feat: add bot-id support #1112
Pull Request Overview
This PR adds bot detection and protection to the application using the botid package (v1.5.10). The integration aims to protect API endpoints and routes from automated bot traffic.
- Integrates botid library at both the Next.js config level and individual API routes
- Adds bot detection check to the Resend webhook handler
- Includes client-side instrumentation for route protection
Reviewed Changes
Copilot reviewed 5 out of 7 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| package.json | Adds botid dependency (^1.5.10) |
| pnpm-lock.yaml | Updates lock file with botid package resolution and dependencies |
| next.config.mjs | Wraps config with withBotId HOC; adds picsum.photos to image domains (unrelated); duplicate images.unsplash.com entry |
| src/pages/api/inbound_webhooks/resend.ts | Adds bot detection check before processing webhook requests |
| src/utils/resend.test.ts | Refactors Resend mock from arrow function to regular function for proper context binding |
| instrumentation-client.ts | New file configuring client-side bot protection for various routes |
| next-env.d.ts | Auto-generated Next.js type definition update |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
| // Example: Protect webhook endpoints | ||
| { path: '/api/inbound_webhooks/resend', method: 'POST' }, | ||
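Review bot: the committed comment `// Example: Protect webhook endpoints` reads like template text left in place rather than a description of this project's routes; if the entry stays, replace it with a comment saying why a browser would POST to this path, and document how the client-side protect list relates to the server-side check added in src/pages/api/inbound_webhooks/resend.ts, since the two are otherwise easy to confuse for the same control.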
Copilot
AI
Nov 13, 2025
Protecting the webhook endpoint /api/inbound_webhooks/resend from the client-side doesn't make sense because:
- Webhooks are server-to-server communications initiated by Resend, not by browsers
- Client-side bot protection cannot intercept or validate server-to-server requests
- The actual bot protection is already implemented on the server side (in the API route handler)
This route should be removed from the client-side protection list. Client-side protection should only be used for routes that browsers directly access.
| // Example: Protect webhook endpoints | |
| { path: '/api/inbound_webhooks/resend', method: 'POST' }, |
| // Verify this request is not from a bot | ||
| const verification = await checkBotId(); | ||
| if (verification.isBot) { | ||
| console.warn('Bot detected attempting to access webhook'); | ||
| return res.status(403).json({ error: 'Access denied' }); | ||
| } |
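Review bot: this check runs on a request that Resend's servers send, not a browser, yet the only bot signal this PR wires up is the client-side instrumentation in instrumentation-client.ts; a server-to-server POST carries none of that, so `checkBotId()` here is likely to either reject legitimate deliveries or add nothing beyond the signature verification the route already performs. Suggest dropping the check from this handler, or at minimum adding a test that shows what `verification.isBot` returns for a signed Resend request with no client token, and logging the 403 with request metadata rather than the fixed string `'Bot detected attempting to access webhook'` so dropped deliveries can be diagnosed.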
Copilot
AI
Nov 13, 2025
The bot detection check is performed before webhook signature verification. This creates a security concern because:
- Attackers can bypass signature verification by being flagged as a bot
- The webhook signature verification (line 77) validates that the request actually came from Resend
Consider moving the bot check after the signature verification to ensure all requests are authenticated first. The order should be:
- Verify webhook signature
- Check for bot traffic
- Process the webhook
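The ordering proposed above, as an added example that is not part of the PR or of Copilot's review: a minimal handler that authenticates the raw body with an HMAC before any bot check, then processes. The `x-signature` header and the HMAC-SHA256 scheme are constructed placeholders, not Resend's real webhook scheme, and `checkBot` is an injected stand-in for botid's `checkBotId()` so the handler can be exercised offline.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Stand-in for botid's checkBotId(); injected so the ordering can be tested offline.
type BotCheck = () => Promise<{ isBot: boolean }>;
interface WebhookResult {
  status: number;
  stage: "signature" | "bot" | "processed";
  eventType?: string;
}

// Placeholder scheme: HMAC-SHA256 over the raw body, hex encoded in `x-signature`.
function sign(body: string, secret: string): string {
  return createHmac("sha256", secret).update(body).digest("hex");
}

function verifySignature(rawBody: string, signature: string | undefined, secret: string): boolean {
  if (!signature) return false;
  const expected = sign(rawBody, secret);
  // Length check first so timingSafeEqual receives equal-sized buffers.
  if (expected.length !== signature.length) return false;
  return timingSafeEqual(Buffer.from(expected, "utf8"), Buffer.from(signature, "utf8"));
}

async function handleWebhook(
  rawBody: string,
  headers: Record<string, string | undefined>,
  secret: string,
  checkBot: BotCheck,
): Promise<WebhookResult> {
  // 1. Authenticate the sender first: unsigned or tampered requests never reach the bot check.
  if (!verifySignature(rawBody, headers["x-signature"], secret)) {
    return { status: 401, stage: "signature" };
  }
  // 2. Bot check, failing closed with an explicit status if the detector itself errors.
  let verification: { isBot: boolean };
  try {
    verification = await checkBot();
  } catch {
    return { status: 503, stage: "bot" };
  }
  if (verification.isBot) return { status: 403, stage: "bot" };
  // 3. Only now parse and process the body.
  const event = JSON.parse(rawBody) as { type: string };
  return { status: 200, stage: "processed", eventType: event.type };
}

// Constructed sample event, used by the calls below.
const SECRET = "constructed-test-secret";
const SAMPLE_BODY = JSON.stringify({ type: "email.delivered" });
```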
| } | ||
|
|
||
| // Verify this request is not from a bot | ||
| const verification = await checkBotId(); |
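Review bot: no error handling is visible around `await checkBotId()`; if the detector throws (network failure, service outage) the outcome depends on whatever surrounds this code, which for a webhook handler likely means a 500 and repeated redelivery attempts from the sender. Decide fail-open or fail-closed explicitly by wrapping the call in try/catch and returning a deliberate status, and add a unit test for the throwing case next to the src/utils/resend.test.ts changes in this PR.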
Copilot
AI
Nov 13, 2025
The checkBotId() function is called without passing any request context. Depending on the botid library's API, this function may need the request object or headers to properly detect bots based on user-agent, IP address, or other request metadata.
Please verify that checkBotId() can access request context through Next.js internals, or update the call to pass the necessary request information: checkBotId(req) or similar.
| const verification = await checkBotId(); | |
| const verification = await checkBotId(req); |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
No description provided.