Honeypot Facets 2 and 3 submodule for links and checkboxes?

Follow! My understanding is that AI bots are not actually submitting forms, but that the bots love clicking through links and the Facets issue boils down to the fact that Facet blocks aren't really checkboxes, but are in fact just links styled to look like checkboxes. Facets 3 switches to using actual checkboxes and forms instead of lists of links, which is promising and will probably save us for now.

But as time wears on and bots get more advanced, there might be real opportunity here. But my suggestion would be to first try adding additional form ids for the Facets 3 block forms to the existing Honeypot module settings on your site, to guage whether Honeypot + Facets forms it is having any effect in rebuffing bot requests. #2342473: Allow for more flexible form configuration seems like a promising solution, if you're not opposed to manually entering facet form ids. A more custom UI just for Facet blocks could be possible, but probably complex, while on the other hand, it is easily doable from a few lines of custom form_alter code.

Here is what I'm doing to add Honeypot to all Webforms. Presumably it could be adapted for Facet blocks as well assuming they follow some kind of standard form id prefix in their naming conventions.

function mymodule_form_alter(&$form, FormStateInterface $form_state, $form_id) {
  // Add honeypot protection to all Webforms.
  // @todo remove when https://drupal.org/i/3544510 lands
  if (strpos($form_id, 'webform_submission') === 0) {
    if (\Drupal::moduleHandler()->moduleExists('honeypot')) {
      // There is no reason to not enable time restriction here since
      // Honeypot respects the time_limit set in the configuration.
      \Drupal::service('honeypot')->addFormProtection($form, $form_state, ['honeypot', 'time_restriction']);
    }
  }

I'm currently running facets 3 and a hook_form_alter didn't seem to work for me. I created a module that just injects a hidden checkbox at the top of my facets via javascript and if it's checked an Event Subscriber adds an entry to watchdog. That's all my module does, and from there you can create a rule in autoban to look for that entry and ban any bots checking those boxes.

For me, I add all my facet pages to my Robots.txt so any bots coming to those pages and checking everything shouldn't be there at all. So it seems safe to ban them after clicking a hidden checkbox.

You can find my module here: https://github.com/UCBoulder/facets_honeypot

Feel free to fork it or use it as is. Any suggestions to improve it is welcome, though I'm trying to keep it simple.

I'd be happy to add facets_honeypot to this module as a sub module, but I'm not sure if it's getting too far away from what the honeypot module was originally developed for, though I'm not sure this module should be a standalone module on d.o either.