Skip to content

CloudFlare Turnstile #208

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Mar 24, 2025
Merged

CloudFlare Turnstile #208

merged 5 commits into from
Mar 24, 2025

Conversation

@JPrevost
Copy link
Member

@JPrevost JPrevost commented Mar 20, 2025
edited
Loading

Why are these changes being introduced:

  • Bots are using more resources than desired

Relevant ticket(s):

How does this address that need:

  • Adds rack-attack and bot_challenge_page gems
  • Adds redis to heroku app.json (will need to manually enable in staging and production environments before merge)

Developer

Accessibility
  • ANDI or WAVE has been run in accordance to our guide.
  • This PR contains no changes to the view layer.
  • New issues flagged by ANDI or WAVE have been resolved.
  • New issues flagged by ANDI or WAVE have been ticketed (link in the Pull Request details above).
  • No new accessibility issues have been flagged.
New ENV
  • All new ENV is documented in README.
  • All new ENV has been added to Heroku Pipeline, Staging and Prod.
  • ENV has not changed.
Approval beyond code review
  • UXWS/stakeholder approval has been confirmed.
  • UXWS/stakeholder review will be completed retroactively.
  • UXWS/stakeholder review is not needed.
Additional context needed to review

E.g., if the PR includes updated dependencies and/or data
migration, or how to confirm the feature is working.

Code Reviewer

Code
  • I have confirmed that the code works as intended.
  • Any CodeClimate issues have been fixed or confirmed as
    added technical debt.
Documentation
  • The commit message is clear and follows our guidelines
    (not just this pull request message).
  • The documentation has been updated or is unnecessary.
  • New dependencies are appropriate or there were no changes.
Testing
  • There are appropriate tests covering any new functionality.
  • No additional test coverage is required.

@JPrevost
CloudFlare Turnstile
a1fbf1a 
Why are these changes being introduced:

* Bots are using more resources than desired

Relevant ticket(s):

* https://mitlibraries.atlassian.net/browse/TIMX-480

How does this address that need:

* Adds rack-attack and bot_challenge_page gems
* Adds redis to heroku app.json (will need to manually enable in
  staging and production environments before merge)
@coveralls
Copy link

coveralls commented Mar 20, 2025
edited
Loading

Pull Request Test Coverage Report for Build 14038084987

Details

  • 2 of 2 (100.0%) changed or added relevant lines in 1 file are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.005%) to 98.658%
Totals Coverage Status
Change from base Build 13844179321: 0.005%
Covered Lines: 588
Relevant Lines: 596
💛 - Coveralls

@mitlib mitlib temporarily deployed to timdex-ui-pi-timx-480-c-gyagje March 20, 2025 15:45 Inactive
@JPrevost JPrevost had a problem deploying to timdex-ui-pi-timx-480-c-gyagje March 21, 2025 18:25 Failure
@JPrevost JPrevost force-pushed the timx-480-cloudflare-turnstile branch from 55068b5 to c69842e Compare March 24, 2025 13:22
@JPrevost JPrevost temporarily deployed to timdex-ui-pi-timx-480-c-gyagje March 24, 2025 13:22 Inactive
@JPrevost JPrevost temporarily deployed to timdex-ui-pi-timx-480-c-gyagje March 24, 2025 13:53 Inactive
@JPrevost JPrevost temporarily deployed to timdex-ui-pi-timx-480-c-gyagje March 24, 2025 14:28 Inactive
@JPrevost JPrevost temporarily deployed to timdex-ui-pi-timx-480-c-gyagje March 24, 2025 14:38 Inactive
@jazairi jazairi self-assigned this Mar 24, 2025
jazairi
jazairi approved these changes Mar 24, 2025
View reviewed changes
Copy link
Contributor

@jazairi jazairi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Confirmed this works as described locally. (I.e., after 10 requests to /results, I get a 403 page.) I've never configured these tools before, so I can't offer much on that side of things, but the config seems straightforward enough.

As I understand it, the only risk introduced here is that a user will get a Cloudflare turnstile every 10 search attempts. That might be a little onerous for folks on an extended user journey, but since we can easily adjust it, I think it's fine as an initial setting.

@JPrevost
Copy link
Member Author

JPrevost commented Mar 24, 2025

@jazairi Just to clarify, once a user gets a turnstile challenge and passes they will not get another challenge in that browser instance for about a day regardless of how many searches they do.

@jazairi
Copy link
Contributor

jazairi commented Mar 24, 2025

@JPrevost In that case, no concerns on my end.

@JPrevost JPrevost merged commit 5babd3f into main Mar 24, 2025
5 checks passed
@JPrevost JPrevost deleted the timx-480-cloudflare-turnstile branch October 1, 2025 18:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jazairi jazairi jazairi approved these changes

@matt-bernhardt matt-bernhardt Awaiting requested review from matt-bernhardt

Assignees

@jazairi jazairi

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@JPrevost @coveralls @jazairi @mitlib