From 08ac545567ec0730e9873798da354bad979d5358 Mon Sep 17 00:00:00 2001
From: chris
Date: Sat, 13 Jun 2026 19:11:19 -0400
Subject: [PATCH] Harden ALTCHA: raise cost and add expiration
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

cost 100 → 50000: was solvable in milliseconds by a bot, now takes ~1-2s in a real browser, making mass automation impractical. expiresAt 10min: embeds expiry in the HMAC-signed challenge so the server rejects replayed tokens without needing to store seen challenges. ALTCHA_HMAC_KEY must be set to a strong secret in production.

Co-Authored-By: Claude Sonnet 4.6
---
 main-site/server.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/main-site/server.js b/main-site/server.js
index 3320ea2..7395380 100644
--- a/main-site/server.js
+++ b/main-site/server.js
@@ -106,7 +106,8 @@ apiRouter.get('/altcha', async (req, res) => {
 try {
 const challenge = await createChallenge({
 algorithm: 'SHA-256',
- cost: 100,
+ cost: 50000,
+ expiresAt: new Date(Date.now() + 10 * 60 * 1000), // 10 minutes
 deriveKey: altchaSha.deriveKey,
 hmacSignatureSecret: process.env.ALTCHA_HMAC_KEY || 'dev-key-change-in-production',
 });
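Review bot: The new `expiresAt` and the raised `cost` are only as strong as the HMAC secret, and the context line directly below them still falls back to the fixed string `'dev-key-change-in-production'` whenever `ALTCHA_HMAC_KEY` is unset, so a deployment that forgets the variable accepts challenges that anyone can sign with an arbitrary cost and expiry, silently undoing both hardening changes. Prefer failing closed: resolve the key once at startup, `const altchaHmacKey = process.env.ALTCHA_HMAC_KEY; if (!altchaHmacKey) throw new Error('ALTCHA_HMAC_KEY must be set');`, and pass `hmacSignatureSecret: altchaHmacKey,` here, keeping the dev default only behind an explicit non-production check if local runs need it. Note also that an expiry bounds the replay window rather than rejecting replays: a solved challenge stays valid for the full 10 minutes unless the verification path records consumed challenges, which this hunk does not show, so the description's "rejects replayed tokens" holds only for tokens older than the window. The `/altcha` handler continues past the end of the hunk.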