| author | Markus Heiser <markus.heiser@darmarit.de> | 2023-05-28 18:58:31 +0200 |
|---|---|---|
| committer | Markus Heiser <markus.heiser@darmarit.de> | 2023-06-01 14:38:53 +0200 |
| commit | b8c7c2c9aa604fd1fb7be5559c9ad025ceb17aa4 (patch) | |
| tree | e91de3d7005d6f55cce0f9b2f4ec69623fc196e7 /searx/botdetection/link_token.py | |
| parent | 52f1452c09ab2ec74aa5898d9ea749f33a71a814 (diff) | |
[mod] botdetection - improve ip_limit and link_token methods
- counting requests in LONG_WINDOW and BURST_WINDOW is not needed when the
request is validated by the link_token method [1]
- renew a ping-key on validation [2], this is needed for infinite scrolling,
where no new token (CSS) is loaded. / this does not fix the BURST_MAX issue in
the vanilla limiter
- normalize the counter names of the ip_limit method to 'ip_limit.*'
- just integrate the ip_limit method straight forward in the limiter plugin /
non intermediate code --> ip_limit now returns None or a werkzeug.Response
object that can be passed by the plugin to the flask application / non
intermediate code that returns a tuple
[1] https://github.com/searxng/searxng/pull/2357#issuecomment-1566113277
[2] https://github.com/searxng/searxng/pull/2357#discussion_r1208542206
[3] https://github.com/searxng/searxng/pull/2357#issuecomment-1566125979
Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
Diffstat (limited to 'searx/botdetection/link_token.py')
| -rw-r--r-- | searx/botdetection/link_token.py | 43 |
1 files changed, 32 insertions, 11 deletions
diff --git a/searx/botdetection/link_token.py b/searx/botdetection/link_token.py index 8ef215f6c..376d06d61 100644 --- a/searx/botdetection/link_token.py +++ b/searx/botdetection/link_token.py @@ -47,15 +47,24 @@ from searx.redislib import secret_hash TOKEN_LIVE_TIME = 600 """Livetime (sec) of limiter's CSS token.""" +PING_LIVE_TIME = 3600 +"""Livetime (sec) of the ping-key from a client (request)""" + PING_KEY = 'SearXNG_limiter.ping' +"""Prefix of all ping-keys generated by :py:obj:`get_ping_key`""" + TOKEN_KEY = 'SearXNG_limiter.token' +"""Key for which the current token is stored in the DB""" logger = logger.getChild('botdetection.link_token') -def is_suspicious(request: flask.Request): +def is_suspicious(request: flask.Request, renew: bool = False): """Checks if there is a valid ping for this request, if not this request is - rated as *suspicious*""" + rated as *suspicious*. If a valid ping exists and argument ``renew`` is + ``True`` the expire time of this ping is reset to :py:obj:`PING_LIVE_TIME`. + + """ redis_client = redisdb.client() if not redis_client: return False @@ -69,12 +78,19 @@ def is_suspicious(request: flask.Request): ) return True - logger.debug("found ping for this request: %s", ping_key) + if renew: + redis_client.set(ping_key, 1, ex=PING_LIVE_TIME) + + logger.debug("found ping for client request: %s", ping_key) return False def ping(request: flask.Request, token: str): - """This function is called by a request to URL ``/client<token>.css``""" + """This function is called by a request to URL ``/client<token>.css``. If + ``token`` is valid a :py:obj:`PING_KEY` for the client is stored in the DB. + The expire time of this ping-key is :py:obj:`PING_LIVE_TIME`. + + """ redis_client = redisdb.client() if not redis_client: return 
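Review bot: The rewritten docstring of `is_suspicious` explains the ping lookup and the new `renew` argument, but not the fail-open path in the context lines directly below it. When `redisdb.client()` yields no client the function returns `False`, so the request is rated not suspicious. I would add a sentence such as `If no Redis client is available, no request is rated suspicious.` so operators know the check is inactive without the DB. The function body continues outside this hunk.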
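Review bot: The `renew` branch uses `redis_client.set(ping_key, 1, ex=PING_LIVE_TIME)`, which writes the key unconditionally. If the key expires between the existence check (above this hunk, not visible here) and this call, it is recreated without a fresh token validation. `redis_client.expire(ping_key, PING_LIVE_TIME)` only extends a key that still exists and matches the intent more closely. Renewing on every validated request also gives the ping a sliding lifetime with no upper bound; if that is intended for infinite scrolling, state it in the docstring or cap the total age of a ping.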
@@ -82,19 +98,24 @@ def ping(request: flask.Request, token: str): return ping_key = get_ping_key(request) logger.debug("store ping for: %s", ping_key) - redis_client.set(ping_key, 1, ex=TOKEN_LIVE_TIME) + redis_client.set(ping_key, 1, ex=PING_LIVE_TIME) def get_ping_key(request: flask.Request): - """Generates a hashed key that fits (more or less) to a request. At least - X-Forwarded-For_ is needed to be able to assign the request to an IP. + """Generates a hashed key that fits (more or less) to a client (request). + At least X-Forwarded-For_ is needed to be able to assign the request to an + IP. """ - return secret_hash( + return ( PING_KEY - + request.headers.get('X-Forwarded-For', '') - + request.headers.get('Accept-Language', '') - + request.headers.get('User-Agent', '') + + "[" + + secret_hash( + request.headers.get('X-Forwarded-For', '') + + request.headers.get('Accept-Language', '') + + request.headers.get('User-Agent', '') + ) + + "]" ) |
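Review bot: In `get_ping_key` the three header values are still concatenated without a separator before `secret_hash`, so distinct header combinations can produce the same hash input. A missing `X-Forwarded-For` falls back to `''`, so all such clients with equal `Accept-Language` and `User-Agent` share one ping-key, which `ping` now stores for `PING_LIVE_TIME` (3600 s) instead of 600 s. I would join the fields with a separator that cannot appear in a header value, e.g. `"\n".join((xff, accept_language, user_agent))`. The docstring should also say that the key is only as reliable as the reverse proxy that sets `X-Forwarded-For`, since every input is a request header.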