[feature] update proof-of-work to allow setting required rounds (#4186)

# Description

This updates our proof-of-work middleware, NoLLaMas, to work on a more easily configurable algorithm (thank you f0x for bringing this to my attention!). Instead of requiring that a solution with pre-determined number of '0' chars be found, it now pre-computes a result with a pre-determined nonce value that it expects the client to iterate up-to. (though with some level of jitter applied, to prevent it being too-easily gamed). This allows the user to configure roughly how many hash-encode rounds they want their clients to have to complete.

## Checklist

- [x] I/we have read the [GoToSocial contribution guidelines](https://codeberg.org/superseriousbusiness/gotosocial/src/branch/main/CONTRIBUTING.md).
- [x] I/we have discussed the proposed changes already, either in an issue on the repository, or in the Matrix chat.
- [x] I/we have not leveraged AI to create the proposed changes.
- [x] I/we have performed a self-review of added code.
- [x] I/we have written code that is legible and maintainable by others.
- [x] I/we have commented the added code, particularly in hard-to-understand areas.
- [x] I/we have made any necessary changes to documentation.
- [ ] I/we have added tests that cover new code.
- [x] I/we have run tests and they pass locally with the changes.
- [x] I/we have run `go fmt ./...` and `golangci-lint run`.

Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4186
Co-authored-by: kim <grufwub@gmail.com>
Co-committed-by: kim <grufwub@gmail.com>

docs/advanced/scraper_deterrence.md

@@ -1,9 +1,9 @@
 # Scraper Deterrence
 
 GoToSocial provides an optional proof-of-work based scraper and automated HTTP client deterrence that can be enabled on profile and status web views. The way
-it works is that it generates a unique but deterministic challenge for each incoming HTTP request based on client information and current time, that-is a hex encoded SHA256 hash, and asks the client to find an addition to a portion of this that will generate a hex encoded SHA256 hash with a pre-determined number of leading '0' characters. This is served to the client as a minimal holding page with a single JavaScript worker that computes a solution to this.
+it works is that it generates a unique but deterministic challenge for each incoming HTTP request based on client information and current time, that-is a hex encoded SHA256 hash. It then asks the client to find an integer addition to a portion of this that will generate an expected encoded hash result. This is served to the client as a minimal holding page with a single JavaScript worker that computes a solution to this.
 
-The number of required leading '0' characters can be configured to your liking, where higher values take longer to solve, and lower values take less. But this is not exact, as the challenges themselves are random, so you can only effect the **average amount of time** it may take. If your challenges take too long to solve, you may deter users from accessing your web pages. And conversely, the longer it takes for a solution to be found, the more you'll be incurring costs for scrapers (and in some cases, causing their operation to time-out). That balance is up to you to configure, hence why this is an advanced feature.
+The number of hash encode rounds the client is required to complete may be configured, where high values will take the client longer to find a solution and vice-versa. We also instill a certain amount of jitter to make it harder for scrapers to "game" the algorithm. If your challenges take too long to solve, you may deter users from accessing your web pages. And conversely, the longer it takes for a solution to be found, the more you'll be incurring costs for scrapers (and in some cases, causing their operation to time-out). That balance is up to you to configure, hence why this is an advanced feature.
 
 Once a solution to this challenge has been provided, by refreshing the page with the solution in the query parameter, GoToSocial will verify this solution and on success will return the expected profile / status page with a cookie that provides challenge-less access to the instance for up-to the next hour.
 

example/config.yaml

@@ -1307,10 +1307,9 @@ advanced-header-filter-mode: ""
 advanced-scraper-deterrence-enabled: false
 
 # Uint. Allows tweaking the difficulty of the proof-of-work algorithm
-# used in the scraper deterrence. This determines how many leading '0'
-# characters are required to be generated in each solution. Higher
-# values will on-average take longer to find solutions for, and the
-# inverse is also true.
+# used in the scraper deterrence. This determines roughly how many hash
+# encode rounds we require the client to complete to find a solution.
+# Higher values will take longer to find solutions for, and vice-versa.
 #
 # The downside is that if your deterrence takes too long to solve,
 # it may deter some users from viewing your web status / profile page.
@@ -1321,6 +1320,6 @@ advanced-scraper-deterrence-enabled: false
 # For more details please check the documentation at:
 # https://docs.gotosocial.org/en/latest/advanced/scraper_deterrence
 #
-# Examples: [3, 4, 5]
-# Default: 4
-advanced-scraper-deterrence-difficulty: 4
+# Examples: [50000, 100000, 500000]
+# Default: 100000
+advanced-scraper-deterrence-difficulty: 100000

go.mod

@@ -15,6 +15,7 @@ require (
 	code.superseriousbusiness.org/exif-terminator v0.11.0
 	code.superseriousbusiness.org/httpsig v1.4.0
 	code.superseriousbusiness.org/oauth2/v4 v4.8.0
+	codeberg.org/gruf/go-bitutil v1.1.0
 	codeberg.org/gruf/go-bytesize v1.0.3
 	codeberg.org/gruf/go-byteutil v1.3.0
 	codeberg.org/gruf/go-cache/v3 v3.6.1

go.sum

@@ -10,6 +10,8 @@ code.superseriousbusiness.org/httpsig v1.4.0 h1:g9+KQMoTG0oR0II5gYb5pVVdNjbc7Cii
 code.superseriousbusiness.org/httpsig v1.4.0/go.mod h1:i2AKpj/WbA/o/UTvia9TAREzt0jP1AH3T1Uxjyhdzlw=
 code.superseriousbusiness.org/oauth2/v4 v4.8.0 h1:4LVXoPJXKgmDfwDegzBQPNpsdleMaL6YmDgFi6UDgEE=
 code.superseriousbusiness.org/oauth2/v4 v4.8.0/go.mod h1:+RLRBXPkjP/VhIC/46dcZkx3t5IvBSJYOjVCPgeWors=
+codeberg.org/gruf/go-bitutil v1.1.0 h1:U1Q+A1mtnPk+npqYrlRBc9ar2C5hYiBd17l1Wrp2Bt8=
+codeberg.org/gruf/go-bitutil v1.1.0/go.mod h1:rGibFevYTQfYKcPv0Df5KpG8n5xC3AfD4d/UgYeoNy0=
 codeberg.org/gruf/go-bytesize v1.0.3 h1:Tz8tCxhPLeyM5VryuBNjUHgKmLj4Bx9RbPaUSA3qg6g=
 codeberg.org/gruf/go-bytesize v1.0.3/go.mod h1:n/GU8HzL9f3UNp/mUKyr1qVmTlj7+xacpp0OHfkvLPs=
 codeberg.org/gruf/go-byteutil v1.3.0 h1:nRqJnCcRQ7xbfU6azw7zOzJrSMDIJHBqX6FL9vEMYmU=

internal/config/config.go

@@ -280,6 +280,6 @@ type ThrottlingConfig struct {
 }
 
 type ScraperDeterrenceConfig struct {
-	Enabled    bool  `name:"enabled"    usage:"Enable proof-of-work based scraper deterrence on profile / status pages"`
-	Difficulty uint8 `name:"difficulty" usage:"The proof-of-work difficulty, which determines how many leading zeros to try solve in hash solutions."`
+	Enabled    bool   `name:"enabled"    usage:"Enable proof-of-work based scraper deterrence on profile / status pages"`
+	Difficulty uint32 `name:"difficulty" usage:"The proof-of-work difficulty, which determines roughly how many hash-encode rounds required of each client."`
 }

internal/config/defaults.go

@@ -149,7 +149,7 @@ var Defaults = Configuration{
 
 		ScraperDeterrence: ScraperDeterrenceConfig{
 			Enabled:    false,
-			Difficulty: 4,
+			Difficulty: 100000,
 		},
 	},
 

internal/config/helpers.gen.go

@@ -144,7 +144,7 @@ func (cfg *Configuration) RegisterFlags(flags *pflag.FlagSet) {
 	flags.Int("advanced-throttling-multiplier", cfg.Advanced.Throttling.Multiplier, "Multiplier to use per cpu for http request throttling. 0 or less turns throttling off.")
 	flags.Duration("advanced-throttling-retry-after", cfg.Advanced.Throttling.RetryAfter, "Retry-After duration response to send for throttled requests.")
 	flags.Bool("advanced-scraper-deterrence-enabled", cfg.Advanced.ScraperDeterrence.Enabled, "Enable proof-of-work based scraper deterrence on profile / status pages")
-	flags.Uint8("advanced-scraper-deterrence-difficulty", cfg.Advanced.ScraperDeterrence.Difficulty, "The proof-of-work difficulty, which determines how many leading zeros to try solve in hash solutions.")
+	flags.Uint32("advanced-scraper-deterrence-difficulty", cfg.Advanced.ScraperDeterrence.Difficulty, "The proof-of-work difficulty, which determines how many leading zeros to try solve in hash solutions.")
 	flags.StringSlice("http-client-allow-ips", cfg.HTTPClient.AllowIPs, "")
 	flags.StringSlice("http-client-block-ips", cfg.HTTPClient.BlockIPs, "")
 	flags.Duration("http-client-timeout", cfg.HTTPClient.Timeout, "")
@@ -1356,9 +1356,9 @@ func (cfg *Configuration) UnmarshalMap(cfgmap map[string]any) error {
 
 	if ival, ok := cfgmap["advanced-scraper-deterrence-difficulty"]; ok {
 		var err error
-		cfg.Advanced.ScraperDeterrence.Difficulty, err = cast.ToUint8E(ival)
+		cfg.Advanced.ScraperDeterrence.Difficulty, err = cast.ToUint32E(ival)
 		if err != nil {
-			return fmt.Errorf("error casting %#v -> uint8 for 'advanced-scraper-deterrence-difficulty': %w", ival, err)
+			return fmt.Errorf("error casting %#v -> uint32 for 'advanced-scraper-deterrence-difficulty': %w", ival, err)
 		}
 	}
 
@@ -4799,7 +4799,7 @@ func AdvancedScraperDeterrenceDifficultyFlag() string {
 }
 
 // GetAdvancedScraperDeterrenceDifficulty safely fetches the Configuration value for state's 'Advanced.ScraperDeterrence.Difficulty' field
-func (st *ConfigState) GetAdvancedScraperDeterrenceDifficulty() (v uint8) {
+func (st *ConfigState) GetAdvancedScraperDeterrenceDifficulty() (v uint32) {
 	st.mutex.RLock()
 	v = st.config.Advanced.ScraperDeterrence.Difficulty
 	st.mutex.RUnlock()
@@ -4807,7 +4807,7 @@ func (st *ConfigState) GetAdvancedScraperDeterrenceDifficulty() (v uint8) {
 }
 
 // SetAdvancedScraperDeterrenceDifficulty safely sets the Configuration value for state's 'Advanced.ScraperDeterrence.Difficulty' field
-func (st *ConfigState) SetAdvancedScraperDeterrenceDifficulty(v uint8) {
+func (st *ConfigState) SetAdvancedScraperDeterrenceDifficulty(v uint32) {
 	st.mutex.Lock()
 	defer st.mutex.Unlock()
 	st.config.Advanced.ScraperDeterrence.Difficulty = v
@@ -4815,12 +4815,12 @@ func (st *ConfigState) SetAdvancedScraperDeterrenceDifficulty(v uint8) {
 }
 
 // GetAdvancedScraperDeterrenceDifficulty safely fetches the value for global configuration 'Advanced.ScraperDeterrence.Difficulty' field
-func GetAdvancedScraperDeterrenceDifficulty() uint8 {
+func GetAdvancedScraperDeterrenceDifficulty() uint32 {
 	return global.GetAdvancedScraperDeterrenceDifficulty()
 }
 
 // SetAdvancedScraperDeterrenceDifficulty safely sets the value for global configuration 'Advanced.ScraperDeterrence.Difficulty' field
-func SetAdvancedScraperDeterrenceDifficulty(v uint8) {
+func SetAdvancedScraperDeterrenceDifficulty(v uint32) {
 	global.SetAdvancedScraperDeterrenceDifficulty(v)
 }
 

internal/middleware/nollamas.go

@@ -26,6 +26,7 @@ import (
 	"hash"
 	"io"
 	"net/http"
+	"strconv"
 	"time"
 
 	apimodel "code.superseriousbusiness.org/gotosocial/internal/api/model"
@@ -35,6 +36,7 @@ import (
 	"code.superseriousbusiness.org/gotosocial/internal/gtserror"
 	"code.superseriousbusiness.org/gotosocial/internal/log"
 	"code.superseriousbusiness.org/gotosocial/internal/oauth"
+	"codeberg.org/gruf/go-bitutil"
 	"codeberg.org/gruf/go-byteutil"
 	"github.com/gin-gonic/gin"
 )
@@ -60,49 +62,79 @@ func NoLLaMas(
 		return func(*gin.Context) {}
 	}
 
-	seed := make([]byte, 32)
+	var seed [32]byte
 
 	// Read random data for the token seed.
-	_, err := io.ReadFull(rand.Reader, seed)
+	_, err := io.ReadFull(rand.Reader, seed[:])
 	if err != nil {
 		panic(err)
 	}
 
 	// Configure nollamas.
 	var nollamas nollamas
-	nollamas.seed = seed
+	nollamas.entropy = seed
 	nollamas.ttl = time.Hour
-	nollamas.diff = config.GetAdvancedScraperDeterrenceDifficulty()
+	nollamas.rounds = config.GetAdvancedScraperDeterrenceDifficulty()
 	nollamas.getInstanceV1 = getInstanceV1
 	nollamas.policy = cookiePolicy
 	return nollamas.Serve
 }
 
+// i.e. hash slice length.
+const hashLen = sha256.Size
+
+// i.e. hex.EncodedLen(hashLen).
+const encodedHashLen = 2 * hashLen
+
 // hashWithBufs encompasses a hash along
 // with the necessary buffers to generate
 // a hashsum and then encode that sum.
 type hashWithBufs struct {
 	hash hash.Hash
-	hbuf []byte
-	ebuf []byte
+	hbuf [hashLen]byte
+	ebuf [encodedHashLen]byte
+}
+
+// write is a passthrough to hash.Hash{}.Write().
+func (h *hashWithBufs) write(b []byte) {
+	_, _ = h.hash.Write(b)
+}
+
+// writeString is a passthrough to hash.Hash{}.Write([]byte(s)).
+func (h *hashWithBufs) writeString(s string) {
+	_, _ = h.hash.Write(byteutil.S2B(s))
+}
+
+// EncodedSum returns the hex encoded sum of hash.Sum().
+func (h *hashWithBufs) EncodedSum() string {
+	_ = h.hash.Sum(h.hbuf[:0])
+	hex.Encode(h.ebuf[:], h.hbuf[:])
+	return string(h.ebuf[:])
+}
+
+// Reset will reset hash and buffers.
+func (h *hashWithBufs) Reset() {
+	h.ebuf = [encodedHashLen]byte{}
+	h.hbuf = [hashLen]byte{}
+	h.hash.Reset()
 }
 
 type nollamas struct {
 	// our instance cookie policy.
 	policy apiutil.CookiePolicy
 
-	// unique token seed
+	// unique entropy
 	// to prevent hashes
 	// being guessable
-	seed []byte
+	entropy [32]byte
 
 	// success cookie TTL
 	ttl time.Duration
 
-	// algorithm difficulty knobs.
-	// diff determines the number
-	// of leading zeroes required.
-	diff uint8
+	// rounds determines roughly how
+	// many hash-encode rounds each
+	// client is required to complete.
+	rounds uint32
 
 	// extra fields required for
 	// our template rendering.
@@ -134,18 +166,8 @@ func (m *nollamas) Serve(c *gin.Context) {
 		return
 	}
 
-	// i.e. outputted hash slice length.
-	const hashLen = sha256.Size
-
-	// i.e. hex.EncodedLen(hashLen).
-	const encodedHashLen = 2 * hashLen
-
-	// Prepare hash + buffers.
-	hash := hashWithBufs{
-		hash: sha256.New(),
-		hbuf: make([]byte, 0, hashLen),
-		ebuf: make([]byte, encodedHashLen),
-	}
+	// Prepare new hash with buffers.
+	hash := hashWithBufs{hash: sha256.New()}
 
 	// Extract client fingerprint data.
 	userAgent := c.GetHeader("User-Agent")
@@ -153,15 +175,7 @@ func (m *nollamas) Serve(c *gin.Context) {
 
 	// Generate a unique token for this request,
 	// only valid for a period of now +- m.ttl.
-	token := m.token(&hash, userAgent, clientIP)
-
-	// For unique challenge string just use a
-	// single portion of their 'success' token.
-	// SHA256 is not yet cracked, this is not an
-	// application of a hash requiring serious
-	// cryptographic security and it rotates on
-	// a TTL basis, so it should be fine.
-	challenge := token[:len(token)/4]
+	token := m.getToken(&hash, userAgent, clientIP)
 
 	// Check for a provided success token.
 	cookie, _ := c.Cookie("gts-nollamas")
@@ -169,8 +183,8 @@ func (m *nollamas) Serve(c *gin.Context) {
 	// Check whether passed cookie
 	// is the expected success token.
 	if subtle.ConstantTimeCompare(
-		byteutil.S2B(token),
 		byteutil.S2B(cookie),
+		byteutil.S2B(token),
 	) == 1 {
 
 		// They passed us a valid, expected
@@ -185,10 +199,15 @@ func (m *nollamas) Serve(c *gin.Context) {
 	// handlers from being called.
 	c.Abort()
 
+	// Generate challenge for this unique (yet deterministic) token,
+	// returning seed, wanted 'challenge' result and expected solution.
+	seed, challenge, solution := m.getChallenge(&hash, token)
+
 	// Prepare new log entry.
 	l := log.WithContext(ctx).
 		WithField("userAgent", userAgent).
-		WithField("challenge", challenge)
+		WithField("seed", seed).
+		WithField("rounds", solution)
 
 	// Extract and parse query.
 	query := c.Request.URL.Query()
@@ -196,32 +215,28 @@ func (m *nollamas) Serve(c *gin.Context) {
 	// Check query to see if an in-progress
 	// challenge solution has been provided.
 	nonce := query.Get("nollamas_solution")
-	if nonce == "" || len(nonce) > 20 {
+	if nonce == "" {
 
-		// noting that here, 20 is
-		// max integer string len.
-		//
-		// An invalid solution string, just
-		// present them with new challenge.
+		// No solution given, likely new client!
+		// Simply present them with challenge.
+		m.renderChallenge(c, seed, challenge)
 		l.Info("posing new challenge")
-		m.renderChallenge(c, challenge)
 		return
 	}
 
-	// Reset the hash.
-	hash.hash.Reset()
+	// Check nonce matches expected.
+	if subtle.ConstantTimeCompare(
+		byteutil.S2B(solution),
+		byteutil.S2B(nonce),
+	) != 1 {
 
-	// Check challenge+nonce as possible solution.
-	if !m.checkChallenge(&hash, challenge, nonce) {
-
-		// They failed challenge,
-		// re-present challenge page.
-		l.Info("invalid solution provided")
-		m.renderChallenge(c, challenge)
+		// Their nonce failed, re-challenge them.
+		m.renderChallenge(c, challenge, solution)
+		l.Infof("invalid solution provided: %s", nonce)
 		return
 	}
 
-	l.Infof("challenge passed: %s", nonce)
+	l.Info("challenge passed")
 
 	// Drop solution query and encode.
 	query.Del("nollamas_solution")
@@ -233,7 +248,7 @@ func (m *nollamas) Serve(c *gin.Context) {
 	c.Redirect(http.StatusTemporaryRedirect, c.Request.URL.RequestURI())
 }
 
-func (m *nollamas) renderChallenge(c *gin.Context, challenge string) {
+func (m *nollamas) renderChallenge(c *gin.Context, seed, challenge string) {
 	// Fetch current instance information for templating vars.
 	instance, errWithCode := m.getInstanceV1(c.Request.Context())
 	if errWithCode != nil {
@@ -252,8 +267,8 @@ func (m *nollamas) renderChallenge(c *gin.Context, challenge string) {
 			"/assets/Fork-Awesome/css/fork-awesome.min.css",
 		},
 		Extra: map[string]any{
-			"challenge":  challenge,
-			"difficulty": m.diff,
+			"seed":      seed,
+			"challenge": challenge,
 		},
 		Javascript: []apiutil.JavascriptEntry{
 			{
@@ -264,23 +279,25 @@ func (m *nollamas) renderChallenge(c *gin.Context, challenge string) {
 	})
 }
 
-func (m *nollamas) token(hash *hashWithBufs, userAgent, clientIP string) string {
-	// Use our unique seed to seed hash,
+// getToken generates a unique yet deterministic token for given HTTP request
+// details, seeded by runtime generated entropy data and ttl rounded timestamp.
+func (m *nollamas) getToken(hash *hashWithBufs, userAgent, clientIP string) string {
+
+	// Reset before
+	// using hash.
+	hash.Reset()
+
+	// Use our unique entropy to seed hash,
 	// to ensure we have cryptographically
 	// unique, yet deterministic, tokens
 	// generated for a given http client.
-	hash.hash.Write(m.seed)
-
-	// Include difficulty level in
-	// hash input data so if config
-	// changes then token invalidates.
-	hash.hash.Write([]byte{m.diff})
+	hash.write(m.entropy[:])
 
 	// Also seed the generated input with
 	// current time rounded to TTL, so our
 	// single comparison handles expiries.
 	now := time.Now().Round(m.ttl).Unix()
-	hash.hash.Write([]byte{
+	hash.write([]byte{
 		byte(now >> 56),
 		byte(now >> 48),
 		byte(now >> 40),
@@ -291,37 +308,78 @@ func (m *nollamas) token(hash *hashWithBufs, userAgent, clientIP string) string
 		byte(now),
 	})
 
-	// Finally, append unique client request data.
-	hash.hash.Write(byteutil.S2B(userAgent))
-	hash.hash.Write(byteutil.S2B(clientIP))
+	// Append client request data.
+	hash.writeString(userAgent)
+	hash.writeString(clientIP)
 
-	// Return hex encoded hash output.
-	hash.hbuf = hash.hash.Sum(hash.hbuf[:0])
-	hex.Encode(hash.ebuf, hash.hbuf)
-	return string(hash.ebuf)
+	// Return hex encoded hash.
+	return hash.EncodedSum()
 }
 
-func (m *nollamas) checkChallenge(hash *hashWithBufs, challenge, nonce string) bool {
-	// Hash and encode input challenge with
-	// proposed nonce as a possible solution.
-	hash.hash.Write(byteutil.S2B(challenge))
-	hash.hash.Write(byteutil.S2B(nonce))
-	hash.hbuf = hash.hash.Sum(hash.hbuf[:0])
-	hex.Encode(hash.ebuf, hash.hbuf)
-	solution := hash.ebuf
+// getChallenge prepares a new challenge given the deterministic input token for this request.
+// it will return an input seed string, a challenge string which is the end result the client
+// should be looking for, and the solution for this such that challenge = hex(sha256(seed + solution)).
+// the solution will always be a string-encoded 64bit integer calculated from m.rounds + random jitter.
+func (m *nollamas) getChallenge(hash *hashWithBufs, token string) (seed, challenge, solution string) {
 
-	// Compiler bound-check hint.
-	if len(solution) < int(m.diff) {
-		panic(gtserror.New("BCE"))
+	// For their unique seed string just use a
+	// single portion of their 'success' token.
+	// SHA256 is not yet cracked, this is not an
+	// application of a hash requiring serious
+	// cryptographic security and it rotates on
+	// a TTL basis, so it should be fine.
+	seed = token[:len(token)/4]
+
+	// BEFORE resetting the hash, get the last
+	// two bytes of NON-hex-encoded data from
+	// token generation to use for random jitter.
+	// This is taken from the end of the hash as
+	// this is the "unseen" end part of token.
+	//
+	// (if we used hex-encoded data it would
+	// only ever be '0-9' or 'a-z' ASCII chars).
+	//
+	// Security-wise, same applies as-above.
+	jitter := int16(hash.hbuf[len(hash.hbuf)-2]) |
+		int16(hash.hbuf[len(hash.hbuf)-1])<<8
+
+	var rounds int64
+	switch {
+	// For some small percentage of
+	// clients we purposely low-ball
+	// their rounds required, to make
+	// it so gaming it with a starting
+	// nonce value may suddenly fail.
+	case jitter%37 == 0:
+		rounds = int64(m.rounds/10) + int64(jitter/10)
+	case jitter%31 == 0:
+		rounds = int64(m.rounds/5) + int64(jitter/5)
+	case jitter%29 == 0:
+		rounds = int64(m.rounds/3) + int64(jitter/3)
+	case jitter%13 == 0:
+		rounds = int64(m.rounds/2) + int64(jitter/2)
+
+	// Determine an appropriate number of hash rounds
+	// we want the client to perform on input seed. This
+	// is determined as configured m.rounds +- jitter.
+	// This will be the 'solution' to create 'challenge'.
+	default:
+		rounds = int64(m.rounds) + int64(jitter) //nolint:gosec
 	}
 
-	// Check that the first 'diff'
-	// many chars are indeed zeroes.
-	for i := range m.diff {
-		if solution[i] != '0' {
-			return false
-		}
-	}
+	// Encode (positive) determined hash rounds as string.
+	solution = strconv.FormatInt(bitutil.Abs64(rounds), 10)
 
-	return true
+	// Reset before
+	// using hash.
+	hash.Reset()
+
+	// Calculate the expected result
+	// of hex(sha256(seed + solution)),
+	// i.e. the proposed 'challenge'.
+	hash.writeString(seed)
+	hash.writeString(solution)
+	challenge = hash.EncodedSum()
+
+	return
 }

internal/middleware/nollamas_test.go

@@ -95,41 +95,39 @@ func testNoLLaMasMiddleware(t *testing.T, e *gin.Engine, userAgent string) {
 		panic(err)
 	}
 
+	var seed string
 	var challenge string
-	var difficulty uint64
 
 	// Parse output body and find the challenge / difficulty.
 	for _, line := range strings.Split(string(b), "\n") {
 		line = strings.TrimSpace(line)
 		switch {
+		case strings.HasPrefix(line, "data-nollamas-seed=\""):
+			line = line[20:]
+			line = line[:len(line)-1]
+			seed = line
 		case strings.HasPrefix(line, "data-nollamas-challenge=\""):
 			line = line[25:]
 			line = line[:len(line)-1]
 			challenge = line
-		case strings.HasPrefix(line, "data-nollamas-difficulty=\""):
-			line = line[26:]
-			line = line[:len(line)-1]
-			var err error
-			difficulty, err = strconv.ParseUint(line, 10, 8)
-			assert.NoError(t, err)
 		}
 	}
 
 	// Ensure valid posed challenge.
-	assert.NotZero(t, difficulty)
 	assert.NotEmpty(t, challenge)
+	assert.NotEmpty(t, seed)
 
 	// Prepare a test request for gin engine.
 	r = httptest.NewRequest("GET", "/", nil)
 	r.Header.Set("User-Agent", userAgent)
 	rw = httptest.NewRecorder()
 
-	// Now compute and set solution query paramater.
-	solution := computeSolution(challenge, difficulty)
-	r.URL.RawQuery = "nollamas_solution=" + solution
-
+	t.Logf("seed=%s", seed)
 	t.Logf("challenge=%s", challenge)
-	t.Logf("difficulty=%d", difficulty)
+
+	// Now compute and set solution query paramater.
+	solution := computeSolution(seed, challenge)
+	r.URL.RawQuery = "nollamas_solution=" + solution
 	t.Logf("solution=%s", solution)
 
 	// Pass req through
@@ -152,17 +150,14 @@ func testNoLLaMasMiddleware(t *testing.T, e *gin.Engine, userAgent string) {
 }
 
 // computeSolution does the functional equivalent of our nollamas workerTask.js.
-func computeSolution(challenge string, diff uint64) string {
-outer:
+func computeSolution(seed, challenge string) string {
 	for i := 0; ; i++ {
 		solution := strconv.Itoa(i)
-		combined := challenge + solution
+		combined := seed + solution
 		hash := sha256.Sum256(byteutil.S2B(combined))
 		encoded := hex.EncodeToString(hash[:])
-		for i := range diff {
-			if encoded[i] != '0' {
-				continue outer
-			}
+		if encoded != challenge {
+			continue
 		}
 		return solution
 	}

test/envparsing.sh

@@ -20,7 +20,7 @@ EXPECT=$(cat << "EOF"
         "127.0.0.1/32"
     ],
     "advanced-rate-limit-requests": 6969,
-    "advanced-scraper-deterrence-difficulty": 5,
+    "advanced-scraper-deterrence-difficulty": 500000,
     "advanced-scraper-deterrence-enabled": true,
     "advanced-sender-multiplier": -1,
     "advanced-throttling-multiplier": -1,
@@ -309,7 +309,7 @@ GTS_SYSLOG_ADDRESS='127.0.0.1:6969' \
 GTS_ADVANCED_COOKIES_SAMESITE='strict' \
 GTS_ADVANCED_RATE_LIMIT_EXCEPTIONS="192.0.2.0/24,127.0.0.1/32" \
 GTS_ADVANCED_RATE_LIMIT_REQUESTS=6969 \
-GTS_ADVANCED_SCRAPER_DETERRENCE_DIFFICULTY=5 \
+GTS_ADVANCED_SCRAPER_DETERRENCE_DIFFICULTY=500000 \
 GTS_ADVANCED_SCRAPER_DETERRENCE_ENABLED=true \
 GTS_ADVANCED_SENDER_MULTIPLIER=-1 \
 GTS_ADVANCED_THROTTLING_MULTIPLIER=-1 \

testrig/config.go

@@ -178,7 +178,7 @@ func testDefaults() config.Configuration {
 
 			ScraperDeterrence: config.ScraperDeterrenceConfig{
 				Enabled:    envBool("GTS_ADVANCED_SCRAPER_DETERRENCE_ENABLED", false),
-				Difficulty: uint8(envInt("GTS_ADVANCED_SCRAPER_DETERRENCE_DIFFICULTY", 4)), //nolint
+				Difficulty: uint32(envInt("GTS_ADVANCED_SCRAPER_DETERRENCE_DIFFICULTY", 100000)), //nolint
 			},
 		},
 

vendor/codeberg.org/gruf/go-bitutil/LICENSE

@@ -0,0 +1,9 @@
+MIT License
+
+Copyright (c) 2022 gruf
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

vendor/codeberg.org/gruf/go-bitutil/README.md

@@ -0,0 +1,3 @@
+# go-bitutil
+
+This library provides helpful methods and types for performing typical bitwise operations on integers, e.g. packing/unpacking, bit flags.

vendor/codeberg.org/gruf/go-bitutil/abs.go

@@ -0,0 +1,29 @@
+package bitutil
+
+// Abs8 returns the absolute value of i (calculated without branching).
+func Abs8(i int8) int8 {
+	const bits = 8
+	u := uint64(i >> (bits - 1))
+	return (i ^ int8(u)) + int8(u&1)
+}
+
+// Abs16 returns the absolute value of i (calculated without branching).
+func Abs16(i int16) int16 {
+	const bits = 16
+	u := uint64(i >> (bits - 1))
+	return (i ^ int16(u)) + int16(u&1)
+}
+
+// Abs32 returns the absolute value of i (calculated without branching).
+func Abs32(i int32) int32 {
+	const bits = 32
+	u := uint64(i >> (bits - 1))
+	return (i ^ int32(u)) + int32(u&1)
+}
+
+// Abs64 returns the absolute value of i (calculated without branching).
+func Abs64(i int64) int64 {
+	const bits = 64
+	u := uint64(i >> (bits - 1))
+	return (i ^ int64(u)) + int64(u&1)
+}

vendor/codeberg.org/gruf/go-bitutil/flag.tpl

@@ -0,0 +1,117 @@
+package bitutil
+
+import (
+    "strings"
+    "unsafe"
+)
+
+{{ range $idx, $size := . }}
+
+// Flags{{ $size.Size }} is a type-casted unsigned integer with helper
+// methods for easily managing up to {{ $size.Size }} bit-flags.
+type Flags{{ $size.Size }} uint{{ $size.Size }}
+
+// Get will fetch the flag bit value at index 'bit'.
+func (f Flags{{ $size.Size }}) Get(bit uint8) bool {
+    mask := Flags{{ $size.Size }}(1) << bit
+    return (f & mask != 0)
+}
+
+// Set will set the flag bit value at index 'bit'.
+func (f Flags{{ $size.Size }}) Set(bit uint8) Flags{{ $size.Size }} {
+    mask := Flags{{ $size.Size }}(1) << bit
+    return f | mask
+}
+
+// Unset will unset the flag bit value at index 'bit'.
+func (f Flags{{ $size.Size }}) Unset(bit uint8) Flags{{ $size.Size }} {
+    mask := Flags{{ $size.Size }}(1) << bit
+    return f & ^mask
+}
+
+{{ range $idx := $size.Bits }}
+
+// Get{{ $idx }} will fetch the flag bit value at index {{ $idx }}.
+func (f Flags{{ $size.Size }}) Get{{ $idx }}() bool {
+    const mask = Flags{{ $size.Size }}(1) << {{ $idx }}
+    return (f & mask != 0)
+}
+
+// Set{{ $idx }} will set the flag bit value at index {{ $idx }}.
+func (f Flags{{ $size.Size }}) Set{{ $idx }}() Flags{{ $size.Size }} {
+    const mask = Flags{{ $size.Size }}(1) << {{ $idx }}
+    return f | mask
+}
+
+// Unset{{ $idx }} will unset the flag bit value at index {{ $idx }}.
+func (f Flags{{ $size.Size }}) Unset{{ $idx }}() Flags{{ $size.Size }} {
+    const mask = Flags{{ $size.Size }}(1) << {{ $idx }}
+    return f & ^mask
+}
+
+{{ end }}
+
+// String returns a human readable representation of Flags{{ $size.Size }}.
+func (f Flags{{ $size.Size }}) String() string {
+    var (
+        i   int
+        val bool
+        buf []byte
+    )
+
+    // Make a prealloc est. based on longest-possible value
+    const prealloc = 1+(len("false ")*{{ $size.Size }})-1+1
+    buf = make([]byte, prealloc)
+
+    buf[i] = '{'
+    i++
+
+    {{ range $idx := .Bits }}
+    val = f.Get{{ $idx }}()
+    i += copy(buf[i:], bool2str(val))
+    buf[i] = ' '
+    i++
+    {{ end }}
+
+    buf[i-1] = '}'
+    buf = buf[:i]
+
+    return *(*string)(unsafe.Pointer(&buf))
+}
+
+// GoString returns a more verbose human readable representation of Flags{{ $size.Size }}.
+func (f Flags{{ $size.Size }})GoString() string {
+    var (
+        i   int
+        val bool
+        buf []byte
+    )
+
+    // Make a prealloc est. based on longest-possible value
+    const prealloc = len("bitutil.Flags{{ $size.Size }}{")+(len("{{ sub $size.Size 1 }}=false ")*{{ $size.Size }})-1+1
+    buf = make([]byte, prealloc)
+
+    i += copy(buf[i:], "bitutil.Flags{{ $size.Size }}{")
+
+    {{ range $idx := .Bits }}
+    val = f.Get{{ $idx }}()
+    i += copy(buf[i:], "{{ $idx }}=")
+    i += copy(buf[i:], bool2str(val))
+    buf[i] = ' '
+    i++
+    {{ end }}
+ 
+    buf[i-1] = '}'
+    buf = buf[:i]
+
+    return *(*string)(unsafe.Pointer(&buf))
+}
+
+{{ end }}
+
+func bool2str(b bool) string {
+    if b {
+        return "true"
+    }
+    return "false"
+}

vendor/codeberg.org/gruf/go-bitutil/flag_test.tpl

@@ -0,0 +1,98 @@
+package bitutil_test
+
+import (
+    "strings"
+    "testing"
+
+    "codeberg.org/gruf/go-bytes"
+)
+
+{{ range $idx, $size := . }}
+
+func TestFlags{{ $size.Size }}Get(t *testing.T) {
+    var mask, flags bitutil.Flags{{ $size.Size }}
+
+    {{ range $idx := $size.Bits }}
+
+    mask = bitutil.Flags{{ $size.Size }}(1) << {{ $idx }}
+
+    flags = 0
+
+    flags |= mask
+    if !flags.Get({{ $idx }}) {
+        t.Error("failed .Get() set Flags{{ $size.Size }} bit at index {{ $idx }}")
+    }
+
+    flags = ^bitutil.Flags{{ $size.Size }}(0)
+
+    flags &= ^mask
+    if flags.Get({{ $idx }}) {
+        t.Error("failed .Get() unset Flags{{ $size.Size }} bit at index {{ $idx }}")
+    }
+
+    flags = 0
+
+    flags |= mask
+    if !flags.Get{{ $idx }}() {
+        t.Error("failed .Get{{ $idx }}() set Flags{{ $size.Size }} bit at index {{ $idx }}")
+    }
+
+    flags = ^bitutil.Flags{{ $size.Size }}(0)
+
+    flags &= ^mask
+    if flags.Get{{ $idx }}() {
+        t.Error("failed .Get{{ $idx }}() unset Flags{{ $size.Size }} bit at index {{ $idx }}")
+    }
+
+    {{ end }}
+}
+
+func TestFlags{{ $size.Size }}Set(t *testing.T) {
+    var mask, flags bitutil.Flags{{ $size.Size }}
+
+    {{ range $idx := $size.Bits }}
+
+    mask = bitutil.Flags{{ $size.Size }}(1) << {{ $idx }}
+
+    flags = 0
+
+    flags = flags.Set({{ $idx }})
+    if flags & mask == 0 {
+        t.Error("failed .Set() Flags{{ $size.Size }} bit at index {{ $idx }}")
+    }
+
+    flags = 0
+
+    flags = flags.Set{{ $idx }}()
+    if flags & mask == 0 {
+        t.Error("failed .Set{{ $idx }}() Flags{{ $size.Size }} bit at index {{ $idx }}")
+    }
+
+    {{ end }}
+}
+
+func TestFlags{{ $size.Size }}Unset(t *testing.T) {
+    var mask, flags bitutil.Flags{{ $size.Size }}
+
+    {{ range $idx := $size.Bits }}
+
+    mask = bitutil.Flags{{ $size.Size }}(1) << {{ $idx }}
+
+    flags = ^bitutil.Flags{{ $size.Size }}(0)
+
+    flags = flags.Unset({{ $idx }})
+    if flags & mask != 0 {
+        t.Error("failed .Unset() Flags{{ $size.Size }} bit at index {{ $idx }}")
+    }
+
+    flags = ^bitutil.Flags{{ $size.Size }}(0)
+
+    flags = flags.Unset{{ $idx }}()
+    if flags & mask != 0 {
+        t.Error("failed .Unset{{ $idx }}() Flags{{ $size.Size }} bit at index {{ $idx }}")
+    }
+
+    {{ end }}
+}
+
+{{ end }}

vendor/codeberg.org/gruf/go-bitutil/pack.go

@@ -0,0 +1,85 @@
+package bitutil
+
+// PackInt8s will pack two signed 8bit integers into an unsigned 16bit integer.
+func PackInt8s(i1, i2 int8) uint16 {
+	const bits = 8
+	const mask = (1 << bits) - 1
+	return uint16(i1)<<bits | uint16(i2)&mask
+}
+
+// UnpackInt8s will unpack two signed 8bit integers from an unsigned 16bit integer.
+func UnpackInt8s(i uint16) (int8, int8) {
+	const bits = 8
+	const mask = (1 << bits) - 1
+	return int8(i >> bits), int8(i & mask)
+}
+
+// PackInt16s will pack two signed 16bit integers into an unsigned 32bit integer.
+func PackInt16s(i1, i2 int16) uint32 {
+	const bits = 16
+	const mask = (1 << bits) - 1
+	return uint32(i1)<<bits | uint32(i2)&mask
+}
+
+// UnpackInt16s will unpack two signed 16bit integers from an unsigned 32bit integer.
+func UnpackInt16s(i uint32) (int16, int16) {
+	const bits = 16
+	const mask = (1 << bits) - 1
+	return int16(i >> bits), int16(i & mask)
+}
+
+// PackInt32s will pack two signed 32bit integers into an unsigned 64bit integer.
+func PackInt32s(i1, i2 int32) uint64 {
+	const bits = 32
+	const mask = (1 << bits) - 1
+	return uint64(i1)<<bits | uint64(i2)&mask
+}
+
+// UnpackInt32s will unpack two signed 32bit integers from an unsigned 64bit integer.
+func UnpackInt32s(i uint64) (int32, int32) {
+	const bits = 32
+	const mask = (1 << bits) - 1
+	return int32(i >> bits), int32(i & mask)
+}
+
+// PackUint8s will pack two unsigned 8bit integers into an unsigned 16bit integer.
+func PackUint8s(u1, u2 uint8) uint16 {
+	const bits = 8
+	const mask = (1 << bits) - 1
+	return uint16(u1)<<bits | uint16(u2)&mask
+}
+
+// UnpackUint8s will unpack two unsigned 8bit integers from an unsigned 16bit integer.
+func UnpackUint8s(u uint16) (uint8, uint8) {
+	const bits = 8
+	const mask = (1 << bits) - 1
+	return uint8(u >> bits), uint8(u & mask)
+}
+
+// PackUint16s will pack two unsigned 16bit integers into an unsigned 32bit integer.
+func PackUint16s(u1, u2 uint16) uint32 {
+	const bits = 16
+	const mask = (1 << bits) - 1
+	return uint32(u1)<<bits | uint32(u2)&mask
+}
+
+// UnpackUint16s will unpack two unsigned 16bit integers from an unsigned 32bit integer.
+func UnpackUint16s(u uint32) (uint16, uint16) {
+	const bits = 16
+	const mask = (1 << bits) - 1
+	return uint16(u >> bits), uint16(u & mask)
+}
+
+// PackUint32s will pack two unsigned 32bit integers into an unsigned 64bit integer.
+func PackUint32s(u1, u2 uint32) uint64 {
+	const bits = 32
+	const mask = (1 << bits) - 1
+	return uint64(u1)<<bits | uint64(u2)&mask
+}
+
+// UnpackUint32s will unpack two unsigned 32bit integers from an unsigned 64bit integer.
+func UnpackUint32s(u uint64) (uint32, uint32) {
+	const bits = 32
+	const mask = (1 << bits) - 1
+	return uint32(u >> bits), uint32(u & mask)
+}

vendor/codeberg.org/gruf/go-bitutil/test.tpl

@@ -0,0 +1,60 @@
+package atomics_test
+
+import (
+    "atomic"
+    "unsafe"
+    "testing"
+
+    "codeberg.org/gruf/go-atomics"
+)
+
+func Test{{ .Name }}StoreLoad(t *testing.T) {
+    for _, test := range {{ .Name }}Tests {
+        val := atomics.New{{ .Name }}()
+
+        val.Store(test.V1)
+
+        if !({{ call .Compare "val.Load()" "test.V1" }}) {
+            t.Fatalf("failed testing .Store and .Load: expect=%v actual=%v", val.Load(), test.V1)
+        }
+
+        val.Store(test.V2)
+
+        if !({{ call .Compare "val.Load()" "test.V2" }}) {
+            t.Fatalf("failed testing .Store and .Load: expect=%v actual=%v", val.Load(), test.V2)
+        }
+    }
+}
+
+func Test{{ .Name }}CAS(t *testing.T) {
+    for _, test := range {{ .Name }}Tests {
+        val := atomics.New{{ .Name }}()
+
+        val.Store(test.V1)
+
+        if val.CAS(test.V2, test.V1) {
+            t.Fatalf("failed testing negative .CAS: test=%+v state=%v", test, val.Load())
+        }
+
+        if !val.CAS(test.V1, test.V2) {
+            t.Fatalf("failed testing positive .CAS: test=%+v state=%v", test, val.Load())
+        }
+    }
+}
+
+func Test{{ .Name }}Swap(t *testing.T) {
+    for _, test := range {{ .Name }}Tests {
+        val := atomics.New{{ .Name }}()
+
+        val.Store(test.V1)
+
+        if !({{ call .Compare "val.Swap(test.V2)" "test.V1" }}) {
+            t.Fatal("failed testing .Swap")
+        }
+
+        if !({{ call .Compare "val.Swap(test.V1)" "test.V2" }}) {
+            t.Fatal("failed testing .Swap")
+        }
+    }
+}
+

vendor/modules.txt

@@ -215,6 +215,9 @@ code.superseriousbusiness.org/oauth2/v4/generates
 code.superseriousbusiness.org/oauth2/v4/manage
 code.superseriousbusiness.org/oauth2/v4/models
 code.superseriousbusiness.org/oauth2/v4/server
+# codeberg.org/gruf/go-bitutil v1.1.0
+## explicit; go 1.19
+codeberg.org/gruf/go-bitutil
 # codeberg.org/gruf/go-bytesize v1.0.3
 ## explicit; go 1.17
 codeberg.org/gruf/go-bytesize

web/source/nollamas/index.js

@@ -43,18 +43,18 @@ document.addEventListener("DOMContentLoaded", function() {
 
 	// Read the challenge and difficulty from
 	// data attributes on the nollamas section.
+	const seed = nollamas.dataset.nollamasSeed;
 	const challenge = nollamas.dataset.nollamasChallenge;
-	const difficulty = nollamas.dataset.nollamasDifficulty;
 
-	console.log("challenge:", challenge);     // eslint-disable-line no-console
-	console.log("difficulty:", difficulty); // eslint-disable-line no-console
+	console.log("seed:", seed);           // eslint-disable-line no-console
+	console.log("challenge:", challenge); // eslint-disable-line no-console
 
 	// Prepare the worker with task function.
 	const worker = new Worker("/assets/dist/nollamasworker.js");
 	const startTime = performance.now();
 	worker.postMessage({
 		challenge: challenge,
-		difficulty: difficulty,
+		seed:      seed,
 	});
 
 	// Set the main worker function.

web/source/nollamasworker/index.js

@@ -19,32 +19,22 @@
 
 import sha256 from "./sha256";
 
-let compute = async function(challengeStr, diffStr) {
+let compute = async function(seedStr, challengeStr) {
 	const textEncoder = new TextEncoder();
 
-	// Get difficulty1 as number and generate
-	// expected zero ASCII prefix to check for.
-	const diff1 = parseInt(diffStr, 10);
-	const zeros = "0".repeat(diff1);
-
-	// Calculate hex encoded prefix required to check solution, where we
-	// need diff1 no. chars in hex, and hex encoding doubles input length.
-	const prefixLen = diff1 / 2 + (diff1 % 2 != 0 ? 2 : 0);
-
 	let nonce = 0;
 	while (true) { // eslint-disable-line no-constant-condition
 
 		// Create possible solution string from challenge string + nonce.
-		const solution = textEncoder.encode(challengeStr + nonce.toString());
+		const solution = textEncoder.encode(seedStr + nonce.toString());
 
-		// Generate SHA256 hashsum of solution string, and hex encode the
-		// necessary prefix length we need to check for a valid solution.
-		const prefixArray = Array.from(sha256(solution).slice(0, prefixLen));
-		const prefixHex = prefixArray.map(b => b.toString(16).padStart(2, "0")).join("");
+		// Generate hex encoded SHA256 hashsum of solution.
+		const hashArray = Array.from(sha256(solution));
+		const hashAsHex = hashArray.map(b => b.toString(16).padStart(2, "0")).join("");
 
-		// Check if the hex encoded hash has
-		// difficulty defined zeroes prefix.
-		if (prefixHex.startsWith(zeros)) {
+		// Check whether hex encoded
+		// solution matches challenge.
+		if (hashAsHex == challengeStr) {
 			return nonce;
 		}
 
@@ -56,11 +46,8 @@ let compute = async function(challengeStr, diffStr) {
 onmessage = async function(e) {
 	console.log('worker started'); // eslint-disable-line no-console
 
-	const challenge = e.data.challenge;
-	const difficulty = e.data.difficulty;
-
-	// Compute the nonce that produces solution with args.
-	let nonce = await compute(challenge, difficulty);
+	// Compute nonce value that produces 'challenge' for seed.
+	let nonce = await compute(e.data.seed, e.data.challenge);
 
 	// Post the solution nonce back to caller.
 	postMessage({ nonce: nonce, done: true });

web/template/nollamas.tmpl

@@ -20,8 +20,8 @@
 {{- with . }}
 <main>
     <section class="nollamas"
+        data-nollamas-seed="{{ .seed }}"
         data-nollamas-challenge="{{ .challenge }}"
-        data-nollamas-difficulty="{{ .difficulty }}"
     >
         <h1>Checking you're not a creepy crawler...</h1>
         <noscript>