RubyGems - bot_challenge_page - Versions diffs - 0.10.0 → 1.0.0 - Mend

bot_challenge_page 0.10.0 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml +4 -4
data/README.md +22 -17
data/app/controllers/concerns/bot_challenge_page/guard_action.rb +10 -0
data/lib/bot_challenge_page/version.rb +1 -1
metadata +5 -9

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cb4f4b1a29eae8a320d95d2279e21ab44ef8168be416136790c96d2150de1ac3
-  data.tar.gz: fa8fe854808413b95c4e2c4a5c4ecf4ed7b3826f77b487d46aee895f9a2d6735
+  metadata.gz: 62e4404007888e13f20c7ec554c37d7afd5727c5e3b2e21e671d72fa7bf9c589
+  data.tar.gz: 3f52d0766f04f9268fff39ebca416fa7fb51c7b2314dc4e39e204fce5c25811b
 SHA512:
-  metadata.gz: '082b26cdef3709185fb7616d009798c26d244485ccb03e24593512f1af6481450413351356f044e380e953f65e28a6ac386ca490ba778fbea78c71109f2dc98d'
-  data.tar.gz: 805a64dfc7de28b6f27fdf0c4b64b18cba29e98ae59376bce6565e133b993246b3783312f65ad69d9c65df8ea31a4193f0dbe2cd5cb4006ca81264caa60464c7
+  metadata.gz: 7f9cc9d5917dbe0eced73fdbe74529644197d5181c2b77511bd5055664ba46b01525a149b1ff1258071015dec2862772179f11073ee28bb3fbfcd1c1b05300d6
+  data.tar.gz: 1d2a65e52aada9752f5d7149834a73ae75e6d9974839f91f55982da49b6803e3f3f2cd052f5fe809039de96f34e8180b916ac5da7c8eeb46e033c9c8dc1b7873

data/README.md CHANGED Viewed

@@ -31,7 +31,7 @@ The motivating use case is fairly dumb (probably AI-related) crawlers crawling s
 * Configure in the generated `./config/initializers/bot_challenge_page.rb`
   * At a minimum you need to configure your Cloudflare Turnstile keys
-  * Some other configuration options are offered -- more advanced/specialized ones are available that are not mentioned in generated config file, see [Config class](./app/models/bot_challenge_page/config.rb)
+  * Some other configuration options are offered -- more advanced/specialized ones are available that are not mentioned in generated config file, see [Config class](./lib/bot_challenge_page/config.rb)
 ## Protect some paths
@@ -39,15 +39,15 @@ You can add `bot_challenge` to a controller to protect all actions in that contr
 You can also use all the Rails `before_action` params to apply to only some actions or requests in that controller: `only` and `except` to specify actions; and `if` and `unless` to specify procs to filter individual requests.
-    * Note that we can only protect GET paths, and also think about making sure you DON'T protect
-      any path your front-end needs JS `fetch` access to, as this would block it (at least
-      without custom front-end code we haven't really explored)
+  * Note that we can only protect GET paths, and also think about making sure you DON'T protect
+    any path your front-end needs JS `fetch` access to, as this would block it (at least
+    without custom front-end code we haven't really explored)
-    * If you are tempted to just protect `/` that may work, but you may need to exclude hearbeat paths, front-end (AJAX) requestable paths, API endpoints, uptime checker requests, or other machine-access-desired paths. These may be good candidates for an `unless` parameter, or the `skip_when` configuration.
+  * If you are tempted to just protect `/` that may work, but you may need to exclude hearbeat paths, front-end (AJAX) requestable paths, API endpoints, uptime checker requests, or other machine-access-desired paths. These may be good candidates for an `unless` parameter, or the `skip_when` configuration.
-    * The author is a librarian who believes maintaining machine access in general is a public good, and tries to limit access with a bot challenge to the minimum paths necessary for app sustainability.
+  * The author is a librarian who believes maintaining machine access in general is a public good, and tries to limit access with a bot challenge to the minimum paths necessary for app sustainability.
-    * The default configuration only allows re-use of a 'pass' cookie from requests with same IP address subnet and user-agent-related headers. This can be customized.
+  * The default configuration only allows re-use of a 'pass' cookie from requests with same IP address subnet and user-agent-related headers. This can be customized.
 ```ruby
 class WidgetController < ApplicationController
@@ -92,7 +92,7 @@ The challenge page by default will be displayed in your app's default rails `lay
 To customize the layout or challenge page HTML more further, you can use configuration to supply a `render` method for the controller pointing to your own templates or other layouts. You will probably want to re-use the partials we use in our default template, for standard functionality. And you'll want to provide `<template>` elements with the same id's for those elements, but can put whatever you want inside the templates!
 ```ruby
-BotChallengePage::BotChallengePageController.bot_challenge_config.challenge_renderer = ()->  {
+config.challenge_renderer = ()->  {
   render "my_local_view_folder/whatever", layout "another_layout"
 }
 ```
@@ -107,7 +107,7 @@ If you'd like to log or observe challenge issues, you can configure a proc that
 in the context of the controller, and is called when a page is blocked by a challenge.
 ```ruby
-BotChallengePage::BotChallengePageController.bot_challenge_config.after_blocked = (_bot_challenge_class)->  {
+config.after_blocked = (_bot_challenge_class)->  {
   logger.info("page blocked by challenge: #{request.uri}")
 }
 ```
@@ -115,7 +115,7 @@ BotChallengePage::BotChallengePageController.bot_challenge_config.after_blocked
 Or, here's how I managed to get it in [lograge](https://github.com/roidrage/lograge), so a page blocked results in a `bot_chlng=true` param in a lograge line.
 ```ruby
-BotChallengePage::BotChallengePageController.bot_challenge_config.after_blocked =
+config.after_blocked =
   ->(bot_detect_class) {
     request.env["bot_detect.blocked_for_challenge"] = true
   }
@@ -129,6 +129,8 @@ config.lograge.custom_payload do |controller|
 end
 ```
+Later, however, using similar mechanism, I actually suppressed logging of actions that resulted in bot challenges altogether -- they were exhausting my log platform quota.
 ## Example possible Blacklight config
 Many of us in my professional community use [blacklight](https://github.com/projectblacklight/blacklight).  Here's a possible sample blacklight config to:
@@ -143,18 +145,18 @@ Many of us in my professional community use [blacklight](https://github.com/proj
 ```ruby
 # ./config/initializers/bot_challenge_page.rb
-Rails.application.config.to_prepare do
-  BotChallengePage::BotChallengePageController.bot_challenge_config.enabled = true
+BotChanngePage.configure do
+  config.enabled = true
   # Need to set store to a Rails cache store other than null store, if you want to track
-  # rate limits.
-  BotChallengePage::BotChallengePageController.bot_challenge_config.store = :redis_store
+  # rate limits.  We chooes to use a different store than Rails.cache.
+  config.store = ActiveSupport::Cache::RedisCacheStore.new(url: $some_redis_url)
   # Get from CloudFlare Turnstile: https://www.cloudflare.com/application-services/products/turnstile/
-  BotChallengePage::BotChallengePageController.bot_challenge_config.cf_turnstile_sitekey = "MUST GET"
-  BotChallengePage::BotChallengePageController.bot_challenge_config.cf_turnstile_secret_key = "MUST GET"
+  config.cf_turnstile_sitekey = "MUST GET"
+  config.cf_turnstile_secret_key = "MUST GET"
-  BotChallengePage::BotChallengePageController.bot_challenge_config.skip_when = ->(config) {
+  config.skip_when = ->(config) {
     # Exempt honeybadger token to allow HB uptime checker in
     # https://docs.honeybadger.io/guides/security/
     (
@@ -193,6 +195,7 @@ class CatalogController < ApplicationController
   }
 end
+```
 ## Development and automated testing
@@ -235,4 +238,6 @@ The gem is available as open source under the terms of the [MIT License](https:/
 * And yet another implementation in Rails that perhaps makes more assumptions about use cases, [turnstile-captcha](https://github.com/pfeiffer/turnstile-captcha). Haven't looked at it much.
+* Great article summarizing our community of practice's knowledge of bot defenses, written after this gem: [Mitigating Aggressive Crawler Traffic in the Age of Generative AI: A Collaborative Approach from the University of North Carolina at Chapel Hill Libraries](https://journal.code4lib.org/articles/18489), by Jason Casden, David Romani, Tim Shearer, and Jeff Campbell, Code4Lib Journal Issue 61, 2025-10-21

data/app/controllers/concerns/bot_challenge_page/guard_action.rb CHANGED Viewed

@@ -31,6 +31,16 @@ module BotChallengePage
           else
             # hacky way to get config to view template in an arbitrary controller, good enough for now
             controller.instance_variable_set("@bot_challenge_config", self.bot_challenge_config) unless controller.instance_variable_get("@bot_challenge_config")
+            # set preload HTTP header with turnstile url for better page speed
+            # May or may not be one there already, we can always add on
+            preload_link_value = %Q{<#{self.bot_challenge_config.cf_turnstile_js_url}>; rel=preload; as=script}
+            if controller.headers["link"].present?
+              controller.headers["link"] += ",#{preload_link_value}"
+            else
+              controller.headers["link"] = "#{preload_link_value}"
+            end
             controller.instance_exec &self.bot_challenge_config.challenge_renderer
           end

data/lib/bot_challenge_page/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module BotChallengePage
-  VERSION = "0.10.0"
+  VERSION = "1.0.0"
 end

metadata CHANGED Viewed

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: bot_challenge_page
 version: !ruby/object:Gem::Version
-  version: 0.10.0
+  version: 1.0.0
 platform: ruby
 authors:
 - Jonathan Rochkind
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-08-04 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: appraisal
@@ -103,7 +102,7 @@ dependencies:
         version: '7.1'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '8.1'
+        version: '8.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -113,7 +112,7 @@ dependencies:
         version: '7.1'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '8.1'
+        version: '8.2'
 - !ruby/object:Gem::Dependency
   name: http
   requirement: !ruby/object:Gem::Requirement
@@ -128,7 +127,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '5.2'
-description:
 email:
 - jonathan@dnil.net
 executables: []
@@ -162,7 +160,6 @@ licenses:
 metadata:
   homepage_uri: https://github.com/samvera-labs/bot_challenge_page
   source_code_uri: https://github.com/samvera-labs/bot_challenge_page
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -177,8 +174,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.9
-signing_key:
+rubygems_version: 3.7.1
 specification_version: 4
 summary: Show a bot challenge interstitial for Rails, usually using Cloudflare Turnstile
 test_files: []