Merge pull request #1564 from sul-dlss/upgrade_bot_challenge

Author: thatbudakguy

Gemfile

@@ -88,6 +88,6 @@ gem "stimulus-rails", "~> 1.3"
 gem "turbo-rails", "~> 2.0"
 gem 'jwt'
 gem "rack-cors", "~> 2.0"
-gem "bot_challenge_page", "~> 0.4.0"
+gem "bot_challenge_page", "~> 1.0"
 gem "racecar", "~> 2.12"
 gem "cocina_display", "~> 1.1"

Gemfile.lock

@@ -110,10 +110,9 @@ GEM
       rails
     bootsnap (1.19.0)
       msgpack (~> 1.2)
-    bot_challenge_page (0.4.0)
+    bot_challenge_page (1.0.0)
       http (~> 5.2)
-      rack-attack (~> 6.7)
-      rails (>= 7.1, < 8.1)
+      rails (>= 7.1, < 8.2)
     builder (3.3.0)
     bundler-audit (0.9.2)
       bundler (>= 1.2.0, < 3)
@@ -420,8 +419,6 @@ GEM
       king_konf (~> 1.0.0)
       rdkafka (>= 0.15.0)
     rack (3.2.4)
-    rack-attack (6.8.0)
-      rack (>= 1.0, < 4)
     rack-cors (2.0.2)
       rack (>= 2.0.0)
     rack-mini-profiler (2.3.4)
@@ -699,7 +696,7 @@ DEPENDENCIES
   blacklight (~> 8.6)
   blacklight_dynamic_sitemap (~> 0.3)
   bootsnap (>= 1.1.0)
-  bot_challenge_page (~> 0.4.0)
+  bot_challenge_page (~> 1.0)
   capistrano
   capistrano-bundler
   capistrano-passenger

app/controllers/application_controller.rb

@@ -1,8 +1,8 @@
 class ApplicationController < ActionController::Base
+  include BotChallengePage::Controller
+
   # See config/initializers/bot_challenge_page.rb to control this behavior
-  before_action do |controller|
-    BotChallengePage::BotChallengePageController.bot_challenge_enforce_filter(controller)
-  end
+  bot_challenge
 
   # Adds a few additional behaviors into the application controller
   include Blacklight::Controller

app/controllers/catalog_controller.rb

@@ -9,9 +9,10 @@ class CatalogController < ApplicationController
   # We protect requests for searches, but not for show pages, so we can still
   # crawl ourselves and let well-behaved search engines index our content via
   # the sitemap.
-  before_action only: :index do |controller|
-    BotChallengePage::BotChallengePageController.bot_challenge_enforce_filter(controller, immediate: true)
+  #
+  bot_challenge only: :index
 
+  before_action only: :index do
     # Additional fields needed for Bento
     if request.format.json?
       blacklight_config.add_index_field Settings.FIELDS.RESOURCE_CLASS, helper_method: :get_specific_field_type

config/initializers/bot_challenge_page.rb

@@ -1,29 +1,29 @@
 # rubocop:disable Layout/LineLength
-Rails.application.config.to_prepare do
+BotChallengePage.configure do |config|
   # If disabled, no challenges will be issued
-  BotChallengePage::BotChallengePageController.bot_challenge_config.enabled = Settings.turnstile.enabled
+  config.enabled = Settings.turnstile.enabled
 
   # Get from CloudFlare Turnstile: https://www.cloudflare.com/application-services/products/turnstile/
   # Some testing keys are also available: https://developers.cloudflare.com/turnstile/troubleshooting/testing/
   #
   # This set of keys will always pass the challenge; the link above includes
   # sets that will always challenge or always fail, which is useful for local testing
-  BotChallengePage::BotChallengePageController.bot_challenge_config.cf_turnstile_sitekey = Settings.turnstile.site_key
-  BotChallengePage::BotChallengePageController.bot_challenge_config.cf_turnstile_secret_key = Settings.turnstile.secret_key
+  config.cf_turnstile_sitekey = Settings.turnstile.site_key
+  config.cf_turnstile_secret_key = Settings.turnstile.secret_key
 
   # Do the challenge "in place" on the page the user was on
-  BotChallengePage::BotChallengePageController.bot_challenge_config.redirect_for_challenge = false
+  config.redirect_for_challenge = false
 
   # How long will a challenge success exempt a session from further challenges?
-  # BotChallengePage::BotChallengePageController.bot_challenge_config.session_passed_good_for = 36.hours
+  # config.session_passed_good_for = 36.hours
 
   # Exempt async JS facet requests from the challenge. Someone really determined could fake
   # this header, but until we see that behavior, we'll allow it so the facet UI works.
   # We also have an exception for index json so that the mini-bento frontend fetch in Searchworks doesn't get blocked.
   # Also exempt any IPs contained in the CIDR blocks in Settings.turnstile.safelist.
-  BotChallengePage::BotChallengePageController.bot_challenge_config.allow_exempt = lambda do |controller, _config|
-    (controller.is_a?(CatalogController) && controller.params[:action].in?(%w[facet index]) && controller.request.format.json? && controller.request.headers['sec-fetch-dest'] == 'empty') ||
-      Settings.turnstile.safelist.map { |cidr| IPAddr.new(cidr) }.any? { |range| controller.request.remote_ip.in?(range) }
+  config.skip_when = lambda do |_config|
+    (is_a?(CatalogController) && params[:action].in?(%w[facet index]) && request.format.json? && request.headers['sec-fetch-dest'] == 'empty') ||
+      Settings.turnstile.safelist.map { |cidr| IPAddr.new(cidr) }.any? { |range| request.remote_ip.in?(range) }
   end
 
   # More configuration is available; see: