Skip to content

feat(bot): add pointer mismatch and resolution checks#99

Open
IntegerAlex wants to merge 1 commit into
mainfrom
feat/bot-detection-anomalies
Open

feat(bot): add pointer mismatch and resolution checks#99
IntegerAlex wants to merge 1 commit into
mainfrom
feat/bot-detection-anomalies

Conversation

@IntegerAlex

@IntegerAlex IntegerAlex commented Jun 25, 2026

Copy link
Copy Markdown
Owner

Add pointer/hover mismatch and headless resolution bot-detection signals to detectBot

  • Adds Bowser-based UA parsing to detectBot in systemInfo.ts to classify desktop environments (with a regex fallback if parsing fails).
  • On desktop, checks for missing pointer/hover capabilities via matchMedia; records strong:desktop-no-pointer-hover-mismatch if (hover: none) is true or neither (pointer: fine) nor (pointer: coarse) matches.
  • On desktop, checks for an 800×600 screen resolution and records medium:desktop-default-headless-resolution if matched.
  • Both new signals feed into the existing confidence aggregation, affecting the returned signals array, confidence score, and isBot boolean.
  • Adds e2e tests covering both new signals and fixes the JSON serialization test to use an inline geo mock instead of calling fetchGeolocationInfo().

Macroscope summarized bacc322.

@coderabbitai

coderabbitai Bot commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

@IntegerAlex, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 25 minutes and 19 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: dddb8581-c5a0-4b0d-8ffb-f37ea24de2f2

📥 Commits

Reviewing files that changed from the base of the PR and between 81d8565 and bacc322.

📒 Files selected for processing (3)
  • src/systemInfo.ts
  • test/e2e/cypress/e2e/unit/core.cy.js
  • test/e2e/cypress/e2e/unit/hash-serialization.cy.js
📝 Walkthrough

Walkthrough

This PR adds two desktop-oriented bot-detection signals to detectBot, expands Cypress coverage for the new result shape and signal cases, and switches one JSON serialization test to a fixed geolocation mock.

Changes

Desktop bot detection

Layer / File(s) Summary
Desktop signal checks
src/systemInfo.ts
detectBot adds user-agent, hover/pointer, and 800x600 screen checks that append new strong and medium signals.
Bot detection e2e cases
test/e2e/cypress/e2e/unit/core.cy.js
The Cypress suite checks the detectBot result shape and asserts the new desktop mismatch and resolution signals.

JSON serialization fixture

Layer / File(s) Summary
Deterministic geolocation input
test/e2e/cypress/e2e/unit/hash-serialization.cy.js
The JSON serialization test uses a fixed geolocation object instead of fetching one before calling generateJSON.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

Suggested labels

Review effort 2/5

Poem

A rabbit hopped through signals bright,
Two desktop clues in afternoon light.
matchMedia twitched, the screen was set,
The hash still shone; the tests were met.
🐇✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the new bot-detection pointer mismatch and resolution checks.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description check ✅ Passed The description matches the code changes, covering the new bot-detection signals and the updated tests.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/bot-detection-anomalies

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Comment thread src/systemInfo.ts Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/systemInfo.ts`:
- Around line 103-109: The desktop detection in isDesktop is too broad because
the navigator.userAgent regex matches Linux and can classify Android devices as
desktop, which then allows the strong:desktop-no-pointer-hover-mismatch signal
to fire on touch phones/tablets. Tighten the user-agent check in
src/systemInfo.ts by excluding Android/mobile UAs from the desktop branch or by
replacing the regex with a more precise desktop-only classifier before the
window.matchMedia checks, so the signal is only added for actual desktop
environments.

In `@test/e2e/cypress/e2e/unit/core.cy.js`:
- Around line 64-65: The Cypress checks in the core suite are bypassing the
readiness gate, so they can race against app initialization; update the affected
`cy.visit('/')` + `cy.window()` flows in the `core.cy.js` test cases to wait for
the existing `fingerprintOSSReady` helper before accessing `win.fingerprintOSS`.
Use the shared readiness mechanism already used elsewhere in the suite so the
assertions run only after the app is fully ready, including the other matching
block in the same file.

In `@test/e2e/cypress/e2e/unit/hash-serialization.cy.js`:
- Around line 26-28: The current hash check in generateJSON only verifies that
the hash key exists, so the test can pass even with an invalid value. Tighten
the assertion in the hash-serialization Cypress test around fp.generateJSON by
validating the hash content itself, not just presence, so serialization
regressions fail fast; use the generated result’s hash property and assert it is
a real non-empty string value.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1dc693df-5771-4dd4-b26c-4e80aa5514fb

📥 Commits

Reviewing files that changed from the base of the PR and between 7e52557 and 81d8565.

📒 Files selected for processing (3)
  • src/systemInfo.ts
  • test/e2e/cypress/e2e/unit/core.cy.js
  • test/e2e/cypress/e2e/unit/hash-serialization.cy.js

Comment thread src/systemInfo.ts Outdated
@IntegerAlex IntegerAlex force-pushed the feat/bot-detection-anomalies branch from 81d8565 to bacc322 Compare June 25, 2026 09:25
Repository owner deleted a comment from netlify Bot Jun 25, 2026
Repository owner deleted a comment from netlify Bot Jun 25, 2026
Repository owner deleted a comment from coderabbitai Bot Jun 25, 2026
@IntegerAlex

Copy link
Copy Markdown
Owner Author

@macroscope-app review

@macroscopeapp

macroscopeapp Bot commented Jun 25, 2026

Copy link
Copy Markdown

Manual reviews triggered for commit bacc322:

All prior checks · these links stay valid even if you push more commits.

@macroscopeapp

macroscopeapp Bot commented Jun 25, 2026

Copy link
Copy Markdown

Review started! I'm analyzing the changes now. Results will be posted as check runs and any findings will appear as review comments.

@macroscopeapp

macroscopeapp Bot commented Jun 25, 2026

Copy link
Copy Markdown

Approvability

Verdict: Would Approve

This PR adds new bot detection signals (pointer/hover mismatch, headless resolution) to an existing detection function. The changes are self-contained with test coverage, and the unresolved review comments are minor test improvement suggestions rather than substantive bugs.

Macroscope would have approved this PR. Enable approvability here.

Repository owner deleted a comment from coderabbitai Bot Jun 25, 2026
Repository owner deleted a comment from coderabbitai Bot Jun 25, 2026
@IntegerAlex

Copy link
Copy Markdown
Owner Author

Hi @unxpndnd1234,

Thanks again for the excellent report.

I've implemented and committed several improvements to address these headless and automation anomalies:

  • Detect inconsistencies between desktop platforms and the absence of pointer/hover capabilities.
  • Flag default headless viewport sizes (e.g., 800×600) on desktop user agents.

These additions should now correctly identify this automated profile in our bot detection engine and address the issues reported in #98.

That said, browser fingerprinting can never provide 100% protection. Since the client environment is fully controlled by the visitor, advanced actors can spoof JS APIs, modify runtime properties, or patch prototypes to bypass client-side checks.

The changes have been pushed and will be included in the next release. Closes #98.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant