RubyGems - bot_challenge_page - Versions diffs - 0.1.0 → 0.3.0 - Mend

bot_challenge_page 0.1.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f388eccf957733cbaab0c019d82e9803b215bf8035b2b10dc7c656b821907e7d
-  data.tar.gz: 5b8126932d6bd901ddadab4dc68259bb1d2652992de882421fbfb0cfca67b500
+  metadata.gz: a1913d93cd52d599d33f7217bb3714fbf67c82d08a888a3025cc30e51c51e438
+  data.tar.gz: 6e06e420e625a069132ae89a3ef733c1b2c246878e771e3b459ea0cdc351d14e
 SHA512:
-  metadata.gz: e5a1b5e05aefd618aca8e14570e1e0c9a32f4d5144f6bd93dabae265d1ac69759ebe19bc4dcdaf9fc07a0b121ba81be819f4d46d7ac1b111454d1bb191131906
-  data.tar.gz: 58cf73819292626fc40a696fecb7c7737ab89f92b7093e9c707bb42fe95ff83cda7303c510b807ab41a221fd0fe5c0ed5d3251983b466726dea9f252f276bdac
+  metadata.gz: 11504f2622783e4ca4bfb06b981df28260c1903e04a8900fe1797d34cd05bc29bcf3b2a1a6b9c93b85ae0f3a4639ff115699d4a548f6912b839bee62147e595c
+  data.tar.gz: 229ed02d6173b651ffd3cbef26e6444a974a14a1e9e3390d76567774a2385ad38cb4e1c289a78dda2c66f57d0e6a54e375506c9826cdbd7df7f799a7b96f03ff

data/README.md CHANGED Viewed

@@ -1,10 +1,10 @@
 # BotChallengePage
-[![CI](https://github.com/samvera-labs/bot_challenge_page/actions/workflows/ci.yml/badge.svg)](https://github.com/samvera-labs/bot_challenge_page/actions/workflows/ci.yml)
+[![CI](https://github.com/samvera-labs/bot_challenge_page/actions/workflows/ci.yml/badge.svg)](https://github.com/samvera-labs/bot_challenge_page/actions/workflows/ci.yml) [![Gem Version](https://badge.fury.io/rb/bot_challenge_page.png)](http://badge.fury.io/rb/bot_challenge_page)
-BotChallengePage lets you protect certain routes in your Rails app with [CloudFlare Turnstile](https://www.cloudflare.com/application-services/products/turnstile/) "CAPTHCA alternate" bot detector. Rather than the typical form submission use case for Turnstile, the user will be redirected to an interstitial challenge page, and redirected back on success.
+BotChallengePage lets you protect certain routes in your Rails app with [CloudFlare Turnstile](https://www.cloudflare.com/application-services/products/turnstile/) "CAPTHCA alternate" bot detector. Rather than the typical form submission use case for Turnstile, the user will be redirected to an interstitial challenge page, and automatically redirected back immediately on success.
-The motivating use case is fairly dumb (probably AI-related) crawlers, rather than targetted attacks, although we have tried to pay attention to security.  Many of our use cases were crawlers getting caught in "infinite" page variations by following every combination of voluminous facet values in search results in a near "infinite space", and causing us resource usage issues.
+The motivating use case is fairly dumb (probably AI-related) crawlers, rather than targetted attacks, although we have tried to pay attention to security.  Many of our use cases were crawlers getting caught following every combination of voluminous facet values in search results in a near "infinite space", and causing us resource usage issues.
 ![challenge page screenshot](docs/challenge-page-example.png)
@@ -18,26 +18,39 @@ The motivating use case is fairly dumb (probably AI-related) crawlers, rather th
 ## Installation and Configuration
-* Get a CloudFlare account and Turnstile widget set up, which should give you a turnstile `sitekey` and `secret_key` you will need later in configuration.
+* Get a [CloudFlare account and Turnstile widget set up](https://www.cloudflare.com/application-services/products/turnstile/), which should give you a turnstile `sitekey` and `secret_key` you will need later in configuration.
 * `bundle add bot_challenge_page`, `bundle install`
 * Run the installer
   * if you want to use rack-attack for some permissive pre-challenge rate, `rails g bot_challenge_page:install`
-  * If you do not want to use rack-attack and want challenge on FIRST request, `rails g bot_challenge_page:install --without-rack-attack`
+  * If you do not want to use rack-attack and want challenge on FIRST request, `rails g bot_challenge_page:install --no-rack-attack`
+  * By default challenge pages are "inline" at protected URL. To redirect to a separate challenge page URL instead, `--redirect-for-challenge`
+* If you are **not using rack-attack**, you need to add a before_action to the controller(s)
+  you'd like to protect, eg:
+        before_action only: :index do |controller|
+          BotChallengePage::BotChallengePageController.bot_challenge_enforce_filter(controller, immediate: true)
+        end
 * Configure in the generated `./config/initializers/bot_challenge_page.rb`
   * At a minimum you need to configure your Cloudflare Turnstile keys, and some paths to protect!
     * Note that we can only protect GET paths, and also think about making sure you DON'T protect
       any path your front-end needs JS `fetch` access to, as this would block it (at least
       without custom front-end code we haven't really explored)
     * If you are tempted to just protect `/` that may work, but worth thinking about any hearbeat paths, front-end requestable paths, or other machine-access-desired paths.
   * Some other configuration options are offered -- more advanced/specialized ones are available that are not mentioned in generated config file, see [Config class](./app/models/bot_challenge_page/config.rb)
 ## Customize challenge page display
-Some of the default challenge page html uses bootstrap alert classes. You may want to provide custom CSS if you aren't using bootstrap. You can see the default challenge page html at [challenge.html.erb](./app/views/bot_challenge_page/bot_challenge_page/challenge.html). You may wish to CSS-style other parts too!
+Some of the default challenge page html uses bootstrap alert classes. You may want to provide custom CSS if you aren't using bootstrap. You can see the default challenge page html at [challenge.html.erb](./app/views/bot_challenge_page/bot_challenge_page/challenge.html.erb). You may wish to CSS-style other parts too!
 You can customize all text via I18n, see keys in [bot_challenge_page.en.yml](./config/locales/bot_challenge_page.en.yml)
@@ -48,10 +61,41 @@ To customize the layout or challenge page HTML more further, you can use configu
 ```ruby
 BotChallengePage::BotChallengePageController.bot_challenge_config.challenge_renderer = ()->  {
   render "my_local_view_folder/whatever", layout "another_layout"
-  render layout: "another_layout" # default html but change layout. etc.
 }
 ```
+## Logging
+By default we log when a challenge result is submitted to the back-end; you can find challenge passes or failures by searching your logs for `BotChallengePage`.
+We do not log when a challenge is issued -- experience shows challenge issues far outnumber challenge results, and can fill up the logs too fast.
+If you'd like to log or observe challenge issues, you can configure a proc that is executed
+in the context of the controller, and is called when a page is blocked by a challenge.
+```ruby
+BotChallengePage::BotChallengePageController.bot_challenge_config.after_blocked = (_bot_challenge_class)->  {
+  logger.info("page blocked by challenge: #{request.uri}")
+}
+```
+Or, here's how I managed to get it in [lograge](https://github.com/roidrage/lograge), so a page blocked results in a `bot_chlng=true` param in a lograge line.
+```ruby
+BotChallengePage::BotChallengePageController.bot_challenge_config.after_blocked =
+  ->(bot_detect_class) {
+    request.env["bot_detect.blocked_for_challenge"] = true
+  }
+# production.rb
+config.lograge.custom_payload do |controller|
+  {
+    bot_chlng: controller.request.env["bot_detect.blocked_for_challenge"]
+  }.compact
+end
+```
 ## Example possible Blacklight config
 Many of us in my professional community use [blacklight](https://github.com/projectblacklight/blacklight).  Here's a possible sample blacklight config to:
@@ -77,13 +121,12 @@ Rails.application.config.to_prepare do
   BotChallengePage::BotChallengePageController.bot_challenge_config.rate_limit_count = 3
   BotChallengePage::BotChallengePageController.allow_exempt = ->(controller) {
-    # Excempt any Catalog #facet action that looks like an ajax/fetch request, the redirect
-    # ain't gonna work there, we just exempt it.
+    # Excempt any Catalog #facet or #range_limit action that looks like an ajax/fetch request, the # challenge isn't going to work there, we just exempt it.
     #
     # sec-fetch-dest is set to 'empty' by browser on fetch requests, to limit us further;
     # sure an attacker could fake it, we don't mind if someone determined can avoid
-    # rate-limiting on this one action
-    ( controller.params[:action] == "facet" &&
+    # bot challenge on this one action
+    ( controller.params[:action].in?(["facet", "range_limit"]) &&
       controller.request.headers["sec-fetch-dest"] == "empty" &&
       controller.kind_of?(CatalogController)
     )
@@ -94,6 +137,20 @@ end
 ```
+## Development and automated testing
+All logic and config hangs off a controller, with the idea that you could sub-class the controller to override any functionality -- or even have multiple sub-classes in your app with different configuration or customized config. But this hasn't really been tested/fleshed out yet.
+Run tests with `bundle exec rspec`.
+We test with a checked-into-repo dummy app at `./spec/dummy`, and use [Appraisal](https://github.com/thoughtbot/appraisal) to test under different rails versions.
+Locally one way to test with a specific rails version appraisal is `bundle exec appraisal rails-7.2 rspec`
+If you make any changes to `Gemfile` you may need to run `bundle exec appraisal install` and commit changes.
+**One reason tests are slow** is I think we're running system tests with real turnstile proof-of-work bot detection JS code? (Or is it, when we are are using a CF turnstile testing key that always passes?).  There aren't many tests so it's no big deal, but this is something that could be investigated/optmized more potentially.
 ## Possible future features?
 * allow regex in default location_matcher? Easy to do if you want it, just say so.
@@ -114,6 +171,10 @@ The gem is available as open source under the terms of the [MIT License](https:/
 * [Similar feature built into PHP VuFind app](https://github.com/vufind-org/vufind/pull/4079)
-* Wow only after I developed all this did I notice [rails-cloudflare-turnstile](https://github.com/instrumentl/rails-cloudflare-turnstile) which implements some pieces that could have been re-used here, but I feel good.
+* [My own blog post about this approach](https://bibwild.wordpress.com/2025/01/16/using-cloudflare-turnstile-to-protect-certain-pages-on-a-rails-app/).
+* Wow only after I developed all this did I notice [rails-cloudflare-turnstile](https://github.com/instrumentl/rails-cloudflare-turnstile) which implements some pieces that could have been re-used here, but I feel good becuase we wanted these weird features. But if you want a much simpler more straightforward Turnstile implementation for more standard use cases or your own different use cases, I'd go here.
 * And yet another implementation in Rails that perhaps makes more assumptions about use cases, [turnstile-captcha](https://github.com/pfeiffer/turnstile-captcha). Haven't looked at it much.

data/app/controllers/bot_challenge_page/bot_challenge_page_controller.rb CHANGED Viewed

@@ -11,119 +11,37 @@ require 'http'
 #
 module BotChallengePage
   class BotChallengePageController < ::ApplicationController
+    include BotChallengePage::RackAttackInit
+    include BotChallengePage::EnforceFilter
     # Config for bot detection is held in class object here -- idea is
     # to support different controllers with different config protecting
     # different paths in your app if you like, is why config is with controller
     class_attribute :bot_challenge_config, default: ::BotChallengePage::Config.new
-    delegate :cf_turnstile_js_url, :cf_turnstile_sitekey, :still_around_delay_ms, to: :bot_challenge_config
-    helper_method :cf_turnstile_js_url, :cf_turnstile_sitekey, :still_around_delay_ms
     SESSION_DATETIME_KEY = "t"
     SESSION_IP_KEY = "i"
     # for allowing unsubscribe for testing
     class_attribute :_track_notification_subscription, instance_accessor: false
-    # perhaps in an initializer, and after changing any config, run:
-    #
-    #     Rails.application.config.to_prepare do
-    #       BotChallengePage::BotChallengePageController.rack_attack_init
-    #     end
-    #
-    # Safe to call more than once if you change config and want to call again, say in testing.
-    def self.rack_attack_init
-      self._rack_attack_uninit # make it safe for calling multiple times
-      ## Turnstile bot detection throttling
-      #
-      # for paths matched by `rate_limited_locations`, after over rate_limit count requests in rate_limit_period,
-      # token will be stored in rack env instructing challenge is required.
-      #
-      # For actual challenge, need before_action in controller.
-      #
-      # You could rate limit detect on wider paths than you actually challenge on, or the same. You probably
-      # don't want to rate-limit detect on narrower list of paths than you challenge on!
-      Rack::Attack.track("bot_detect/rate_exceeded/#{self.name}",
-          limit: self.bot_challenge_config.rate_limit_count,
-          period: self.bot_challenge_config.rate_limit_period) do |req|
-        if self.bot_challenge_config.enabled && self.bot_challenge_config.location_matcher.call(req, self.bot_challenge_config)
-          self.bot_challenge_config.rate_limit_discriminator.call(req, self.bot_challenge_config)
-        end
-      end
-      self._track_notification_subscription = ActiveSupport::Notifications.subscribe("track.rack_attack") do |_name, _start, _finish, request_id, payload|
-        rack_request = payload[:request]
-        rack_env     = rack_request.env
-        match_name = rack_env["rack.attack.matched"]  # name of rack-attack rule
-                                                      #
-        if match_name == "bot_detect/rate_exceeded/#{self.name}"
-          match_data   = rack_env["rack.attack.match_data"]
-          match_data_formatted = match_data.slice(:count, :limit, :period).map { |k, v| "#{k}=#{v}"}.join(" ")
-          discriminator = rack_env["rack.attack.match_discriminator"] # unique key for rate limit, usually includes ip
-          rack_env[self.bot_challenge_config.env_challenge_trigger_key] = true
-        end
-      end
-    end
-    def self._rack_attack_uninit
-      Rack::Attack.track("bot_detect/rate_exceeded/#{self.name}") {} # overwrite track name with empty proc
-      ActiveSupport::Notifications.unsubscribe(self._track_notification_subscription) if self._track_notification_subscription
-      self._track_notification_subscription = nil
-    end
-    # Usually in your ApplicationController,
-    #
-    #     before_action { |controller| BotChallengePage::BotChallengePageController.bot_challenge_enforce_filter(controller) }
-    #
-    # @param immediate [Boolean] always force bot protection, ignore any allowed pre-challenge rate limit
-    def self.bot_challenge_enforce_filter(controller, immediate: false)
-      if self.bot_challenge_config.enabled &&
-          (controller.request.env[self.bot_challenge_config.env_challenge_trigger_key] || immediate) &&
-          ! self._bot_detect_passed_good?(controller.request) &&
-          ! controller.kind_of?(self) && # don't ever guard ourself, that'd be a mess!
-          ! self.bot_challenge_config.allow_exempt.call(controller, self.bot_challenge_config)
-        # we can only do GET requests right now
-        if !controller.request.get?
-          Rails.logger.warn("#{self}: Asked to protect request we could not, unprotected: #{controller.request.method} #{controller.request.url}, (#{controller.request.remote_ip}, #{controller.request.user_agent})")
-          return
-        end
-        Rails.logger.info("#{self.name}: Cloudflare Turnstile challenge redirect: (#{controller.request.remote_ip}, #{controller.request.user_agent}): from #{controller.request.url}")
-        # status code temporary
-        controller.redirect_to controller.bot_detect_challenge_path(dest: controller.request.original_fullpath), status: 307
-      end
-    end
-    # Does the session already contain a bot detect pass that is good for this request
-    # Tie to IP address to prevent session replay shared among IPs
-    def self._bot_detect_passed_good?(request)
-      session_data = request.session[self.bot_challenge_config.session_passed_key]
-      return false unless session_data && session_data.kind_of?(Hash)
-      datetime = session_data[SESSION_DATETIME_KEY]
-      ip   = session_data[SESSION_IP_KEY]
-      (ip == request.remote_ip) && (Time.now - Time.iso8601(datetime) < self.bot_challenge_config.session_passed_good_for )
-    end
+    # only used if config.redirect_for_challenge is true
     def challenge
-      # possible custom render to choose layouts or templates, but normally
-      # we just do default rails render and this proc is empty.
-      if self.bot_challenge_config.challenge_renderer
-        instance_exec &self.bot_challenge_config.challenge_renderer
-      end
+      # possible custom render to choose layouts or templates, but
+      # default is what would be default template for this action
+      #
+      # We put it in instancevar as a hacky way of passing to template that can be fulfilled
+      # both here and in arbitrary controllers for direct render.
+      @bot_challenge_config = bot_challenge_config
+      instance_exec &self.bot_challenge_config.challenge_renderer
     end
     def verify_challenge
       body = {
         secret: self.bot_challenge_config.cf_turnstile_secret_key,
         response: params["cf_turnstile_response"],
-        remoteip: request.remote_ip
+        remoteip: request.remote_ip,
       }
       http = HTTP.timeout(self.bot_challenge_config.cf_timeout)
@@ -146,7 +64,10 @@ module BotChallengePage
         Rails.logger.warn("#{self.class.name}: Cloudflare Turnstile validation failed (#{request.remote_ip}, #{request.user_agent}): #{result}: #{params["dest"]}")
       end
-      # let's just return the whole thing to client? Is there anything confidential there?
+      # add config needed by JS to result
+      result["redirect_for_challenge"] = self.bot_challenge_config.redirect_for_challenge
+      # and let's just return the whole thing to client? Is there anything confidential there?
       render json: result
     rescue HTTP::Error, JSON::ParserError => e
       # probably an http timeout? or something weird.

data/app/controllers/concerns/bot_challenge_page/enforce_filter.rb ADDED Viewed

@@ -0,0 +1,59 @@
+module BotChallengePage
+  # Extracted to concern in separate file mostly for readability, not expected to be used
+  # anywehre but BotChallengePageController -- we hang all logic off controller to allow multiple
+  # controllers in an app, and over-ride in sub-classes.
+  module EnforceFilter
+    extend ActiveSupport::Concern
+    class_methods do
+      # Usually in your ApplicationController, unless using `immediate`.
+      #
+      #     before_action { |controller| BotChallengePage::BotChallengePageController.bot_challenge_enforce_filter(controller) }
+      #
+      # @param immediate [Boolean] always force bot protection, ignore any allowed pre-challenge rate limit
+      def bot_challenge_enforce_filter(controller, immediate: false)
+        if self.bot_challenge_config.enabled &&
+            (controller.request.env[self.bot_challenge_config.env_challenge_trigger_key] || immediate) &&
+            ! self._bot_detect_passed_good?(controller.request) &&
+            ! controller.kind_of?(self) && # don't ever guard ourself, that'd be a mess!
+            ! self.bot_challenge_config.allow_exempt.call(controller, self.bot_challenge_config)
+          # we can only do GET requests right now
+          if !controller.request.get?
+            Rails.logger.warn("#{self}: Asked to protect request we could not, unprotected: #{controller.request.method} #{controller.request.url}, (#{controller.request.remote_ip}, #{controller.request.user_agent})")
+            return
+          end
+          # Prevent caching of bot challenge page
+          controller.response.headers["Cache-Control"] = "no-store"
+          if self.bot_challenge_config.redirect_for_challenge
+            # status code temporary
+            controller.redirect_to controller.bot_detect_challenge_path(dest: controller.request.original_fullpath), status: 307
+          else
+            # hacky way to get config to view template in an arbitrary controller, good enough for now
+            controller.instance_variable_set("@bot_challenge_config", self.bot_challenge_config) unless controller.instance_variable_get("@bot_challenge_config")
+            controller.instance_exec &self.bot_challenge_config.challenge_renderer
+          end
+          # allow app to see and log if desired
+          controller.instance_exec(self, &self.bot_challenge_config.after_blocked)
+        end
+      end
+      # Does the session already contain a bot detect pass that is good for this request
+      # Tie to IP address to prevent session replay shared among IPs
+      def _bot_detect_passed_good?(request)
+        session_data = request.session[self.bot_challenge_config.session_passed_key]
+        return false unless session_data && session_data.kind_of?(Hash)
+        datetime = session_data[BotChallengePageController::SESSION_DATETIME_KEY]
+        ip   = session_data[BotChallengePageController::SESSION_IP_KEY]
+        (ip == request.remote_ip) && (Time.now - Time.iso8601(datetime) < self.bot_challenge_config.session_passed_good_for )
+      end
+    end
+  end
+end

data/app/controllers/concerns/bot_challenge_page/rack_attack_init.rb ADDED Viewed

@@ -0,0 +1,60 @@
+module BotChallengePage
+  # Extracted to concern in separate file mostly for readability, not expected to be used
+  # anywehre but BotChallengePageController -- we hang all logic off controller to allow multiple
+  # controllers in an app, and over-ride in sub-classes.
+  module RackAttackInit
+    extend ActiveSupport::Concern
+    class_methods do
+      # perhaps in an initializer, and after changing any config, run:
+      #
+      #     Rails.application.config.to_prepare do
+      #       BotChallengePage::BotChallengePageController.rack_attack_init
+      #     end
+      #
+      # Safe to call more than once if you change config and want to call again, say in testing.
+      def rack_attack_init
+        self._rack_attack_uninit # make it safe for calling multiple times
+        ## Turnstile bot detection throttling
+        #
+        # for paths matched by `rate_limited_locations`, after over rate_limit count requests in rate_limit_period,
+        # token will be stored in rack env instructing challenge is required.
+        #
+        # For actual challenge, need before_action in controller.
+        #
+        # You could rate limit detect on wider paths than you actually challenge on, or the same. You probably
+        # don't want to rate-limit detect on narrower list of paths than you challenge on!
+        Rack::Attack.track("bot_detect/rate_exceeded/#{self.name}",
+            limit: self.bot_challenge_config.rate_limit_count,
+            period: self.bot_challenge_config.rate_limit_period) do |req|
+          if self.bot_challenge_config.enabled && self.bot_challenge_config.location_matcher.call(req, self.bot_challenge_config)
+            self.bot_challenge_config.rate_limit_discriminator.call(req, self.bot_challenge_config)
+          end
+        end
+        self._track_notification_subscription = ActiveSupport::Notifications.subscribe("track.rack_attack") do |_name, _start, _finish, request_id, payload|
+          rack_request = payload[:request]
+          rack_env     = rack_request.env
+          match_name = rack_env["rack.attack.matched"]  # name of rack-attack rule
+                                                        #
+          if match_name == "bot_detect/rate_exceeded/#{self.name}"
+            match_data   = rack_env["rack.attack.match_data"]
+            match_data_formatted = match_data.slice(:count, :limit, :period).map { |k, v| "#{k}=#{v}"}.join(" ")
+            discriminator = rack_env["rack.attack.match_discriminator"] # unique key for rate limit, usually includes ip
+            rack_env[self.bot_challenge_config.env_challenge_trigger_key] = true
+          end
+        end
+      end
+      def _rack_attack_uninit
+        Rack::Attack.track("bot_detect/rate_exceeded/#{self.name}") {} # overwrite track name with empty proc
+        ActiveSupport::Notifications.unsubscribe(self._track_notification_subscription) if self._track_notification_subscription
+        self._track_notification_subscription = nil
+      end
+    end
+  end
+end

data/app/models/bot_challenge_page/config.rb CHANGED Viewed

@@ -27,6 +27,10 @@ module BotChallengePage
       end
     end
+    # Should we redirect to a challenge page (true) or just display it inline
+    # with a 403 status (false)
+    attribute :redirect_for_challenge, default: false
     attribute :enabled, default: false # Must set to true to turn on at all
     attribute :cf_turnstile_sitekey, default: "1x00000000000000000000AA" # a testing key that always passes
@@ -55,7 +59,11 @@ module BotChallengePage
     attribute :allow_exempt, default: ->(controller, config) { false }
     # replace with say `->() { render layout: 'something' }`, or `render "somedir/some_template"`
-    attribute :challenge_renderer, default: nil
+    attribute :challenge_renderer, default: ->() {
+      render "bot_challenge_page/bot_challenge_page/challenge", status: 403
+    }
+    attribute :after_blocked, default: ->(bot_detect_class) {}
     # rate limit per subnet, following lehigh's lead, although we use a smaller

data/app/views/bot_challenge_page/_local_turnstile_script_tag.html.erb CHANGED Viewed

@@ -1,6 +1,7 @@
+<%# locals: (bot_challenge_config:) -%>
 <%# we deliver our simple javascript as inline script to make deployment more
   reliable without having to deal with different asset pipelines, and it's really a fine choice anyway  %>
 <script type="text/javascript">
   async function turnstileCallback(token) {
     try {
@@ -31,12 +32,6 @@
       result = await response.json();
       if (result["success"] == true) {
-        const dest = new URLSearchParams(window.location.search).get("dest");
-        // For security make sure it only has path and on
-        if (!dest.startsWith("/") || dest.startsWith("//")) {
-          throw new Error("illegal non-local redirect: " + dest);
-        }
         // in case this page stays around, (say it was rediret to media asset), let's add a failsafe message after
         // a couple seconds.
         const delay = document.querySelector("#botChallengePageStillAroundTemplate")?.getAttribute("data-still-around-delay-ms") || 1200;
@@ -44,8 +39,19 @@
           _displayStillAroundNote()
         }, delay);
-        // replace the challenge page in history
-        window.location.replace(dest);
+        if (result["redirect_for_challenge"] == true) {
+          const dest = new URLSearchParams(window.location.search).get("dest");
+          // For security make sure it only has path and on
+          if (!dest.startsWith("/") || dest.startsWith("//")) {
+            throw new Error("illegal non-local redirect: " + dest);
+          }
+          // replace the challenge page in history
+          window.location.replace(dest);
+        } else {
+          // just need to reload and now we'll get through
+          window.location.reload();
+        }
       } else {
         console.error("Turnstile response reported as failure: " + JSON.stringify(result))
         _displayChallengeError();

data/app/views/bot_challenge_page/_turnstile_widget_placeholder.html.erb CHANGED Viewed

@@ -1,5 +1,6 @@
+<%# locals: (bot_challenge_config:) -%>
 <div
   class="cf-turnstile"
-  data-sitekey="<%= cf_turnstile_sitekey %>"
+  data-sitekey="<%= bot_challenge_config.cf_turnstile_sitekey %>"
   data-callback="turnstileCallback"
 ></div>

data/app/views/bot_challenge_page/bot_challenge_page/challenge.html.erb CHANGED Viewed

@@ -1,7 +1,7 @@
 <div class="bot_challenge_page">
   <h1 class="mb-4"><%= t('bot_challenge_page.title') %></h1>
-  <%= render "bot_challenge_page/turnstile_widget_placeholder" %>
+  <%= render "bot_challenge_page/turnstile_widget_placeholder", bot_challenge_config: @bot_challenge_config %>
   <noscript>
     <div class="alert alert-danger"><%= t('bot_challenge_page.noscript') %></div>
@@ -16,14 +16,14 @@
     </div>
   </template>
-  <template id="botChallengePageStillAroundTemplate" data-still_around_delay_ms="<%= still_around_delay_ms %>">
+  <template id="botChallengePageStillAroundTemplate" data-still_around_delay_ms="<%= @bot_challenge_config.still_around_delay_ms %>">
     <div class="alert alert-info" role="alert">
       <i class="fa fa-info-circle" aria-hidden="true"></i>
       <%= t('bot_challenge_page.still_around') %>
     </div>
   </template>
-  <script src="<%= cf_turnstile_js_url %>" async defer></script>
+  <script src="<%= @bot_challenge_config.cf_turnstile_js_url %>" async defer></script>
-  <%= render "bot_challenge_page/local_turnstile_script_tag" %>
+  <%= render "bot_challenge_page/local_turnstile_script_tag", bot_challenge_config: @bot_challenge_config %>
 </div>

data/lib/bot_challenge_page/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module BotChallengePage
-  VERSION = "0.1.0"
+  VERSION = "0.3.0"
 end

data/lib/generators/bot_challenge_page/install_generator.rb CHANGED Viewed

@@ -3,19 +3,23 @@ module BotChallengePage
     source_root File.expand_path("templates", __dir__)
     class_option :'rack_attack', type: :boolean, default: true, desc: "Support rate-limit allowance configuration"
+    class_option :redirect_for_challenge, type: :boolean, default: false, desc: "Redirect to separate challenge page instead of inline challenge"
     def generate_routes
-      route 'get "/challenge", to: "bot_challenge_page/bot_challenge_page#challenge", as: :bot_detect_challenge'
-      route 'post "/challenge", to: "bot_challenge_page/bot_challenge_page#verify_challenge"'
+      route 'post "/challenge", to: "bot_challenge_page/bot_challenge_page#verify_challenge", as: :bot_detect_challenge'
+      if options[:redirect_for_challenge]
+        route 'get "/challenge", to: "bot_challenge_page/bot_challenge_page#challenge"'
+      end
     end
     def add_before_filter_enforcement
+      # make the user do this themselves if they aren't using rack-attack, as it should
+      # only be on protected filters
+      return unless options[:rack_attack]
       inject_into_class "app/controllers/application_controller.rb", "ApplicationController" do
-        filter_code = if options[:rack_attack]
-          "BotChallengePage::BotChallengePageController.bot_challenge_enforce_filter(controller)"
-        else
-          "BotChallengePage::BotChallengePageController.bot_challenge_enforce_filter(controller, immediate: true)"
-        end
+        filter_code = "BotChallengePage::BotChallengePageController.bot_challenge_enforce_filter(controller)"
         <<-EOS
   # This will only protect CONFIGURED routes, but also could be put on just certain
@@ -41,5 +45,23 @@ module BotChallengePage
       template "initializer.rb.erb", "config/initializers/bot_challenge_page.rb"
     end
+    def suggest_filter
+      unless options[:rack_attack]
+        instructions = <<~EOS
+        You must add before_action to protect controllers
+        Add, eg:
+            before_action only: :index do |controller|
+              BotChallengePage::BotChallengePageController.bot_challenge_enforce_filter(controller, immediate: true)
+            end
+        To desired controllers and/or ApplicationController
+        EOS
+        say_status("advise", instructions, :green)
+      end
+    end
   end
 end

data/lib/generators/bot_challenge_page/templates/initializer.rb.erb CHANGED Viewed

@@ -3,9 +3,16 @@ Rails.application.config.to_prepare do
   BotChallengePage::BotChallengePageController.bot_challenge_config.enabled = true
   # Get from CloudFlare Turnstile: https://www.cloudflare.com/application-services/products/turnstile/
+  # Some testing keys are also available: https://developers.cloudflare.com/turnstile/troubleshooting/testing/
+  #
+  # Always pass testing sitekey: "1x00000000000000000000AA"
   BotChallengePage::BotChallengePageController.bot_challenge_config.cf_turnstile_sitekey = "MUST GET"
+  # Always pass testing secret_key: "1x0000000000000000000000000000000AA"
   BotChallengePage::BotChallengePageController.bot_challenge_config.cf_turnstile_secret_key = "MUST GET"
+  BotChallengePage::BotChallengePageController.bot_challenge_config.redirect_for_challenge = <%= options[:redirect_for_challenge] %>
+  <%- if options[:rack_attack] %>
   # What paths do you want to protect?
   #
   # You can use path prefixes: "/catalog" or even "/"
@@ -22,17 +29,16 @@ Rails.application.config.to_prepare do
   BotChallengePage::BotChallengePageController.bot_challenge_config.rate_limited_locations = [
   ]
-  # How long will a challenge success exempt a session from further challenges?
-  # BotChallengePage::BotChallengePageController.bot_challenge_config.session_passed_good_for = 36.hours
-  <%- if options[:rack_attack] %>
   # allow rate_limit_count requests in rate_limit_period, before issuing challenge
   BotChallengePage::BotChallengePageController.bot_challenge_config.rate_limit_period = 12.hour
   BotChallengePage::BotChallengePageController.bot_challenge_config.rate_limit_count = 2
   <% end -%>
+  # How long will a challenge success exempt a session from further challenges?
+  # BotChallengePage::BotChallengePageController.bot_challenge_config.session_passed_good_for = 36.hours
   # Exempt some requests from bot challenge protection
-  # BotChallengePage::BotChallengePageController.allow_exempt = ->(controller) {
+  # BotChallengePage::BotChallengePageController.bot_challenge_config.allow_exempt = ->(controller) {
   #   # controller.params
   #   # controller.request
   #   # controller.session

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: bot_challenge_page
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Jonathan Rochkind
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-02-27 00:00:00.000000000 Z
+date: 2025-03-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: appraisal
@@ -153,6 +153,8 @@ files:
 - README.md
 - Rakefile
 - app/controllers/bot_challenge_page/bot_challenge_page_controller.rb
+- app/controllers/concerns/bot_challenge_page/enforce_filter.rb
+- app/controllers/concerns/bot_challenge_page/rack_attack_init.rb
 - app/models/bot_challenge_page/config.rb
 - app/views/bot_challenge_page/_local_turnstile_script_tag.html.erb
 - app/views/bot_challenge_page/_turnstile_widget_placeholder.html.erb