Add error report spam protection honeypot #2040

Open: wants to merge 1 commit into base: master

Conversation

@Zipixx (Contributor) commented Apr 5, 2024

I have been experiencing an increase in spam mails via the error report form.

I agree with the comments and closing of #1211. However, bot farm requests from different origins are now creating almost daily tickets across our SSP instances.

This patch adds a simple honeypot with the common input name "name".
I have added it to some of our prod instances and have not received any spam error reports and no false positives from them ever since.

It is easy to test by setting the "name" input value to a non-empty string via the browser's Inspect function before submitting the report, and it does not affect real error reports because the input element is invisible to human users.

@tvdijen (Member) commented Apr 5, 2024

If the bots are indeed targeting SSP, this will not put them off for long.
Maybe it makes more sense to add a captcha to this page?

My idea would be to create a module that, for instance, implements Google reCAPTCHA. The module would have to provide a 'hook' that will let SSP know which Twig template to embed in the error form and which class to use for verification. The hook will make the module reusable for other forms, while the modularized setup will allow people to implement other types of captchas.

I wouldn't mind setting up some proof of concept for this. @thijskh Thoughts?
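To make the two ideas in this thread concrete, here is an added example, not the patch itself and not SimpleSAMLphp code: the honeypot rule from the PR description, sitting behind the kind of pluggable hook proposed above, so that a captcha module could later be dropped in as another implementation. It assumes PHP 8; SpamGuard, HoneypotGuard, TimingGuard and acceptErrorReport() are hypothetical names, the secret and submissions are constructed for the self-check, and TimingGuard goes beyond the page as a second guard purely to show the hook being reused.

```php
<?php
declare(strict_types=1);

// Added example (PHP 8), not SimpleSAMLphp code. SpamGuard, HoneypotGuard,
// TimingGuard and acceptErrorReport() are hypothetical names; SSP's own
// template and request classes are not used, so this runs with `php guards.php`.

/** The "hook" from the discussion: one object renders a form fragment and verifies the POST. */
interface SpamGuard
{
    public function renderField(): string;     // HTML to embed in the error-report form
    public function verify(array $post): bool; // true when the submission looks human
}

/** The patch's approach: a field humans never see; bots that autofill "name" trip it. */
final class HoneypotGuard implements SpamGuard
{
    public function __construct(private string $field = 'name') {}

    public function renderField(): string
    {
        // Off-screen rather than display:none, so bots that skip hidden inputs
        // still fill it. aria-hidden and tabindex=-1 keep screen readers and
        // keyboard focus away from it (the accessibility point raised in the
        // thread); autocomplete=off stops a real user's browser filling it.
        $f = htmlspecialchars($this->field, ENT_QUOTES, 'UTF-8');
        return '<div style="position:absolute;left:-10000px;width:1px;height:1px;overflow:hidden" aria-hidden="true">'
             . '<label for="hp-' . $f . '">Leave this field empty</label>'
             . '<input type="text" id="hp-' . $f . '" name="' . $f . '" value="" tabindex="-1" autocomplete="off">'
             . '</div>';
    }

    public function verify(array $post): bool
    {
        // The patch's rule: a missing or empty value passes, anything else is spam.
        // A non-string (name[]=x) is rejected too; the rendered form never sends that.
        $v = $post[$this->field] ?? '';
        return is_string($v) && $v === '';
    }
}

/** Second guard (beyond the page): reject forms posted faster than a human could fill them. */
final class TimingGuard implements SpamGuard
{
    // $clock is injectable only so the self-check below is deterministic.
    public function __construct(private string $secret, private int $minSeconds = 3, private ?int $clock = null) {}

    private function now(): int { return $this->clock ?? time(); }

    public function renderField(): string
    {
        // Render time is HMAC-signed so the client cannot backdate it.
        $ts = (string) $this->now();
        return '<input type="hidden" name="ts" value="' . $ts . ':' . hash_hmac('sha256', $ts, $this->secret) . '">';
    }

    public function verify(array $post): bool
    {
        $v = $post['ts'] ?? '';
        if (!is_string($v) || !str_contains($v, ':')) {
            return false;
        }
        [$ts, $mac] = explode(':', $v, 2);
        if (!ctype_digit($ts) || !hash_equals(hash_hmac('sha256', $ts, $this->secret), $mac)) {
            return false;
        }
        return ($this->now() - (int) $ts) >= $this->minSeconds;
    }
}

/** Form handler: every configured guard must pass before the report is accepted. */
function acceptErrorReport(array $post, SpamGuard ...$guards): bool
{
    foreach ($guards as $g) {
        if (!$g->verify($post)) {
            return false; // caller should still show the normal "thanks" page: no signal to the bot
        }
    }
    return true;
}

// Self-check on constructed submissions (not captured traffic).
$hp = new HoneypotGuard('name');
$tg = new TimingGuard('constructed-secret', 3, 1_700_000_010);
$signed = (new TimingGuard('constructed-secret', 3, 1_700_000_000))->renderField(); // rendered 10 s earlier
preg_match('/value="([^"]+)"/', $signed, $m);
$base = ['email' => 'user@example.org', 'text' => 'login loops back to the IdP', 'ts' => $m[1]];

$cases = [
    [true,  $base + ['name' => '']],           // human: honeypot empty, 10 s elapsed
    [false, $base + ['name' => 'John Smith']], // bot autofilled the honeypot
    [false, $base + ['name' => ['x']]],        // bot sent name[]=x
    [false, ['name' => '', 'ts' => '1700000009:' . str_repeat('0', 64)]], // forged timestamp
];
foreach ($cases as [$want, $post]) {
    if (acceptErrorReport($post, $hp, $tg) !== $want) {
        fwrite(STDERR, 'unexpected verdict for ' . json_encode($post) . PHP_EOL);
        exit(1);
    }
}
echo $hp->renderField(), PHP_EOL, 'all checks passed', PHP_EOL;
```

Two design points worth keeping whatever guard ends up in SSP: reject silently with the ordinary confirmation page rather than an error, so a bot operator gets no feedback to tune against, and keep the honeypot off-screen instead of `display:none`, since some form-fillers skip inputs that are not rendered. A reCAPTCHA or other captcha module would implement the same interface, with renderField() returning the widget markup and verify() calling the provider's verification endpoint.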

@monkeyiq (Contributor) commented
I agree that if bots are being made to attack a feedback form then they will probably evolve in line with small changes on that page. They have the source code after all ;)

I recalled some drop on the limits in recent months for Google Recaptcha which seems to be down to 10k/month on the free tier now. I imagine that even at that reduced rate it is likely to cover error feedback forms.

@Zipixx (Contributor, Author) commented Apr 11, 2024

I just wanted to test the waters on the topic with this harmless merge request first.
However, a modularized captcha based setup would surely be the most future proof. I agree.
Preferably with an easy to overwrite endpoint. We already use paid captcha services in some of our modules and need high accessibility for fully blind users because of government requirements.
If you decide in favor of it, I'd be happy to offer my help in any form. <3

@tvdijen (Member) commented Apr 11, 2024

I recalled some drop on the limits in recent months for Google Recaptcha which seems to be down to 10k/month on the free tier

Unless their documentation is outdated, according to this page it's free up to 1 million Assessments/Month.

I've already done some work locally, so I will try and finish my concept this coming weekend.

@monkeyiq (Contributor) commented
There were a bunch of sites reporting back in Jan/Feb that the tier was moving from 1 million to 10k per month. And mentions of "reCAPTCHA Lite" as the free tier. Though Google would be the ones to know rather than these other sites.

@tvdijen tvdijen force-pushed the master branch 2 times, most recently from 6004a77 to 58bf8db Compare May 4, 2024 23:45
3 participants