feat(plugins) Split trusted-bot feature in a dedicated npm package

Signed-off-by: Pierre PÉRONNET <pierre.peronnet@datadoghq.com>

Author: holyhope

plugins/cloudflare-auto-session/functions/_middleware.ts

@@ -14,24 +14,37 @@ export const onRequestGet: PagesPluginFunction<
   const { request, pluginArgs, next } = context;
 
   // Get the arguments given to the Plugin by the developer
-  const { cookieName, cookieSecret, formAsset, isValid } =
+  const { cookieName, cookieSecret, formAsset, isValid, byPass } =
     withDefaults(pluginArgs);
 
   const session = new Session(cookieName, cookieSecret, isValid);
 
-  const cookie = session.getCookie(request);
-  if (cookie === undefined) {
-    return serveForm(formAsset)(context);
-  }
+  return [
+    byPass,
+    async (request: Request): Promise<boolean> => {
+      const cookie = session.getCookie(request);
+      if (cookie === undefined) {
+        return false;
+      }
+
+      if (!session.valid(cookie)) {
+        console.info('Invalid cookie');
+        return false;
+      }
 
-  if (!session.valid(cookie)) {
-    console.info('Invalid cookie');
-    return serveForm(formAsset)(context).then(session.end.bind(session));
-  }
+      return true;
+    },
+  ]
+    .map(fn => fn(request))
+    .reduce((acc, curr) => acc.then(acc => acc || curr), Promise.resolve(false))
+    .then(trusted => {
+      if (!trusted) {
+        return serveForm(formAsset)(context);
+      }
 
-  // Cookie is valid
-  // Continue to the next middleware
-  return next();
+      // Continue to the next middleware
+      return next();
+    });
 };
 
 export const onRequestPost: PagesPluginFunction<
@@ -41,6 +54,7 @@ export const onRequestPost: PagesPluginFunction<
   PluginArgs<CookieData>
 > = async ({ request, pluginArgs }) => {
   // Get the arguments given to the Plugin by the developer
+  // AllowedBot is not used for POST requests
   const { cookieName, cookieSecret, login, isValid } = withDefaults(pluginArgs);
 
   const session = new Session(cookieName, cookieSecret, isValid);

plugins/cloudflare-auto-session/package.json

@@ -2,7 +2,7 @@
   "name": "@natbienetre/cloudflare-auto-session",
   "main": "dist/index.js",
   "types": "index.d.ts",
-  "version": "1.0.5",
+  "version": "2.1.1",
   "license": "MPL-2.0",
   "funding": "https://github.com/sponsors/holyhope",
   "type": "module",
@@ -12,7 +12,7 @@
     "tsconfig.json"
   ],
   "scripts": {
-    "build": "npx wrangler pages functions build --plugin --outdir=dist",
+    "build": "npx wrangler pages functions build --plugin --outdir=dist --sourcemap --minify",
     "prepare": "npm run build",
     "format": "prettier --check --write \"**/*.{ts,js,mjs,json,md}\"",
     "prettier": "prettier --check \"**/*.{ts,js,mjs,json,md}\"",
@@ -39,5 +39,6 @@
     "eslint-plugin-promise": "^6.0.0",
     "prettier": "^3.4.2",
     "typescript": "*"
-  }
+  },
+  "packageManager": "yarn@3.6.3+sha512.d432ab8b22b89cb8b46649ebaf196159b0c1870904224771d75fdf8b55490aaa5de4d9f028deb0425f1513bff7843e97b9d117103795a23b12d2e7c1cedcf50f"
 }

plugins/cloudflare-auto-session/src/args.ts

@@ -4,11 +4,13 @@ export interface PluginArgsWithDefaults<Data extends CookieData> {
   cookieName: string;
   cookieSecret: string;
   formAsset: string;
+  byPass(request: Request): Promise<boolean>;
   login: (request: Request) => Promise<SessionSpec<Data>>;
   isValid: (data: Data) => boolean;
 }
 
 const Defaults = {
+  byPass: (_: Request): Promise<boolean> => Promise.resolve(false),
   cookieName: 'cloudflare-auto-session',
   cookieSecret: 'secret',
   login: async (request: Request): Promise<SessionSpec<CookieData>> => {

plugins/cloudflare-auto-session/src/session.ts

@@ -139,7 +139,7 @@ export const serveForm = (
 
     url.pathname = assetPath;
 
-    console.debug('Redirecting to login form', url.toString());
+    console.info('Serving the login form', url.toString());
 
     return env.ASSETS.fetch(new Request(url, request));
   };

plugins/cloudflare-auto-session/src/types.ts

@@ -21,6 +21,7 @@ export interface PluginArgs<Data extends CookieData> {
   cookieName: string;
   cookieSecret: string;
   formAsset: string;
+  byPass(request: Request): Promise<boolean>;
   login: (request: Request) => Promise<SessionSpec<Data>>;
   isValid: (session: Data) => boolean;
 }

plugins/cloudflare-env-var-password/functions/_middleware.ts

@@ -16,7 +16,6 @@ export const onRequest: PagesPluginFunction<
     getEnvVarName,
     missingPasswordCallback,
     session,
-    allowedBots,
   } = withDefaults(context.pluginArgs);
   const passwordHash = context.env[getEnvVarName(context)];
 
@@ -32,8 +31,7 @@ export const onRequest: PagesPluginFunction<
     context.request,
     passwordHash,
     passwordEncodingMethod,
-    passwordFieldName,
-    allowedBots
+    passwordFieldName
   );
 
   return autoSession<CookieData>({

plugins/cloudflare-env-var-password/package.json

@@ -2,7 +2,7 @@
   "name": "@natbienetre/cloudflare-env-var-password",
   "main": "dist/index.js",
   "types": "index.d.ts",
-  "version": "0.2.4",
+  "version": "1.1.1",
   "license": "MPL-2.0",
   "funding": "https://github.com/sponsors/holyhope",
   "type": "module",
@@ -12,7 +12,7 @@
     "tsconfig.json"
   ],
   "scripts": {
-    "build": "npx wrangler pages functions build --plugin --outdir=dist",
+    "build": "npx wrangler pages functions build --plugin --outdir=dist --sourcemap --minify",
     "prepare": "npm run build",
     "format": "prettier --check --write \"**/*.{ts,js,mjs,json,md}\"",
     "prettier": "prettier --check \"**/*.{ts,js,mjs,json,md}\"",
@@ -21,8 +21,7 @@
     "dev": "npm run build"
   },
   "dependencies": {
-    "@natbienetre/cloudflare-auto-session": "1.0.5",
-    "cidr-tools": "^11.0.2"
+    "@natbienetre/cloudflare-auto-session": "2.1.1"
   },
   "devDependencies": {
     "@cloudflare/workers-types": "^4.20241230.0",
@@ -40,5 +39,6 @@
     "eslint-plugin-promise": "^6.0.0",
     "prettier": "^3.4.2",
     "typescript": "*"
-  }
+  },
+  "packageManager": "yarn@3.6.3+sha512.d432ab8b22b89cb8b46649ebaf196159b0c1870904224771d75fdf8b55490aaa5de4d9f028deb0425f1513bff7843e97b9d117103795a23b12d2e7c1cedcf50f"
 }

plugins/cloudflare-env-var-password/src/args.ts

@@ -1,8 +1,6 @@
-import { GoogleBot } from './google';
 import type {
   PluginArgs,
   AutoSessionArgs,
-  AllowedBots,
   PasswordEncodingMethod,
 } from './types';
 
@@ -25,7 +23,6 @@ export interface PluginArgsWithDefaults {
       Record<string, unknown>
     >
   ) => Promise<Response>;
-  allowedBots: AllowedBots;
 }
 
 export const Defaults = {
@@ -46,33 +43,6 @@ export const Defaults = {
   ): Promise<Response> => {
     throw new Error(`Missing password for ${context.request.url}`);
   },
-  allowedBots: {
-    google: new Map<GoogleBot, boolean>([
-      [GoogleBot.Googlebot, true],
-      [GoogleBot.GooglebotImage, true],
-      [GoogleBot.GooglebotVideo, true],
-      [GoogleBot.StoreBot, true],
-      [GoogleBot.InspectionTool, true],
-      [GoogleBot.Other, false],
-      [GoogleBot.OtherImage, false],
-      [GoogleBot.OtherVideo, false],
-      [GoogleBot.CloudVertexBot, false],
-      [GoogleBot.Extended, false],
-      [GoogleBot.APIsGoogle, false],
-      [GoogleBot.AdsBot, false],
-      [GoogleBot.AdsBotMobile, false],
-      [GoogleBot.AdSense, false],
-      [GoogleBot.Safety, true],
-      [GoogleBot.AutoTriggeredFeedFetcher, false],
-      [GoogleBot.AutoTriggeredPublisherCenter, false],
-      [GoogleBot.AutoTriggeredReadAloud, false],
-      [GoogleBot.AutoTriggeredSiteVerifier, false],
-      [GoogleBot.UserTriggeredFeedFetcher, false],
-      [GoogleBot.UserTriggeredPublisherCenter, false],
-      [GoogleBot.UserTriggeredReadAloud, false],
-      [GoogleBot.UserTriggeredSiteVerifier, false],
-    ]),
-  },
 };
 
 export function withDefaults(args: PluginArgs): PluginArgsWithDefaults {

plugins/cloudflare-env-var-password/src/authenticator.ts

@@ -3,44 +3,24 @@ import {
   type CookieSpec,
 } from '@natbienetre/cloudflare-auto-session';
 
-import type { AllowedBots, PasswordEncodingMethod, CookieData } from './types';
-import { allBots } from './google';
+import type { PasswordEncodingMethod, CookieData } from './types';
 
 export class Auth {
   readonly passwordEncodingMethod: PasswordEncodingMethod;
   readonly passwordFieldName: string;
   readonly expectedPasswordHash: string;
   readonly url: URL;
-  readonly verifiers: Array<(req: Request) => Promise<boolean>>;
 
   constructor(
     request: Request,
     passwordHash: string,
     passwordEncodingMethod: PasswordEncodingMethod,
-    passwordFieldName: string,
-    allowedBots: AllowedBots
+    passwordFieldName: string
   ) {
     this.url = new URL(request.url);
     this.passwordEncodingMethod = passwordEncodingMethod;
     this.passwordFieldName = passwordFieldName;
     this.expectedPasswordHash = passwordHash;
-    this.verifiers = [...allowedBots.google]
-      .filter(value => value[1])
-      .map(
-        value =>
-          allBots.get(value[0]) ??
-          (async (_: Request): Promise<boolean> => false)
-      );
-  }
-
-  async verify(req: Request): Promise<boolean> {
-    console.debug('Checking if client is a trusted bot', req.cf?.botManagement);
-    return this.verifiers
-      .map(verif => verif(req))
-      .reduce(
-        async (acc, curr) => (await acc) || (await curr),
-        Promise.resolve(false)
-      );
   }
 
   isValid(data: CookieData): boolean {
@@ -76,67 +56,53 @@ export class Auth {
   }
 
   async sessionData(request: Request): Promise<SessionSpec<CookieData>> {
-    return this.verify(request).then(verified => {
-      if (verified) {
-        console.info('Trusted bot detected');
+    return request.formData().then(async formData => {
+      const password = formData.get(this.passwordFieldName);
+
+      if (password === null) {
+        console.warn('No password provided');
 
         return {
-          authenticated: true,
-          allowed: true,
+          authenticated: false,
+          allowed: false,
           cookie: this.cookieSpec({
-            source: 'trusted-bot',
+            source: 'no-password',
           }),
         };
       }
 
-      return request.formData().then(async formData => {
-        const password = formData.get(this.passwordFieldName);
-
-        if (password === null) {
-          console.warn('No password provided');
-
-          return {
-            authenticated: false,
-            allowed: false,
-            cookie: this.cookieSpec({
-              source: 'no-password',
-            }),
-          };
-        }
-
-        return this.hashPassword(password)
-          .then(hashedPassword => this.expectedPasswordHash === hashedPassword)
-          .then(passwordMatch => {
-            if (!passwordMatch) {
-              console.warn(
-                `Password mismatch, expected ${this.expectedPasswordHash}`
-              );
-
-              return {
-                authenticated: true,
-                allowed: false,
-                cookie: this.cookieSpec({
-                  source: 'invalid-password',
-                }),
-              };
-            }
-
-            console.info('Password match');
-
-            // Remove the password from the form data
-            // before storing it in the cookie
-            formData.delete(this.passwordFieldName);
+      return this.hashPassword(password)
+        .then(hashedPassword => this.expectedPasswordHash === hashedPassword)
+        .then(passwordMatch => {
+          if (!passwordMatch) {
+            console.warn(
+              `Password mismatch, expected ${this.expectedPasswordHash}`
+            );
 
             return {
               authenticated: true,
-              allowed: true,
+              allowed: false,
               cookie: this.cookieSpec({
-                source: 'user-form',
-                userData: formData,
+                source: 'invalid-password',
               }),
             };
-          });
-      });
+          }
+
+          console.info('Password match');
+
+          // Remove the password from the form data
+          // before storing it in the cookie
+          formData.delete(this.passwordFieldName);
+
+          return {
+            authenticated: true,
+            allowed: true,
+            cookie: this.cookieSpec({
+              source: 'user-form',
+              userData: formData,
+            }),
+          };
+        });
     });
   }
 }