feat: add bot-id support #1112
Pull Request Overview
This PR adds bot detection and protection to the application using the botid package (v1.5.10). The integration aims to protect API endpoints and routes from automated bot traffic.
- Integrates botid library at both the Next.js config level and individual API routes
- Adds bot detection check to the Resend webhook handler
- Includes client-side instrumentation for route protection
Reviewed Changes
Copilot reviewed 5 out of 7 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| package.json | Adds botid dependency (^1.5.10) |
| pnpm-lock.yaml | Updates lock file with botid package resolution and dependencies |
| next.config.mjs | Wraps config with withBotId HOC; adds picsum.photos to image domains (unrelated); duplicate images.unsplash.com entry |
| src/pages/api/inbound_webhooks/resend.ts | Adds bot detection check before processing webhook requests |
| src/utils/resend.test.ts | Refactors Resend mock from arrow function to regular function for proper context binding |
| instrumentation-client.ts | New file configuring client-side bot protection for various routes |
| next-env.d.ts | Auto-generated Next.js type definition update |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
Pull request overview
Copilot reviewed 4 out of 5 changed files in this pull request and generated 2 comments.
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
| // After signature verification, check for bot traffic | ||
| const verification = await checkBotId({ | ||
| advancedOptions: { | ||
| headers: req.headers, | ||
| }, | ||
| }); | ||
| if (verification.isBot) { | ||
| console.warn('Bot detected attempting to access webhook'); | ||
| return res.status(403).json({ error: 'Access denied' }); | ||
| } |
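Review bot: the `checkBotId` call runs after the signature verification that already authenticates the request as coming from Resend, so a legitimate server-to-server delivery that the classifier flags gets a `403` and the event is never processed by this handler. Either drop the check for this route or, if it stays, make a rejection distinguishable from a signature failure: the bare `console.warn('Bot detected attempting to access webhook')` gives an operator nothing to act on, so log the request path and the verification outcome alongside it, and document in the handler that a `403` here leaves redelivery to the sender's retry behaviour.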
Copilot
AI
Dec 20, 2025
Bot detection should not be applied to webhook endpoints. Webhooks are server-to-server communications from Resend, not user-initiated requests. The signature verification on line 70 already ensures the request came from Resend. Bot detection is designed to protect against malicious client traffic (browsers, scripts) but is inappropriate for authenticated webhooks where the caller is a trusted server. This will likely result in false positives and could block legitimate webhook events from being processed.
| { | ||
| protocol: 'https', | ||
| hostname: 'images.unsplash.com', | ||
| hostname: 'picsum.photos', |
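Review bot: swapping `hostname: 'images.unsplash.com'` for `hostname: 'picsum.photos'` in `remotePatterns` changes which remote hosts the Next.js image optimizer will fetch and serve on the site's behalf, and it is unrelated to bot-id support. Move it to its own PR, or at minimum explain it in the description (which currently reads "No description provided"); and since the per-file summary notes that `images.unsplash.com` still appears elsewhere in the list, confirm whether the result is a duplicate entry rather than a replacement.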
Copilot
AI
Dec 20, 2025
This change appears unrelated to adding bot-id support. The hostname is being changed from 'images.unsplash.com' to 'picsum.photos', but this modification is not mentioned in the PR description and doesn't relate to the bot detection feature. If this is an intentional change, it should be in a separate PR or explained in the PR description. Note that the codebase still references unsplash.com URLs in multiple content files and the old hostname 'images.unsplash.com' is still in the remotePatterns list (line 65).
No description provided.