fix(challenge/metarefresh): ensure that clients have waited long enough (#1068)
Some admins have noticed that clients are not waiting the right amount of time in order to access a resource protected by the metarefresh challenge. This patch adds a check to make sure that clients have waited at least 95% (difficulty times 950 milliseconds instead of difficulity times 1000 milliseconds) of the time they should. If this scales, maybe time is the best way to go for Anubis in the near future instead of anything else computational. Signed-off-by: Xe Iaso <me@xeiaso.net>
This commit is contained in:
Xe Iaso
GitHub
parent
2704ba95d0
commit
f6e077c907
2 changed files with 9 additions and 1 deletions
|
|
@ -5,6 +5,7 @@ import (
|
|||
"fmt"
|
||||
"log/slog"
|
||||
"net/http"
|
||||
"time"
|
||||
|
||||
"github.com/TecharoHQ/anubis"
|
||||
"github.com/TecharoHQ/anubis/lib/challenge"
|
||||
|
|
@ -42,6 +43,12 @@ func (i *Impl) Issue(r *http.Request, lg *slog.Logger, in *challenge.IssueInput)
|
|||
}
|
||||
|
||||
func (i *Impl) Validate(r *http.Request, lg *slog.Logger, in *challenge.ValidateInput) error {
|
||||
wantTime := in.Challenge.IssuedAt.Add(time.Duration(in.Rule.Challenge.Difficulty) * 950 * time.Millisecond)
|
||||
|
||||
if time.Now().Before(wantTime) {
|
||||
return challenge.NewError("validate", "insufficent time", fmt.Errorf("%w: wanted user to wait until at least %s", challenge.ErrFailed, wantTime.Format(time.RFC3339)))
|
||||
}
|
||||
|
||||
gotChallenge := r.FormValue("challenge")
|
||||
|
||||
if subtle.ConstantTimeCompare([]byte(in.Challenge.RandomData), []byte(gotChallenge)) != 1 {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue