Fix challenge validation panic when follow-up hits ALLOW (#1278)

* fix(localization): correct formatting of Swedish loading message * fix(main): correct formatting and improve readability in main.go * fix(challenge): add difficulty and policy rule hash to challenge metadata * docs(challenge): fix panic when validating challenges in privacy-mode browsers
2025-11-14 16:51:48 -08:00 · 2025-11-14 16:51:48 -08:00 · 97ba84e26d
commit 97ba84e26d
parent 68fcc0c44f
7 changed files with 126 additions and 23 deletions
--- a/lib/anubis.go
+++ b/lib/anubis.go
@ -117,10 +117,12 @@ func (s *Server) issueChallenge(ctx context.Context, r *http.Request, lg *slog.L
 	}

 	chall := challenge.Challenge{
-		ID:         id.String(),
-		Method:     rule.Challenge.Algorithm,
-		RandomData: fmt.Sprintf("%x", randomData),
-		IssuedAt:   time.Now(),
+		ID:             id.String(),
+		Method:         rule.Challenge.Algorithm,
+		RandomData:     fmt.Sprintf("%x", randomData),
+		IssuedAt:       time.Now(),
+		Difficulty:     rule.Challenge.Difficulty,
+		PolicyRuleHash: rule.Hash(),
 		Metadata: map[string]string{
 			"User-Agent": r.Header.Get("User-Agent"),
 			"X-Real-Ip":  r.Header.Get("X-Real-Ip"),
@ -137,6 +139,44 @@ func (s *Server) issueChallenge(ctx context.Context, r *http.Request, lg *slog.L
 	return &chall, err
 }

+func (s *Server) hydrateChallengeRule(rule *policy.Bot, chall *challenge.Challenge, lg *slog.Logger) *policy.Bot {
+	if chall == nil {
+		return rule
+	}
+
+	if rule == nil {
+		rule = &policy.Bot{
+			Rules: &checker.List{},
+		}
+	}
+
+	if chall.Difficulty == 0 {
+		// fall back to whatever the policy currently says or the global default
+		if rule.Challenge != nil && rule.Challenge.Difficulty != 0 {
+			chall.Difficulty = rule.Challenge.Difficulty
+		} else {
+			chall.Difficulty = s.policy.DefaultDifficulty
+		}
+	}
+
+	if rule.Challenge == nil {
+		lg.Warn("rule missing challenge configuration; using stored challenge metadata", "rule", rule.Name)
+		rule.Challenge = &config.ChallengeRules{}
+	}
+
+	if rule.Challenge.Difficulty == 0 {
+		rule.Challenge.Difficulty = chall.Difficulty
+	}
+	if rule.Challenge.ReportAs == 0 {
+		rule.Challenge.ReportAs = chall.Difficulty
+	}
+	if rule.Challenge.Algorithm == "" {
+		rule.Challenge.Algorithm = chall.Method
+	}
+
+	return rule
+}
+
 func (s *Server) maybeReverseProxyHttpStatusOnly(w http.ResponseWriter, r *http.Request) {
 	s.maybeReverseProxy(w, r, true)
 }
@ -461,6 +501,8 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	rule = s.hydrateChallengeRule(rule, chall, lg)
+
 	impl, ok := challenge.Get(chall.Method)
 	if !ok {
 		lg.Error("check failed", "err", err)