feat(security): add altcha proof-of-work CAPTCHA to all sensitive forms

Integrate go-altcha to protect login, change password, lost password, and reset password forms against automated submissions. Serves the altcha widget JS from the embedded library, exposes a challenge endpoint, validates responses server-side with replay prevention, and updates the CSP to allow self-hosted scripts and WebAssembly. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-06 15:24:59 +07:00 · 2026-03-06 15:24:59 +07:00 · 28f55960de
commit 28f55960de
parent 7b0f3bc61d
14 changed files with 70 additions and 1 deletions
--- a/static/lost.html
+++ b/static/lost.html
@ -7,6 +7,9 @@
    <div class="form-group">
      <input name="login" required="" class="form-control" id="input_0" type="text" placeholder="Login" autofocus>
    </div>
+    <div class="form-group">
+      <altcha-widget challengeurl="altcha-challenge"></altcha-widget>
+    </div>
    <button class="btn btn-primary" type="submit">Reset my password</button>
    <a href="/change" class="btn btn-outline-success">Just want to change your password?</a>
  </form>