Feature: Proof of Work captcha

composer.json

@@ -46,6 +46,7 @@
     "require": {
         "php": ">=8.1",
         "ahand/mobileesp": "dev-master",
+        "altcha-org/altcha": "^1.1",
         "apereo/phpcas": "1.6.1",
         "browscap/browscap-php": "^7.2",
         "cap60552/php-sip2": "1.0.0",

config/vufind/config.ini

@@ -2508,10 +2508,12 @@ validateHierarchySequences = true
 ; your instance.
 ;[Captcha]
 ; Valid type values:
+; - altcha (proof of work bot deterrent)
 ; - dumb (ask the user to reverse a random string; only recommended for testing)
 ; - image (generate a local image for the user to interpret)
 ; - interval (allow an action after a specified time has elapsed from session start
 ;   or previous action)
+; - pow (proof of work bot deterrent)
 ; - recaptcha (use Google's ReCaptcha service)
 ; If multiple values are given, the user will be able to pick their favorite.
 ; See below for additional type-specific settings.
@@ -2526,6 +2528,25 @@ validateHierarchySequences = true
 ;       form-by-form basis with the useCaptcha setting in FeedbackForms.yaml.
 ;forms = *
 
+
+; Altcha
+altcha_secret = "secret hmac hey that should be a long hash"
+
+; Altcha Challenge Options
+; @link https://github.com/altcha-org/altcha-lib-php/blob/main/src/ChallengeOptions.php
+; - Hashing algorithm to use (`SHA-1`, `SHA-256`, `SHA-512`, default: `SHA-256`).
+;altcha_algorithm = 'SHA-256'
+; - Maximum number for the random number generator (default: 1000000)
+;altcha_max_number = 1000000
+; - Length of the random salt (default: 12 bytes).
+;altcha_salt_len = 12
+; - Optional interval to generate expiration time for the challenge.
+;   MUST be valid string for DateInterval::createFromDateString.
+;altcha_expires_interval =
+; - Optional URL-encoded query parameters.
+;altcha_params =
+
+
 ; Image options, see:
 ;      https://docs.laminas.dev/laminas-captcha/adapters/#laminascaptchaimage
 ;image_length = 8
@@ -2542,6 +2563,12 @@ validateHierarchySequences = true
 ; action_interval):
 ;time_from_session_start = 0
 
+; Proof of Work options
+; PHP and JS both natively support sha1, sha256, sha384, sha512.
+;pow_hash = sha256
+; number of leading zeroes required; default: 5
+;pow_difficulty = 5
+
 ; See http://www.google.com/recaptcha for more information on reCAPTCHA and to
 ; create keys for your domain. Make sure that SSL settings are correct in the
 ; [Http] section, or your Captcha may not work.

config/vufind/contentsecuritypolicy.ini

@@ -44,8 +44,11 @@ script-src[] = "https:"
 connect-src[] = "'self'"
 ; If you are using Google Analytics, uncomment the line below
 ;connect-src[] = "https://*.google-analytics.com"
-; worker-src required for jsTree with browsers that don't support 'strict-dynamic' (e.g. Safari):
+; worker-src (permission to load web worker JS files)
+; (blob) required for jsTree with browsers that don't support 'strict-dynamic' (e.g. Safari):
 worker-src[] = "blob:"
+; (self) required for proof of work (PoW) Captcha web wworker
+worker-src[] = "'self'"
 style-src[] = "'self'"
 style-src[] = "'unsafe-inline'"
 img-src[] = "'self'"

module/VuFind/src/VuFind/Captcha/Altcha.php

@@ -0,0 +1,110 @@
+<?php
+
+/**
+ * Altcha proof-of-work CAPTCHA.
+ *
+ * PHP version 8
+ *
+ * Copyright (C) Villanova University 2025.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ * @category VuFind
+ * @package  CAPTCHA
+ * @author   Chris Hallberg <challber@villanova.edu>
+ * @license  http://opensource.org/licenses/gpl-2.0.php GNU General Public License
+ * @link     https://vufind.org Main Page
+ */
+
+namespace VuFind\Captcha;
+
+use AltchaOrg\Altcha\ChallengeOptions;
+use AltchaOrg\Altcha\Hasher\Algorithm;
+use Laminas\Mvc\Controller\Plugin\Params;
+
+/**
+ * Altcha proof-of-work CAPTCHA.
+ *
+ * @category VuFind
+ * @package  CAPTCHA
+ * @author   Chris Hallberg <challber@villanova.edu>
+ * @license  http://opensource.org/licenses/gpl-2.0.php GNU General Public License
+ * @link     https://vufind.org/wiki/development Wiki
+ */
+class Altcha extends AbstractBase
+{
+    /**
+     * Constructor
+     *
+     * @param AltchaOrg\Altcha\Altcha $altcha Required HMAC key for challenge calculation and solution verification.
+     * @param Algorithm               $algorithm  Hashing algorithm to use (`SHA-1`, `SHA-256`, `SHA-512`, default: `SHA-256`).
+     * @param int                     $maxNumber  Maximum number for the random number generator (default: 1,000,000)
+     * @param null|\DateTimeInterface $expires    Optional expiration time for the challenge.
+     * @param ChallengeParams         $params     Optional URL-encoded query parameters.
+     * @param int<1, max>             $saltLength Length of the random salt (default: 12 bytes).
+     */
+    public function __construct(
+        protected AltchaOrg\Altcha\Altcha $altcha,
+        // Options for creation of a new challenge
+        protected Algorithm $algorithm = Algorithm::SHA256,
+        protected ?\DateTimeInterface $expires = null,
+        protected array $params = [],
+    ) {
+    }
+
+    /**
+     * Get list of URLs with JS dependencies to load for the active CAPTCHA type.
+     *
+     * @return array
+     */
+    public function getJsIncludes(): array
+    {
+        return ['vendor/altcha.js', 'vendor/altcha-i18n.js'];
+    }
+
+    /**
+     * Generate challenge
+     *
+     * @return Challenge
+     */
+    public function getChallenge()
+    {
+        $options = new ChallengeOptions(
+            algorithm: $this->algorithm,
+            maxNumber: $this->maxNumber,
+            expires: $this->expires,
+            params: $this->params,
+            saltLength: $this->saltLength,
+        );
+
+        return json_encode($this->altcha->createChallenge($options));
+    }
+
+    /**
+     * Pull the captcha field from controller params and check them for accuracy
+     * We pull from the form in case config changed since challenge was sent
+     *
+     * @param Params $params Controller params
+     *
+     * @return bool
+     */
+    public function verify(Params $params): bool
+    {
+        $encoded = $params->fromPost('altcha', null);
+        $json = base64_decode($encoded);
+        $payload = json_decode($json, true);
+
+        return $this->altcha->verifySolution($payload, checkExpires: true);
+    }
+}

module/VuFind/src/VuFind/Captcha/AltchaFactory.php

@@ -0,0 +1,105 @@
+<?php
+
+/**
+ * Factory for Altcha proof-of-work CAPTCHA module.
+ *
+ * PHP version 8
+ *
+ * Copyright (C) Villanova University 2025.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ * @category VuFind
+ * @package  CAPTCHA
+ * @author   Chris Hallberg <challber@villanova.edu>
+ * @license  http://opensource.org/licenses/gpl-2.0.php GNU General Public License
+ * @link     https://vufind.org/wiki/development Wiki
+ */
+
+namespace VuFind\Captcha;
+
+use AltchaOrg\Altcha\Hasher\Algorithm;
+use Laminas\ServiceManager\Exception\ServiceNotCreatedException;
+use Laminas\ServiceManager\Exception\ServiceNotFoundException;
+use Laminas\ServiceManager\Factory\FactoryInterface;
+use Psr\Container\ContainerExceptionInterface as ContainerException;
+use Psr\Container\ContainerInterface;
+
+/**
+ * Altcha proof-of-work CAPTCHA factory.
+ *
+ * @category VuFind
+ * @package  CAPTCHA
+ * @author   Chris Hallberg <challber@villanova.edu>
+ * @license  http://opensource.org/licenses/gpl-2.0.php GNU General Public License
+ * @link     https://vufind.org/wiki/development Wiki
+ */
+class AltchaFactory implements FactoryInterface
+{
+    /**
+     * Create an object
+     *
+     * @param ContainerInterface $container     Service manager
+     * @param string             $requestedName Service being created
+     * @param null|array         $options       Extra options (optional)
+     *
+     * @return object
+     *
+     * @throws ServiceNotFoundException if unable to resolve the service.
+     * @throws ServiceNotCreatedException if an exception is raised when
+     * creating a service.
+     * @throws ContainerException&\Throwable if any other error occurs
+     */
+    public function __invoke(
+        ContainerInterface $container,
+        $requestedName,
+        ?array $options = null
+    ) {
+        if (!empty($options)) {
+            throw new \Exception('Unexpected options passed to factory.');
+        }
+
+        $config = $container
+            ->get(\VuFind\Config\PluginManager::class)
+            ->get('config');
+
+        $secret = $config->Captcha->altcha_secret ?? null;
+
+        if (empty($secret)) {
+            throw new \Exception('Secret key needed for Altcha. See config.ini.');
+        }
+
+        $algorithm = Algorithm::from($config->Captcha->altcha_algorithm ?? 'SHA-256');
+        $max_number = $config->Captcha->altcha_max_number ?? 100000;
+        $salt_len = $config->Captcha->altcha_salt_len ?? 12;
+        $expires_interval = $config->Captcha->altcha_expires_interval ?? null;
+        $params = $config->Captcha->altcha_params ?? [];
+
+        $expires = !empty($expires_interval)
+            ? (new \DateTimeImmutable())->add(new \DateInterval($expires_interval))
+            : null;
+
+        $altcha = new AltchaOrg\Altcha\Altcha($secret);
+
+        return new $requestedName(
+            $altcha,
+            // challenge options
+            $algorithm,
+            $max_number,
+            $expires,
+            $params,
+            $salt_len,
+        );
+    }
+}

module/VuFind/src/VuFind/Captcha/PluginManager.php

@@ -48,10 +48,12 @@ class PluginManager extends \VuFind\ServiceManager\AbstractPluginManager
      * @var array
      */
     protected $aliases = [
+        'altcha' => Altcha::class,
         'demo' => Demo::class,
         'dumb' => Dumb::class,
         'image' => Image::class,
         'interval' => Interval::class,
+        'pow' => PoW::class,
         'recaptcha' => ReCaptcha::class,
     ];
 
@@ -61,10 +63,12 @@ class PluginManager extends \VuFind\ServiceManager\AbstractPluginManager
      * @var array
      */
     protected $factories = [
+        Altcha::class => AltchaFactory::class,
         Demo::class => InvokableFactory::class,
         Dumb::class => DumbFactory::class,
         Image::class => ImageFactory::class,
         Interval::class => IntervalFactory::class,
+        PoW::class => PoWFactory::class,
         ReCaptcha::class => ReCaptchaFactory::class,
     ];