feat(bot): add pointer mismatch and resolution checks#99
Conversation
|
Warning Review limit reached
More reviews will be available in 25 minutes and 19 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more credits in the billing tab to continue. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits. 🚦 How do rate limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (3)
📝 WalkthroughWalkthroughThis PR adds two desktop-oriented bot-detection signals to ChangesDesktop bot detection
JSON serialization fixture
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Possibly related PRs
Suggested labels
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/systemInfo.ts`:
- Around line 103-109: The desktop detection in isDesktop is too broad because
the navigator.userAgent regex matches Linux and can classify Android devices as
desktop, which then allows the strong:desktop-no-pointer-hover-mismatch signal
to fire on touch phones/tablets. Tighten the user-agent check in
src/systemInfo.ts by excluding Android/mobile UAs from the desktop branch or by
replacing the regex with a more precise desktop-only classifier before the
window.matchMedia checks, so the signal is only added for actual desktop
environments.
In `@test/e2e/cypress/e2e/unit/core.cy.js`:
- Around line 64-65: The Cypress checks in the core suite are bypassing the
readiness gate, so they can race against app initialization; update the affected
`cy.visit('/')` + `cy.window()` flows in the `core.cy.js` test cases to wait for
the existing `fingerprintOSSReady` helper before accessing `win.fingerprintOSS`.
Use the shared readiness mechanism already used elsewhere in the suite so the
assertions run only after the app is fully ready, including the other matching
block in the same file.
In `@test/e2e/cypress/e2e/unit/hash-serialization.cy.js`:
- Around line 26-28: The current hash check in generateJSON only verifies that
the hash key exists, so the test can pass even with an invalid value. Tighten
the assertion in the hash-serialization Cypress test around fp.generateJSON by
validating the hash content itself, not just presence, so serialization
regressions fail fast; use the generated result’s hash property and assert it is
a real non-empty string value.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 1dc693df-5771-4dd4-b26c-4e80aa5514fb
📒 Files selected for processing (3)
src/systemInfo.tstest/e2e/cypress/e2e/unit/core.cy.jstest/e2e/cypress/e2e/unit/hash-serialization.cy.js
81d8565 to
bacc322
Compare
|
@macroscope-app review |
|
Manual reviews triggered for commit All prior checks · these links stay valid even if you push more commits. |
|
Review started! I'm analyzing the changes now. Results will be posted as check runs and any findings will appear as review comments. |
ApprovabilityVerdict: Would Approve This PR adds new bot detection signals (pointer/hover mismatch, headless resolution) to an existing detection function. The changes are self-contained with test coverage, and the unresolved review comments are minor test improvement suggestions rather than substantive bugs. Macroscope would have approved this PR. Enable approvability here. |
|
Hi @unxpndnd1234, Thanks again for the excellent report. I've implemented and committed several improvements to address these headless and automation anomalies:
These additions should now correctly identify this automated profile in our bot detection engine and address the issues reported in #98. That said, browser fingerprinting can never provide 100% protection. Since the client environment is fully controlled by the visitor, advanced actors can spoof JS APIs, modify runtime properties, or patch prototypes to bypass client-side checks. The changes have been pushed and will be included in the next release. Closes #98. |
Add pointer/hover mismatch and headless resolution bot-detection signals to
detectBotdetectBotin systemInfo.ts to classify desktop environments (with a regex fallback if parsing fails).matchMedia; recordsstrong:desktop-no-pointer-hover-mismatchif(hover: none)is true or neither(pointer: fine)nor(pointer: coarse)matches.medium:desktop-default-headless-resolutionif matched.signalsarray,confidencescore, andisBotboolean.fetchGeolocationInfo().Macroscope summarized bacc322.