feat: Add comprehensive anti-spam and anti-bot protection system

Implement a multi-layered security system to protect WeWrite from spam,
bots, and abuse while minimizing friction for legitimate users.

Core Services:
- RiskScoringService: Central risk assessment engine that combines
  multiple signals (bot detection, IP reputation, account trust,
  behavioral analysis, velocity tracking) to calculate risk scores 0-100
- AccountSecurityService: Manages account trust levels, security events,
  and trust score calculations based on account age, verification status,
  and activity patterns
- ContentSpamDetectionService: Analyzes content for spam patterns using
  pattern matching and heuristics (link density, keyword stuffing, etc.)
- IPReputationService: Tracks IP reputation with geo-location awareness
  and VPN/proxy detection signals
- TurnstileVerificationService: Integrates Cloudflare Turnstile for
  CAPTCHA challenges (supports both visible and invisible modes)

Risk Level Thresholds:
- 0-30: ALLOW - No challenge required
- 31-60: SOFT CHALLENGE - Invisible Turnstile challenge
- 61-85: HARD CHALLENGE - Visible Turnstile challenge
- 86-100: BLOCK - Action blocked, logged for review

Rate Limiter Enhancements:
- Add Redis store support (Upstash) for distributed rate limiting
- Add tiered page creation limits based on account trust level
- Add reply rate limiting
- Add account creation rate limiting per IP

Admin Dashboard:
- Add RiskAssessmentSection component for user risk analysis
- Add RiskScoreBadge component for visual risk indicators
- Integrate risk assessment into user details drawer

API:
- Add /api/risk-assessment endpoint for risk evaluation

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: sirjamesgray

app/admin/users/page.tsx

@@ -40,6 +40,7 @@ import { UserDetailsDrawer } from "../../components/admin/UserDetailsDrawer";
 import { DndProvider, useDrag, useDrop } from 'react-dnd';
 import { HTML5Backend } from 'react-dnd-html5-backend';
 import SimpleSparkline from "../../components/utils/SimpleSparkline";
+import { RiskScoreBadge } from "../../components/admin/RiskScoreBadge";
 
 type FinancialInfo = {
   hasSubscription: boolean;
@@ -72,8 +73,65 @@ type User = {
   referralSource?: string;
   pwaInstalled?: boolean;
   notificationSparkline?: number[];
+  riskScore?: number; // Calculated risk score (0-100)
 };
 
+/**
+ * Calculate a simple risk score based on available user data.
+ * This is a client-side approximation for display purposes.
+ * Full risk assessment uses the server-side RiskScoringService.
+ */
+function calculateClientRiskScore(user: User): number {
+  let score = 50; // Start at medium risk
+
+  // Account age reduces risk (max -30 points)
+  if (user.createdAt) {
+    const createdDate = user.createdAt?.toDate?.() || new Date(user.createdAt);
+    const ageInDays = Math.floor((Date.now() - createdDate.getTime()) / (1000 * 60 * 60 * 24));
+    if (ageInDays > 90) score -= 30;
+    else if (ageInDays > 30) score -= 20;
+    else if (ageInDays > 7) score -= 10;
+    else score += 10; // New accounts are higher risk
+  } else {
+    score += 10; // Unknown creation date
+  }
+
+  // Email verification reduces risk (-15 points)
+  if (user.emailVerified) {
+    score -= 15;
+  } else {
+    score += 5;
+  }
+
+  // Content creation shows engagement (-15 points max)
+  if (user.totalPages !== undefined) {
+    if (user.totalPages > 50) score -= 15;
+    else if (user.totalPages > 10) score -= 10;
+    else if (user.totalPages > 0) score -= 5;
+    else score += 5; // No content yet
+  }
+
+  // Subscription shows commitment (-10 points)
+  if (user.financial?.hasSubscription) {
+    score -= 10;
+  }
+
+  // Admin users are trusted (-20 points)
+  if (user.isAdmin) {
+    score -= 20;
+  }
+
+  // Recent login shows activity (-5 points)
+  if (user.lastLogin) {
+    const lastDate = user.lastLogin?.toDate?.() || new Date(user.lastLogin);
+    const daysSinceLogin = Math.floor((Date.now() - lastDate.getTime()) / (1000 * 60 * 60 * 24));
+    if (daysSinceLogin < 7) score -= 5;
+  }
+
+  // Clamp to 0-100
+  return Math.max(0, Math.min(100, score));
+}
+
 type Column = {
   id: string;
   label: string;
@@ -480,6 +538,19 @@ export default function AdminUsersPage({ drawerSubPath }: AdminUsersPageProps =
         )
       )
     },
+    {
+      id: "riskScore",
+      label: "Risk",
+      sortable: true,
+      minWidth: 80,
+      render: (u) => (
+        <RiskScoreBadge
+          score={u.riskScore ?? calculateClientRiskScore(u)}
+          size="sm"
+          showTooltip={true}
+        />
+      )
+    },
     {
       id: "referredBy",
       label: "Referred by",
@@ -697,6 +768,8 @@ export default function AdminUsersPage({ drawerSubPath }: AdminUsersPageProps =
         return u.emailVerified ? 1 : 0;
       case "admin":
         return u.isAdmin ? 1 : 0;
+      case "riskScore":
+        return u.riskScore ?? calculateClientRiskScore(u);
       case "referredBy":
         return u.referredBy ? 1 : 0;
       case "payouts":

app/api/risk-assessment/route.ts

@@ -0,0 +1,220 @@
+/**
+ * Risk Assessment API
+ *
+ * Provides risk scoring for actions to determine if challenges are needed.
+ *
+ * Endpoints:
+ * - POST /api/risk-assessment - Full risk assessment for an action
+ * - GET /api/risk-assessment?userId=xxx - Get user's risk level (admin only)
+ *
+ * @see app/services/RiskScoringService.ts
+ * @see docs/security/ANTI_SPAM_SYSTEM.md
+ */
+
+import { NextRequest, NextResponse } from 'next/server';
+import {
+  RiskScoringService,
+  type ActionType,
+  type RiskAssessmentInput
+} from '../../services/RiskScoringService';
+import { getUserIdFromRequest, createErrorResponse } from '../auth-helper';
+import { getFirebaseAdmin } from '../../firebase/admin';
+import { getCollectionName } from '../../utils/environmentConfig';
+
+/**
+ * POST /api/risk-assessment
+ *
+ * Perform a risk assessment for an action.
+ * Used by client before sensitive actions to determine if challenge needed.
+ *
+ * Body:
+ * {
+ *   action: ActionType,
+ *   sessionData?: { duration: number, interactions: number, pageViews: number },
+ *   contentLength?: number,
+ *   hasLinks?: boolean,
+ *   linkCount?: number,
+ *   fingerprint?: object
+ * }
+ *
+ * Response:
+ * {
+ *   success: true,
+ *   data: {
+ *     score: number,
+ *     level: 'allow' | 'soft_challenge' | 'hard_challenge' | 'block',
+ *     recommendation: string,
+ *     reasons: string[],
+ *     shouldChallenge: boolean,
+ *     challengeType?: 'invisible' | 'visible'
+ *   }
+ * }
+ */
+export async function POST(request: NextRequest) {
+  try {
+    // Get client IP
+    const ip = request.headers.get('x-forwarded-for')?.split(',')[0]?.trim()
+      || request.headers.get('x-real-ip')
+      || 'unknown';
+
+    // Get user agent
+    const userAgent = request.headers.get('user-agent') || '';
+
+    // Get authenticated user (optional)
+    const userId = await getUserIdFromRequest(request);
+
+    // Parse request body
+    let body: Partial<RiskAssessmentInput>;
+    try {
+      body = await request.json();
+    } catch {
+      return createErrorResponse('BAD_REQUEST', 'Invalid JSON body');
+    }
+
+    // Validate action type
+    const validActions: ActionType[] = [
+      'login', 'register', 'create_page', 'edit_page',
+      'create_reply', 'send_message', 'password_reset',
+      'email_change', 'account_delete'
+    ];
+
+    if (!body.action || !validActions.includes(body.action)) {
+      return createErrorResponse('BAD_REQUEST', `Invalid action. Must be one of: ${validActions.join(', ')}`);
+    }
+
+    // Build assessment input
+    const input: RiskAssessmentInput = {
+      action: body.action,
+      userId: userId || undefined,
+      ip,
+      userAgent,
+      fingerprint: body.fingerprint,
+      sessionData: body.sessionData,
+      contentLength: body.contentLength,
+      hasLinks: body.hasLinks,
+      linkCount: body.linkCount
+    };
+
+    // Perform risk assessment
+    const assessment = await RiskScoringService.assessRisk(input);
+
+    // Determine if challenge is needed
+    const shouldChallenge = assessment.level === 'soft_challenge' || assessment.level === 'hard_challenge';
+    const challengeType = assessment.level === 'soft_challenge' ? 'invisible' : assessment.level === 'hard_challenge' ? 'visible' : undefined;
+
+    return NextResponse.json({
+      success: true,
+      timestamp: new Date().toISOString(),
+      data: {
+        score: assessment.score,
+        level: assessment.level,
+        recommendation: assessment.recommendation,
+        reasons: assessment.reasons,
+        shouldChallenge,
+        challengeType,
+        // Don't expose full factors to client for security
+        factors: {
+          botDetection: { score: assessment.factors.botDetection.score },
+          accountTrust: { trustLevel: assessment.factors.accountTrust.trustLevel },
+          velocity: { exceededLimit: assessment.factors.velocity.exceededLimit }
+        }
+      }
+    });
+  } catch (error) {
+    console.error('[risk-assessment] Error:', error);
+    return createErrorResponse('INTERNAL_ERROR', 'Failed to assess risk');
+  }
+}
+
+/**
+ * GET /api/risk-assessment?userId=xxx
+ *
+ * Get risk level for a specific user.
+ * Admin only - used in admin dashboard.
+ *
+ * Query params:
+ * - userId: The user to get risk level for
+ *
+ * Response:
+ * {
+ *   success: true,
+ *   data: {
+ *     score: number,
+ *     level: string,
+ *     factors: RiskFactors,
+ *     lastAssessment?: Date,
+ *     history?: Array<{ timestamp, action, score, level, reasons }>
+ *   }
+ * }
+ */
+export async function GET(request: NextRequest) {
+  try {
+    // Require authentication
+    const adminUserId = await getUserIdFromRequest(request);
+    if (!adminUserId) {
+      return createErrorResponse('UNAUTHORIZED', 'Authentication required');
+    }
+
+    // Check admin permissions
+    const isAdmin = await checkIsAdmin(adminUserId);
+    if (!isAdmin) {
+      return createErrorResponse('FORBIDDEN', 'Admin access required');
+    }
+
+    // Get userId from query params
+    const { searchParams } = new URL(request.url);
+    const userId = searchParams.get('userId');
+
+    if (!userId) {
+      return createErrorResponse('BAD_REQUEST', 'userId query parameter required');
+    }
+
+    // Get user risk level
+    const riskLevel = await RiskScoringService.getUserRiskLevel(userId);
+
+    // Optionally get history
+    const includeHistory = searchParams.get('history') === 'true';
+    let history;
+    if (includeHistory) {
+      history = await RiskScoringService.getUserRiskHistory(userId, 10);
+    }
+
+    return NextResponse.json({
+      success: true,
+      timestamp: new Date().toISOString(),
+      data: {
+        userId,
+        score: riskLevel.score,
+        level: riskLevel.level,
+        factors: riskLevel.factors,
+        lastAssessment: riskLevel.lastAssessment?.toISOString(),
+        ...(history && { history })
+      }
+    });
+  } catch (error) {
+    console.error('[risk-assessment] GET Error:', error);
+    return createErrorResponse('INTERNAL_ERROR', 'Failed to get risk level');
+  }
+}
+
+/**
+ * Check if a user has admin permissions
+ */
+async function checkIsAdmin(userId: string): Promise<boolean> {
+  try {
+    const admin = getFirebaseAdmin();
+    if (!admin) {
+      // In development, check for dev admin
+      return userId === 'mP9yRa3nO6gS8wD4xE2hF5jK7m9N' || userId === 'dev_admin_user';
+    }
+
+    const db = admin.firestore();
+    const userDoc = await db.collection(getCollectionName('users')).doc(userId).get();
+    const userData = userDoc.data();
+
+    return userData?.role === 'admin' || userData?.isAdmin === true;
+  } catch (error) {
+    console.error('[risk-assessment] Error checking admin:', error);
+    return false;
+  }
+}