feat(security): add altcha proof-of-work CAPTCHA to all sensitive forms
Integrate go-altcha to protect login, change password, lost password, and reset password forms against automated submissions. Serves the altcha widget JS from the embedded library, exposes a challenge endpoint, validates responses server-side with replay prevention, and updates the CSP to allow self-hosted scripts and WebAssembly. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
7b0f3bc61d
commit
1e1888625d
14 changed files with 70 additions and 1 deletions
@ -53,6 +53,12 @@ func changePassword(w http.ResponseWriter, r *http.Request) {
|
|||
return
|
||||
}
|
||||
|
||||
if !validateAltcha(r) {
|
||||
csrfToken, _ := setCSRFToken(w)
|
||||
displayTmplError(w, http.StatusForbidden, "change.html", map[string]interface{}{"error": "Invalid or missing altcha response. Please try again.", "csrf_token": csrfToken})
|
||||
return
|
||||
}
|
||||
|
||||
renderError := func(status int, msg string) {
|
||||
csrfToken, _ := setCSRFToken(w)
|
||||
displayTmplError(w, status, "change.html", map[string]interface{}{"error": msg, "csrf_token": csrfToken})
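Review bot: The altcha rejection branch duplicates the body of the `renderError` closure defined a few lines below it (a `setCSRFToken(w)` call followed by `displayTmplError` on "change.html"); moving the check after that closure and writing `renderError(http.StatusForbidden, "Invalid or missing altcha response. Please try again.")` keeps a single error-rendering path in this handler. That also means any later change to how the error page is produced, such as handling the error that `setCSRFToken` currently discards with `_`, lands in one place rather than two. The login, lost-password and reset-password handlers this commit touches presumably received the same block, but those files are not in view. The body of changePassword continues outside the hunk on both sides, so the order of this check relative to the handler's other validation cannot be confirmed here.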
|
||||
|