feat(lib): ensure that clients store cookies (#501)

* feat(lib): ensure that clients store cookies

If a client is misconfigured and does not store cookies, then they can
get into a proof of work death spiral with Anubis. This fixes the
problem by setting a test cookie whenever the user gets hit with a
challenge page. If the test cookie is not there at challenge pass time,
then they are blocked. Administrators will also get a log message
explaining that the user intentionally broke cookie support and that this
behavior is not an Anubis bug.

Additionally, this ensures that clients being shown a challenge support
gzip-compressed responses by showing the challenge page at gzip level 1.
This level is intentionally chosen in order to minimize system impacts.

The ClearCookie function is made more generic to account for cookie
names as an argument. A correlating SetCookie function was also added to
make it easier to set cookies.

* chore(lib): clean up test code

Signed-off-by: Xe Iaso <me@xeiaso.net>

---------

Signed-off-by: Xe Iaso <me@xeiaso.net>

lib/http.go

@@ -1,19 +1,34 @@
 package lib
 
 import (
+	"math/rand"
 	"net/http"
 	"slices"
+	"strings"
 	"time"
 
+	"github.com/TecharoHQ/anubis"
 	"github.com/TecharoHQ/anubis/internal"
 	"github.com/TecharoHQ/anubis/lib/policy"
 	"github.com/TecharoHQ/anubis/web"
 	"github.com/a-h/templ"
 )
 
-func (s *Server) ClearCookie(w http.ResponseWriter) {
+func (s *Server) SetCookie(w http.ResponseWriter, name, value, path string) {
 	http.SetCookie(w, &http.Cookie{
-		Name:     s.cookieName,
+		Name:        name,
+		Value:       value,
+		Expires:     time.Now().Add(s.opts.CookieExpiration),
+		SameSite:    http.SameSiteLaxMode,
+		Domain:      s.opts.CookieDomain,
+		Partitioned: s.opts.CookiePartitioned,
+		Path:        path,
+	})
+}
+
+func (s *Server) ClearCookie(w http.ResponseWriter, name string) {
+	http.SetCookie(w, &http.Cookie{
+		Name:     name,
 		Value:    "",
 		Expires:  time.Now().Add(-1 * time.Hour),
 		MaxAge:   -1,
@@ -38,6 +53,10 @@ func (t UnixRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
 	return t.Transport.RoundTrip(req)
 }
 
+func randomChance(n int) bool {
+	return rand.Intn(n) == 0
+}
+
 func (s *Server) RenderIndex(w http.ResponseWriter, r *http.Request, rule *policy.Bot, returnHTTPStatusOnly bool) {
 	if returnHTTPStatusOnly {
 		w.WriteHeader(http.StatusUnauthorized)
@@ -47,6 +66,11 @@ func (s *Server) RenderIndex(w http.ResponseWriter, r *http.Request, rule *polic
 
 	lg := internal.GetRequestLogger(r)
 
+	if !strings.Contains(r.Header.Get("Accept-Encoding"), "gzip") && randomChance(64) {
+		lg.Error("client was given a challenge but does not in fact support gzip compression")
+		s.respondWithError(w, r, "Client Error: Please ensure your browser is up to date and try again later.")
+	}
+
 	challenge := s.challengeFor(r, rule.Challenge.Difficulty)
 
 	var ogTags map[string]string = nil
@@ -58,6 +82,8 @@ func (s *Server) RenderIndex(w http.ResponseWriter, r *http.Request, rule *polic
 		}
 	}
 
+	s.SetCookie(w, anubis.TestCookieName, challenge, "")
+
 	component, err := web.BaseWithChallengeAndOGTags("Making sure you're not a bot!", web.Index(), challenge, rule.Challenge, ogTags)
 	if err != nil {
 		lg.Error("render failed, please open an issue", "err", err) // This is likely a bug in the template. Should never be triggered as CI tests for this.
@@ -65,10 +91,10 @@ func (s *Server) RenderIndex(w http.ResponseWriter, r *http.Request, rule *polic
 		return
 	}
 
-	handler := internal.NoStoreCache(templ.Handler(
+	handler := internal.GzipMiddleware(1, internal.NoStoreCache(templ.Handler(
 		component,
 		templ.WithStatus(s.opts.Policy.StatusCodes.Challenge),
-	))
+	)))
 	handler.ServeHTTP(w, r)
 }