Implement bot detection and verification

[jazairi]

Why these changes are being introduced:

We need a preliminary solution to manage bot traffic in production.

Relevant ticket(s):

• https://mitlibraries.atlassian.net/browse/USE-410

How this addresses that need:

• Implements a Bot Detector service that uses Crawler Detect to identify bots to refer to Cloudflare Turnstile.
• Implements a Turnstile Controller using the rails-cloudfire-turnstile gem for verification challenges.

Side effects of this change:

The new form may need additional styling. For now, I just added our button styles.

Developer

Accessibility

• ANDI or WAVE has been run in accordance to our guide.
• This PR contains no changes to the view layer.
• New issues flagged by ANDI or WAVE have been resolved.
• New issues flagged by ANDI or WAVE have been ticketed (link in the Pull Request details above).
• No new accessibility issues have been flagged.

New ENV

• All new ENV is documented in README.
• All new ENV has been added to Heroku Pipeline, Staging and Prod.
• ENV has not changed.

Approval beyond code review

• UXWS/stakeholder approval has been confirmed.
• UXWS/stakeholder review will be completed retroactively.
• UXWS/stakeholder review is not needed.

Additional context needed to review

This introduces rails-cloudflare-turnstile and crawler_detect as dependencies.

Code Reviewer

Code

• I have confirmed that the code works as intended.
• Any CodeClimate issues have been fixed or confirmed as
  added technical debt.

Documentation

• The commit message is clear and follows our guidelines
  (not just this pull request message).
• The documentation has been updated or is unnecessary.
• New dependencies are appropriate or there were no changes.

Testing

• There are appropriate tests covering any new functionality.
• No additional test coverage is required.

[jazairi]

Looks like the coveralls outage is ongoing. I'd like to wait until that's resolved to merge, but I think we can start code review in the meantime.

[JPrevost]

Can you configure the PR build to have this feature enabled and functioning? I want to easily be able to confirm my normal user agent is not blocked from anything but if I change my user agent to a known bot I should be challenged and then be able to pass the challenge to continue.

[JPrevost]

What is this check? If the feature is not enabled, why are we checking if the feature is enabled?

Wouldn't Feature.enabled?(:bot_detection) work for this entire method with no internal conditions?

[jazairi]

Hm, yeah, good point. It's excessively cautious, since we've gated feature validation elsewhere.

[JPrevost]

Can you add some docstrings to explain what is going on in this method (even though it is private)? It's unclear to me if this is the normal path a failed cloud flare turnstile takes or if it is a problem with our tokens, etc.

[jazairi]

I was envisioning an issue with the tokens -- will clarify.

[JPrevost]

Can you add some docstrings to explain what is going on in this method (even though it is private)?

[JPrevost]

If we are assuming this should never happen, maybe we should log to Sentry if it does? My assumption is this is handling a case in which a user agent is requesting the turnstile route even though we have it disabled which should not happen under normal circumstances.

[jazairi]

That's the idea, but now I'm wondering if we even care whether user agents are requesting the turnstile route. I might just drop this for clarity's sake.

[JPrevost]

I don't think warn is the right level here. I'd lean towards info or debug with a slight preference towards debug (i.e. I don't really want this in production logs, but if we want to keep them in for a bit until they get annoying I'm okay with info).

[jazairi]

I don't have a strong opinion on this. Happy to go with debug for now.

[JPrevost]

Can you check these routes? I don't believe /search is a route at all.

I feel like both /results and /record are the paths to block

[jazairi]

Protect all the routes, especially the shadow routes!

[qltysh]

❌ 2 blocking issues (2 total)

Tool	Category	Rule	Count
rubocop	Lint	Class has too many lines. [289/100]	1	❌
rubocop	Style	Line is too long. [121/120]	1	❌

[qltysh]

Line is too long. [121/120] [rubocop:Layout/LineLength]

[coveralls]

Pull Request Test Coverage Report for Build 22592486169

Details

• 37 of 37 (100.0%) changed or added relevant lines in 4 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage increased (+0.05%) to 98.188%

---

Totals
Change from base Build 22584961347:	0.05%
Covered Lines:	1355
Relevant Lines:	1380

---

💛 - Coveralls

[jazairi]

@JPrevost I think this is ready for review again. I pushed two separate commits, one two respond to code review feedback, and the other for linting and cleanup. When I enabled the feature in the PR build, I learned that my method name for CrawlerDetect was wrong, so that's fixed. 🤦 I'd flipped the bots? boolean to test locally, and all the stubs had the wrong name, too -- a good case for VCR, perhaps.

In any case, here's how I've tested the feature:

1. Set my UA to Googlebot in dev tools.
2. Run a search and confirm that the challenge view shows.
3. Update your UA to something non-bot and confirm that you can pass the challenge. (In my experience, it does not let you pass the challenge if using a bot UA.)