feat(cache): prevent bots from writing to cache #1128
…ation

Bots can read from cache but must not write to it or trigger background revalidation. They often hit arbitrary URLs with unique query params that would pollute all cache tiers with one-hit entries.

- Detect bot requests via User-Agent (existing isBot utility)
- Skip cache.put() for bot requests
- Skip background revalidation for bot requests
- Bots still get served stale/cached responses (read-only)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
No actionable comments were generated in the recent review.
Walkthrough

Loader now detects bot requests and treats them as cache-read-only: bots may read cached responses but are prevented from performing
Sequence Diagram(s)

```mermaid
sequenceDiagram
    autonumber
    participant Client
    participant Loader
    participant Cache
    participant BackgroundReval
    Client->>Loader: HTTP Request
    Loader->>Loader: isBot(request)?
    alt Bot request
        Loader->>Cache: read
        Cache-->>Loader: cached (fresh/stale/miss)
        alt cached
            Loader-->>Client: serve cached (no cache.put)
        else miss
            Loader-->>Client: serve generated (no background reval)
        end
    else Non-bot request
        Loader->>Cache: read
        Cache-->>Loader: cached (fresh/stale/miss)
        alt fresh
            Loader-->>Client: serve fresh
        else miss or stale
            Loader->>BackgroundReval: spawn revalidation (background)
            BackgroundReval->>Cache: cache.put (update)
            BackgroundReval-->>Loader: done
            Loader-->>Client: serve content
        end
    end
```
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@blocks/loader.ts`:
- Around line 313-326: The single-flight leader selection uses request.url
alone, allowing a bot request to become leader and cause concurrent non-bot
callers to inherit bot behavior via the closure-captured isBotRequest; fix by
making the flight key include the bot flag and by evaluating isBotRequest into a
local variable before creating the flight so the leader decision is
per-client-type (e.g., build a flightKey using request.url plus isBotRequest or
use separate flight maps for bots vs non-bots), and keep cache.put and
revalidation guarded by that local isBotRequest value so non-bot requests never
inherit bot-read-only behavior.
Bot requests skip cache writes and revalidation. If a bot became the singleFlight leader, concurrent non-bot callers would inherit that behavior and miss their cache write.

Fix: bots bypass singleFlight entirely and run staleWhileRevalidate directly.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Instead of bypassing singleFlight entirely (which wastes CPU on duplicate bot requests), use a prefixed flight key so bots still deduplicate among themselves but never become leader for non-bot callers.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
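The single-flight leader problem from the review and the prefixed flight key from the commit message above, as an added TypeScript example that is not the code in `blocks/loader.ts`. `looksLikeBot`, `flightKey`, `loadWithCache`, `browserWriteSurvives` and the in-memory maps are hypothetical stand-ins, and the User-Agent regex is an assumption, not the project's `isBot` logic.

```typescript
// Added illustration; not the code in blocks/loader.ts. All names are hypothetical.
const loaderCache = new Map<string, string>();       // stand-in for the loader cache
const inFlight = new Map<string, Promise<string>>(); // in-flight work by flight key

// Stand-in for the project's UA-based isBot utility; this regex is an assumption.
function looksLikeBot(userAgent: string): boolean {
  return /bot|crawler|spider/i.test(userAgent);
}

// With splitByClient, bots get their own flight and cannot lead non-bot callers.
function flightKey(url: string, bot: boolean, splitByClient: boolean): string {
  return splitByClient && bot ? "bot:" + url : url;
}

function singleFlight(key: string, fn: () => Promise<string>): Promise<string> {
  const existing = inFlight.get(key);
  if (existing) return existing; // follower: shares the leader's promise
  const p = fn();
  const done = () => { inFlight.delete(key); };
  inFlight.set(key, p);
  p.then(done, done);
  return p;
}

function loadWithCache(url: string, userAgent: string, splitByClient: boolean): Promise<string> {
  const bot = looksLikeBot(userAgent); // decided per request, before joining a flight
  return singleFlight(flightKey(url, bot, splitByClient), () => {
    const hit = loaderCache.get(url);
    if (hit !== undefined) return Promise.resolve(hit); // bots may still read
    // Simulated origin fetch; the leader's `bot` flag is captured by this closure.
    return Promise.resolve("body of " + url).then((body) => {
      if (!bot) loaderCache.set(url, body); // bots never write
      return body;
    });
  });
}

// A bot arrives first and a browser joins while the work is in flight.
// Resolves to true when the browser's request left an entry in the cache.
function browserWriteSurvives(splitByClient: boolean): Promise<boolean> {
  loaderCache.clear();
  inFlight.clear();
  const url = "/p?x=1"; // constructed sample URL
  const botReq = loadWithCache(url, "ExampleBot/1.0", splitByClient);
  const browserReq = loadWithCache(url, "Mozilla/5.0 (X11; Linux x86_64)", splitByClient);
  return Promise.all([botReq, browserReq]).then(() => loaderCache.has(url));
}
```

With `splitByClient` set to `false` the flight key is the URL alone, so the browser request inherits the bot leader's read-only behaviour and the cache write is lost.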
Summary

- isBot() utility (UA-based detection)

Test plan

- loader_cache metric — bot requests should show as hits/stale but never miss→write

🤖 Generated with Claude Code
PR 5 of 5 — split from #1122. Merge order: 1 → 2 → 3 → 4 → 5
Summary by cubic
Prevent bots from writing to the loader cache, triggering background revalidation, or leading non-bot singleFlight work. Bots can still read cached/stale responses and now deduplicate via a separate singleFlight key.
- isBot(User-Agent).
- cache.put and background revalidation for bots.

Written for commit 844cac8. Summary will update on new commits.
Summary by CodeRabbit