RubyGems - bot_challenge_page - Versions diffs - 0.3.1 → 0.4.0 - Mend

bot_challenge_page 0.3.1 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/README.md +1 -1
data/app/models/bot_challenge_page/config.rb +4 -4
data/lib/bot_challenge_page/version.rb +1 -1
metadata +2 -3
data/app/models/bot_challenge_page/simple_pow1.rb +0 -90

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2e582326d0a139a9407ccd31a0bbb822d99d51a7040093d22427d563997dbea8
-  data.tar.gz: 68107c7fc6a9aa2d8e3e079e401708c740e3cf6ee840b7be6cc4f7c85e8b64df
+  metadata.gz: 1f123fae1f11aef11705e08404a9275bf61e9657cac5bc2833145494a26cbb10
+  data.tar.gz: 9ea4ba0896da4e3dc7ca4307fff1c18cc2f0b33a7c792d11f3ed926559f183a8
 SHA512:
-  metadata.gz: 3748c684eeca9e6e66b50fa5e0e5fe4b97c328862799a9dee8fc19632974df5c4489e076eede3d67f0ca8d6f5dc16476ae682d938be015606837c232866256ce
-  data.tar.gz: 2b0bf202ef9c4751a07d0acebeaedd722fd4de501b0a0ae94b004b70b03fb77682cd472aa7e1d3a34ff36810ce3b532662751f3cc79c5453c5fa673977afd0db
+  metadata.gz: 1e5ef5eaedf5c9705270da5b55ac3c0f8cf225b22ba09af3bb0782afcbc12ade3bc02b8c642ffaae14ca0c401a5858344c404c144d2094cf9f372f23ae5189c2
+  data.tar.gz: e65401e9d3a5b8379fad737842138312d5f3d3f003e59123246cbb0c0af9de932058736f07ba4b3f161eb39bdbe228e941635f63e861a7dcb0e465a1d7e6c272

data/README.md CHANGED Viewed

@@ -120,7 +120,7 @@ Rails.application.config.to_prepare do
   BotChallengePage::BotChallengePageController.bot_challenge_config.rate_limit_period = 36.hour
   BotChallengePage::BotChallengePageController.bot_challenge_config.rate_limit_count = 3
-  BotChallengePage::BotChallengePageController.allow_exempt = ->(controller) {
+  BotChallengePage::BotChallengePageController.allow_exempt = ->(controller, config) {
     # Excempt any Catalog #facet or #range_limit action that looks like an ajax/fetch request, the # challenge isn't going to work there, we just exempt it.
     #
     # sec-fetch-dest is set to 'empty' by browser on fetch requests, to limit us further;

data/app/models/bot_challenge_page/config.rb CHANGED Viewed

@@ -66,14 +66,14 @@ module BotChallengePage
     attribute :after_blocked, default: ->(bot_detect_class) {}
-    # rate limit per subnet, following lehigh's lead, although we use a smaller
-    # subnet: /24 for IPv4, and /72 for IPv6
+    # rate limit per subnet, follow lehigh's lead with
+    # subnet: /16 for IPv4 (x.y.*.*), and /64 for IPv6 (about the same size subnet for better or worse)
     # https://git.drupalcode.org/project/turnstile_protect/-/blob/0dae9f95d48f9d8cae5a8e61e767c69f64490983/src/EventSubscriber/Challenge.php#L140-151
     attribute :rate_limit_discriminator, default: (lambda do |req, config|
       if req.ip.index(":") # ipv6
-        IPAddr.new("#{req.ip}/72").to_string
+        IPAddr.new("#{req.ip}/64").to_string
       else
-        IPAddr.new("#{req.ip}/24").to_string
+        IPAddr.new("#{req.ip}/16").to_string
       end
     rescue IPAddr::InvalidAddressError
       req.ip

data/lib/bot_challenge_page/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module BotChallengePage
-  VERSION = "0.3.1"
+  VERSION = "0.4.0"
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: bot_challenge_page
 version: !ruby/object:Gem::Version
-  version: 0.3.1
+  version: 0.4.0
 platform: ruby
 authors:
 - Jonathan Rochkind
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-04-07 00:00:00.000000000 Z
+date: 2025-04-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: appraisal
@@ -156,7 +156,6 @@ files:
 - app/controllers/concerns/bot_challenge_page/enforce_filter.rb
 - app/controllers/concerns/bot_challenge_page/rack_attack_init.rb
 - app/models/bot_challenge_page/config.rb
-- app/models/bot_challenge_page/simple_pow1.rb
 - app/models/bot_challenge_page/test.html
 - app/views/bot_challenge_page/_local_turnstile_script_tag.html.erb
 - app/views/bot_challenge_page/_turnstile_widget_placeholder.html.erb

data/app/models/bot_challenge_page/simple_pow1.rb DELETED Viewed

@@ -1,90 +0,0 @@
-require 'digest'
-require "base64"
-module BotChallengePage
-  # A simple proof-of-work algorithm, that we can also do in javascript
-  #
-  # ## Algorithm
-  #
-  # We calculate a deterministic "challenge" based on a secret key (salt?), current time period,
-  # and the specific client request characteristics (prob just client IP).
-  #
-  # The client has to find a prefix than when prepended to the challenge yields a Sha256 hash
-  # that begins with a certain number of zeroes in the hex representtion. The number of zeroes is the "difficulty".
-  # Each zero in hex rep is 4 bits.
-  #
-  # They send the prefix back to us as a solution, and we confirm that when prefixed to
-  # our challenge, and hashed, it has the required number of leading zeroes.
-  #
-  # (TODO: Leading zeroes in a hex represnetation or what?)
-  class SimplePow1
-    # how long is a challenge good for, it will really be good for somewhere between this and 2x this,
-    # since we always try previous challenge to avoid race condition on switch
-    CHALLENGE_PERIOD = 6.minutes
-    # how many leading 0 *BITS* -- and time varies a LOT and expands RAPIDLY when we add, we dont' totally knokw what we're doing
-    DEFAULT_DIFFICULTY = 18
-    DEFAULT_SECRET = ActiveSupport::KeyGenerator.new(Rails.application.config.secret_key_base).generate_key("BotChallengePage::SimplePow1")
-    attr_reader :client_id, :difficulty
-    def initialize(client_id:, secret: DEFAULT_SECRET, difficulty: DEFAULT_DIFFICULTY)
-      @client_id = client_id # usually client ip
-      @difficulty = difficulty
-      @secret = secret
-    end
-    # challenge is determinsitic based on our secret, the current time, and the client_id
-    def challenge(for_time: Time.now.utc)
-      period_normalized_time = for_time - (for_time.to_i % CHALLENGE_PERIOD)
-      Digest::SHA256.hexdigest "#{period_normalized_time.to_s}_#{client_id.to_s}_#{@secret.to_s}"
-    end
-    def challenge_for_last_period
-      challenge(for_time: Time.now.utc - CHALLENGE_PERIOD)
-    end
-    def challenge_params
-      {
-        challenge: challenge,
-        difficulty: difficulty
-      }
-    end
-    # Check solution against current challenge, AND against the previous period's challenge,
-    # in case we just had a race condition, meaning our time goid is actually
-    # min CHALLENGE_PERIOD and max 2 * CHALLENGE_PERIOD
-    #
-    # @param solution [String] *Base64-encoded data*, that when prefixed to the challenge,
-    #   results in a sha256 digest with `difficulty` leading 0 bits.
-    #
-    def verify_solution(solution)
-      solution = Base64.decode64(solution)
-      verify_solution_for_challenge(solution, challenge) ||
-        verify_solution_for_challenge(solution, challenge(for_time: Time.now.utc - CHALLENGE_PERIOD))
-    end
-    # @param solution [String] actual data, **not** base64 encoded
-    #
-    def verify_solution_for_challenge(aSolution, aChallenge)
-      # there's prob a more efficient mathematical way to do this wihtout converting
-      # to hex string, but this is what we've got.
-      bindigest = Digest::SHA256.digest(aSolution + aChallenge)
-      # hopefully we are not going to have a problem with endian-ness here. :(
-      bytes_required = (difficulty / 8) + 1
-      prefix_bytes = bindigest.byteslice(0, bytes_required).bytes
-      prefix_bits = prefix_bytes.collect do |byte|
-        reversed_bits = byte.digits(2)
-        reversed_bits.fill(0, reversed_bits.length..7).reverse
-      end.compact.join.slice(0, difficulty)
-      prefix_bits == ("0" * difficulty)
-    end
-  end
-end