is-antibot 1.4.0 → 1.5.0

package/README.md

@@ -30,6 +30,7 @@
 - **Ocule** - Bot detection with advanced obfuscation
 - **YouTube** - BotGuard attestation and abuse detection
 - **LinkedIn** - Bot filter protection
+- **Reddit** - Network security challenge-page detection
 
 ### CAPTCHA Providers
 
@@ -45,7 +46,7 @@
 
 ## Why
 
-Websites receiving massive quantities of traffic throughout the day, like LinkedIn, Instagram, or YouTube, have sophisticated antibot systems to prevent automated access.
+Websites receiving massive quantities of traffic throughout the day, like LinkedIn, Reddit, Instagram, or YouTube, have sophisticated antibot systems to prevent automated access.
 
 When you try to fetch the HTML of these sites without the right tools, you often hit a 403 Forbidden, 429 Too Many Requests, or a "Please prove you're human" challenge, leaving you with a response that contains no useful data.
 

package/package.json

@@ -2,7 +2,7 @@
   "name": "is-antibot",
   "description": "Identify if a response is an antibot challenge from CloudFlare, Akamai, DataDome, Vercel, PerimeterX, Shape Security, and more, including CAPTCHA providers like reCAPTCHA and hCaptcha.",
   "homepage": "https://github.com/microlinkhq/is-antibot",
-  "version": "1.4.0",
+  "version": "1.5.0",
   "exports": {
     ".": "./src/index.js"
   },
@@ -55,6 +55,7 @@
     "waf"
   ],
   "dependencies": {
+    "@metascraper/helpers": "~5.50.0",
     "cookie-es": "~3.1.1",
     "debug-logfmt": "~1.4.7"
   },
@@ -81,22 +82,6 @@
   "files": [
     "src"
   ],
-  "scripts": {
-    "clean": "rm -rf node_modules",
-    "contributors": "(npx git-authors-cli && npx finepack && git add package.json && git commit -m 'build: contributors' --no-verify) || true",
-    "coverage": "c8 report --reporter=text-lcov > coverage/lcov.info",
-    "lint": "standard",
-    "postrelease": "npm run release:tags && npm run release:github && (ci-publish || npm publish --access=public)",
-    "pretest": "npm run lint",
-    "release": "pnpm run release:version && pnpm run release:changelog && pnpm run release:commit && pnpm run release:tag",
-    "release:changelog": "conventional-changelog -p conventionalcommits -i CHANGELOG.md -s",
-    "release:commit": "git add package.json CHANGELOG.md && git commit -m \"chore(release): $(node -p \"require('./package.json').version\")\"",
-    "release:github": "github-generate-release",
-    "release:tag": "git tag -a v$(node -p \"require('./package.json').version\") -m \"v$(node -p \"require('./package.json').version\")\"",
-    "release:tags": "git push origin HEAD:master --follow-tags",
-    "release:version": "standard-version --skip.changelog --skip.commit --skip.tag",
-    "test": "c8 ava"
-  },
   "license": "MIT",
   "ava": {
     "files": [
@@ -126,5 +111,21 @@
   "simple-git-hooks": {
     "commit-msg": "npx commitlint --edit",
     "pre-commit": "npx nano-staged"
+  },
+  "scripts": {
+    "clean": "rm -rf node_modules",
+    "contributors": "(npx git-authors-cli && npx finepack && git add package.json && git commit -m 'build: contributors' --no-verify) || true",
+    "coverage": "c8 report --reporter=text-lcov > coverage/lcov.info",
+    "lint": "standard",
+    "postrelease": "npm run release:tags && npm run release:github && (ci-publish || npm publish --access=public)",
+    "pretest": "npm run lint",
+    "release": "pnpm run release:version && pnpm run release:changelog && pnpm run release:commit && pnpm run release:tag",
+    "release:changelog": "conventional-changelog -p conventionalcommits -i CHANGELOG.md -s",
+    "release:commit": "git add package.json CHANGELOG.md && git commit -m \"chore(release): $(node -p \"require('./package.json').version\")\"",
+    "release:github": "github-generate-release",
+    "release:tag": "git tag -a v$(node -p \"require('./package.json').version\") -m \"v$(node -p \"require('./package.json').version\")\"",
+    "release:tags": "git push origin HEAD:master --follow-tags",
+    "release:version": "standard-version --skip.changelog --skip.commit --skip.tag",
+    "test": "c8 ava"
   }
-}
+}

package/src/index.js

@@ -1,6 +1,7 @@
 'use strict'
 
 const { splitSetCookieString } = require('cookie-es')
+const { parseUrl } = require('@metascraper/helpers')
 const debug = require('debug-logfmt')('is-antibot')
 
 const DETECTION = {
@@ -125,9 +126,15 @@ const detect = ({ headers = {}, html = '', url = '' } = {}) => {
     return byHeaders('datadome')
   }
 
-  // DataDome: Check for x-datadome or x-datadome-cid header presence
-  // Reference: https://github.com/scrapfly/Antibot-Detector/blob/main/detectors/antibot/detect-datadome.json
-  if (hasAnyHeader(['x-datadome', 'x-datadome-cid'])) {
+  // DataDome: x-datadome header presence.
+  // Note: `x-datadome: protected` can appear on successful responses.
+  const xDatadome = getHeader('x-datadome')
+  if (xDatadome && String(xDatadome).toLowerCase() !== 'protected') {
+    return byHeaders('datadome')
+  }
+
+  // DataDome: x-datadome-cid header presence
+  if (hasAnyHeader(['x-datadome-cid'])) {
     return byHeaders('datadome')
   }
 
@@ -381,6 +388,15 @@ const detect = ({ headers = {}, html = '', url = '' } = {}) => {
     return byHtml('aliexpress-captcha')
   }
 
+  // Reddit: blocked requests are served as HTML challenge pages.
+  // Strongest signal is the blocked-page copy in HTML.
+  if (
+    parseUrl(url).domain === 'reddit.com' &&
+    hasAnyHtml([/blocked by network security\./i])
+  ) {
+    return byHtml('reddit')
+  }
+
   // LinkedIn: trkCode=bf cookie ("bot filter") is set when LinkedIn blocks a request
   if (hasAnyCookie(['trkCode=bf'])) {
     return byCookies('linkedin')