chris/beachPartyBalloons
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Harden ALTCHA: raise cost and add expiration

Browse Source 
cost 100 → 50000: was solvable in milliseconds by a bot, now takes
~1-2s in a real browser, making mass automation impractical.

expiresAt 10min: embeds expiry in the HMAC-signed challenge so the
server rejects replayed tokens without needing to store seen challenges.

ALTCHA_HMAC_KEY must be set to a strong secret in production.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
chris 2026-06-13 19:11:19 -04:00
parent 10f9511c76
commit 08ac545567
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
main-site/server.js
View File

@ -106,7 +106,8 @@ apiRouter.get('/altcha', async (req, res) => {
try { try {
const challenge = await createChallenge({ const challenge = await createChallenge({
algorithm: 'SHA-256', algorithm: 'SHA-256',
cost: 100, cost: 50000,
expiresAt: new Date(Date.now() + 10 * 60 * 1000), // 10 minutes
deriveKey: altchaSha.deriveKey, deriveKey: altchaSha.deriveKey,
hmacSignatureSecret: process.env.ALTCHA_HMAC_KEY || 'dev-key-change-in-production', hmacSignatureSecret: process.env.ALTCHA_HMAC_KEY || 'dev-key-change-in-production',
}); });