nextjs-secure 0.6.0 → 0.7.0

package/dist/bot.cjs

@@ -0,0 +1,1521 @@
+'use strict';
+
+// src/middleware/bot/user-agent.ts
+var KNOWN_BOT_PATTERNS = [
+  // Search Engines - Generally allowed
+  {
+    name: "Googlebot",
+    pattern: /Googlebot|Google-InspectionTool|Storebot-Google|GoogleOther/i,
+    category: "search_engine",
+    allowed: true,
+    description: "Google search crawler"
+  },
+  {
+    name: "Bingbot",
+    pattern: /bingbot|msnbot|BingPreview/i,
+    category: "search_engine",
+    allowed: true,
+    description: "Microsoft Bing crawler"
+  },
+  {
+    name: "Yahoo Slurp",
+    pattern: /Slurp/i,
+    category: "search_engine",
+    allowed: true,
+    description: "Yahoo search crawler"
+  },
+  {
+    name: "DuckDuckBot",
+    pattern: /DuckDuckBot|DuckDuckGo-Favicons-Bot/i,
+    category: "search_engine",
+    allowed: true,
+    description: "DuckDuckGo crawler"
+  },
+  {
+    name: "Baiduspider",
+    pattern: /Baiduspider/i,
+    category: "search_engine",
+    allowed: true,
+    description: "Baidu search crawler"
+  },
+  {
+    name: "Yandex",
+    pattern: /YandexBot|YandexImages|YandexMobileBot/i,
+    category: "search_engine",
+    allowed: true,
+    description: "Yandex search crawler"
+  },
+  {
+    name: "Applebot",
+    pattern: /Applebot/i,
+    category: "search_engine",
+    allowed: true,
+    description: "Apple search crawler"
+  },
+  {
+    name: "Sogou",
+    pattern: /Sogou/i,
+    category: "search_engine",
+    allowed: true,
+    description: "Sogou search crawler"
+  },
+  {
+    name: "Exabot",
+    pattern: /Exabot/i,
+    category: "search_engine",
+    allowed: true,
+    description: "Exalead search crawler"
+  },
+  // Social Media - Generally allowed
+  {
+    name: "Facebook",
+    pattern: /facebookexternalhit|Facebot|facebookcatalog/i,
+    category: "social_media",
+    allowed: true,
+    description: "Facebook crawler for link previews"
+  },
+  {
+    name: "Twitter",
+    pattern: /Twitterbot/i,
+    category: "social_media",
+    allowed: true,
+    description: "Twitter/X crawler for cards"
+  },
+  {
+    name: "LinkedIn",
+    pattern: /LinkedInBot/i,
+    category: "social_media",
+    allowed: true,
+    description: "LinkedIn crawler for previews"
+  },
+  {
+    name: "Pinterest",
+    pattern: /Pinterest|Pinterestbot/i,
+    category: "social_media",
+    allowed: true,
+    description: "Pinterest crawler"
+  },
+  {
+    name: "Slack",
+    pattern: /Slackbot/i,
+    category: "social_media",
+    allowed: true,
+    description: "Slack link preview bot"
+  },
+  {
+    name: "Discord",
+    pattern: /Discordbot/i,
+    category: "social_media",
+    allowed: true,
+    description: "Discord link preview bot"
+  },
+  {
+    name: "Telegram",
+    pattern: /TelegramBot/i,
+    category: "social_media",
+    allowed: true,
+    description: "Telegram link preview bot"
+  },
+  {
+    name: "WhatsApp",
+    pattern: /WhatsApp/i,
+    category: "social_media",
+    allowed: true,
+    description: "WhatsApp link preview"
+  },
+  {
+    name: "Snapchat",
+    pattern: /Snapchat/i,
+    category: "social_media",
+    allowed: true,
+    description: "Snapchat crawler"
+  },
+  // Monitoring - Generally allowed
+  {
+    name: "UptimeRobot",
+    pattern: /UptimeRobot/i,
+    category: "monitoring",
+    allowed: true,
+    description: "UptimeRobot monitoring"
+  },
+  {
+    name: "Pingdom",
+    pattern: /Pingdom/i,
+    category: "monitoring",
+    allowed: true,
+    description: "Pingdom monitoring"
+  },
+  {
+    name: "StatusCake",
+    pattern: /StatusCake/i,
+    category: "monitoring",
+    allowed: true,
+    description: "StatusCake monitoring"
+  },
+  {
+    name: "Site24x7",
+    pattern: /Site24x7/i,
+    category: "monitoring",
+    allowed: true,
+    description: "Site24x7 monitoring"
+  },
+  {
+    name: "Datadog",
+    pattern: /Datadog/i,
+    category: "monitoring",
+    allowed: true,
+    description: "Datadog synthetic monitoring"
+  },
+  {
+    name: "New Relic",
+    pattern: /NewRelicPinger/i,
+    category: "monitoring",
+    allowed: true,
+    description: "New Relic synthetic monitoring"
+  },
+  {
+    name: "Checkly",
+    pattern: /Checkly/i,
+    category: "monitoring",
+    allowed: true,
+    description: "Checkly monitoring"
+  },
+  // SEO Tools - Usually allowed but can be blocked
+  {
+    name: "Ahrefs",
+    pattern: /AhrefsBot|AhrefsSiteAudit/i,
+    category: "seo",
+    allowed: false,
+    description: "Ahrefs SEO crawler"
+  },
+  {
+    name: "Semrush",
+    pattern: /SemrushBot/i,
+    category: "seo",
+    allowed: false,
+    description: "Semrush SEO crawler"
+  },
+  {
+    name: "Moz",
+    pattern: /rogerbot|DotBot/i,
+    category: "seo",
+    allowed: false,
+    description: "Moz SEO crawler"
+  },
+  {
+    name: "Majestic",
+    pattern: /MJ12bot/i,
+    category: "seo",
+    allowed: false,
+    description: "Majestic SEO crawler"
+  },
+  {
+    name: "Screaming Frog",
+    pattern: /Screaming Frog/i,
+    category: "seo",
+    allowed: false,
+    description: "Screaming Frog SEO Spider"
+  },
+  // AI Crawlers - Configurable
+  {
+    name: "GPTBot",
+    pattern: /GPTBot/i,
+    category: "ai_crawler",
+    allowed: false,
+    description: "OpenAI GPT training crawler"
+  },
+  {
+    name: "ChatGPT-User",
+    pattern: /ChatGPT-User/i,
+    category: "ai_crawler",
+    allowed: false,
+    description: "ChatGPT user browsing"
+  },
+  {
+    name: "Claude-Web",
+    pattern: /Claude-Web|ClaudeBot|anthropic-ai/i,
+    category: "ai_crawler",
+    allowed: false,
+    description: "Anthropic Claude crawler"
+  },
+  {
+    name: "Bytespider",
+    pattern: /Bytespider/i,
+    category: "ai_crawler",
+    allowed: false,
+    description: "ByteDance AI crawler"
+  },
+  {
+    name: "CCBot",
+    pattern: /CCBot/i,
+    category: "ai_crawler",
+    allowed: false,
+    description: "Common Crawl bot"
+  },
+  {
+    name: "Google-Extended",
+    pattern: /Google-Extended/i,
+    category: "ai_crawler",
+    allowed: false,
+    description: "Google AI training crawler"
+  },
+  {
+    name: "Cohere-ai",
+    pattern: /cohere-ai/i,
+    category: "ai_crawler",
+    allowed: false,
+    description: "Cohere AI crawler"
+  },
+  {
+    name: "PerplexityBot",
+    pattern: /PerplexityBot/i,
+    category: "ai_crawler",
+    allowed: false,
+    description: "Perplexity AI crawler"
+  },
+  // Feed Readers - Generally allowed
+  {
+    name: "Feedly",
+    pattern: /Feedly/i,
+    category: "feed_reader",
+    allowed: true,
+    description: "Feedly RSS reader"
+  },
+  {
+    name: "Feedbin",
+    pattern: /Feedbin/i,
+    category: "feed_reader",
+    allowed: true,
+    description: "Feedbin RSS reader"
+  },
+  {
+    name: "NewsBlur",
+    pattern: /NewsBlur/i,
+    category: "feed_reader",
+    allowed: true,
+    description: "NewsBlur RSS reader"
+  },
+  // Link Previews - Generally allowed
+  {
+    name: "Embedly",
+    pattern: /Embedly/i,
+    category: "preview",
+    allowed: true,
+    description: "Embedly link preview"
+  },
+  {
+    name: "Iframely",
+    pattern: /Iframely/i,
+    category: "preview",
+    allowed: true,
+    description: "Iframely link preview"
+  },
+  // Security Scanners - Block by default
+  {
+    name: "Nessus",
+    pattern: /Nessus/i,
+    category: "security",
+    allowed: false,
+    description: "Nessus vulnerability scanner"
+  },
+  {
+    name: "Nikto",
+    pattern: /Nikto/i,
+    category: "security",
+    allowed: false,
+    description: "Nikto web scanner"
+  },
+  {
+    name: "sqlmap",
+    pattern: /sqlmap/i,
+    category: "security",
+    allowed: false,
+    description: "sqlmap SQL injection tool"
+  },
+  {
+    name: "WPScan",
+    pattern: /WPScan/i,
+    category: "security",
+    allowed: false,
+    description: "WordPress vulnerability scanner"
+  },
+  {
+    name: "Acunetix",
+    pattern: /Acunetix/i,
+    category: "security",
+    allowed: false,
+    description: "Acunetix vulnerability scanner"
+  },
+  // Known Scrapers - Block
+  {
+    name: "Scrapy",
+    pattern: /Scrapy/i,
+    category: "scraper",
+    allowed: false,
+    description: "Scrapy web scraper"
+  },
+  {
+    name: "HTTrack",
+    pattern: /HTTrack/i,
+    category: "scraper",
+    allowed: false,
+    description: "HTTrack website copier"
+  },
+  {
+    name: "WebCopier",
+    pattern: /WebCopier/i,
+    category: "scraper",
+    allowed: false,
+    description: "WebCopier tool"
+  },
+  {
+    name: "SiteSnagger",
+    pattern: /SiteSnagger/i,
+    category: "scraper",
+    allowed: false,
+    description: "SiteSnagger downloader"
+  },
+  // Spam Bots - Always block
+  {
+    name: "Spam Bot",
+    pattern: /spam|harvester|extractor|collect/i,
+    category: "spam",
+    allowed: false,
+    description: "Generic spam bot pattern"
+  },
+  {
+    name: "Email Harvester",
+    pattern: /email.*harvest|harvest.*email/i,
+    category: "spam",
+    allowed: false,
+    description: "Email harvesting bot"
+  },
+  // Malicious - Always block
+  {
+    name: "Malicious Generic",
+    pattern: /masscan|ZmEu|morfeus|nmap/i,
+    category: "malicious",
+    allowed: false,
+    description: "Known malicious tools"
+  },
+  {
+    name: "Vulnerability Scanner",
+    pattern: /havij|w3af|webscarab/i,
+    category: "malicious",
+    allowed: false,
+    description: "Vulnerability scanning tools"
+  },
+  // Generic Bot Pattern
+  {
+    name: "Generic Bot",
+    pattern: /bot|crawl|spider|scrape|fetch/i,
+    category: "unknown",
+    allowed: false,
+    description: "Generic bot pattern"
+  },
+  {
+    name: "HTTP Library",
+    pattern: /python-requests|python-urllib|curl|wget|axios|node-fetch|got\//i,
+    category: "unknown",
+    allowed: false,
+    description: "HTTP library user agent"
+  }
+];
+var DEFAULT_ALLOWED_CATEGORIES = [
+  "search_engine",
+  "social_media",
+  "monitoring",
+  "feed_reader",
+  "preview"
+];
+var DEFAULT_ALLOWED_BOTS = [
+  "Googlebot",
+  "Bingbot",
+  "Yahoo Slurp",
+  "DuckDuckBot",
+  "Applebot",
+  "Facebook",
+  "Twitter",
+  "LinkedIn",
+  "Slack",
+  "Discord",
+  "UptimeRobot",
+  "Pingdom"
+];
+function analyzeUserAgent(userAgent, options = {}) {
+  const {
+    blockAllBots = false,
+    allowCategories = DEFAULT_ALLOWED_CATEGORIES,
+    allowList = DEFAULT_ALLOWED_BOTS,
+    blockList = [],
+    customPatterns = [],
+    blockEmptyUA = true,
+    blockSuspiciousUA = true
+  } = options;
+  if (!userAgent || userAgent.trim() === "") {
+    return {
+      isBot: blockEmptyUA,
+      category: "unknown",
+      confidence: blockEmptyUA ? 0.9 : 0,
+      reason: "Empty User-Agent",
+      userAgent: userAgent || ""
+    };
+  }
+  const allPatterns = [...customPatterns, ...KNOWN_BOT_PATTERNS];
+  let matchedPattern = null;
+  for (const pattern of allPatterns) {
+    if (pattern.pattern.test(userAgent)) {
+      matchedPattern = pattern;
+      break;
+    }
+  }
+  if (!matchedPattern && blockSuspiciousUA && isSuspiciousUA(userAgent)) {
+    return {
+      isBot: true,
+      category: "unknown",
+      confidence: 0.8,
+      reason: "Suspicious User-Agent pattern",
+      userAgent
+    };
+  }
+  if (!matchedPattern) {
+    return {
+      isBot: false,
+      confidence: 0.1,
+      reason: "No bot pattern matched",
+      userAgent
+    };
+  }
+  if (blockList.includes(matchedPattern.name)) {
+    return {
+      isBot: true,
+      category: matchedPattern.category,
+      name: matchedPattern.name,
+      confidence: 0.95,
+      reason: `Blocked bot: ${matchedPattern.name}`,
+      userAgent
+    };
+  }
+  if (blockAllBots) {
+    return {
+      isBot: true,
+      category: matchedPattern.category,
+      name: matchedPattern.name,
+      confidence: 0.9,
+      reason: `Bot blocked (blockAllBots mode): ${matchedPattern.name}`,
+      userAgent
+    };
+  }
+  if (allowList.includes(matchedPattern.name)) {
+    return {
+      isBot: true,
+      category: matchedPattern.category,
+      name: matchedPattern.name,
+      confidence: 0.95,
+      reason: `Allowed bot: ${matchedPattern.name}`,
+      userAgent
+    };
+  }
+  if (allowCategories.includes(matchedPattern.category)) {
+    return {
+      isBot: true,
+      category: matchedPattern.category,
+      name: matchedPattern.name,
+      confidence: 0.9,
+      reason: `Allowed category: ${matchedPattern.category}`,
+      userAgent
+    };
+  }
+  return {
+    isBot: true,
+    category: matchedPattern.category,
+    name: matchedPattern.name,
+    confidence: 0.85,
+    reason: matchedPattern.allowed ? `Allowed bot: ${matchedPattern.name}` : `Blocked bot: ${matchedPattern.name}`,
+    userAgent
+  };
+}
+function isSuspiciousUA(userAgent) {
+  if (userAgent.length < 10) {
+    return true;
+  }
+  if (/^[0-9a-f]{8,}$/i.test(userAgent)) {
+    return true;
+  }
+  const hasBrowserIndicator = /Mozilla|Chrome|Safari|Firefox|Edge|Opera|MSIE|Trident/i.test(userAgent);
+  const hasOSIndicator = /Windows|Mac|Linux|Android|iOS|iPhone|iPad/i.test(userAgent);
+  if (hasBrowserIndicator && !hasOSIndicator && userAgent.length < 50) {
+    return true;
+  }
+  if (/Chrome\/[0-4]\./i.test(userAgent) || /Firefox\/[0-3]\./i.test(userAgent)) {
+    return true;
+  }
+  return false;
+}
+function isBotAllowed(botName, options = {}) {
+  const {
+    blockAllBots = false,
+    allowCategories = DEFAULT_ALLOWED_CATEGORIES,
+    allowList = DEFAULT_ALLOWED_BOTS,
+    blockList = []
+  } = options;
+  if (blockList.includes(botName)) {
+    return false;
+  }
+  if (blockAllBots) {
+    return false;
+  }
+  if (allowList.includes(botName)) {
+    return true;
+  }
+  const pattern = KNOWN_BOT_PATTERNS.find((p) => p.name === botName);
+  if (pattern && allowCategories.includes(pattern.category)) {
+    return true;
+  }
+  return pattern?.allowed ?? false;
+}
+function getBotsByCategory(category) {
+  return KNOWN_BOT_PATTERNS.filter((p) => p.category === category);
+}
+function createBotPattern(name, pattern, category, allowed = false, description) {
+  return {
+    name,
+    pattern: typeof pattern === "string" ? new RegExp(pattern, "i") : pattern,
+    category,
+    allowed,
+    description
+  };
+}
+
+// src/middleware/bot/honeypot.ts
+var DEFAULT_HONEYPOT_FIELDS = [
+  "_hp_email",
+  "_hp_name",
+  "_hp_website",
+  "_hp_phone",
+  "_hp_address",
+  "email_confirm",
+  "website_url",
+  "fax_number"
+];
+var DEFAULT_HONEYPOT_OPTIONS = {
+  fieldName: "_hp_email",
+  additionalFields: [],
+  checkIn: ["body", "query"],
+  validate: void 0
+};
+async function checkHoneypot(req, options = {}) {
+  const {
+    fieldName = DEFAULT_HONEYPOT_OPTIONS.fieldName,
+    additionalFields = DEFAULT_HONEYPOT_OPTIONS.additionalFields,
+    checkIn = DEFAULT_HONEYPOT_OPTIONS.checkIn,
+    validate
+  } = options;
+  const allFields = [fieldName, ...additionalFields];
+  const filledFields = [];
+  if (checkIn.includes("query")) {
+    const url = new URL(req.url);
+    for (const field of allFields) {
+      const value = url.searchParams.get(field);
+      if (value !== null && value !== "") {
+        filledFields.push(`query:${field}`);
+      }
+    }
+  }
+  if (checkIn.includes("body") && hasBody(req)) {
+    try {
+      const body = await getRequestBody(req);
+      if (body && typeof body === "object") {
+        for (const field of allFields) {
+          const value = body[field];
+          if (value !== void 0 && value !== null && value !== "") {
+            if (validate && !validate(value)) {
+              continue;
+            }
+            filledFields.push(`body:${field}`);
+          }
+        }
+      }
+    } catch {
+    }
+  }
+  if (checkIn.includes("headers")) {
+    for (const field of allFields) {
+      const headerName = `x-${field.replace(/_/g, "-")}`;
+      const value = req.headers.get(headerName);
+      if (value !== null && value !== "") {
+        filledFields.push(`header:${headerName}`);
+      }
+    }
+  }
+  if (filledFields.length > 0) {
+    return {
+      isBot: true,
+      category: "spam",
+      confidence: 0.95,
+      reason: `Honeypot triggered: ${filledFields.join(", ")}`,
+      ip: getClientIP(req)
+    };
+  }
+  return {
+    isBot: false,
+    confidence: 0,
+    reason: "Honeypot check passed"
+  };
+}
+function withHoneypot(handler, options = {}) {
+  return async (req, ctx) => {
+    const result = await checkHoneypot(req, options);
+    if (result.isBot) {
+      return new Response(
+        JSON.stringify({
+          success: false,
+          error: "Request rejected"
+        }),
+        {
+          status: 403,
+          headers: { "Content-Type": "application/json" }
+        }
+      );
+    }
+    return handler(req, ctx);
+  };
+}
+function generateHoneypotHTML(options = {}) {
+  const {
+    fieldName = DEFAULT_HONEYPOT_OPTIONS.fieldName,
+    additionalFields = []
+  } = options;
+  const allFields = [fieldName, ...additionalFields];
+  const fields = allFields.map((field) => {
+    const style = getRandomHidingStyle();
+    const labelText = humanizeFieldName(field);
+    return `
+    <div style="${style}" aria-hidden="true" tabindex="-1">
+      <label for="${field}">${labelText}</label>
+      <input
+        type="text"
+        id="${field}"
+        name="${field}"
+        autocomplete="off"
+        tabindex="-1"
+      />
+    </div>`;
+  }).join("\n");
+  return `<!-- Honeypot fields - Do not fill these -->
+${fields}`;
+}
+function generateHoneypotCSS(options = {}) {
+  const {
+    fieldName = DEFAULT_HONEYPOT_OPTIONS.fieldName,
+    additionalFields = []
+  } = options;
+  const allFields = [fieldName, ...additionalFields];
+  const selectors = allFields.map((f) => `#${f}`).join(", ");
+  return `
+/* Honeypot field hiding */
+${selectors} {
+  position: absolute !important;
+  left: -9999px !important;
+  top: -9999px !important;
+  opacity: 0 !important;
+  height: 0 !important;
+  width: 0 !important;
+  z-index: -1 !important;
+  pointer-events: none !important;
+}
+`.trim();
+}
+function hasBody(req) {
+  const method = req.method.toUpperCase();
+  return ["POST", "PUT", "PATCH", "DELETE"].includes(method);
+}
+async function getRequestBody(req) {
+  try {
+    const contentType = req.headers.get("content-type") || "";
+    if (contentType.includes("application/json")) {
+      const cloned = req.clone();
+      return await cloned.json();
+    }
+    if (contentType.includes("application/x-www-form-urlencoded")) {
+      const cloned = req.clone();
+      const text = await cloned.text();
+      return Object.fromEntries(new URLSearchParams(text));
+    }
+    if (contentType.includes("multipart/form-data")) {
+      const cloned = req.clone();
+      const formData = await cloned.formData();
+      const obj = {};
+      formData.forEach((value, key) => {
+        obj[key] = value;
+      });
+      return obj;
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+function getClientIP(req) {
+  return req.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || req.headers.get("x-real-ip") || req.headers.get("cf-connecting-ip") || "unknown";
+}
+function getRandomHidingStyle() {
+  const styles = [
+    "position: absolute; left: -9999px; top: -9999px;",
+    "position: fixed; left: -100vw; visibility: hidden;",
+    "opacity: 0; height: 0; width: 0; overflow: hidden;",
+    "clip: rect(0, 0, 0, 0); white-space: nowrap; border: 0;",
+    "transform: scale(0); position: absolute;"
+  ];
+  return styles[Math.floor(Math.random() * styles.length)];
+}
+function humanizeFieldName(field) {
+  return field.replace(/^_hp_/, "").replace(/_/g, " ").replace(/\b\w/g, (c) => c.toUpperCase());
+}
+
+// src/middleware/bot/behavior.ts
+var DEFAULT_BEHAVIOR_OPTIONS = {
+  minRequestInterval: 100,
+  maxRequestsPerSecond: 10,
+  windowMs: 6e4,
+  store: void 0,
+  identifier: void 0,
+  patterns: {
+    sequentialAccess: true,
+    regularTiming: true,
+    missingHeaders: true
+  }
+};
+var MemoryBehaviorStore = class {
+  records = /* @__PURE__ */ new Map();
+  maxIdentifiers;
+  accessOrder = [];
+  constructor(options = {}) {
+    this.maxIdentifiers = options.maxIdentifiers || 1e4;
+  }
+  async record(identifier, timestamp, path) {
+    if (!this.records.has(identifier) && this.records.size >= this.maxIdentifiers) {
+      const oldest = this.accessOrder.shift();
+      if (oldest) {
+        this.records.delete(oldest);
+      }
+    }
+    const idx = this.accessOrder.indexOf(identifier);
+    if (idx > -1) {
+      this.accessOrder.splice(idx, 1);
+    }
+    this.accessOrder.push(identifier);
+    const records = this.records.get(identifier) || [];
+    records.push({ timestamp, path });
+    this.records.set(identifier, records);
+  }
+  async getHistory(identifier, windowMs) {
+    const records = this.records.get(identifier) || [];
+    const cutoff = Date.now() - windowMs;
+    const filtered = records.filter((r) => r.timestamp > cutoff);
+    if (filtered.length !== records.length) {
+      this.records.set(identifier, filtered);
+    }
+    return filtered;
+  }
+  async cleanup(maxAge) {
+    const cutoff = Date.now() - maxAge;
+    for (const [identifier, records] of this.records.entries()) {
+      const filtered = records.filter((r) => r.timestamp > cutoff);
+      if (filtered.length === 0) {
+        this.records.delete(identifier);
+        const idx = this.accessOrder.indexOf(identifier);
+        if (idx > -1) {
+          this.accessOrder.splice(idx, 1);
+        }
+      } else {
+        this.records.set(identifier, filtered);
+      }
+    }
+  }
+  /**
+   * Get store statistics
+   */
+  getStats() {
+    let totalRecords = 0;
+    for (const records of this.records.values()) {
+      totalRecords += records.length;
+    }
+    return {
+      identifiers: this.records.size,
+      totalRecords
+    };
+  }
+  /**
+   * Clear all records
+   */
+  clear() {
+    this.records.clear();
+    this.accessOrder = [];
+  }
+};
+async function analyzeBehavior(req, history, options = {}) {
+  const {
+    minRequestInterval = DEFAULT_BEHAVIOR_OPTIONS.minRequestInterval,
+    maxRequestsPerSecond = DEFAULT_BEHAVIOR_OPTIONS.maxRequestsPerSecond,
+    patterns = DEFAULT_BEHAVIOR_OPTIONS.patterns
+  } = options;
+  const reasons = [];
+  let score = 0;
+  const now = Date.now();
+  const requestCount = history.length;
+  const intervals = [];
+  for (let i = 1; i < history.length; i++) {
+    intervals.push(history[i].timestamp - history[i - 1].timestamp);
+  }
+  const avgInterval = intervals.length > 0 ? intervals.reduce((a, b) => a + b, 0) / intervals.length : Infinity;
+  const oneSecondAgo = now - 1e3;
+  const requestsLastSecond = history.filter((r) => r.timestamp > oneSecondAgo).length;
+  if (requestsLastSecond > maxRequestsPerSecond) {
+    score += 0.3;
+    reasons.push(`High request rate: ${requestsLastSecond}/s (max: ${maxRequestsPerSecond})`);
+  }
+  const hasRapidRequests = intervals.some((i) => i < minRequestInterval);
+  if (hasRapidRequests) {
+    score += 0.25;
+    reasons.push(`Rapid requests detected: interval < ${minRequestInterval}ms`);
+  }
+  if (patterns?.regularTiming && intervals.length >= 5) {
+    const variance = calculateVariance(intervals);
+    const coefficientOfVariation = Math.sqrt(variance) / avgInterval;
+    if (coefficientOfVariation < 0.1) {
+      score += 0.2;
+      reasons.push("Suspiciously regular request timing");
+    }
+  }
+  if (patterns?.sequentialAccess && history.length >= 5) {
+    const paths = history.map((r) => r.path);
+    if (isSequentialPattern(paths)) {
+      score += 0.15;
+      reasons.push("Sequential URL access pattern detected");
+    }
+  }
+  if (patterns?.missingHeaders) {
+    const missingScore = checkMissingHeaders(req);
+    if (missingScore > 0) {
+      score += missingScore;
+      reasons.push("Missing typical browser headers");
+    }
+  }
+  score = Math.min(1, score);
+  return {
+    suspicious: score >= 0.5,
+    score,
+    reasons,
+    requestCount,
+    avgInterval
+  };
+}
+async function checkBehavior(req, options = {}) {
+  const {
+    store = new MemoryBehaviorStore(),
+    windowMs = DEFAULT_BEHAVIOR_OPTIONS.windowMs,
+    identifier: getIdentifier
+  } = options;
+  const identifier = getIdentifier ? await getIdentifier(req) : getClientIP2(req);
+  const history = await store.getHistory(identifier, windowMs);
+  const now = Date.now();
+  const path = new URL(req.url).pathname;
+  await store.record(identifier, now, path);
+  const updatedHistory = [...history, { timestamp: now, path }];
+  const analysis = await analyzeBehavior(req, updatedHistory, options);
+  return {
+    isBot: analysis.suspicious,
+    confidence: analysis.score,
+    reason: analysis.reasons.join("; ") || "Behavior analysis passed",
+    ip: identifier
+  };
+}
+var globalBehaviorStore;
+function getGlobalBehaviorStore() {
+  if (!globalBehaviorStore) {
+    globalBehaviorStore = new MemoryBehaviorStore();
+  }
+  return globalBehaviorStore;
+}
+function withBehaviorAnalysis(handler, options = {}) {
+  const store = options.store || getGlobalBehaviorStore();
+  const mergedOptions = { ...options, store };
+  return async (req, ctx) => {
+    const result = await checkBehavior(req, mergedOptions);
+    if (result.isBot && result.confidence >= 0.5) {
+      return new Response(
+        JSON.stringify({
+          error: "Too Many Requests",
+          message: "Unusual request pattern detected",
+          retryAfter: 60
+        }),
+        {
+          status: 429,
+          headers: {
+            "Content-Type": "application/json",
+            "Retry-After": "60"
+          }
+        }
+      );
+    }
+    return handler(req, ctx);
+  };
+}
+function getClientIP2(req) {
+  return req.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || req.headers.get("x-real-ip") || req.headers.get("cf-connecting-ip") || "unknown";
+}
+function calculateVariance(numbers) {
+  if (numbers.length === 0) return 0;
+  const mean = numbers.reduce((a, b) => a + b, 0) / numbers.length;
+  const squaredDiffs = numbers.map((n) => Math.pow(n - mean, 2));
+  return squaredDiffs.reduce((a, b) => a + b, 0) / numbers.length;
+}
+function isSequentialPattern(paths) {
+  const numbers = paths.map((p) => {
+    const match = p.match(/(\d+)/);
+    return match ? parseInt(match[1], 10) : null;
+  }).filter((n) => n !== null);
+  if (numbers.length < 3) return false;
+  let sequential = 0;
+  for (let i = 1; i < numbers.length; i++) {
+    if (numbers[i] === numbers[i - 1] + 1) {
+      sequential++;
+    }
+  }
+  return sequential >= numbers.length * 0.6;
+}
+function checkMissingHeaders(req) {
+  let score = 0;
+  const typicalHeaders = [
+    "accept",
+    "accept-language",
+    "accept-encoding"
+  ];
+  for (const header of typicalHeaders) {
+    if (!req.headers.get(header)) {
+      score += 0.05;
+    }
+  }
+  const accept = req.headers.get("accept");
+  if (accept && !accept.includes("text/html") && !accept.includes("application/json") && !accept.includes("*/*")) {
+    score += 0.05;
+  }
+  const referer = req.headers.get("referer");
+  const path = new URL(req.url).pathname;
+  if (!referer && path !== "/" && !path.includes("/api/")) {
+    score += 0.03;
+  }
+  return score;
+}
+
+// src/middleware/bot/captcha.ts
+var CAPTCHA_VERIFY_URLS = {
+  recaptcha: "https://www.google.com/recaptcha/api/siteverify",
+  hcaptcha: "https://hcaptcha.com/siteverify",
+  turnstile: "https://challenges.cloudflare.com/turnstile/v0/siteverify"
+};
+var DEFAULT_TOKEN_FIELDS = {
+  recaptcha: "g-recaptcha-response",
+  hcaptcha: "h-captcha-response",
+  turnstile: "cf-turnstile-response"
+};
+async function verifyCaptcha(token, options) {
+  const { provider, secretKey, action } = options;
+  const verifyUrl = CAPTCHA_VERIFY_URLS[provider];
+  const formData = new URLSearchParams();
+  formData.append("secret", secretKey);
+  formData.append("response", token);
+  try {
+    const response = await fetch(verifyUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: formData.toString()
+    });
+    if (!response.ok) {
+      return {
+        success: false,
+        errorCodes: [`HTTP ${response.status}`]
+      };
+    }
+    const data = await response.json();
+    return parseCaptchaResponse(data, provider, action);
+  } catch (error) {
+    return {
+      success: false,
+      errorCodes: ["verification-failed", String(error)]
+    };
+  }
+}
+function parseCaptchaResponse(data, provider, expectedAction) {
+  switch (provider) {
+    case "recaptcha":
+      return parseRecaptchaResponse(data, expectedAction);
+    case "hcaptcha":
+      return parseHCaptchaResponse(data);
+    case "turnstile":
+      return parseTurnstileResponse(data);
+    default:
+      return {
+        success: false,
+        errorCodes: ["unknown-provider"]
+      };
+  }
+}
+function parseRecaptchaResponse(data, expectedAction) {
+  const result = {
+    success: data.success === true,
+    score: typeof data.score === "number" ? data.score : void 0,
+    action: typeof data.action === "string" ? data.action : void 0,
+    hostname: typeof data.hostname === "string" ? data.hostname : void 0,
+    challengeTs: typeof data.challenge_ts === "string" ? data.challenge_ts : void 0,
+    errorCodes: Array.isArray(data["error-codes"]) ? data["error-codes"] : void 0
+  };
+  if (result.success && expectedAction && result.action !== expectedAction) {
+    result.success = false;
+    result.errorCodes = ["action-mismatch"];
+  }
+  return result;
+}
+function parseHCaptchaResponse(data) {
+  return {
+    success: data.success === true,
+    hostname: typeof data.hostname === "string" ? data.hostname : void 0,
+    challengeTs: typeof data.challenge_ts === "string" ? data.challenge_ts : void 0,
+    errorCodes: Array.isArray(data["error-codes"]) ? data["error-codes"] : void 0
+  };
+}
+function parseTurnstileResponse(data) {
+  return {
+    success: data.success === true,
+    hostname: typeof data.hostname === "string" ? data.hostname : void 0,
+    challengeTs: typeof data.challenge_ts === "string" ? data.challenge_ts : void 0,
+    action: typeof data.action === "string" ? data.action : void 0,
+    errorCodes: Array.isArray(data["error-codes"]) ? data["error-codes"] : void 0
+  };
+}
+async function extractCaptchaToken(req, options) {
+  const { provider, tokenField } = options;
+  const fieldName = tokenField || DEFAULT_TOKEN_FIELDS[provider];
+  const url = new URL(req.url);
+  const queryToken = url.searchParams.get(fieldName);
+  if (queryToken) {
+    return queryToken;
+  }
+  if (hasBody2(req)) {
+    try {
+      const body = await getRequestBody2(req);
+      if (body && typeof body === "object") {
+        const bodyToken = body[fieldName];
+        if (typeof bodyToken === "string") {
+          return bodyToken;
+        }
+      }
+    } catch {
+    }
+  }
+  const headerToken = req.headers.get(`x-${fieldName}`);
+  if (headerToken) {
+    return headerToken;
+  }
+  return null;
+}
+async function checkCaptcha(req, options) {
+  const { threshold = 0.5, skip } = options;
+  if (skip && await skip(req)) {
+    return {
+      isBot: false,
+      confidence: 0,
+      reason: "CAPTCHA check skipped"
+    };
+  }
+  const token = await extractCaptchaToken(req, options);
+  if (!token) {
+    return {
+      isBot: true,
+      confidence: 0.9,
+      reason: "CAPTCHA token missing",
+      ip: getClientIP3(req)
+    };
+  }
+  const result = await verifyCaptcha(token, options);
+  if (!result.success) {
+    return {
+      isBot: true,
+      confidence: 0.95,
+      reason: `CAPTCHA verification failed: ${result.errorCodes?.join(", ") || "unknown"}`,
+      ip: getClientIP3(req)
+    };
+  }
+  if (result.score !== void 0 && result.score < threshold) {
+    return {
+      isBot: true,
+      confidence: 1 - result.score,
+      reason: `CAPTCHA score too low: ${result.score} (threshold: ${threshold})`,
+      ip: getClientIP3(req)
+    };
+  }
+  return {
+    isBot: false,
+    confidence: result.score !== void 0 ? 1 - result.score : 0.1,
+    reason: "CAPTCHA verification passed"
+  };
+}
+function withCaptcha(handler, options) {
+  return async (req, ctx) => {
+    const result = await checkCaptcha(req, options);
+    if (result.isBot) {
+      return new Response(
+        JSON.stringify({
+          error: "CAPTCHA Required",
+          message: result.reason,
+          code: "CAPTCHA_FAILED"
+        }),
+        {
+          status: 403,
+          headers: { "Content-Type": "application/json" }
+        }
+      );
+    }
+    return handler(req, ctx);
+  };
+}
+function generateRecaptchaV2(siteKey, options = {}) {
+  const { theme = "light", size = "normal" } = options;
+  return `
+<script src="https://www.google.com/recaptcha/api.js" async defer></script>
+<div class="g-recaptcha" data-sitekey="${siteKey}" data-theme="${theme}" data-size="${size}"></div>
+`.trim();
+}
+function generateRecaptchaV3(siteKey, action = "submit") {
+  return `
+<script src="https://www.google.com/recaptcha/api.js?render=${siteKey}"></script>
+<script>
+  function getRecaptchaToken() {
+    return new Promise((resolve, reject) => {
+      grecaptcha.ready(() => {
+        grecaptcha.execute('${siteKey}', { action: '${action}' })
+          .then(resolve)
+          .catch(reject);
+      });
+    });
+  }
+</script>
+`.trim();
+}
+function generateHCaptcha(siteKey, options = {}) {
+  const { theme = "light", size = "normal" } = options;
+  return `
+<script src="https://js.hcaptcha.com/1/api.js" async defer></script>
+<div class="h-captcha" data-sitekey="${siteKey}" data-theme="${theme}" data-size="${size}"></div>
+`.trim();
+}
+function generateTurnstile(siteKey, options = {}) {
+  const { theme = "auto", size = "normal" } = options;
+  return `
+<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
+<div class="cf-turnstile" data-sitekey="${siteKey}" data-theme="${theme}" data-size="${size}"></div>
+`.trim();
+}
+function hasBody2(req) {
+  const method = req.method.toUpperCase();
+  return ["POST", "PUT", "PATCH", "DELETE"].includes(method);
+}
+async function getRequestBody2(req) {
+  try {
+    const contentType = req.headers.get("content-type") || "";
+    if (contentType.includes("application/json")) {
+      const cloned = req.clone();
+      return await cloned.json();
+    }
+    if (contentType.includes("application/x-www-form-urlencoded")) {
+      const cloned = req.clone();
+      const text = await cloned.text();
+      return Object.fromEntries(new URLSearchParams(text));
+    }
+    if (contentType.includes("multipart/form-data")) {
+      const cloned = req.clone();
+      const formData = await cloned.formData();
+      const obj = {};
+      formData.forEach((value, key) => {
+        obj[key] = value;
+      });
+      return obj;
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+function getClientIP3(req) {
+  return req.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || req.headers.get("x-real-ip") || req.headers.get("cf-connecting-ip") || "unknown";
+}
+
+// src/middleware/bot/middleware.ts
+function defaultBotResponse(result) {
+  return new Response(
+    JSON.stringify({
+      error: "Forbidden",
+      message: result.reason || "Request blocked",
+      code: "BOT_DETECTED",
+      category: result.category
+    }),
+    {
+      status: 403,
+      headers: {
+        "Content-Type": "application/json",
+        "X-Bot-Detection": "true"
+      }
+    }
+  );
+}
+async function detectBot(req, options = {}) {
+  const results = [];
+  if (options.userAgent !== false) {
+    const uaOptions = options.userAgent === true ? {} : options.userAgent || {};
+    const userAgent = req.headers.get("user-agent");
+    const uaResult = analyzeUserAgent(userAgent, uaOptions);
+    if (uaResult.isBot && !isAllowedBot(uaResult, uaOptions)) {
+      results.push(uaResult);
+    }
+  }
+  if (options.honeypot !== false && hasBody3(req)) {
+    const hpOptions = options.honeypot === true ? {} : options.honeypot || {};
+    const hpResult = await checkHoneypot(req, hpOptions);
+    if (hpResult.isBot) {
+      results.push(hpResult);
+    }
+  }
+  if (options.behavior !== false) {
+    const behaviorOptions = options.behavior === true ? {} : options.behavior || {};
+    if (!behaviorOptions.store) {
+      behaviorOptions.store = getGlobalBehaviorStore();
+    }
+    const behaviorResult = await checkBehavior(req, behaviorOptions);
+    if (behaviorResult.isBot) {
+      results.push(behaviorResult);
+    }
+  }
+  if (options.captcha) {
+    const captchaResult = await checkCaptcha(req, options.captcha);
+    if (captchaResult.isBot) {
+      results.push(captchaResult);
+    }
+  }
+  if (results.length === 0) {
+    return {
+      isBot: false,
+      confidence: 0,
+      reason: "All checks passed",
+      ip: getClientIP4(req),
+      userAgent: req.headers.get("user-agent") || void 0
+    };
+  }
+  const highestConfidence = results.reduce(
+    (prev, curr) => curr.confidence > prev.confidence ? curr : prev
+  );
+  const allReasons = results.map((r) => r.reason).filter(Boolean).join("; ");
+  return {
+    isBot: true,
+    category: highestConfidence.category,
+    name: highestConfidence.name,
+    confidence: highestConfidence.confidence,
+    reason: allReasons,
+    ip: getClientIP4(req),
+    userAgent: req.headers.get("user-agent") || void 0
+  };
+}
+function isAllowedBot(result, options) {
+  const {
+    allowCategories = DEFAULT_ALLOWED_CATEGORIES,
+    allowList = DEFAULT_ALLOWED_BOTS,
+    blockList = [],
+    blockAllBots = false
+  } = options;
+  if (result.name && blockList.includes(result.name)) {
+    return false;
+  }
+  if (blockAllBots) {
+    return false;
+  }
+  if (result.name && allowList.includes(result.name)) {
+    return true;
+  }
+  if (result.category && allowCategories.includes(result.category)) {
+    return true;
+  }
+  return false;
+}
+function withBotProtection(handler, options = {}) {
+  const {
+    skip,
+    onBot,
+    log,
+    mode = "block"
+  } = options;
+  return async (req, ctx) => {
+    if (skip && await skip(req)) {
+      return handler(req, { ...ctx, bot: void 0 });
+    }
+    const result = await detectBot(req, options);
+    if (log) {
+      if (typeof log === "function") {
+        log(result);
+      } else if (result.isBot) {
+        console.log("[Bot Detection]", JSON.stringify(result));
+      }
+    }
+    if (result.isBot) {
+      if (mode === "block") {
+        if (onBot) {
+          return onBot(req, result);
+        }
+        return defaultBotResponse(result);
+      }
+    }
+    const extendedCtx = {
+      ...ctx,
+      bot: result
+    };
+    return handler(req, extendedCtx);
+  };
+}
+function withUserAgentProtection(handler, options = {}) {
+  return withBotProtection(handler, {
+    userAgent: options,
+    honeypot: false,
+    behavior: false
+  });
+}
+function withHoneypotProtection(handler, options = {}) {
+  return withBotProtection(handler, {
+    userAgent: false,
+    honeypot: options,
+    behavior: false
+  });
+}
+function withBehaviorProtection(handler, options = {}) {
+  return withBotProtection(handler, {
+    userAgent: false,
+    honeypot: false,
+    behavior: options
+  });
+}
+function withCaptchaProtection(handler, options) {
+  return withBotProtection(handler, {
+    userAgent: false,
+    honeypot: false,
+    behavior: false,
+    captcha: options
+  });
+}
+var BOT_PROTECTION_PRESETS = {
+  /**
+   * Relaxed - Only blocks obvious bots
+   */
+  relaxed: {
+    userAgent: {
+      blockAllBots: false,
+      allowCategories: ["search_engine", "social_media", "monitoring", "feed_reader", "preview", "seo"]
+    },
+    honeypot: false,
+    behavior: false
+  },
+  /**
+   * Standard - Good balance of protection
+   */
+  standard: {
+    userAgent: {
+      blockAllBots: false,
+      allowCategories: ["search_engine", "social_media", "monitoring"]
+    },
+    honeypot: true,
+    behavior: {
+      maxRequestsPerSecond: 10
+    }
+  },
+  /**
+   * Strict - Maximum protection
+   */
+  strict: {
+    userAgent: {
+      blockAllBots: false,
+      allowCategories: ["search_engine"],
+      blockEmptyUA: true,
+      blockSuspiciousUA: true
+    },
+    honeypot: {
+      additionalFields: ["_hp_name", "_hp_phone"]
+    },
+    behavior: {
+      maxRequestsPerSecond: 5,
+      minRequestInterval: 200
+    }
+  },
+  /**
+   * API - For API endpoints
+   */
+  api: {
+    userAgent: {
+      blockAllBots: true,
+      blockEmptyUA: true
+    },
+    honeypot: false,
+    behavior: {
+      maxRequestsPerSecond: 20
+    }
+  }
+};
+function withBotProtectionPreset(handler, preset, overrides = {}) {
+  const presetOptions = BOT_PROTECTION_PRESETS[preset];
+  const mergedOptions = { ...presetOptions, ...overrides };
+  return withBotProtection(handler, mergedOptions);
+}
+function hasBody3(req) {
+  const method = req.method.toUpperCase();
+  return ["POST", "PUT", "PATCH", "DELETE"].includes(method);
+}
+function getClientIP4(req) {
+  return req.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || req.headers.get("x-real-ip") || req.headers.get("cf-connecting-ip") || "unknown";
+}
+
+exports.BOT_PROTECTION_PRESETS = BOT_PROTECTION_PRESETS;
+exports.DEFAULT_ALLOWED_BOTS = DEFAULT_ALLOWED_BOTS;
+exports.DEFAULT_ALLOWED_CATEGORIES = DEFAULT_ALLOWED_CATEGORIES;
+exports.DEFAULT_BEHAVIOR_OPTIONS = DEFAULT_BEHAVIOR_OPTIONS;
+exports.DEFAULT_HONEYPOT_FIELDS = DEFAULT_HONEYPOT_FIELDS;
+exports.DEFAULT_HONEYPOT_OPTIONS = DEFAULT_HONEYPOT_OPTIONS;
+exports.KNOWN_BOT_PATTERNS = KNOWN_BOT_PATTERNS;
+exports.MemoryBehaviorStore = MemoryBehaviorStore;
+exports.analyzeBehavior = analyzeBehavior;
+exports.analyzeUserAgent = analyzeUserAgent;
+exports.checkBehavior = checkBehavior;
+exports.checkCaptcha = checkCaptcha;
+exports.checkHoneypot = checkHoneypot;
+exports.createBotPattern = createBotPattern;
+exports.detectBot = detectBot;
+exports.extractCaptchaToken = extractCaptchaToken;
+exports.generateHCaptcha = generateHCaptcha;
+exports.generateHoneypotCSS = generateHoneypotCSS;
+exports.generateHoneypotHTML = generateHoneypotHTML;
+exports.generateRecaptchaV2 = generateRecaptchaV2;
+exports.generateRecaptchaV3 = generateRecaptchaV3;
+exports.generateTurnstile = generateTurnstile;
+exports.getBotsByCategory = getBotsByCategory;
+exports.getGlobalBehaviorStore = getGlobalBehaviorStore;
+exports.isBotAllowed = isBotAllowed;
+exports.isSuspiciousUA = isSuspiciousUA;
+exports.verifyCaptcha = verifyCaptcha;
+exports.withBehaviorAnalysis = withBehaviorAnalysis;
+exports.withBehaviorProtection = withBehaviorProtection;
+exports.withBotProtection = withBotProtection;
+exports.withBotProtectionPreset = withBotProtectionPreset;
+exports.withCaptcha = withCaptcha;
+exports.withCaptchaProtection = withCaptchaProtection;
+exports.withHoneypot = withHoneypot;
+exports.withHoneypotProtection = withHoneypotProtection;
+exports.withUserAgentProtection = withUserAgentProtection;
+//# sourceMappingURL=bot.cjs.map
+//# sourceMappingURL=bot.cjs.map