feat(security): add altcha proof-of-work CAPTCHA to all sensitive forms
Integrate go-altcha to protect login, change password, lost password, and reset password forms against automated submissions. Serves the altcha widget JS from the embedded library, exposes a challenge endpoint, validates responses server-side with replay prevention, and updates the CSP to allow self-hosted scripts and WebAssembly. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
7b0f3bc61d
commit
1e1888625d
14 changed files with 70 additions and 1 deletions
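--- a/altcha.go
+++ b/altcha.go
@@ -0,0 +1,27 @@
+package main
+
+import (
+"net/http"
+
+goaltcha "github.com/k42-software/go-altcha"
+altchahttp "github.com/k42-software/go-altcha/http"
+)
+
+func serveAltchaJS(w http.ResponseWriter, r *http.Request) {
+altchahttp.ServeJavascript(w, r)
+}
+
+func serveAltchaChallenge(w http.ResponseWriter, r *http.Request) {
+challenge := goaltcha.NewChallenge()
+w.Header().Set("Content-Type", "application/json")
+w.Header().Set("Cache-Control", "private, no-cache, no-store, must-revalidate")
+_, _ = w.Write([]byte(challenge.Encode()))
+}
+
+func validateAltcha(r *http.Request) bool {
+encoded := r.PostFormValue("altcha")
+if encoded == "" {
+return false
+}
+return goaltcha.ValidateResponse(encoded, true)
+}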
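Review bot: The bare `true` in `return goaltcha.ValidateResponse(encoded, true)` is an unexplained boolean on the security-critical path; the commit message says replay prevention but the code does not, so add a comment naming what it turns on, e.g. `// second arg enables replay protection: each solved challenge is accepted once`. If that replay tracking lives in process memory (I cannot tell from this file), a restart or a multi-instance deployment weakens the guarantee, which deserves a sentence in the same comment. None of `serveAltchaJS`, `serveAltchaChallenge` or `validateAltcha` has a doc comment; one line each, such as `// validateAltcha reports whether the request's "altcha" form field carries a valid, not-yet-used solution.`, would help the next maintainer. `serveAltchaChallenge` also answers any HTTP method; `if r.Method != http.MethodGet { http.Error(w, "method not allowed", http.StatusMethodNotAllowed); return }` at the top would keep the challenge endpoint read-only.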