Merge pull request #233 from MITLibraries/timx-565-depupdates

Removes bot_challenge_page gem

Author: JPrevost

Gemfile

@@ -4,7 +4,6 @@ git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 ruby '3.2.9'
 
 gem 'bootsnap', require: false
-gem 'bot_challenge_page'
 gem 'graphql'
 gem 'graphql-client'
 gem 'http'

Gemfile.lock

@@ -106,10 +106,6 @@ GEM
       debug_inspector (>= 1.2.0)
     bootsnap (1.18.6)
       msgpack (~> 1.2)
-    bot_challenge_page (0.4.0)
-      http (~> 5.2)
-      rack-attack (~> 6.7)
-      rails (>= 7.1, < 8.1)
     builder (3.3.0)
     capybara (3.40.0)
       addressable
@@ -415,7 +411,6 @@ DEPENDENCIES
   better_errors
   binding_of_caller
   bootsnap
-  bot_challenge_page
   capybara
   climate_control
   debug

README.md

@@ -67,22 +67,6 @@ If the `flipflop` gem has been updated, check that the `:gdt` feature is working
 UI elements specific to GDT (e.g., geospatial search fields or the 'Ask GIS' link) appear with the
 feature flag enabled, and do not when it is disabled.
 
-### CloudFlare Turnstile
-
-This application uses [CloudFlare Turnstile](https://www.cloudflare.com/application-services/products/turnstile/) via
-the [Bot Challenge Page](https://github.com/samvera-labs/bot_challenge_page) gem.
-
-In development, you can enable/disable this by running `rails dev:cache`. When `dev:cache` is not enabled, the cache is
-set to `null` so no enforcement is in place. As we do not register `localhost` with CloudFlare, if you have `dev:cache`
-enabled locally, you won't actually see the Turnstile challenge and instead will see a message saying you have been
-blocked. This is what users would also see if a deployed app is not registered with CloudFlare so we need to ensure all
-apps we intend to protect are registered with the site key we have enabled.
-
-`Bot Challenge Page` uses [rack-attack](https://github.com/rack/rack-attack). On Heroku deployed apps, we'll be using
-Redis to track requests.
-
-See `Optional Environment Variables` for more information.
-
 ### Rack Attack
 
 This application uses [Rack Attack](https://github.com/rack/rack-attack).
@@ -109,10 +93,6 @@ See `Optional Environment Variables` for more information.
 - `BOOLEAN_OPTIONS`: comma separated list of values to present to testers on instances where `BOOLEAN_PICKER` feature is enabled.
 - `BOOLEAN_PICKER`: feature to allow users to select their preferred boolean type. If set, feature is enabled. This feature is only intended for internal team
   testing and should never be enabled in production (mostly because the UI is a mess more than it would cause harm).
-- `CLOUDFLARE_SITE_KEY`: obtained through our cloudflare account (see lastpass for account info)
-- `CLOUDFLARE_SECRET_KEY`: obtained through our cloudflare account (see lastpass for account info)
-- `CLOUDFLARE_REQUEST_PERIOD_IN_HOURS`: integer in hours we use for grouping requests. Combined with `CLOUDFLARE_REQUESTS_PER_PERIOD` this makes up the "requests allowed per time period". Defaults to 12.
-- `CLOUDFLARE_REQUESTS_PER_PERIOD`: integer representing number of results and records pages allowed in the period defined in `CLOUDFLARE_REQUEST_PERIOD_IN_HOURS`. Defaults to 10.
 - `FACT_PANELS_ENABLED`: Comma separated list of enabled fact panels. See `/views/results.html.erb` for implemented panels/valid options. Leave unset to disable all.
 - `FILTER_ACCESS_TO_FILES`: The name to use instead of "Access to files" for that filter / aggregation.
 - `FILTER_CONTENT_TYPE`: The name to use instead of "Content type" for that filter / aggregation.
@@ -189,4 +169,4 @@ If you prefer an editor other than VSCode, you can manage [Dev Containers from t
 
 [DevPod](https://github.com/loft-sh/devpod) is also something to consider. It provides a VScode-via-web-browser-in-a-box
 as well as allowing you to use whatever editor you want and only using DevPod to start/stop the containers and run your
-terminals. Local for editor, DevPod managed Dev Container for everything else.
+terminals. Local for editor, DevPod managed Dev Container for everything else.

app/controllers/application_controller.rb

@@ -1,9 +1,3 @@
 class ApplicationController < ActionController::Base
-  # This will only protect CONFIGURED routes, but also could be put on just certain
-  # controllers, it does not need to be in ApplicationController
-  before_action do |controller|
-    BotChallengePage::BotChallengePageController.bot_challenge_enforce_filter(controller)
-  end
-
   helper Mitlibraries::Theme::Engine.helpers
 end

config/initializers/bot_challenge_page.rb

@@ -1,5 +1,4 @@
 Rails.application.routes.draw do
-  post "/challenge", to: "bot_challenge_page/bot_challenge_page#verify_challenge", as: :bot_detect_challenge
   mount Flipflop::Engine => "/flipflop"
   root "basic_search#index"