on this module and how quickly you implement changes and updates.

    I will go and change the HAF firewall rule to relaxed and advise my team so we can see if that's appropriate in our other sites as well.

    That other IP address you mentioned was white-listed by accident and I removed it already. I just copied and pasted the wrong one by mistake when trying to white list the client's IP address.

    Looking forward to that next update with the feature to exclude/white-list forms entirely.

    Peter
