feat: add captcha-backed forum security hardening

2026-03-17 16:06:28 +01:00
parent 980a15f66e
commit b3fc889452
40 changed files with 2849 additions and 108 deletions
--- a/tests/Unit/GeoBehaviorAnalyzerTest.php
+++ b/tests/Unit/GeoBehaviorAnalyzerTest.php
@@ -0,0 +1,83 @@
+<?php
+
+use App\Models\User;
+use cPad\Plugins\Forum\Models\ForumBotLog;
+use cPad\Plugins\Forum\Services\Security\GeoBehaviorAnalyzer;
+use Illuminate\Http\Request;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Schema;
+
+uses(Tests\TestCase::class);
+
+it('scores only rapid login country changes for the same account', function () {
+    config()->set('forum_bot_protection.geo_behavior', [
+        'enabled' => true,
+        'login_actions' => ['login'],
+        'country_headers' => ['CF-IPCountry'],
+        'recent_login_window_minutes' => 60,
+        'country_change_penalty' => 50,
+    ]);
+
+    Schema::dropIfExists('forum_bot_logs');
+    Schema::dropIfExists('users');
+
+    Schema::create('users', function (Blueprint $table): void {
+        $table->id();
+        $table->string('email')->nullable();
+        $table->string('password')->nullable();
+        $table->timestamps();
+        $table->softDeletes();
+    });
+
+    Schema::create('forum_bot_logs', function (Blueprint $table): void {
+        $table->id();
+        $table->unsignedBigInteger('user_id')->nullable();
+        $table->string('ip_address', 45)->nullable();
+        $table->string('action', 80);
+        $table->unsignedTinyInteger('risk_score')->default(0);
+        $table->string('decision', 20)->default('allow');
+        $table->json('metadata')->nullable();
+        $table->timestamp('created_at')->nullable();
+    });
+
+    DB::table('users')->insert([
+        'id' => 1,
+        'email' => 'geo@example.com',
+        'password' => 'secret',
+        'created_at' => now(),
+        'updated_at' => now(),
+    ]);
+
+    $user = User::query()->findOrFail(1);
+
+    ForumBotLog::query()->create([
+        'user_id' => $user->id,
+        'ip_address' => '127.0.0.1',
+        'action' => 'login',
+        'risk_score' => 0,
+        'decision' => 'allow',
+        'metadata' => ['country_code' => 'SI'],
+        'created_at' => now()->subMinutes(10),
+    ]);
+
+    $request = Request::create('/login', 'POST');
+    $request->headers->set('CF-IPCountry', 'SI');
+
+    $unchanged = app(GeoBehaviorAnalyzer::class)->analyze($user, 'login', $request);
+
+    expect($unchanged)->toMatchArray([
+        'score' => 0,
+        'country_code' => 'SI',
+    ])->and($unchanged['reasons'])->toBe([]);
+
+    $request->headers->set('CF-IPCountry', 'JP');
+
+    $analysis = app(GeoBehaviorAnalyzer::class)->analyze($user, 'login', $request);
+
+    expect($analysis['score'])->toBe(50)
+        ->and($analysis['country_code'])->toBe('JP')
+        ->and($analysis['reasons'])->toHaveCount(1)
+        ->and($analysis['reasons'][0])->toContain('SI')
+        ->and($analysis['reasons'][0])->toContain('JP');
+});