chore: release v1.20.0-pre1

Signed-off-by: Xe Iaso <[email protected]>

Author: Xe

VERSION

@@ -1 +1 @@
-1.19.1
+1.20.0-pre1

docs/docs/CHANGELOG.md

@@ -11,25 +11,136 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## v1.20.0: Thancred Waters
+
+The big ticket items are as follows:
+
+- Implement a no-JS challenge method: [`metarefresh`](./admin/configuration/challenges/metarefresh.mdx) ([#95](https://github.com/TecharoHQ/anubis/issues/95))
+- Implement request "weight", allowing administrators to customize the behaviour of Anubis based on specific criteria
+- Implement GeoIP and ASN based checks via [Thoth](https://anubis.techaro.lol/docs/admin/thoth) ([#206](https://github.com/TecharoHQ/anubis/issues/206))
+- Add [custom weight thresholds](./admin/configuration/thresholds.mdx) via CEL ([#688](https://github.com/TecharoHQ/anubis/pull/688))
 - Move Open Graph configuration [to the policy file](./admin/configuration/open-graph.mdx)
-- Enable support for default Open Graph metadata
+- Enable support for Open Graph metadata to be returned by default instead of doing lookups against the target
+- Add `robots2policy` CLI utility to convert robots.txt files to Anubis challenge policies using CEL expressions ([#409](https://github.com/TecharoHQ/anubis/issues/409))
+- Refactor challenge presentation logic to use a challenge registry
+- Allow challenge implementations to register HTTP routes
+
+A lot of performance improvements have been made:
+
+- Replace internal SHA256 hashing with xxhash for 4-6x performance improvement in policy evaluation and cache operations
+- Optimized the OGTags subsystem with reduced allocations and runtime per request by up to 66%
 - Replace cidranger with bart for IP range checking, improving IP matching performance by 3-20x with zero heap
   allocations
+
+And some cleanups/refactors were added:
+
 - Remove the unused `/test-error` endpoint and update the testing endpoint `/make-challenge` to only be enabled in
   development
 - Add `--xff-strip-private` flag/envvar to toggle skipping X-Forwarded-For private addresses or not
-- Requests can have their weight be adjusted, if a request weighs zero or less than it is allowed through
-- Refactor challenge presentation logic to use a challenge registry
-- Allow challenge implementations to register HTTP routes
-- Implement a no-JS challenge method: [`metarefresh`](./admin/configuration/challenges/metarefresh.mdx) ([#95](https://github.com/TecharoHQ/anubis/issues/95))
 - Bump AI-robots.txt to version 1.37
 - Make progress bar styling more compatible (UXP, etc)
-- Optimized the OGTags subsystem with reduced allocations and runtime per request by up to 66%
 - Add `--strip-base-prefix` flag/envvar to strip the base prefix from request paths when forwarding to target servers
-- Add `robots2policy` CLI utility to convert robots.txt files to Anubis challenge policies using CEL expressions ([#409](https://github.com/TecharoHQ/anubis/issues/409))
-- Implement GeoIP and ASN based checks via [Thoth](https://anubis.techaro.lol/docs/admin/thoth) ([#206](https://github.com/TecharoHQ/anubis/issues/206))
-- Replace internal SHA256 hashing with xxhash for 4-6x performance improvement in policy evaluation and cache operations
-- Add [custom weight thresholds](./admin/configuration/thresholds.mdx) via CEL ([#688](https://github.com/TecharoHQ/anubis/pull/688))
+
+Request weight is one of the biggest ticket features in Anubis. This enables Anubis to be much closer to a Web Application Firewall and when combined with custom thresholds allows administrators to have Anubis take advanced reactions. For more information about request weight, see [the request weight section](./admin/policies.mdx#request-weight) of the policy file documentation.
+
+TL;DR when you have one or more WEIGHT rules like this:
+
+```yaml
+bots:
+  - name: gitea-session-token
+    action: WEIGH
+    expression:
+      all:
+        - '"Cookie" in headers'
+        - headers["Cookie"].contains("i_love_gitea=")
+    # Remove 5 weight points
+    weight:
+      adjust: -5
+```
+
+You can configure custom thresholds like this:
+
+```yaml
+thresholds:
+  - name: minimal-suspicion # This client is likely fine, its soul is lighter than a feather
+    expression: weight < 0 # a feather weighs zero units
+    action: ALLOW # Allow the traffic through
+
+  # For clients that had some weight reduced through custom rules, give them a
+  # lightweight challenge.
+  - name: mild-suspicion
+    expression:
+      all:
+        - weight >= 0
+        - weight < 10
+    action: CHALLENGE
+    challenge:
+      # https://anubis.techaro.lol/docs/admin/configuration/challenges/metarefresh
+      algorithm: metarefresh
+      difficulty: 1
+      report_as: 1
+
+  # For clients that are browser-like but have either gained points from custom
+  # rules or report as a standard browser.
+  - name: moderate-suspicion
+    expression:
+      all:
+        - weight >= 10
+        - weight < 20
+    action: CHALLENGE
+    challenge:
+      # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work
+      algorithm: fast
+      difficulty: 2 # two leading zeros, very fast for most clients
+      report_as: 2
+
+  # For clients that are browser like and have gained many points from custom
+  # rules
+  - name: extreme-suspicion
+    expression: weight >= 20
+    action: CHALLENGE
+    challenge:
+      # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work
+      algorithm: fast
+      difficulty: 4
+      report_as: 4
+```
+
+These thresholds apply when no other `ALLOW`, `DENY`, or `CHALLENGE` rule matches the request. `WEIGHT` rules add and remove request weight as needed:
+
+```yaml
+bots:
+  - name: gitea-session-token
+    action: WEIGH
+    expression:
+      all:
+        - '"Cookie" in headers'
+        - headers["Cookie"].contains("i_love_gitea=")
+    # Remove 5 weight points
+    weight:
+      adjust: -5
+
+  - name: bot-like-user-agent
+    action: WEIGH
+    expression: '"Bot" in userAgent'
+    # Add 5 weight points
+    weight:
+      adjust: 5
+```
+
+Of note: the default "generic browser" rule assigns 10 weight points:
+
+```yaml
+# Generic catchall rule
+- name: generic-browser
+  user_agent_regex: >-
+    Mozilla|Opera
+  action: WEIGH
+  weight:
+    adjust: 10
+```
+
+Adjust this as you see fit.
 
 ## v1.19.1: Jenomis cen Lexentale - Echo 1
 

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "@techaro/anubis",
-  "version": "1.19.1",
+  "version": "1.20.0-pre1",
   "description": "",
   "main": "index.js",
   "scripts": {