vufind-org · crhallberg · Jul 21, 2025 · Jul 22, 2025 · Jul 22, 2025 · Jul 22, 2025
diff --git a/composer.json b/composer.json
@@ -46,6 +46,7 @@
     "require": {
         "php": ">=8.1",
         "ahand/mobileesp": "dev-master",
+        "altcha-org/altcha": "^1.1",
         "apereo/phpcas": "1.6.1",
         "browscap/browscap-php": "^7.2",
         "cap60552/php-sip2": "1.0.0",

diff --git a/composer.lock b/composer.lock
diff --git a/config/vufind/config.ini b/config/vufind/config.ini
@@ -2512,6 +2512,7 @@ validateHierarchySequences = true
 ; - image (generate a local image for the user to interpret)
 ; - interval (allow an action after a specified time has elapsed from session start
 ;   or previous action)
+; - pow (proof of work bot deterent)
 ; - recaptcha (use Google's ReCaptcha service)
 ; If multiple values are given, the user will be able to pick their favorite.
 ; See below for additional type-specific settings.
@@ -2542,6 +2543,12 @@ validateHierarchySequences = true
 ; action_interval):
 ;time_from_session_start = 0
 
+; Proof of Work options
+; PHP and JS both natively support sha1, sha256, sha384, sha512.
+;pow_hash = sha256
+; number of leading zeroes required; default: 5
+;pow_difficulty = 5
+
 ; See http://www.google.com/recaptcha for more information on reCAPTCHA and to
 ; create keys for your domain. Make sure that SSL settings are correct in the
 ; [Http] section, or your Captcha may not work.

diff --git a/config/vufind/contentsecuritypolicy.ini b/config/vufind/contentsecuritypolicy.ini
@@ -44,8 +44,11 @@ script-src[] = "https:"
 connect-src[] = "'self'"
 ; If you are using Google Analytics, uncomment the line below
 ;connect-src[] = "https://*.google-analytics.com"
-; worker-src required for jsTree with browsers that don't support 'strict-dynamic' (e.g. Safari):
+; worker-src (permission to load web worker JS files)
+; (blob) required for jsTree with browsers that don't support 'strict-dynamic' (e.g. Safari):
 worker-src[] = "blob:"
+; (self) required for proof of work (PoW) Captcha web wworker
+worker-src[] = "'self'"
 style-src[] = "'self'"
 style-src[] = "'unsafe-inline'"
 img-src[] = "'self'"

diff --git a/module/VuFind/src/VuFind/Captcha/Altcha.php b/module/VuFind/src/VuFind/Captcha/Altcha.php
@@ -0,0 +1,119 @@
+<?php
+
+/**
+ * Altcha proof-of-work CAPTCHA.
+ *
+ * PHP version 8
+ *
+ * Copyright (C) Villanova University 2025.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ * @category VuFind
+ * @package  CAPTCHA
+ * @author   Chris Hallberg <challber@villanova.edu>
+ * @license  http://opensource.org/licenses/gpl-2.0.php GNU General Public License
+ * @link     https://vufind.org Main Page
+ */
+
+namespace VuFind\Captcha;
+
+use AltchaOrg\Altcha\Altcha as AltchaController;
+use AltchaOrg\Altcha\ChallengeOptions;
+use AltchaOrg\Altcha\Hasher\Algorithm;
+use Laminas\Mvc\Controller\Plugin\Params;
+
+use function intval;
+
+/**
+ * Altcha proof-of-work CAPTCHA.
+ *
+ * @category VuFind
+ * @package  CAPTCHA
+ * @author   Chris Hallberg <challber@villanova.edu>
+ * @license  http://opensource.org/licenses/gpl-2.0.php GNU General Public License
+ * @link     https://vufind.org/wiki/development Wiki
+ */
+class Altcha extends AbstractBase
+{
+    /**
+     * Constructor
+     *
+     * @param string                  $hmacKey Required HMAC key for challenge calculation and solution verification.
+     *
+     * @param Algorithm               $algorithm  Hashing algorithm to use (`SHA-1`, `SHA-256`, `SHA-512`, default: `SHA-256`).
+     * @param int                     $maxNumber  Maximum number for the random number generator (default: 1,000,000)
+     * @param null|\DateTimeInterface $expires    Optional expiration time for the challenge.
+     * @param ChallengeParams         $params     Optional URL-encoded query parameters.
+     * @param int<1, max>             $saltLength Length of the random salt (default: 12 bytes).
+     */
+    public function __construct(
+        protected string $hmacKey,
+        // Options for creation of a new challenge
+        protected Algorithm $algorithm = Algorithm::SHA256,
+        protected int $maxNumber = AltchaController::DEFAULT_MAX_NUMBER,
+        protected ?\DateTimeInterface $expires = null,
+        protected array $params = [],
+        protected int $saltLength = AltchaController::DEFAULT_SALT_LENGTH,
+    ) {
+    }
+
+    /**
+     * Get list of URLs with JS dependencies to load for the active CAPTCHA type.
+     *
+     * @return array
+     */
+    public function getJsIncludes(): array
+    {
+        return ['vendor/altcha.js', 'vendor/altcha-i18n.js'];
+    }
+
+    /**
+     * Generate challenge
+     *
+     * @return Challenge
+     */
+    public function getChallenge()
+    {
+        $altcha = new AltchaController($this->hmacKey);
+
+        $options = new ChallengeOptions(
+            algorithm: $this->algorithm,
+            maxNumber: $this->maxNumber,
+            expires: $this->expires,
+            params: $this->params,
+            saltLength: $this->saltLength,
+        );
+
+        return json_encode($altcha->createChallenge($options));
+    }
+
+    /**
+     * Pull the captcha field from controller params and check them for accuracy
+     * We pull from the form in case config changed since challenge was sent
+     *
+     * @param Params $params Controller params
+     *
+     * @return bool
+     */
+    public function verify(Params $params): bool
+    {
+        $encoded = $params->fromPost('altcha', null);
+        $json = base64_decode($encoded);
+        $payload = json_decode($json, true);
+
+        $altcha = new AltchaController($this->hmacKey);
+        return $altcha->verifySolution($payload, checkExpires: true);
+    }
+}
diff --git a/module/VuFind/src/VuFind/Captcha/AltchaFactory.php b/module/VuFind/src/VuFind/Captcha/AltchaFactory.php
@@ -0,0 +1,106 @@
+<?php
+
+/**
+ * Factory for Altcha proof-of-work CAPTCHA module.
+ *
+ * PHP version 8
+ *
+ * Copyright (C) Villanova University 2025.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ * @category VuFind
+ * @package  CAPTCHA
+ * @author   Chris Hallberg <challber@villanova.edu>
+ * @license  http://opensource.org/licenses/gpl-2.0.php GNU General Public License
+ * @link     https://vufind.org/wiki/development Wiki
+ */
+
+namespace VuFind\Captcha;
+
+use AltchaOrg\Altcha\Hasher\Algorithm;
+use Laminas\ServiceManager\Exception\ServiceNotCreatedException;
+use Laminas\ServiceManager\Exception\ServiceNotFoundException;
+use Laminas\ServiceManager\Factory\FactoryInterface;
+use Psr\Container\ContainerExceptionInterface as ContainerException;
+use Psr\Container\ContainerInterface;
+
+use function in_array;
+use function intval;
+
+/**
+ * Altcha proof-of-work CAPTCHA factory.
+ *
+ * @category VuFind
+ * @package  CAPTCHA
+ * @author   Chris Hallberg <challber@villanova.edu>
+ * @license  http://opensource.org/licenses/gpl-2.0.php GNU General Public License
+ * @link     https://vufind.org/wiki/development Wiki
+ */
+class AltchaFactory implements FactoryInterface
+{
+    /**
+     * Create an object
+     *
+     * @param ContainerInterface $container     Service manager
+     * @param string             $requestedName Service being created
+     * @param null|array         $options       Extra options (optional)
+     *
+     * @return object
+     *
+     * @throws ServiceNotFoundException if unable to resolve the service.
+     * @throws ServiceNotCreatedException if an exception is raised when
+     * creating a service.
+     * @throws ContainerException&\Throwable if any other error occurs
+     */
+    public function __invoke(
+        ContainerInterface $container,
+        $requestedName,
+        ?array $options = null
+    ) {
+        if (!empty($options)) {
+            throw new \Exception('Unexpected options passed to factory.');
+        }
+
+        $config = $container
+            ->get(\VuFind\Config\PluginManager::class)
+            ->get('config');
-            ->get(\VuFind\Config\PluginManager::class)
-            ->get('config');
+            ->get(\VuFind\Config\ConfigManager::class)
+            ->getConfigArray('config');
-            ->get(\VuFind\Config\PluginManager::class)
-            ->get('config');
+            ->get(\VuFind\Config\ConfigManager::class)
+            ->getConfigArray('config');
+
+        $secret = $config->Captcha->altcha_secret ?? null;
+
+        if (empty($secret)) {
+            throw new \Exception('Secret key needed for Altcha. See config.ini.');
+        }
+
+        $algorithm = Algorithm::from($config->Captcha->altcha_algorithm ?? 'SHA-256');
+        $max_number = $config->Captcha->altcha_max_number ?? 100000;
+        $salt_len = $config->Captcha->altcha_salt_len ?? 12;
+        $expires_interval = $config->Captcha->altcha_expires_interval ?? null;
+        $params = $config->Captcha->altcha_params ?? [];
+
+        $expires = !empty($expires_interval)
+            ? (new \DateTimeImmutable())->add(new \DateInterval($expires_interval))
+            : null;
+
+        return new $requestedName(
+            $secret,
+            // challenge options
+            $algorithm,
+            $max_number,
+            $expires,
+            $params,
+            $salt_len,
+        );
+    }
+}
diff --git a/module/VuFind/src/VuFind/Captcha/PluginManager.php b/module/VuFind/src/VuFind/Captcha/PluginManager.php
@@ -48,10 +48,12 @@ class PluginManager extends \VuFind\ServiceManager\AbstractPluginManager
      * @var array
      */
     protected $aliases = [
+        'altcha' => Altcha::class,
         'demo' => Demo::class,
         'dumb' => Dumb::class,
         'image' => Image::class,
         'interval' => Interval::class,
+        'pow' => PoW::class,
         'recaptcha' => ReCaptcha::class,
     ];
 
@@ -61,10 +63,12 @@ class PluginManager extends \VuFind\ServiceManager\AbstractPluginManager
      * @var array
      */
     protected $factories = [
+        Altcha::class => AltchaFactory::class,
         Demo::class => InvokableFactory::class,
         Dumb::class => DumbFactory::class,
         Image::class => ImageFactory::class,
         Interval::class => IntervalFactory::class,
+        PoW::class => PoWFactory::class,
         ReCaptcha::class => ReCaptchaFactory::class,
     ];