feat: add honeypot + time-based anti-bot checks to email flow

ijbo · ijbo · commit 4be10aff1268 · 2026-03-18T21:28:50.000+09:00
- Hidden honeypot field: bots auto-fill, humans never see it
- Time check: rejects submissions &lt; 3s after modal opens
- Both enforced client-side and server-side (Apps Script)
- Rate limiting still active as additional protection
diff --git a/changelogs/CHANGELOG-antibot.md b/changelogs/CHANGELOG-antibot.md
@@ -0,0 +1,15 @@
+# Anti-Bot Protection (Honeypot + Time Check)
+
+- Added hidden honeypot input field (bots auto-fill, humans never see it)
+- Added time-based check (rejects submissions < 3 seconds after modal opens)
+- Both checks enforced client-side and server-side
+- Rate limiting (100/day global, 7/day per-recipient) still active
+
+## Files Changed (5 total)
+
+| File | Change |
+|------|--------|
+| `js/modal-templates.js` | Added honeypot input field |
+| `css/modals.css` | Honeypot CSS (hidden from view) |
+| `js/cloud-share.js` | Time tracking, honeypot + time validation, send hp/ts |
+| `scripts/email-apps-script.js` | Server-side honeypot + time checks |
diff --git a/css/modals.css b/css/modals.css
@@ -404,6 +404,17 @@
   margin-top: 0;
 }
 
+/* Honeypot — invisible to humans, bots auto-fill */
+.share-email-hp {
+  position: absolute;
+  left: -9999px;
+  opacity: 0;
+  height: 0;
+  width: 0;
+  overflow: hidden;
+  pointer-events: none;
+}
+
 .share-email-status {
   font-size: 13px;
   margin-top: 8px;
diff --git a/js/cloud-share.js b/js/cloud-share.js
@@ -851,13 +851,19 @@
     var emailSubjectInput = document.getElementById('share-email-subject');
     var emailSendBtn = document.getElementById('share-email-send');
     var emailStatus = document.getElementById('share-email-status');
+    var emailHoneypot = document.getElementById('share-email-website');
+    var emailModalOpenTime = 0;
 
     // Restore last-used email
     var savedEmail = localStorage.getItem(M.KEYS.EMAIL_SELF);
     if (savedEmail && emailInput) emailInput.value = savedEmail;
 
-
-
+    // Track when the share result modal opens (for time-based bot detection)
+    var _origShowShareResult = showShareResult;
+    showShareResult = function (url, isSecure) {
+        _origShowShareResult(url, isSecure);
+        emailModalOpenTime = Date.now();
+    };
     if (emailSendBtn) emailSendBtn.addEventListener('click', async function () {
         var email = emailInput.value.trim();
         if (!email || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
@@ -867,8 +873,12 @@
             return;
         }
 
+        // Anti-bot: honeypot check (hidden field bots auto-fill)
+        if (emailHoneypot && emailHoneypot.value) return;
 
-
+        // Anti-bot: time check (reject submissions < 3 seconds after modal opened)
+        var elapsed = Date.now() - emailModalOpenTime;
+        if (elapsed < 3000) return;
         // Persist email for next time
         try { localStorage.setItem(M.KEYS.EMAIL_SELF, email); } catch (e) { /* ignore */ }
 
@@ -903,7 +913,9 @@
                     subject: subject,
                     title: heading,
                     content: content,
-                    shareLink: shareUrl
+                    shareLink: shareUrl,
+                    hp: emailHoneypot ? emailHoneypot.value : '',
+                    ts: elapsed
                 })
             });
             // If fetch didn't throw, the request reached Google's servers
diff --git a/js/modal-templates.js b/js/modal-templates.js
@@ -138,6 +138,7 @@
                     <div class="share-email-header"><i class="bi bi-envelope me-1"></i> Email to Self</div>
                     <input type="email" id="share-email-input" class="share-email-field" placeholder="your@email.com" autocomplete="email" />
                     <input type="text" id="share-email-subject" class="share-email-field" placeholder="Subject (optional)" />
+                    <input type="text" id="share-email-website" class="share-email-hp" tabindex="-1" autocomplete="off" aria-hidden="true" />
                     <div class="share-email-row">
                         <button class="share-btn-primary" id="share-email-send" title="Send link & file to your email">
                             <i class="bi bi-send me-1"></i> Send
diff --git a/scripts/email-apps-script.js b/scripts/email-apps-script.js
@@ -21,6 +21,16 @@ function doPost(e) {
     try {
         var data = JSON.parse(e.postData.contents);
 
+        // ── 1. Anti-bot checks ──
+        // Honeypot: hidden field that only bots fill
+        if (data.hp) {
+            return jsonResponse({ success: false, error: 'Invalid request' });
+        }
+        // Time check: reject submissions faster than 3 seconds
+        if (data.ts && data.ts < 3000) {
+            return jsonResponse({ success: false, error: 'Invalid request' });
+        }
+
         // ── 2. Rate limiting ──
         var props = PropertiesService.getScriptProperties();
         var today = new Date().toDateString();
