chore: bump Playwright dev dependency to version 1.56.0

.devcontainer/docker-compose.yaml

@@ -1,12 +1,12 @@
 services:
   playwright:
-    image: mcr.microsoft.com/playwright:v1.52.0-noble
+    image: mcr.microsoft.com/playwright:v1.56.0-noble
     init: true
     network_mode: service:workspace
     command:
       - /bin/sh
       - -c
-      - npx -y playwright@1.52.0 run-server --port 9001 --host 0.0.0.0
+      - npx -y playwright@1.56.0 run-server --port 9001 --host 0.0.0.0
 
   valkey:
     image: valkey/valkey:8

.github/workflows/go.yml

@@ -38,7 +38,7 @@ jobs:
         with:
           path: |
             ~/.cache/ms-playwright
-          key: ${{ runner.os }}-playwright-${{ hashFiles('**/go.sum') }}
+          key: ${{ runner.os }}-playwright-1.56.0
 
       - name: install node deps
         run: |
@@ -46,8 +46,8 @@ jobs:
 
       - name: install playwright browsers
         run: |
-          npx --no-install playwright@1.52.0 install --with-deps
+          npx playwright@1.56.0 install --with-deps
-          npx --no-install playwright@1.52.0 run-server --port 9001 &
+          npx playwright@1.56.0 run-server --port 9001 &
 
       - name: Build
         run: npm run build

cmd/anubis/main.go

@@ -83,7 +83,7 @@ var (
 	versionFlag              = flag.Bool("version", false, "print Anubis version")
 	publicUrl                = flag.String("public-url", "", "the externally accessible URL for this Anubis instance, used for constructing redirect URLs (e.g., for forwardAuth).")
 	xffStripPrivate          = flag.Bool("xff-strip-private", true, "if set, strip private addresses from X-Forwarded-For")
-	customRealIPHeader       = flag.String("custom-real-ip-header", "", "if set, read remote IP from header of this name (in case your environment doesn't set X-Real-IP header)")
+	customRealIPHeader      = flag.String("custom-real-ip-header", "", "if set, read remote IP from header of this name (in case your environment doesn't set X-Real-IP header)")
 
 	thothInsecure        = flag.Bool("thoth-insecure", false, "if set, connect to Thoth over plain HTTP/2, don't enable this unless support told you to")
 	thothURL             = flag.String("thoth-url", "", "if set, URL for Thoth, the IP reputation database for Anubis")
@@ -145,19 +145,19 @@ func parseBindNetFromAddr(address string) (string, string) {
 	return "", address
 }
 
-func parseSameSite(s string) http.SameSite {
+func parseSameSite(s string) (http.SameSite) {
-	switch strings.ToLower(s) {
+    switch strings.ToLower(s) {
-	case "none":
+    case "none":
-		return http.SameSiteNoneMode
+        return http.SameSiteNoneMode
-	case "lax":
+    case "lax":
-		return http.SameSiteLaxMode
+        return http.SameSiteLaxMode
-	case "strict":
+    case "strict":
-		return http.SameSiteStrictMode
+        return http.SameSiteStrictMode
 	case "default":
 		return http.SameSiteDefaultMode
-	default:
+    default:
-		log.Fatalf("invalid cookie same-site mode: %s, valid values are None, Lax, Strict, and Default", s)
+        log.Fatalf("invalid cookie same-site mode: %s, valid values are None, Lax, Strict, and Default", s)
-	}
+    }
 	return http.SameSiteDefaultMode
 }
 

docs/docs/CHANGELOG.md

@@ -13,7 +13,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 <!-- This changes the project to: -->
 
-- Fix panic when validating challenges after privacy-mode browsers strip headers and the follow-up request matches an `ALLOW` threshold.
 - Expose WEIGHT rule matches as Prometheus metrics.
 - Allow more OCI registry clients [based on feedback](https://github.com/TecharoHQ/anubis/pull/1253#issuecomment-3506744184).
 - Expose services directory in the embedded `(data)` filesystem.
@@ -21,6 +20,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Allow Renovate as an OCI registry client.
 - Properly handle 4in6 addresses so that IP matching works with those addresses.
 - Add support to simple Valkey/Redis cluster mode
+- Bump the Playwright dev dependency to 1.56.0
 
 ## v1.23.1: Lyse Hext - Echo 1
 

internal/test/playwright_test.go

@@ -99,7 +99,7 @@ const (
 	actionChallenge action = "CHALLENGE"
 
 	placeholderIP     = "fd11:5ee:bad:c0de::"
-	playwrightVersion = "1.52.0"
+	playwrightVersion = "1.56.0"
 )
 
 type action string

lib/anubis.go

@@ -117,12 +117,10 @@ func (s *Server) issueChallenge(ctx context.Context, r *http.Request, lg *slog.L
 	}
 
 	chall := challenge.Challenge{
-		ID:             id.String(),
+		ID:         id.String(),
-		Method:         rule.Challenge.Algorithm,
+		Method:     rule.Challenge.Algorithm,
-		RandomData:     fmt.Sprintf("%x", randomData),
+		RandomData: fmt.Sprintf("%x", randomData),
-		IssuedAt:       time.Now(),
+		IssuedAt:   time.Now(),
-		Difficulty:     rule.Challenge.Difficulty,
-		PolicyRuleHash: rule.Hash(),
 		Metadata: map[string]string{
 			"User-Agent": r.Header.Get("User-Agent"),
 			"X-Real-Ip":  r.Header.Get("X-Real-Ip"),
@@ -139,44 +137,6 @@ func (s *Server) issueChallenge(ctx context.Context, r *http.Request, lg *slog.L
 	return &chall, err
 }
 
-func (s *Server) hydrateChallengeRule(rule *policy.Bot, chall *challenge.Challenge, lg *slog.Logger) *policy.Bot {
-	if chall == nil {
-		return rule
-	}
-
-	if rule == nil {
-		rule = &policy.Bot{
-			Rules: &checker.List{},
-		}
-	}
-
-	if chall.Difficulty == 0 {
-		// fall back to whatever the policy currently says or the global default
-		if rule.Challenge != nil && rule.Challenge.Difficulty != 0 {
-			chall.Difficulty = rule.Challenge.Difficulty
-		} else {
-			chall.Difficulty = s.policy.DefaultDifficulty
-		}
-	}
-
-	if rule.Challenge == nil {
-		lg.Warn("rule missing challenge configuration; using stored challenge metadata", "rule", rule.Name)
-		rule.Challenge = &config.ChallengeRules{}
-	}
-
-	if rule.Challenge.Difficulty == 0 {
-		rule.Challenge.Difficulty = chall.Difficulty
-	}
-	if rule.Challenge.ReportAs == 0 {
-		rule.Challenge.ReportAs = chall.Difficulty
-	}
-	if rule.Challenge.Algorithm == "" {
-		rule.Challenge.Algorithm = chall.Method
-	}
-
-	return rule
-}
-
 func (s *Server) maybeReverseProxyHttpStatusOnly(w http.ResponseWriter, r *http.Request) {
 	s.maybeReverseProxy(w, r, true)
 }
@@ -501,8 +461,6 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	rule = s.hydrateChallengeRule(rule, chall, lg)
-
 	impl, ok := challenge.Get(chall.Method)
 	if !ok {
 		lg.Error("check failed", "err", err)

lib/anubis_test.go

@@ -2,7 +2,6 @@ package lib
 
 import (
 	"bytes"
-	"context"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -19,10 +18,8 @@ import (
 	"github.com/TecharoHQ/anubis"
 	"github.com/TecharoHQ/anubis/data"
 	"github.com/TecharoHQ/anubis/internal"
-	"github.com/TecharoHQ/anubis/lib/challenge"
 	"github.com/TecharoHQ/anubis/lib/policy"
 	"github.com/TecharoHQ/anubis/lib/policy/config"
-	"github.com/TecharoHQ/anubis/lib/store"
 	"github.com/TecharoHQ/anubis/lib/thoth/thothmock"
 )
 
@@ -1030,59 +1027,6 @@ func TestPassChallengeXSS(t *testing.T) {
 	})
 }
 
-func TestPassChallengeNilRuleChallengeFallback(t *testing.T) {
-	pol := loadPolicies(t, "testdata/zero_difficulty.yaml", 0)
-
-	srv := spawnAnubis(t, Options{
-		Next:   http.NewServeMux(),
-		Policy: pol,
-	})
-
-	allowThreshold, err := policy.ParsedThresholdFromConfig(config.Threshold{
-		Name: "allow-all",
-		Expression: &config.ExpressionOrList{
-			Expression: "true",
-		},
-		Action: config.RuleAllow,
-	})
-	if err != nil {
-		t.Fatalf("can't compile test threshold: %v", err)
-	}
-	srv.policy.Thresholds = []*policy.Threshold{allowThreshold}
-	srv.policy.Bots = nil
-
-	chall := challenge.Challenge{
-		ID:         "test-challenge",
-		Method:     "metarefresh",
-		RandomData: "apple cider",
-		IssuedAt:   time.Now().Add(-5 * time.Second),
-		Difficulty: 1,
-	}
-
-	j := store.JSON[challenge.Challenge]{Underlying: srv.store}
-	if err := j.Set(context.Background(), "challenge:"+chall.ID, chall, time.Minute); err != nil {
-		t.Fatalf("can't insert challenge into store: %v", err)
-	}
-
-	req := httptest.NewRequest(http.MethodGet, "https://example.com"+anubis.APIPrefix+"pass-challenge", nil)
-	q := req.URL.Query()
-	q.Set("redir", "/")
-	q.Set("id", chall.ID)
-	q.Set("challenge", chall.RandomData)
-	req.URL.RawQuery = q.Encode()
-	req.Header.Set("X-Real-Ip", "203.0.113.4")
-	req.Header.Set("User-Agent", "NilChallengeTester/1.0")
-	req.AddCookie(&http.Cookie{Name: anubis.TestCookieName, Value: chall.ID})
-
-	rr := httptest.NewRecorder()
-
-	srv.PassChallenge(rr, req)
-
-	if rr.Code != http.StatusFound {
-		t.Fatalf("expected redirect when validating challenge, got %d", rr.Code)
-	}
-}
-
 func TestXForwardedForNoDoubleComma(t *testing.T) {
 	var h http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("X-Forwarded-For", r.Header.Get("X-Forwarded-For"))

lib/challenge/challenge.go

@@ -4,12 +4,10 @@ import "time"
 
 // Challenge is the metadata about a single challenge issuance.
 type Challenge struct {
-	ID             string            `json:"id"`                       // UUID identifying the challenge
+	ID         string            `json:"id"`         // UUID identifying the challenge
-	Method         string            `json:"method"`                   // Challenge method
+	Method     string            `json:"method"`     // Challenge method
-	RandomData     string            `json:"randomData"`               // The random data the client processes
+	RandomData string            `json:"randomData"` // The random data the client processes
-	IssuedAt       time.Time         `json:"issuedAt"`                 // When the challenge was issued
+	IssuedAt   time.Time         `json:"issuedAt"`   // When the challenge was issued
-	Metadata       map[string]string `json:"metadata"`                 // Challenge metadata such as IP address and user agent
+	Metadata   map[string]string `json:"metadata"`   // Challenge metadata such as IP address and user agent
-	Spent          bool              `json:"spent"`                    // Has the challenge already been solved?
+	Spent      bool              `json:"spent"`      // Has the challenge already been solved?
-	Difficulty     int               `json:"difficulty,omitempty"`     // Difficulty that was in effect when issued
-	PolicyRuleHash string            `json:"policyRuleHash,omitempty"` // Hash of the policy rule that issued this challenge
 }

lib/challenge/challengetest/challengetest.go

@@ -4,7 +4,6 @@ import (
 	"testing"
 	"time"
 
-	"github.com/TecharoHQ/anubis"
 	"github.com/TecharoHQ/anubis/internal"
 	"github.com/TecharoHQ/anubis/lib/challenge"
 	"github.com/google/uuid"
@@ -20,6 +19,5 @@ func New(t *testing.T) *challenge.Challenge {
 		ID:         id.String(),
 		RandomData: randomData,
 		IssuedAt:   time.Now(),
-		Difficulty: anubis.DefaultDifficulty,
 	}
 }

lib/localization/localization_test.go

@@ -31,7 +31,7 @@ func TestLocalizationService(t *testing.T) {
 		"vi":    "Đang nạp...",
 		"zh-CN": "加载中...",
 		"zh-TW": "載入中...",
-		"sv":    "Laddar...",
+		"sv" : "Laddar...",
 	}
 
 	var keys []string

package-lock.json

@@ -16,7 +16,7 @@
         "cssnano": "^7.1.2",
         "cssnano-preset-advanced": "^7.0.10",
         "esbuild": "^0.25.12",
-        "playwright": "^1.52.0",
+        "playwright": "^1.56.0",
         "postcss-cli": "^11.0.1",
         "postcss-import": "^16.1.1",
         "postcss-import-url": "^7.2.0",
@@ -1603,13 +1603,13 @@
       }
     },
     "node_modules/playwright": {
-      "version": "1.52.0",
+      "version": "1.56.1",
-      "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.52.0.tgz",
+      "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.56.1.tgz",
-      "integrity": "sha512-JAwMNMBlxJ2oD1kce4KPtMkDeKGHQstdpFPcPH3maElAXon/QZeTvtsfXmTMRyO9TslfoYOXkSsvao2nE1ilTw==",
+      "integrity": "sha512-aFi5B0WovBHTEvpM3DzXTUaeN6eN0qWnTkKx4NQaH4Wvcmc153PdaY2UBdSYKaGYw+UyWXSVyxDUg5DoPEttjw==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "playwright-core": "1.52.0"
+        "playwright-core": "1.56.1"
       },
       "bin": {
         "playwright": "cli.js"
@@ -1622,9 +1622,9 @@
       }
     },
     "node_modules/playwright-core": {
-      "version": "1.52.0",
+      "version": "1.56.1",
-      "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.52.0.tgz",
+      "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.56.1.tgz",
-      "integrity": "sha512-l2osTgLXSMeuLZOML9qYODUQoPPnUsKsb5/P6LJ2e6uPKXUdPK5WYhN4z03G+YNbWmGDY4YENauNu4ZKczreHg==",
+      "integrity": "sha512-hutraynyn31F+Bifme+Ps9Vq59hKuUCz7H1kDOcBs+2oGguKkWTU50bBWrtz34OUWmIwpBTWDxaRPXrIXkgvmQ==",
       "dev": true,
       "license": "Apache-2.0",
       "bin": {

package.json

@@ -21,7 +21,7 @@
     "cssnano": "^7.1.2",
     "cssnano-preset-advanced": "^7.0.10",
     "esbuild": "^0.25.12",
-    "playwright": "^1.52.0",
+    "playwright": "^1.56.0",
     "postcss-cli": "^11.0.1",
     "postcss-import": "^16.1.1",
     "postcss-import-url": "^7.2.0",
@@ -31,4 +31,4 @@
     "@aws-crypto/sha256-js": "^5.2.0",
     "preact": "^10.27.2"
   }
-}
+}