Merge branch 'main' into Xe/anubis-custom-logger

Signed-off-by: Xe Iaso <xe.iaso@techaro.lol>
fix(anubis): store the challenge method in the store (#924 )
2026-04-09 10:08:45 +00:00 · 2025-07-28 10:59:16 -04:00 · 2025-07-28 10:57:50 -04:00 · 2025-07-27 22:47:21 -04:00 · 2025-07-27 00:41:43 +00:00 · 2025-07-25 17:30:21 +00:00
9 changed files with 35 additions and 20 deletions
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -21,7 +21,7 @@ jobs:
          persist-credentials: false

      - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@7edac99f961f18b581bbd960d59d049f04c0002f # v6.4.1
+        uses: astral-sh/setup-uv@e92bafb6253dcd438e0484186d7669ea7a8ca1cc # v6.4.3

      - name: Run zizmor 🌈
        run: uvx zizmor --format sarif . > results.sarif 
@@ -29,7 +29,7 @@ jobs:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} 

      - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
+        uses: github/codeql-action/upload-sarif@4e828ff8d448a8a6e532957b1811f387a63867e8 # v3.29.4
        with:
          sarif_file: results.sarif
          category: zizmor
--- a/data/bots/_deny-pathological.yaml
+++ b/data/bots/_deny-pathological.yaml
@@ -1,3 +1,4 @@
 - import: (data)/bots/cloudflare-workers.yaml
 - import: (data)/bots/headless-browsers.yaml
- import: (data)/bots/us-ai-scraper.yaml
+- import: (data)/bots/us-ai-scraper.yaml
+- import: (data)/bots/custom-async-http-client.yaml
--- a/data/bots/custom-async-http-client.yaml
+++ b/data/bots/custom-async-http-client.yaml
@@ -0,0 +1,5 @@
+- name: "custom-async-http-client"
+  user_agent_regex: "Custom-AsyncHttpClient"
+  action: WEIGH
+  weight:
+    adjust: 10
--- a/docs/docs/CHANGELOG.md
+++ b/docs/docs/CHANGELOG.md
@@ -13,7 +13,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 <!-- This changes the project to: -->

+- Downstream consumers can change the default [log/slog#Logger](https://pkg.go.dev/log/slog#Logger) instance that Anubis uses by setting `opts.Logger` to your slog instance of choice ([#864](https://github.com/TecharoHQ/anubis/issues/864)).
 - The [Thoth client](https://anubis.techaro.lol/docs/admin/thoth) is now public in the repo instead of being an internal package.
+- [Custom-AsyncHttpClient](https://github.com/AsyncHttpClient/async-http-client)'s default User-Agent has an increased weight by default ([#852](https://github.com/TecharoHQ/anubis/issues/852)).
 - The [`segments`](./admin/configuration/expressions.mdx#segments) function was added for splitting a path into its slash-separated segments.
 - When issuing a challenge, Anubis stores information about that challenge into the store. That stored information is later used to validate challenge responses. This works around nondeterminism in bot rules. ([#917](https://github.com/TecharoHQ/anubis/issues/917))

--- a/internal/log.go
+++ b/internal/log.go
@@ -26,8 +26,8 @@ func InitSlog(level string) {
 	slog.SetDefault(slog.New(h))
 }

-func GetRequestLogger(r *http.Request) *slog.Logger {
-	return slog.With(
+func GetRequestLogger(base *slog.Logger, r *http.Request) *slog.Logger {
+	return base.With(
 		"host", r.Host,
 		"method", r.Method,
 		"path", r.URL.Path,
--- a/lib/anubis.go
+++ b/lib/anubis.go
@@ -75,6 +75,7 @@ type Server struct {
 	hs512Secret []byte
 	opts        Options
 	store       store.Interface
+	logger      *slog.Logger
 }

 func (s *Server) getTokenKeyfunc() jwt.Keyfunc {
@@ -150,7 +151,7 @@ func (s *Server) maybeReverseProxyOrPage(w http.ResponseWriter, r *http.Request)
 }

 func (s *Server) maybeReverseProxy(w http.ResponseWriter, r *http.Request, httpStatusOnly bool) {
-	lg := internal.GetRequestLogger(r)
+	lg := internal.GetRequestLogger(s.logger, r)

 	// Adjust cookie path if base prefix is not empty
 	cookiePath := "/"
@@ -158,7 +159,7 @@ func (s *Server) maybeReverseProxy(w http.ResponseWriter, r *http.Request, httpS
 		cookiePath = strings.TrimSuffix(anubis.BasePrefix, "/") + "/"
 	}

-	cr, rule, err := s.check(r)
+	cr, rule, err := s.check(r, lg)
 	if err != nil {
 		lg.Error("check failed", "err", err)
 		localizer := localization.GetLocalizer(r)
@@ -274,7 +275,7 @@ func (s *Server) checkRules(w http.ResponseWriter, r *http.Request, cr policy.Ch
 		return true
 	default:
 		s.ClearCookie(w, CookieOpts{Path: cookiePath, Host: r.Host})
-		slog.Error("CONFIG ERROR: unknown rule", "rule", cr.Rule)
+		lg.Error("CONFIG ERROR: unknown rule", "rule", cr.Rule)
 		s.respondWithError(w, r, fmt.Sprintf("%s \"maybeReverseProxy.Rules\"", localizer.T("internal_server_error")))
 		return true
 	}
@@ -310,7 +311,7 @@ func (s *Server) handleDNSBL(w http.ResponseWriter, r *http.Request, ip string,
 }

 func (s *Server) MakeChallenge(w http.ResponseWriter, r *http.Request) {
-	lg := internal.GetRequestLogger(r)
+	lg := internal.GetRequestLogger(s.logger, r)
 	localizer := localization.GetLocalizer(r)

 	redir := r.FormValue("redir")
@@ -329,7 +330,7 @@ func (s *Server) MakeChallenge(w http.ResponseWriter, r *http.Request) {
 	r.URL.Path = redir

 	encoder := json.NewEncoder(w)
-	cr, rule, err := s.check(r)
+	cr, rule, err := s.check(r, lg)
 	if err != nil {
 		lg.Error("check failed", "err", err)
 		w.WriteHeader(http.StatusInternalServerError)
@@ -381,7 +382,7 @@ func (s *Server) MakeChallenge(w http.ResponseWriter, r *http.Request) {
 }

 func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
-	lg := internal.GetRequestLogger(r)
+	lg := internal.GetRequestLogger(s.logger, r)
 	localizer := localization.GetLocalizer(r)

 	redir := r.FormValue("redir")
@@ -428,7 +429,7 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	cr, rule, err := s.check(r)
+	cr, rule, err := s.check(r, lg)
 	if err != nil {
 		lg.Error("check failed", "err", err)
 		s.respondWithError(w, r, fmt.Sprintf("%s \"passChallenge\"", localizer.T("internal_server_error")))
@@ -509,7 +510,7 @@ func cr(name string, rule config.Rule, weight int) policy.CheckResult {
 }

 // Check evaluates the list of rules, and returns the result
-func (s *Server) check(r *http.Request) (policy.CheckResult, *policy.Bot, error) {
+func (s *Server) check(r *http.Request, lg *slog.Logger) (policy.CheckResult, *policy.Bot, error) {
 	host := r.Header.Get("X-Real-Ip")
 	if host == "" {
 		return decaymap.Zilch[policy.CheckResult](), nil, fmt.Errorf("[misconfiguration] X-Real-Ip header is not set")
@@ -533,7 +534,7 @@ func (s *Server) check(r *http.Request) (policy.CheckResult, *policy.Bot, error)
 			case config.RuleDeny, config.RuleAllow, config.RuleBenchmark, config.RuleChallenge:
 				return cr("bot/"+b.Name, b.Action, weight), &b, nil
 			case config.RuleWeigh:
-				slog.Debug("adjusting weight", "name", b.Name, "delta", b.Weight.Adjust)
+				lg.Debug("adjusting weight", "name", b.Name, "delta", b.Weight.Adjust)
 				weight += b.Weight.Adjust
 			}
 		}
@@ -542,7 +543,7 @@ func (s *Server) check(r *http.Request) (policy.CheckResult, *policy.Bot, error)
 	for _, t := range s.policy.Thresholds {
 		result, _, err := t.Program.ContextEval(r.Context(), &policy.ThresholdRequest{Weight: weight})
 		if err != nil {
-			slog.Error("error when evaluating threshold expression", "expression", t.Expression.String(), "err", err)
+			lg.Error("error when evaluating threshold expression", "expression", t.Expression.String(), "err", err)
 			continue
 		}

--- a/lib/anubis_test.go
+++ b/lib/anubis_test.go
@@ -343,7 +343,7 @@ func TestCheckDefaultDifficultyMatchesPolicy(t *testing.T) {

 			req.Header.Add("X-Real-Ip", "127.0.0.1")

-			cr, bot, err := s.check(req)
+			cr, bot, err := s.check(req, s.logger)
 			if err != nil {
 				t.Fatal(err)
 			}
@@ -583,7 +583,7 @@ func TestCloudflareWorkersRule(t *testing.T) {
 				req.Header.Add("X-Real-Ip", "127.0.0.1")
 				req.Header.Add("Cf-Worker", "true")

-				cr, _, err := s.check(req)
+				cr, _, err := s.check(req, s.logger)
 				if err != nil {
 					t.Fatal(err)
 				}
@@ -601,7 +601,7 @@ func TestCloudflareWorkersRule(t *testing.T) {

 				req.Header.Add("X-Real-Ip", "127.0.0.1")

-				cr, _, err := s.check(req)
+				cr, _, err := s.check(req, s.logger)
 				if err != nil {
 					t.Fatal(err)
 				}
--- a/lib/config.go
+++ b/lib/config.go
@@ -43,6 +43,7 @@ type Options struct {
 	OpenGraph           config.OpenGraph
 	ServeRobotsTXT      bool
 	CookieSecure        bool
+	Logger              *slog.Logger
 }

 func LoadPoliciesOrDefault(ctx context.Context, fname string, defaultDifficulty int) (*policy.ParsedConfig, error) {
@@ -89,8 +90,12 @@ func LoadPoliciesOrDefault(ctx context.Context, fname string, defaultDifficulty
 }

 func New(opts Options) (*Server, error) {
+	if opts.Logger == nil {
+		opts.Logger = slog.With("subsystem", "anubis")
+	}
+
 	if opts.ED25519PrivateKey == nil && opts.HS512Secret == nil {
-		slog.Debug("opts.PrivateKey not set, generating a new one")
+		opts.Logger.Debug("opts.PrivateKey not set, generating a new one")
 		_, priv, err := ed25519.GenerateKey(rand.Reader)
 		if err != nil {
 			return nil, fmt.Errorf("lib: can't generate private key: %v", err)
@@ -108,6 +113,7 @@ func New(opts Options) (*Server, error) {
 		opts:        opts,
 		OGTags:      ogtags.NewOGTagCache(opts.Target, opts.Policy.OpenGraph, opts.Policy.Store),
 		store:       opts.Policy.Store,
+		logger:      opts.Logger,
 	}

 	mux := http.NewServeMux()
--- a/lib/http.go
+++ b/lib/http.go
@@ -120,7 +120,7 @@ func (s *Server) RenderIndex(w http.ResponseWriter, r *http.Request, cr policy.C
 		return
 	}

-	lg := internal.GetRequestLogger(r)
+	lg := internal.GetRequestLogger(s.logger, r)

 	if !strings.Contains(r.Header.Get("Accept-Encoding"), "gzip") && randomChance(64) {
 		lg.Error("client was given a challenge but does not in fact support gzip compression")
Author	SHA1	Message	Date
Xe Iaso	ebeead900d	Merge branch 'main' into Xe/anubis-custom-logger Signed-off-by: Xe Iaso <xe.iaso@techaro.lol>	2025-07-28 10:59:16 -04:00
Xe Iaso	4a4031450c	fix(anubis): store the challenge method in the store (#924 ) * fix(lib): reduce challenge string size Signed-off-by: Xe Iaso <me@xeiaso.net> * fix(internal): add host, method, and path to request logs Signed-off-by: Xe Iaso <me@xeiaso.net> * fix(anubis): log when challenges explicitly fail Signed-off-by: Xe Iaso <me@xeiaso.net> * fix(lib): make challenge validation fully deterministic Signed-off-by: Xe Iaso <me@xeiaso.net> * fix(anubis): nuke challengeFor function Signed-off-by: Xe Iaso <me@xeiaso.net> * docs: update changelog Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Xe Iaso <me@xeiaso.net>	2025-07-28 10:57:50 -04:00
dependabot[bot]	8feacc78fc	build(deps): bump the github-actions group with 2 updates (#929 ) Bumps the github-actions group with 2 updates: [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) and [github/codeql-action](https://github.com/github/codeql-action). Updates `astral-sh/setup-uv` from 6.4.1 to 6.4.3 - [Release notes](https://github.com/astral-sh/setup-uv/releases) - [Commits](`7edac99f96...e92bafb625`) Updates `github/codeql-action` from 3.29.2 to 3.29.4 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](`181d5eefc2...4e828ff8d4`) --- updated-dependencies: - dependency-name: astral-sh/setup-uv dependency-version: 6.4.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: github/codeql-action dependency-version: 3.29.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Jason Cameron <git@jasoncameron.dev>	2025-07-27 22:47:21 -04:00
Xe Iaso	bca2e87e80	feat(default-rules): add weight to Custom-AsyncHttpClient (#914 ) Signed-off-by: Xe Iaso <me@xeiaso.net> Signed-off-by: Xe Iaso <xe.iaso@techaro.lol>	2025-07-27 00:41:43 +00:00
Xe Iaso	79ac2ec92b	test(lib): amend s.check usage Signed-off-by: Xe Iaso <me@xeiaso.net>	2025-07-25 17:30:21 +00:00
Xe Iaso	0e5f382798	fix(lib): add the ability to set a custom slog Logger Closes #864	2025-07-25 16:31:50 +00:00