feat(security): add altcha proof-of-work CAPTCHA to all sensitive forms

Integrate go-altcha to protect login, change password, lost password,
and reset password forms against automated submissions. Serves the
altcha widget JS from the embedded library, exposes a challenge
endpoint, validates responses server-side with replay prevention, and
updates the CSP to allow self-hosted scripts and WebAssembly.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
nemunaire 2026-03-06 15:24:59 +07:00
commit 1e1888625d
14 changed files with 70 additions and 1 deletions

@ -15,6 +15,9 @@
<div class="form-group">
<input name="new2password" required="" class="form-control" id="input_3" type="password" placeholder="Retype new password">
</div>
<div class="form-group">
<altcha-widget challengeurl="altcha-challenge"></altcha-widget>
</div>
<button class="btn btn-primary" type="submit">Reset my password</button>
</form>
{{template "footer"}}
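Review bot: `challengeurl="altcha-challenge"` on the added `<altcha-widget>` line is a relative URL, so the browser resolves it against the path of whatever page renders this reset form. If the form is served from a nested path or a URL with a trailing slash, the widget will request the challenge from the wrong location and never produce a solution. Consider emitting a root-anchored or base-path-prefixed URL from the template instead. The new `form-group` also has no `<noscript>` or fallback text, so a user with scripting or WebAssembly disabled sees only the "Reset my password" button with no hint why the submission is rejected; a short message next to the widget would cover that case.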