feat(security): add altcha proof-of-work CAPTCHA to all sensitive forms
Integrate go-altcha to protect login, change password, lost password, and reset password forms against automated submissions. Serves the altcha widget JS from the embedded library, exposes a challenge endpoint, validates responses server-side with replay prevention, and updates the CSP to allow self-hosted scripts and WebAssembly. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
7b0f3bc61d
commit
1e1888625d
14 changed files with 70 additions and 1 deletions
5
reset.go
5
reset.go
|
|
@ -44,6 +44,11 @@ func resetPassword(w http.ResponseWriter, r *http.Request) {
|
|||
return
|
||||
}
|
||||
|
||||
if !validateAltcha(r) {
|
||||
renderError(http.StatusForbidden, "Invalid or missing altcha response. Please try again.")
|
||||
return
|
||||
}
|
||||
|
||||
// Check the two new passwords are identical
|
||||
if r.PostFormValue("newpassword") != r.PostFormValue("new2password") {
|
||||
renderError(http.StatusNotAcceptable, "New passwords are not identical. Please retry.")
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue