From 25d677cbba9fa63bcd59d185ddfb0466afd9b12e Mon Sep 17 00:00:00 2001
From: Xe Iaso
Date: Fri, 17 Oct 2025 19:32:24 -0400
Subject: [PATCH] fix(algorithms/fast): fix fast challenge on insecure contexts (#1198)
* fix(algorithms/fast): fix fast challenge on insecure contexts
Closes #1192
Signed-off-by: Xe Iaso
* docs: update CHANGELOG
Signed-off-by: Xe Iaso
---------
Signed-off-by: Xe Iaso
---
 docs/docs/CHANGELOG.md | 1 +
 web/js/algorithms/fast.ts | 9 +++++++--
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/docs/docs/CHANGELOG.md b/docs/docs/CHANGELOG.md
index 56e3cb5..0807463 100644
--- a/docs/docs/CHANGELOG.md
+++ b/docs/docs/CHANGELOG.md
@@ -22,6 +22,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Document missing environment variables in installation guide: `SLOG_LEVEL`, `COOKIE_PREFIX`, `FORCED_LANGUAGE`, and `TARGET_DISABLE_KEEPALIVE` ([#1086](https://github.com/TecharoHQ/anubis/pull/1086)).
 - Add validation warning when persistent storage is used without setting signing keys.
 - Fixed `robots2policy` to properly group consecutive user agents into `any:` instead of only processing the last one ([#925](https://github.com/TecharoHQ/anubis/pull/925)).
+- Make the `fast` algorithm prefer purejs when running in an insecure context.
 - Add the [`s3api` storage backend](./admin/policies.mdx#s3api) to allow Anubis to use S3 API compatible object storage as its storage backend.
 - Fix a "stutter" in the cookie name prefix so the auth cookie is named `techaro.lol-anubis-auth` instead of `techaro.lol-anubis-auth-auth`.
 - Make `cmd/containerbuild` support commas for separating elements of the `--docker-tags` argument as well as newlines.
diff --git a/web/js/algorithms/fast.ts b/web/js/algorithms/fast.ts
index 178cef8..6330da5 100644
--- a/web/js/algorithms/fast.ts
+++ b/web/js/algorithms/fast.ts
@@ -18,7 +18,12 @@ export default function process(
 ): Promise {
 console.debug("fast algo");
- let workerMethod = window.crypto !== undefined ? "webcrypto" : "purejs";
+ // Choose worker based on secure context.
+ // Use the WebCrypto worker if the page is a secure context; otherwise fall back to pure‑JS.
+ let workerMethod: "webcrypto" | "purejs" = "purejs";
+ if (window.isSecureContext) {
+ workerMethod = "webcrypto";
+ }
 if (navigator.userAgent.includes("Firefox") || navigator.userAgent.includes("Goanna")) {
 console.log("Firefox detected, using pure-JS fallback");
@@ -82,4 +87,4 @@ export default function process(
 workers.push(worker);
 }
 });
-}
\ No newline at end of file
+}
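Review bot: The new selection at `if (window.isSecureContext)` tests the context but no longer checks that the API the WebCrypto worker needs is actually present, so a secure page on a runtime without `crypto.subtle` would still be handed that worker. Testing the capability alongside the context covers both cases: `if (window.isSecureContext && window.crypto?.subtle !== undefined) {`. The added comment could also record the reason, since SubtleCrypto is exposed only in secure contexts while `window.crypto` itself exists on plain-HTTP pages, which is presumably why the old `window.crypto !== undefined` test picked a worker that could not run. The body of `process` continues outside the hunk, so whether a worker start-up failure is surfaced to the caller cannot be judged from these lines.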