diff --git a/Gemfile b/Gemfile
index 9233248..95f6db5 100644
--- a/Gemfile
+++ b/Gemfile
@@ -4,7 +4,6 @@ git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 ruby '3.2.9'
 gem 'bootsnap', require: false
-gem 'bot_challenge_page'
 gem 'graphql'
 gem 'graphql-client'
 gem 'http'
diff --git a/Gemfile.lock b/Gemfile.lock
index d445d7a..7d11179 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -106,10 +106,6 @@ GEM
       debug_inspector (>= 1.2.0)
     bootsnap (1.18.6)
       msgpack (~> 1.2)
-    bot_challenge_page (0.4.0)
-      http (~> 5.2)
-      rack-attack (~> 6.7)
-      rails (>= 7.1, < 8.1)
     builder (3.3.0)
     capybara (3.40.0)
       addressable
@@ -415,7 +411,6 @@ DEPENDENCIES
   better_errors
   binding_of_caller
   bootsnap
-  bot_challenge_page
   capybara
   climate_control
   debug
diff --git a/README.md b/README.md
index 3af8e50..cc26966 100644
--- a/README.md
+++ b/README.md
@@ -67,22 +67,6 @@ If the `flipflop` gem has been updated, check that the `:gdt` feature is working
 UI elements specific to GDT (e.g., geospatial search fields or the 'Ask GIS' link) appear with the feature flag enabled, and do not when it is disabled.
-### CloudFlare Turnstile
-
-This application uses [CloudFlare Turnstile](https://www.cloudflare.com/application-services/products/turnstile/) via
-the [Bot Challenge Page](https://github.com/samvera-labs/bot_challenge_page) gem.
-
-In development, you can enable/disable this by running `rails dev:cache`. When `dev:cache` is not enabled, the cache is
-set to `null` so no enforcement is in place. As we do not register `localhost` with CloudFlare, if you have `dev:cache`
-enabled locally, you won't actually see the Turnstile challenge and instead will see a message saying you have been
-blocked. This is what users would also see if a deployed app is not registered with CloudFlare so we need to ensure all
-apps we intend to protect are registered with the site key we have enabled.
-
-`Bot Challenge Page` uses [rack-attack](https://github.com/rack/rack-attack). On Heroku deployed apps, we'll be using
-Redis to track requests.
-
-See `Optional Environment Variables` for more information.
-
 ### Rack Attack
 This application uses [Rack Attack](https://github.com/rack/rack-attack).
@@ -109,10 +93,6 @@ See `Optional Environment Variables` for more information.
 - `BOOLEAN_OPTIONS`: comma separated list of values to present to testers on instances where `BOOLEAN_PICKER` feature is enabled.
 - `BOOLEAN_PICKER`: feature to allow users to select their preferred boolean type. If set, feature is enabled. This feature is only intended for internal team testing and should never be enabled in production (mostly because the UI is a mess more than it would cause harm).
-- `CLOUDFLARE_SITE_KEY`: obtained through our cloudflare account (see lastpass for account info)
-- `CLOUDFLARE_SECRET_KEY`: obtained through our cloudflare account (see lastpass for account info)
-- `CLOUDFLARE_REQUEST_PERIOD_IN_HOURS`: integer in hours we use for grouping requests. Combined with `CLOUDFLARE_REQUESTS_PER_PERIOD` this makes up the "requests allowed per time period". Defaults to 12.
-- `CLOUDFLARE_REQUESTS_PER_PERIOD`: integer representing number of results and records pages allowed in the period defined in `CLOUDFLARE_REQUEST_PERIOD_IN_HOURS`. Defaults to 10.
 - `FACT_PANELS_ENABLED`: Comma separated list of enabled fact panels. See `/views/results.html.erb` for implemented panels/valid options. Leave unset to disable all.
 - `FILTER_ACCESS_TO_FILES`: The name to use instead of "Access to files" for that filter / aggregation.
 - `FILTER_CONTENT_TYPE`: The name to use instead of "Content type" for that filter / aggregation.
@@ -189,4 +169,4 @@ If you prefer an editor other than VSCode, you can manage [Dev Containers from t
 [DevPod](https://github.com/loft-sh/devpod) is also something to consider. It provides a VScode-via-web-browser-in-a-box as well as allowing you to use whatever editor you want and only using DevPod to start/stop the containers and run your
-terminals. Local for editor, DevPod managed Dev Container for everything else.
\ No newline at end of file
+terminals. Local for editor, DevPod managed Dev Container for everything else.
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 0c7e7a2..ba42844 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,9 +1,3 @@
 class ApplicationController < ActionController::Base
-  # This will only protect CONFIGURED routes, but also could be put on just certain
-  # controllers, it does not need to be in ApplicationController
-  before_action do |controller|
-    BotChallengePage::BotChallengePageController.bot_challenge_enforce_filter(controller)
-  end
-
   helper Mitlibraries::Theme::Engine.helpers
 end
diff --git a/config/initializers/bot_challenge_page.rb b/config/initializers/bot_challenge_page.rb
deleted file mode 100644
index 8244e7e..0000000
--- a/config/initializers/bot_challenge_page.rb
+++ /dev/null
@@ -1,51 +0,0 @@
-Rails.application.config.to_prepare do
-
-  BotChallengePage::BotChallengePageController.bot_challenge_config.enabled = true
-
-  # Get from CloudFlare Turnstile: https://www.cloudflare.com/application-services/products/turnstile/
-  # Some testing keys are also available: https://developers.cloudflare.com/turnstile/troubleshooting/testing/
-  #
-  # Always pass testing sitekey: "1x00000000000000000000AA"
-  BotChallengePage::BotChallengePageController.bot_challenge_config.cf_turnstile_sitekey = ENV.fetch('CLOUDFLARE_SITE_KEY', "NOT SET")
-  # Always pass testing secret_key: "1x0000000000000000000000000000000AA"
-  BotChallengePage::BotChallengePageController.bot_challenge_config.cf_turnstile_secret_key = ENV.fetch('CLOUDFLARE_SECRET_KEY', "NOT SET")
-
-  BotChallengePage::BotChallengePageController.bot_challenge_config.redirect_for_challenge = false
-
-  # What paths do you want to protect?
-  #
-  # You can use path prefixes: "/catalog" or even "/"
-  #
-  # Or hashes with controller and/or action:
-  #
-  # { controller: "catalog" }
-  # { controller: "catalog", action: "index" }
-  #
-  # Note that we can only protect GET paths, and also think about making sure you DON'T protect
-  # any path your front-end needs JS `fetch` access to, as this would block it (at least
-  # without custom front-end code we haven't really explored)
-
-  BotChallengePage::BotChallengePageController.bot_challenge_config.rate_limited_locations = ['/results', '/record']
-
-  # allow rate_limit_count requests in rate_limit_period, before issuing challenge
-  BotChallengePage::BotChallengePageController.bot_challenge_config.rate_limit_period = ENV.fetch('CLOUDFLARE_REQUEST_PERIOD_IN_HOURS', 12).to_i.hour
-  BotChallengePage::BotChallengePageController.bot_challenge_config.rate_limit_count = ENV.fetch('CLOUDFLARE_REQUESTS_PER_PERIOD', 10).to_i
-
-  # How long will a challenge success exempt a session from further challenges?
-  # BotChallengePage::BotChallengePageController.bot_challenge_config.session_passed_good_for = 36.hours
-
-  # Exempt some requests from bot challenge protection
-  # BotChallengePage::BotChallengePageController.bot_challenge_config.allow_exempt = ->(controller) {
-  #   # controller.params
-  #   # controller.request
-  #   # controller.session
-
-  #   # Here's a way to identify browser `fetch` API requests; note
-  #   # it can be faked by an "attacker"
-  #   controller.request.headers["sec-fetch-dest"] == "empty"
-  # }
-
-  # More configuration is available
-
-  BotChallengePage::BotChallengePageController.rack_attack_init
-end
diff --git a/config/routes.rb b/config/routes.rb
index ce24c7e..16097a8 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -1,5 +1,4 @@
 Rails.application.routes.draw do
-  post "/challenge", to: "bot_challenge_page/bot_challenge_page#verify_challenge", as: :bot_detect_challenge
   mount Flipflop::Engine => "/flipflop"
   root "basic_search#index"