replace local code with code extracted to BotChallengePage gem

For turnstile protection of some things

Author: jrochkind

Gemfile

@@ -268,3 +268,5 @@ end
 gem "barnes"
 
 gem 'equivalent-xml'
+
+gem "bot_challenge_page"

Gemfile.lock

@@ -158,6 +158,10 @@ GEM
     bootstrap4-kaminari-views (1.0.1)
       kaminari (>= 0.13)
       rails (>= 3.1)
+    bot_challenge_page (0.2.0)
+      http (~> 5.2)
+      rack-attack (~> 6.7)
+      rails (>= 7.1, < 8.1)
     browse-everything (1.5.0)
       addressable (~> 2.5)
       aws-sdk-s3
@@ -801,6 +805,7 @@ DEPENDENCIES
   blacklight_range_limit (~> 9.0.0)
   bootsnap (>= 1.4.4)
   bootstrap4-kaminari-views
+  bot_challenge_page
   browse-everything (~> 1.5)
   browser (~> 6.0)
   capybara (>= 2.15)

app/controllers/application_controller.rb

@@ -1,4 +1,10 @@
 class ApplicationController < ActionController::Base
+  # This will only protect CONFIGURED routes, but also could be put on just certain
+  # controllers, it does not need to be in ApplicationController
+  before_action do |controller|
+    BotChallengePage::BotChallengePageController.bot_challenge_enforce_filter(controller)
+  end
+
   # Blacklight tried to add some things to ApplicationController, but
   # we pretty much only want to use CatalogController from Blacklight, so
   # are trying just doing these things there instead
@@ -23,8 +29,6 @@ class ApplicationController < ActionController::Base
 
   around_action :batch_kithe_indexable
 
-  before_action { |controller| BotDetectController.bot_detection_enforce_filter(controller) }
-
   def batch_kithe_indexable
     Kithe::Indexable.index_with(batching: true) do
       yield

app/controllers/bot_detect_controller.rb

@@ -40,7 +40,7 @@ class DownloadsController < ApplicationController
 
   # protect originals only from bots with bot challenge redirect, no allowed pre-challenge
   # rate limit.
-  before_action(only: :original) { |controller| BotDetectController.bot_detection_enforce_filter(controller, immediate: true) }
+  before_action(only: :original) { |controller| BotChallengePage::BotChallengePageController.bot_challenge_enforce_filter(controller, immediate: true) }
 
   #GET /downloads/:asset_id
   def original

app/controllers/downloads_controller.rb

@@ -70,6 +70,8 @@ class Application < Rails::Application
 
     # code to be executed when launching `rails console`
     # https://github.com/rails/rails/blob/cf27cfa18bc3742cfaf732da5a839521d6662785/railties/lib/rails/railtie.rb#L143
+
+require 'rack/attack'
     console do
       # Disable honeybadger reporting in conosle. Avoid those annoying SIGHUP errors
       # reported for timed out console you left running.

config/application.rb

@@ -0,0 +1,59 @@
+# Some explanation at https://sciencehistory.atlassian.net/wiki/spaces/HDC/pages/2645098498/Cloudflare+Turnstile+bot+detection
+Rails.application.config.to_prepare do
+  config = BotChallengePage::BotChallengePageController.bot_challenge_config
+
+  # allow rate_limit_count requests in rate_limit_period, before issuing challenge
+  config.rate_limit_period = 12.hour
+  config.rate_limit_count = 2 # seriously reduced to see if that helps
+
+  # How long a challenge pass is good for
+  config.session_passed_good_for = 24.hours
+
+  config.enabled                 = ScihistDigicoll::Env.lookup(:cf_turnstile_enabled)
+  config.cf_turnstile_sitekey    = ScihistDigicoll::Env.lookup(:cf_turnstile_sitekey)
+  config.cf_turnstile_secret_key = ScihistDigicoll::Env.lookup(:cf_turnstile_secret_key)
+
+  # any custom collection controllers or other controllers that offer search have to be listed here
+  # to rate-limit them!
+  config.rate_limited_locations = [
+    '/catalog',
+    '/focus',
+    # we want to omit `/collections` list page, so we do these by controller
+    { controller: "collection_show" },
+    { controller: "collection_show_controllers/immigrants_and_innovation_collection" },
+    { controller: "collection_show_controllers/oral_history_collection"},
+    { controller: "collection_show_controllers/bredig_collection"}
+  ]
+
+  config.allow_exempt = ->(controller, config) {
+    # Excempt any Catalog #facet action that looks like an ajax/fetch request, the redirect
+    # ain't gonna work there, we just exempt it.
+    #
+    # sec-fetch-dest is set to 'empty' by browser on fetch requests, to limit us further;
+    # sure an attacker could fake it, we don't mind if someone determined can avoid rate-limiting on this one action
+    ( controller.params[:action] == "facet" &&
+      controller.request.headers["sec-fetch-dest"] == "empty" &&
+      controller.kind_of?(CatalogController)
+    ) ||
+    # Exempt honeybadger token from uptime checker
+    # https://docs.honeybadger.io/guides/security/
+    (
+      ENV['HONEYBADGER_TOKEN'].present? &&
+      controller.request.headers['Honeybadger-Token'] == ENV['HONEYBADGER_TOKEN']
+    ) ||
+    # Exempt a collection controller (or sub-class!) with _no query params_, we want to
+    # let Google and other bots into colleciton home pages, even though they show search results.
+    (
+      controller.kind_of?(CollectionShowController) &&
+      controller.respond_to?(:has_search_parameters?) &&
+      !controller.has_search_parameters?
+    ) ||
+    ## exempt PDF original downloads, which are protected with an 'immediate' filter
+    (
+      controller.kind_of?(DownloadsController) &&
+      controller.params[:file_category] == "pdf"
+    )
+  }
+
+  BotChallengePage::BotChallengePageController.rack_attack_init
+end