
Is allauth open to including an (optional) honeypot field on registration? #3728

Closed
RileyMathews opened this issue Apr 15, 2024 · 3 comments

Comments

@RileyMathews

Hey there! First off thanks for making such a great library! I've used it in virtually every Django project I start.

I have a public Django app using allauth that was recently hit by a steady swarm of bot login attempts. I was able to quickly add a 'honeypot' system by extending the registration form class, which seemed to stem the tide for now. That had me curious whether this system is something that allauth would be interested in having as a built-in option? I would be open to working on a PR for the implementation. My thought is it would be configurable, with at the very least options for...

  • enabling/disabling the honeypot system
  • an option for naming the honeypot field so it does not conflict with any other expected registration fields (for example, I named my field 'phone_number' as my app does not actually collect them, but this might conflict with other apps' registration forms)

Like I said, just curious whether this is something you are open to including? Open to discussion on this!

@RileyMathews RileyMathews changed the title Is allauth open to including an (optional) honeypot field on registration Is allauth open to including an (optional) honeypot field on registration? Apr 15, 2024
@pennersr (Owner)

You mention "by a steady swarm of bot login attempts" and "by extended the registration form class" -- so does your honeypot solution protect only the signup form, or both?

Must admit, I don't have any actual insights on whether or not honeypot fields are still effective in 2024, but if so, then it is indeed something useful to add. Are there at all any stats / publications on this?

I guess the only setting needed would be an ACCOUNT_SIGNUP_FORM_HONEYPOT_FIELD = "phone_number" (or "" / None to have it turned off).

@RileyMathews (Author)

Ahh, my mistake in saying 'steady stream of login'; it was indeed a steady stream of signups. I was able to identify them relatively easily because I have not marketed this app publicly at all and have only sent it to a few close friends for 'beta testing'. The signups had garbage usernames and never verified their emails or took any other actions in the app.

To be completely honest, I was slightly surprised it worked as well. I was also already looking into how to add a captcha, but decided to throw in the honeypot quickly, as I knew a captcha would be more involved, just to see if it would stem the tide. I'll spend some time doing some more research on how effective honeypots actually are in general today and bring my findings back here before I start work on this.

@RileyMathews (Author)

RileyMathews commented Apr 26, 2024

So unfortunately I had a hard time finding any super credible research on this. I was hoping to find an article from some third-party security firm or the like. But I was still able to find lots of articles suggesting that honeypots are still valuable as part of a more wholly integrated bot detection system. I did also find lots of great tips for how to make the honeypot less detectable, such as not using 'display: none' as the style but instead positioning the element off screen. Another common suggestion is to not alter your response at all when a registration succeeds. This might be a little difficult, as I'm not entirely familiar with all the potential responses allauth can give to registration depending on configuration, but I will do my best to try to find a good way to integrate this.

I will start working on this, but I don't know that I can provide a solid timeline for an ETA. Let me know if you have any feedback or suggestions, @pennersr!
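The pieces the thread sketches (a field-name setting that also acts as the on/off switch, a conflict check against the real form fields, an off-screen rather than display: none trap input, and an unchanged response when the trap fires) can be put together in framework-independent Python. The following is an added example written for this page; it is not allauth code and not the form the issue author extended, and it deliberately avoids importing Django so it runs stand-alone. The setting name SIGNUP_HONEYPOT_FIELD, all function names, and the two sample POST bodies are assumptions made for the example.

```python
"""Server-side honeypot check for a signup form (added example, not allauth code)."""
import html
from typing import Callable, Mapping, Optional, Tuple

# Hypothetical setting, shaped like the one proposed in the thread:
# a field name enables the honeypot, "" or None disables it.
SIGNUP_HONEYPOT_FIELD: Optional[str] = "phone_number"

# Fields a real signup form might already declare (assumed for the example).
REAL_SIGNUP_FIELDS = ("username", "email", "password1", "password2")

# Constructed sample submissions (not captured traffic).
HUMAN_POST = {"username": "riley", "email": "riley@example.com",
              "password1": "correct horse", "password2": "correct horse",
              "phone_number": ""}
BOT_POST = {"username": "xk9q2", "email": "xk9q2@example.com",
            "password1": "hunter2", "password2": "hunter2",
            "phone_number": "555-0100"}   # bots tend to fill every input


def honeypot_enabled(field_name: Optional[str]) -> bool:
    """Active only when a non-empty field name is configured."""
    return bool(field_name)


def validate_honeypot_setting(field_name: Optional[str], real_fields) -> None:
    """Refuse a trap name that collides with a field the form really collects;
    otherwise a genuine value in that field would mark every human as a bot."""
    if honeypot_enabled(field_name) and field_name in real_fields:
        raise ValueError(f"honeypot field {field_name!r} clashes with a real form field")


def render_honeypot_field(field_name: str) -> str:
    """HTML for the trap input. It is moved off screen rather than hidden with
    display:none, so a bot checking computed styles still sees an ordinary input.
    tabindex=-1, autocomplete=off and aria-hidden keep people, browsers and
    screen readers from ever filling it."""
    name = html.escape(field_name, quote=True)
    return (
        '<div style="position:absolute;left:-10000px;top:auto;'
        'width:1px;height:1px;overflow:hidden" aria-hidden="true">'
        f'<label for="id_{name}">Leave this field empty</label>'
        f'<input type="text" name="{name}" id="id_{name}" value="" '
        'tabindex="-1" autocomplete="off">'
        '</div>'
    )


def is_bot_submission(post_data: Mapping[str, str], field_name: Optional[str]) -> bool:
    """True only when the trap came back non-empty. A missing field is not
    treated as a bot: the check must fail open so a client that drops
    unknown inputs (or a cached pre-honeypot form) never locks out a person."""
    if not honeypot_enabled(field_name):
        return False
    return bool(post_data.get(field_name, "").strip())


def handle_signup(post_data: Mapping[str, str], field_name: Optional[str],
                  create_account: Callable[[Mapping[str, str]], None]) -> Tuple[dict, bool]:
    """Returns (response, created). Only `response` goes to the client, and it is
    identical either way: a trapped submission is dropped without creating an
    account or sending mail, so the bot learns nothing it could probe."""
    response = {"status": "ok", "redirect": "/accounts/confirm-email/"}
    if is_bot_submission(post_data, field_name):
        return response, False
    create_account(post_data)
    return response, True


if __name__ == "__main__":
    validate_honeypot_setting(SIGNUP_HONEYPOT_FIELD, REAL_SIGNUP_FIELDS)
    print(render_honeypot_field(SIGNUP_HONEYPOT_FIELD))
    for label, post in (("human", HUMAN_POST), ("bot", BOT_POST)):
        resp, created = handle_signup(post, SIGNUP_HONEYPOT_FIELD, lambda d: None)
        print(label, resp, "account created:", created)
```

The response shape is the same for both branches on purpose; only the server-side effect differs. In a Django form this logic would live in a clean method on the signup form and a clean-time error would be the wrong place for it, because an error page is exactly the signal the thread suggests withholding.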
