SuperSeriousBusiness/GoToSocial
1
1
Fork 0
mirror of https://github.com/superseriousbusiness/gotosocial synced 2025-06-05 21:59:39 +02:00
Code Issues Projects Releases Wiki Activity
Files
d8c4d9fc5a62741f0c4c2b692a3a94874714bbcc
GoToSocial/web/source/nollamasworker/index.js
kim d8c4d9fc5a [feature] proof of work scraper deterrence (#4043) 
This adds a proof-of-work based scraper deterrence to GoToSocial's middleware stack on profile and status web pages. Heavily inspired by https://github.com/TecharoHQ/anubis, but massively stripped back for our own usecase.

Todo:
- ~~add configuration option so this is disabled by default~~
- ~~fix whatever weirdness is preventing this working with CSP (even in debug)~~
- ~~use our standard templating mechanism going through apiutil helper func~~
- ~~probably some absurdly small performance improvements to be made in pooling re-used hex encode / hash encode buffers~~ the web endpoints aren't as hot a path as API / ActivityPub, will leave as-is for now as it is already very minimal and well optimized
- ~~verify the cryptographic assumptions re: using a portion of token as challenge data~~ this isn't a serious application of cryptography, if it turns out to be a problem we'll fix it, but it definitely should not be easily possible to guess a SHA256 hash from the first 1/4 of it even if mathematically it might make it a bit easier
- ~~theme / make look nice??~~
- ~~add a spinner~~
- ~~add entry in example configuration~~
- ~~add documentation~~

Verification page originally based on https://github.com/LucienV1/powtect

Co-authored-by: tobi <tobi.smethurst@protonmail.com>
Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4043
Reviewed-by: tobi <tsmethurst@noreply.codeberg.org>
Co-authored-by: kim <grufwub@gmail.com>
Co-committed-by: kim <grufwub@gmail.com>
2025-04-28 20:12:27 +00:00

54 lines
1.8 KiB
JavaScript
Raw Blame History

/*
GoToSocial
Copyright (C) GoToSocial Authors admin@gotosocial.org
SPDX-License-Identifier: AGPL-3.0-or-later
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
onmessage = async function(e) {
console.log('worker started'); // eslint-disable-line no-console
const challenge = e.data.challenge;
const textEncoder = new TextEncoder();
// Get difficulty and generate the expected
// zero ASCII prefix to check for in hashes.
const difficultyStr = e.data.difficulty;
const difficulty = parseInt(difficultyStr, 10);
const zeroPrefix = '0'.repeat(difficulty);
let nonce = 0;
while (true) { // eslint-disable-line no-constant-condition
// Create possible solution string from challenge + nonce.
const solution = textEncoder.encode(challenge + nonce.toString());
// Generate SHA256 hashsum of solution string and hex encode the result.
const hashBuffer = await crypto.subtle.digest('SHA-256', solution);
const hashArray = Array.from(new Uint8Array(hashBuffer));
const hashHex = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
// Check if the hex encoded hash has
// difficulty defined zeroes prefix.
if (hashHex.startsWith(zeroPrefix)) {
postMessage({ nonce: nonce, done: true });
break;
}
// Iter.
nonce++;
}
};
Reference in New Issue View Git Blame Copy Permalink