🎩 You're Invited:Meet the Socket team at Black Hat in Las Vegas, August 3-6.RSVP
Sign In

bbas-devicer

Package Overview
Dependencies
Maintainers
1
Versions
4
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

bbas-devicer

Bot Blocking & Anti-Scrape Middleware for the FP-Devicer Intelligence Suite

latest
npmnpm
Version
0.2.1
Version published
Weekly downloads
7
-41.67%
Maintainers
1
Weekly downloads
 
Created
Source

bbas-devicer

Bot Blocking & Anti-Scrape Middleware for the FP-Devicer Intelligence Suite.
Developed by Gateway Corporate Solutions.

Overview

bbas-devicer enriches every DeviceManager.identify() call with a bot score and action decision — classifying each request as a real browser, a headless browser, a scraper, or a known crawler, and emitting an allow / challenge / block decision based on a configurable rule engine.

What it does

StepDescription
UA analysisClassifies the User-Agent string against 38 known patterns: headless browsers, scrapers, HTTP clients, and legitimate crawlers.
Header analysisChecks for missing required browser headers (accept, accept-language, accept-encoding), scraper debug headers, absent sec-fetch-* headers, and suspicious header ordering.
VelocityComputes a sliding-window request rate and flags devices that exceed the configured threshold.
Cross-plugin enrichmentOn Pro/Enterprise, reads ip-devicer (Tor, VPN, proxy, hosting, AI agent) and tls-devicer / peer-devicer signals to augment the score.
ScoringProduces a composite bot score (0–100) from up to 13 named factors.
Rule engineEvaluates a priority-sorted rule list; first match wins. Ships with sensible defaults and supports fully custom rules.

Installation

Install bbas-devicer as a standalone package:

npm install bbas-devicer

Install bbas-devicer with FP-Devicer:

npm install devicer.js bbas-devicer

Install the full Devicer Intelligence Suite meta-package:

npm install @gatewaycorporate/devicer-intel

Optional peer dependencies (install the ones matching your storage choice):

npm install better-sqlite3   # SQLite adapter
npm install ioredis           # Redis adapter
npm install pg                # PostgreSQL adapter

Quick start

import { DeviceManager }  from 'devicer.js';
import { IpManager }      from 'ip-devicer';
import { TlsManager }     from 'tls-devicer';
import {
  BbasManager,
  createBbasMiddleware,
} from 'bbas-devicer';

// ── Initialise plugins ──────────────────────────────────────
const deviceManager = new DeviceManager({ /* … */ });

const ipManager   = new IpManager({ licenseKey: process.env.DEVICER_LICENSE_KEY });
const tlsManager  = new TlsManager({ licenseKey: process.env.DEVICER_LICENSE_KEY });
const bbasManager = new BbasManager({ licenseKey: process.env.DEVICER_LICENSE_KEY });

// Register ip-devicer and tls-devicer FIRST so their enrichmentInfo
// is available when bbas-devicer runs (post-processor ordering matters).
ipManager.registerWith(deviceManager);
tlsManager.registerWith(deviceManager);
bbasManager.registerWith(deviceManager);   // ← bbas runs last

await Promise.all([
  ipManager.init(),
  tlsManager.init(),
  bbasManager.init(),
]);

// ── Express middleware ──────────────────────────────────────
app.use(createBbasMiddleware(bbasManager, { mode: 'observe' }));

// ── In your route handler ────────────────────────────────────
app.post('/identify', async (req, res) => {
  const result = await deviceManager.identify(req.body, req.bbasContext);
  // result.bbasEnrichment  — full enrichment payload
  // result.bbasDecision    — 'allow' | 'challenge' | 'block'
  res.json(result);
});

Storage adapters

AdapterImportUse case
In-memory (default)built-inDev / testing / single-process
SQLitecreateSqliteBbasStorageSingle-process production
PostgreSQLcreatePostgresBbasStorageMulti-process / HA
RediscreateRedisBbasStorageDistributed / low-latency
import { createSqliteBbasStorage } from 'bbas-devicer';

const bbasManager = new BbasManager({
  licenseKey: process.env.DEVICER_LICENSE_KEY,
  storage: createSqliteBbasStorage('/data/bbas.db'),
});

Scoring factors

The bot score is an additive sum capped at 100:

FactorPointsTier
headless_browser45Free
known_scraper_ua40Free
missing_browser_headers30Free
velocity_exceeded25Free
suspicious_header_order15Free
known_crawler5Free
tor_exit_node40Pro+
tls_mismatch25Pro+
vpn_proxy20Pro+
hosting_ip15Pro+
ai_agent15Pro+
high_peer_taint15Pro+
rdap_suspect10Pro+

Default rules

Rules are evaluated in ascending priority order; first match wins.

Rule namePriorityConditionAction
tor_block100isTor === trueblock
headless_block200headless_browser factor presentblock
velocity_block300velocity_exceeded factor presentblock
scraper_ua_challenge400known_scraper_ua factor presentchallenge
high_score_block500botScore >= 75block
mid_score_challenge600botScore >= 50challenge

Custom rules with priority < 100 run before all defaults.

import { BbasManager, mergeRules, DEFAULT_RULES } from 'bbas-devicer';

const bbasManager = new BbasManager({
  rules: mergeRules(
    [
      {
        name: 'block_my_bad_asn',
        priority: 50,
        condition: (e) => e.crossPluginSignals?.rdapAsnOrg?.includes('BadASN') ?? false,
        action: 'block',
      },
    ],
    DEFAULT_RULES,
  ),
});

Plugin pipeline

bbas-devicer registers as a DeviceManager post-processor named 'bbas'. It should run after ip-devicer, tls-devicer, and peer-devicer so it can read their cached enrichment data for the cross-plugin scoring factors:

identify(payload, context)
   │
  ├─ network bundle reference
  │  ├─ 'ip'   post-processor  (ip-devicer)
  │  │      └─> enrichmentInfo.details.ip.isTor / isVpn / riskScore / …
  │  └─ 'tls'  post-processor  (tls-devicer)
  │         └─> enrichmentInfo.details.tls.consistencyScore / factors
   │
   ├─ 'peer' post-processor  (peer-devicer)
   │      └─> enrichmentInfo.details.peer.taintScore
   │
   └─ 'bbas' post-processor  (bbas-devicer)  ← register last
          ├─ analyzes UA, headers, velocity
          ├─ reads cross-plugin signals (Pro+)
          ├─ computes bot score + runs rule engine
          └─> result.bbasEnrichment + result.bbasDecision

Enrichment result shape

{
  bbasDecision: 'allow' | 'challenge' | 'block',

  bbasEnrichment: {
    botScore:        number;     // 0–100, higher = more likely a bot
    botFactors:      string[];   // fired factor keys
    decision:        BotDecision;
    uaClassification: {
      isBot:      boolean;
      isHeadless: boolean;
      isCrawler:  boolean;
      botKind?:   'headless' | 'scraper' | 'http-client' | 'crawler';
      uaString:   string;
    };
    headerAnomalies: {
      missingBrowserHeaders: boolean;
      suspiciousHeaderOrder: boolean;
      anomalyFactors:        string[];
    };
    velocitySignals: {
      requestCount:      number;
      windowMs:          number;
      requestsPerMinute: number;
      exceedsThreshold:  boolean;
    };
    crossPluginSignals?: {          // Pro/Enterprise only
      isTor?:               boolean;
      isVpn?:               boolean;
      isProxy?:             boolean;
      isHosting?:           boolean;
      isAiAgent?:           boolean;
      aiAgentProvider?:     string;
      tlsConsistencyScore?: number;
      peerTaintScore?:      number;
      rdapAsnOrg?:          string;
    };
    consistencyScore: number;       // 0–100
  },
}

Middleware options

createBbasMiddleware(manager, {
  mode: 'observe' | 'block',  // default: 'observe'
})

In 'observe' mode the middleware only attaches req.bbasContext and defers the decision to after identify(). In 'block' mode the same context is attached — the actual block/challenge response is applied at the application layer using result.bbasDecision.

License tiers

TierPriceDevicesScoring factors
Free$010,000UA, headers, velocity
Pro$49 / moUnlimitedAll 13 factors incl. cross-plugin
Enterprise$299 / moUnlimitedAll 13 factors incl. cross-plugin

You can obtain a license key through polar.sh here.

Without a key the library runs on the free tier automatically and logs a warning at startup.

API reference

This project uses TypeDoc and publishes documentation at gatewaycorporate.github.io/bbas-devicer.

License

Business Source License 1.1 — see license.txt.

Keywords

bot-detection

FAQs

Package last updated on 05 Apr 2026

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts