fix(config): deprecate the report_as field for challenges (#1311)

* fix(config): deprecate the report_as field for challenges This was a bad idea when it was added and it is irresponsible to continue to have it. It causes more UX problems than it fixes with slight of hand. Closes: #1310 Closes: #1307 Signed-off-by: Xe Iaso <me@xeiaso.net> * fix(policy): use the new logger for config validation messages Signed-off-by: Xe Iaso <me@xeiaso.net> * docs(admin/thresholds): remove this report_as setting Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Xe Iaso <me@xeiaso.net>
2025-11-25 23:25:17 -05:00 · 2025-11-25 23:25:17 -05:00 · 4ead3ed16e
commit 4ead3ed16e
parent 1f9c2272e6
21 changed files with 73 additions and 70 deletions
--- a/docs/docs/CHANGELOG.md
+++ b/docs/docs/CHANGELOG.md
@ -25,6 +25,42 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Stabilize the CVE-2025-24369 regression test by always submitting an invalid proof instead of relying on random POW failures.
 - Add Polish locale ([#1292](https://github.com/TecharoHQ/anubis/pull/1309))

+### Deprecate `report_as` in challenge configuration
+
+Previously Anubis let you lie to users about the difficulty of a challenge to interfere with operators of malicious scrapers as a psychological attack:
+
+```yaml
+bots:
+  # Punish any bot with "bot" in the user-agent string
+  # This is known to have a high false-positive rate, use at your own risk
+  - name: generic-bot-catchall
+    user_agent_regex: (?i:bot|crawler)
+    action: CHALLENGE
+    challenge:
+      difficulty: 16 # impossible
+      report_as: 4 # lie to the operator
+      algorithm: slow # intentionally waste CPU cycles and time
+```
+
+This has turned out to be a bad idea because it has caused massive user experience problems and has been removed. If you are using this setting, you will get a warning in your logs like this:
+
+```json
+{
+  "time": "2025-11-25T23:10:31.092201549-05:00",
+  "level": "WARN",
+  "source": {
+    "function": "github.com/TecharoHQ/anubis/lib/policy.ParseConfig",
+    "file": "/home/xe/code/TecharoHQ/anubis/lib/policy/policy.go",
+    "line": 201
+  },
+  "msg": "use of deprecated report_as setting detected, please remove this from your policy file when possible",
+  "at": "config-validate",
+  "name": "mild-suspicion"
+}
+```
+
+To remove this warning, remove this setting from your policy file.
+
 ### Logging customization

 Anubis now supports the ability to log to multiple backends ("sinks"). This allows you to have Anubis [log to a file](./admin/policies.mdx#file-sink) instead of just logging to standard out. You can also customize the [logging level](./admin/policies.mdx#log-levels) in the policy file:
--- a/docs/docs/admin/configuration/challenges/metarefresh.mdx
+++ b/docs/docs/admin/configuration/challenges/metarefresh.mdx
@ -12,7 +12,6 @@ To use it in your Anubis configuration:
  action: CHALLENGE
  challenge:
    difficulty: 1 # Number of seconds to wait before refreshing the page
-    report_as: 4 # Unused by this challenge method
    algorithm: metarefresh # Specify a non-JS challenge method
 ```

--- a/docs/docs/admin/configuration/challenges/preact.mdx
+++ b/docs/docs/admin/configuration/challenges/preact.mdx
@ -12,7 +12,6 @@ To use it in your Anubis configuration:
  action: CHALLENGE
  challenge:
    difficulty: 1 # Number of seconds to wait before refreshing the page
-    report_as: 4 # Unused by this challenge method
    algorithm: preact
 ```

--- a/docs/docs/admin/configuration/thresholds.mdx
+++ b/docs/docs/admin/configuration/thresholds.mdx
@ -41,7 +41,6 @@ thresholds:
    challenge:
      algorithm: metarefresh
      difficulty: 1
-      report_as: 1

  - name: moderate-suspicion
    expression:
@ -52,7 +51,6 @@ thresholds:
    challenge:
      algorithm: fast
      difficulty: 2
-      report_as: 2

  - name: extreme-suspicion
    expression: weight >= 20
@ -60,7 +58,6 @@ thresholds:
    challenge:
      algorithm: fast
      difficulty: 4
-      report_as: 4
 ```

 This defines a suite of 4 thresholds:
@ -130,7 +127,6 @@ action: CHALLENGE
 challenge:
  algorithm: metarefresh
  difficulty: 1
-  report_as: 1
 ```

    </td>
--- a/docs/docs/admin/policies.mdx
+++ b/docs/docs/admin/policies.mdx
@ -84,7 +84,6 @@ This rule has been known to have a high false positive rate in testing. Please u
  action: CHALLENGE
  challenge:
    difficulty: 16 # impossible
-    report_as: 4 # lie to the operator
    algorithm: slow # intentionally waste CPU cycles and time
 ```

@ -93,7 +92,6 @@ Challenges can be configured with these settings:
 | Key          | Example  | Description                                                                                                                                                      |
 | :----------- | :------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | `difficulty` | `4`      | The challenge difficulty (number of leading zeros) for proof-of-work. See [Why does Anubis use Proof-of-Work?](/docs/design/why-proof-of-work) for more details. |
-| `report_as`  | `4`      | What difficulty the UI should report to the user. Useful for messing with industrial-scale scraping efforts.                                                     |
 | `algorithm`  | `"fast"` | The challenge method to use. See [the list of challenge methods](./configuration/challenges/) for more information.                                              |

 ### Remote IP based filtering