feat(security): add altcha proof-of-work CAPTCHA to all sensitive forms

Integrate go-altcha to protect login, change password, lost password, and reset password forms against automated submissions. Serves the altcha widget JS from the embedded library, exposes a challenge endpoint, validates responses server-side with replay prevention, and updates the CSP to allow self-hosted scripts and WebAssembly. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-06 15:24:59 +07:00 · 2026-03-06 15:24:59 +07:00 · 28f55960de
commit 28f55960de
parent 7b0f3bc61d
14 changed files with 70 additions and 1 deletions
--- a/lost.go
+++ b/lost.go
@ -107,6 +107,11 @@ func lostPassword(w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	if !validateAltcha(r) {
+		displayTmplError(w, http.StatusForbidden, "lost.html", map[string]interface{}{"error": "Invalid or missing altcha response. Please try again."})
+		return
+	}
+
 	// Connect to the LDAP server
 	conn, err := myLDAP.Connect()
 	if err != nil || conn == nil {