Integrate go-altcha to protect login, change password, lost password, and reset password forms against automated submissions. Serves the altcha widget JS from the embedded library, exposes a challenge endpoint, validates responses server-side with replay prevention, and updates the CSP to allow self-hosted scripts and WebAssembly. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
package main
import (
"net/http"
goaltcha "github.com/k42-software/go-altcha"
altchahttp "github.com/k42-software/go-altcha/http"
)
// serveAltchaJS is the HTTP handler for the ALTCHA widget script.
//
// It delegates the whole response to the go-altcha http helper, so the widget
// is delivered from this application's own origin instead of a third-party
// host. That is what lets the Content-Security-Policy restrict scripts to
// self-hosted sources.
func serveAltchaJS(w http.ResponseWriter, r *http.Request) {
	altchahttp.ServeJavascript(w, r)
}
// serveAltchaChallenge is the HTTP handler that issues a new ALTCHA challenge
// to the widget as a JSON document.
//
// Each request creates its own challenge, and the Cache-Control header tells
// browsers and intermediaries not to store or reuse the response.
//
// NOTE(review): this handler does not restrict the request method or the call
// rate. It presumably has to be reachable without a session because it backs
// the login form, so confirm that the router or a middleware bounds how often
// a single client can request challenges.
func serveAltchaChallenge(w http.ResponseWriter, r *http.Request) {
	payload := []byte(goaltcha.NewChallenge().Encode())

	hdr := w.Header()
	hdr.Set("Content-Type", "application/json")
	hdr.Set("Cache-Control", "private, no-cache, no-store, must-revalidate")

	// The write result is discarded on purpose: by this point the headers are
	// committed, so a failed write cannot be turned into an error response.
	_, _ = w.Write(payload)
}
// validateAltcha reports whether the submitted form carries a valid ALTCHA
// response in its "altcha" field.
//
// A missing or empty field is rejected without calling the library. Otherwise
// the value is checked by goaltcha.ValidateResponse with its second argument
// set to true, which requests replay prevention so that an already accepted
// response is not honoured twice.
//
// Callers must treat a false result as a failed submission and stop
// processing the form. This function only reports the outcome and writes
// nothing to the response.
//
// NOTE(review): confirm where the library keeps its replay state. If it is
// per-process memory, the guarantee does not extend across several instances
// or a restart.
func validateAltcha(r *http.Request) bool {
	// PostFormValue reads the request body only and ignores the URL query
	// string, so the response cannot be supplied through the query.
	solution := r.PostFormValue("altcha")
	return solution != "" && goaltcha.ValidateResponse(solution, true)
}