attempt to prevent registration spam

lib/Travelynx/Controller/Account.pm

@@ -1,4 +1,5 @@
 package Travelynx::Controller::Account;
+
 # Copyright (C) 2020 Daniel Friesel
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
@@ -62,6 +63,7 @@ sub registration_form {
 
 sub register {
 	my ($self)    = @_;
+	my $dt        = $self->req->param('dt');
 	my $user      = $self->req->param('user');
 	my $email     = $self->req->param('email');
 	my $password  = $self->req->param('password');
@@ -118,6 +120,18 @@ sub register {
 		return;
 	}
 
+	if ( not $dt
+		or DateTime->now( time_zone => 'Europe/Berlin' )->epoch - $dt < 6 )
+	{
+		# a human user should take at least five seconds to fill out the form.
+		# Throw a CSRF error at presumed spammers.
+		$self->render(
+			'register',
+			invalid => 'csrf',
+		);
+		return;
+	}
+
 	my $token   = make_token();
 	my $pw_hash = hash_password($password);
 	my $db      = $self->pg->db;

templates/register.html.ep

@@ -3,6 +3,7 @@
 % }
 %= form_for '/register' => (method => 'POST') => begin
 	%= csrf_field
+	%= hidden_field dt => DateTime->now(time_zone => 'Europe/Berlin')->epoch
 	<div class="row">
 		<div class="input-field col l6 m12 s12">
 			<i class="material-icons prefix">account_circle</i>