feat(security): add altcha proof-of-work CAPTCHA to all sensitive forms
Integrate go-altcha to protect login, change password, lost password, and reset password forms against automated submissions. Serves the altcha widget JS from the embedded library, exposes a challenge endpoint, validates responses server-side with replay prevention, and updates the CSP to allow self-hosted scripts and WebAssembly. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
7b0f3bc61d
commit
1e1888625d
14 changed files with 70 additions and 1 deletions
5
login.go
5
login.go
|
|
@ -53,6 +53,11 @@ func tryLogin(w http.ResponseWriter, r *http.Request) {
|
|||
return
|
||||
}
|
||||
|
||||
if !validateAltcha(r) {
|
||||
displayTmplError(w, http.StatusForbidden, "login.html", map[string]interface{}{"error": "Invalid or missing altcha response. Please try again."})
|
||||
return
|
||||
}
|
||||
|
||||
if entries, err := login(r.PostFormValue("login"), r.PostFormValue("password")); err != nil {
|
||||
log.Println(err)
|
||||
displayTmplError(w, http.StatusInternalServerError, "login.html", map[string]interface{}{"error": err.Error()})
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue