From 8b1e89cf04abd2ebb193ea1fef8103f2fd7ac7e6 Mon Sep 17 00:00:00 2001
From: chris <chris@chrisedwards.tech>
Date: Sat, 13 Jun 2026 19:23:55 -0400
Subject: [PATCH] Lower ALTCHA cost to 2000
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

50000 was taking >1 minute on some devices. 2000 should be ~1-2s in
most browsers while still being meaningful work for bots. The HMAC
key and expiration are the real security — cost is just friction.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 main-site/server.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main-site/server.js b/main-site/server.js
index 7395380..c2f1612 100644
--- a/main-site/server.js
+++ b/main-site/server.js
@@ -106,7 +106,7 @@ apiRouter.get('/altcha', async (req, res) => {
     try {
         const challenge = await createChallenge({
             algorithm: 'SHA-256',
-            cost: 50000,
+            cost: 2000,
             expiresAt: new Date(Date.now() + 10 * 60 * 1000), // 10 minutes
             deriveKey: altchaSha.deriveKey,
             hmacSignatureSecret: process.env.ALTCHA_HMAC_KEY || 'dev-key-change-in-production',