ActionProtectorAttribute Class
The ActionProtectorAttribute class allows you to discover malicious activity against actions and the models that are posted to these actions.
Namespace: Walter.Web.FireWall.Annotations
Assembly: Walter.Web.FireWall (in Walter.Web.FireWall.dll)
Remarks
Examples
C#
[HttpPost]
[Ignore(skip: FireWallGuardActions.RejectWrongUserType)]
[ActionProtector(blockAfterInvalidModelCount: 5,
                 redirectToController: "home",
                 redirectToAction: "blocked",
                 passModel: false)]
[ValidateAntiForgeryToken]
public IActionResult Captcha(CaptchaModel model)
{
    var user = _page.User.AsFirewallUser();

    // 1. Make sure the page came from the web application
    if (_page.Referrer is null
        || !_fireWall.License.IsLicensedDomain(_page.Referrer)
        || !_page.Referrer.AbsolutePath.Contains("Captcha", StringComparison.Ordinal))
    {
        // If it was triggered by a search engine then ignore it, else flag it
        if (_page.User.IsSearchEngine != SearchEngine.NotSure)
        {
            user.UserType |= UserTypes.IsMalicious | UserTypes.IsUsingDeveloperTools;
        }
    }

    // 2. Make sure the user passed the simple test
    if (!ModelState.IsValid)
    {
        if (user.ModelBlockCount - model.ErrorCount > 3)
        {
            user.UserType |= UserTypes.IsMalicious;
        }
        return View(model);
    }

    // 3. Redirect to the blocked action, which shows the user an error
    //    message, if we discovered spoofing or other unwanted activities.
    if (_page.User.IsSpoofing()
        || user.UserType.HasFlag(UserTypes.IsMalicious)
        || user.UserType.HasFlag(UserTypes.IsUsingDeveloperTools))
    {
        return RedirectToActionPermanent("Blocked");
    }

    switch (user.UserType)
    {
        case UserTypes.IsHuman:
        case UserTypes.IsSearchEngine:
            return Redirect(model.RedirectTo);
        case UserTypes.NotDiscovered:
            return View(model);
        default:
            return RedirectToAction("Blocked");
    }
}
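To illustrate the kind of check that the blockAfterInvalidModelCount, redirectToController and redirectToAction arguments suggest, the following is an added example: a plain ASP.NET Core action filter that counts invalid model posts per client and redirects once a threshold is reached. It is not code from Walter.Web.FireWall and does not describe that library's internals; the class name InvalidModelThrottleAttribute, the in-memory counter and keying on the remote IP address are assumptions made for the illustration.

```csharp
using System;
using System.Collections.Concurrent;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;

// Hypothetical stand-in, NOT Walter.Web.FireWall code.
[AttributeUsage(AttributeTargets.Method)]
public sealed class InvalidModelThrottleAttribute : ActionFilterAttribute
{
    // Assumption: process-local counter. A real deployment needs expiry and
    // a shared store when several web nodes serve the same site.
    private static readonly ConcurrentDictionary<string, int> Failures = new();

    private readonly int _blockAfter;
    private readonly string _controller;
    private readonly string _action;

    public InvalidModelThrottleAttribute(int blockAfterInvalidModelCount,
                                         string redirectToController,
                                         string redirectToAction)
    {
        _blockAfter = blockAfterInvalidModelCount;
        _controller = redirectToController;
        _action = redirectToAction;
    }

    // Model binding and validation have already run when this is called,
    // so ModelState reflects the posted model.
    public override void OnActionExecuting(ActionExecutingContext context)
    {
        // Assumption: the client is identified by remote address only.
        var key = context.HttpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown";

        int failures;
        if (context.ModelState.IsValid)
        {
            Failures.TryGetValue(key, out failures);   // 0 when the client is unknown
        }
        else
        {
            failures = Failures.AddOrUpdate(key, 1, (_, n) => n + 1);
        }

        // Setting Result short-circuits the pipeline: the action never runs.
        if (failures >= _blockAfter)
        {
            context.Result = new RedirectToActionResult(_action, _controller, null);
        }
    }
}
```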
Inheritance Hierarchy
Walter.Web.FireWall.Annotations.ActionProtectorAttribute