Merge branch 'master' into kikeflare

src/scripts/hcaptcha.lua

@@ -5,15 +5,35 @@ local utils = require("utils")
 local cookie = require("cookie")
 local json = require("json")
 local sha = require("sha")
+local randbytes = require("randbytes")
+--require("print_r")
 
-local captcha_secret = os.getenv("HCAPTCHA_SECRET")
-local captcha_sitekey = os.getenv("HCAPTCHA_SITEKEY")
-local hcaptcha_cookie_secret = os.getenv("CAPTCHA_COOKIE_SECRET")
+local captcha_secret = os.getenv("HCAPTCHA_SECRET") or os.getenv("RECAPTCHA_SECRET")
+local captcha_sitekey = os.getenv("HCAPTCHA_SITEKEY") or os.getenv("RECAPTCHA_SITEKEY")
+local captcha_cookie_secret = os.getenv("CAPTCHA_COOKIE_SECRET")
 local pow_cookie_secret = os.getenv("POW_COOKIE_SECRET")
+local hmac_cookie_secret = os.getenv("HMAC_COOKIE_SECRET")
 local ray_id = os.getenv("RAY_ID")
 
-local captcha_provider_domain = "hcaptcha.com"
 local captcha_map = Map.new("/etc/haproxy/ddos.map", Map._str);
+local captcha_provider_domain = ""
+local captcha_classname = ""
+local captcha_script_src = ""
+local captcha_siteverify_path = ""
+local captcha_backend_name = ""
+if os.getenv("HCAPTCHA_SITEKEY") then
+	captcha_provider_domain = "hcaptcha.com"
+	captcha_classname = "h-captcha"
+	captcha_script_src = "https://hcaptcha.com/1/api.js"
+	captcha_siteverify_path = "/siteverify"
+	captcha_backend_name = "hcaptcha"
+else
+	captcha_provider_domain = "www.google.com"
+	captcha_classname = "g-recaptcha"
+	captcha_script_src = "https://www.google.com/recaptcha/api.js"
+	captcha_siteverify_path = "/recaptcha/api/siteverify"
+	captcha_backend_name = "recaptcha"
+end
 
 function _M.setup_servers()
 	local backend_name = os.getenv("BACKEND_NAME")
@@ -50,7 +70,7 @@ local body_template = [[
 		<style>
 			:root{--text-color:#c5c8c6;--bg-color:#1d1f21}
 			@media (prefers-color-scheme:light){:root{--text-color:#333;--bg-color:#EEE}}
-			.h-captcha{min-height:85px;display:block}
+			.h-captcha,.g-recaptcha{min-height:85px;display:block}
 			.red{color:red;font-weight:bold}
 			a,a:visited{color:var(--text-color)}
 			body,html{height:100%%}
@@ -83,7 +103,7 @@ local body_template = [[
 			<p>Security and Performance by <a href="https://BasedFlare.com">BasedFlare</a></p>
 			<p>Node: <code>%s</code></p>
 		</footer>
-		<script src="/js/sha1.js"></script>
+		<script src="/js/challenge.js"></script>
 	</body>
 </html>
 ]]
@@ -121,14 +141,14 @@ local pow_section_template = [[
 		</div>
 ]]
 
--- message, hcaptcha form and submit button
+-- message, captcha form and submit button
 local captcha_section_template = [[
 		<h3>
 			Please solve the captcha to continue.
 		</h3>
 		<form class="jsonly" method="POST">
-			<div class="h-captcha" data-sitekey="%s"></div>
-			<script src="https://hcaptcha.com/1/api.js" async defer></script>
+			<div class="%s" data-sitekey="%s"></div>
+			<script src="%s" async defer></script>
 			<input type="submit" value="Calculating proof of work..." disabled>
 		</form>
 ]]
@@ -138,8 +158,15 @@ function _M.view(applet)
 	local response_status_code
 	if applet.method == "GET" then
 
-		-- get challenge string for proof of work
-		generated_work = utils.generate_secret(applet, pow_cookie_secret, true, "")
+		-- get the user_key#challenge#sig
+		local user_key = sha.bin_to_hex(randbytes(16))
+		local challenge_hash = utils.generate_secret(applet, pow_cookie_secret, user_key, true)
+		local signature = sha.hmac(sha.sha256, hmac_cookie_secret, user_key .. challenge_hash)
+		local combined_challenge = user_key .. "#" .. challenge_hash .. "#" .. signature
+		-- print_r(user_key)
+		-- print_r(challenge_hash)
+		-- print_r(signature)
+		-- print_r(combined_challenge)
 
 		-- define body sections
 		local site_name_body = ""
@@ -157,53 +184,54 @@ function _M.view(applet)
 		if captcha_map_lookup == 2 then
 			captcha_enabled = true
 		end
-		--
 
 		-- pow at least is always enabled when reaching bot-check page
 		site_name_body = string.format(site_name_section_template, host)
 		if captcha_enabled then
-			captcha_body = string.format(captcha_section_template, captcha_sitekey)
+			captcha_body = string.format(captcha_section_template, captcha_classname, captcha_sitekey, captcha_script_src)
 		else
 			pow_body = pow_section_template
-			noscript_extra_body = string.format(noscript_extra_template, generated_work)
+			noscript_extra_body = string.format(noscript_extra_template, combined_challenge)
 		end
 
 		-- sub in the body sections
-		response_body = string.format(body_template, generated_work, site_name_body, pow_body, captcha_body, noscript_extra_body, ray_id)
+		response_body = string.format(body_template, combined_challenge, site_name_body, pow_body, captcha_body, noscript_extra_body, ray_id)
 		response_status_code = 403
 	elseif applet.method == "POST" then
 		local parsed_body = url.parseQuery(applet.receive(applet))
-		if parsed_body["h-captcha-response"] then
-			local hcaptcha_url = string.format(
-				"https://%s/siteverify",
-				core.backends["hcaptcha"].servers["hcaptcha"]:get_addr()
+		local user_captcha_response = parsed_body["h-captcha-response"] or parsed_body["g-recaptcha-response"]
+		if user_captcha_response then
+			local captcha_url = string.format(
+				"https://%s%s",
+				core.backends[captcha_backend_name].servers[captcha_backend_name]:get_addr(),
+				captcha_siteverify_path
 			)
-			local hcaptcha_body = url.buildQuery({
+			local captcha_body = url.buildQuery({
 				secret=captcha_secret,
-				response=parsed_body["h-captcha-response"]
+				response=user_captcha_response
 			})
 			local httpclient = core.httpclient()
 			local res = httpclient:post{
-				url=hcaptcha_url,
-				body=hcaptcha_body,
+				url=captcha_url,
+				body=captcha_body,
 				headers={
 					[ "host" ] = { captcha_provider_domain },
 					[ "content-type" ] = { "application/x-www-form-urlencoded" }
 				}
 			}
 			local status, api_response = pcall(json.decode, res.body)
-			--require("print_r")
-			--print_r(hcaptcha_body)
-			--print_r(res)
-			--print_r(api_response)
 			if not status then
 				api_response = {}
 			end
 			if api_response.success == true then
-				local floating_hash = utils.generate_secret(applet, hcaptcha_cookie_secret, true, nil)
+				-- for captcha, they dont need to solve a POW but we check the user_hash and sig later
+				local user_key = sha.bin_to_hex(randbytes(16))
+				local user_hash = utils.generate_secret(applet, captcha_cookie_secret, user_key, true)
+				local signature = sha.hmac(sha.sha256, hmac_cookie_secret, user_key .. user_hash)
+				local combined_cookie = user_key .. "#" .. user_hash .. "#" .. signature
 				applet:add_header(
 					"set-cookie",
-					string.format("z_ddos_captcha=%s; expires=Thu, 31-Dec-37 23:55:55 GMT; Path=/; SameSite=Strict; Secure=true;", floating_hash)
+					string.format("z_ddos_captcha=%s; expires=Thu, 31-Dec-37 23:55:55 GMT; Path=/; SameSite=Strict; Secure=true;", combined_cookie)
 				)
 			end
 		end
@@ -236,26 +264,57 @@ function _M.decide_checks_necessary(txn)
 	-- otherwise, domain+path was set to 0 (whitelist) or there is no entry in the map
 end
 
--- check if captcha token is valid, separate secret from POW
+-- check if captcha cookie is valid, separate secret from POW
 function _M.check_captcha_status(txn)
 	local parsed_request_cookies = cookie.get_cookie_table(txn.sf:hdr("Cookie"))
-	local expected_cookie = utils.generate_secret(txn, hcaptcha_cookie_secret, false, nil)
-	if parsed_request_cookies["z_ddos_captcha"] == expected_cookie then
+	local received_captcha_cookie = parsed_request_cookies["z_ddos_captcha"] or ""
+	local split_cookie = utils.split(received_captcha_cookie, "#")
+	if #split_cookie ~= 3 then
+		return
+	end
+	local given_user_key = split_cookie[1]
+	local given_user_hash = split_cookie[2]
+	local given_signature = split_cookie[3]
+	-- regenerate the user hash and compare it
+	local generated_user_hash = utils.generate_secret(txn, captcha_cookie_secret, given_user_key, false)
+	if generated_user_hash ~= given_user_hash then
+		return
+	end
+	-- regenerate the signature and compare it
+	local generated_signature = sha.hmac(sha.sha256, hmac_cookie_secret, given_user_key .. given_user_hash)
+	if given_signature == generated_signature then
 		return txn:set_var("txn.captcha_passed", true)
 	end
 end
 
--- check if pow token is valid
+-- check if pow cookie is valid
 function _M.check_pow_status(txn)
 	local parsed_request_cookies = cookie.get_cookie_table(txn.sf:hdr("Cookie"))
-	if parsed_request_cookies["z_ddos_pow"] then
-		local generated_work = utils.generate_secret(txn, pow_cookie_secret, false, "")
-		local iterations = parsed_request_cookies["z_ddos_pow"]
-		local completed_work = sha.sha1(generated_work .. iterations)
-		local challenge_offset = tonumber(generated_work:sub(1,1),16) * 2
-		if completed_work:sub(challenge_offset+1, challenge_offset+4) == 'b00b' then -- i dont know lua properly :^)
-			return txn:set_var("txn.pow_passed", true)
-		end
+	local received_pow_cookie = parsed_request_cookies["z_ddos_pow"] or ""
+	-- split the cookie up
+	local split_cookie = utils.split(received_pow_cookie, "#")
+	if #split_cookie ~= 4 then
+		return
+	end
+	local given_user_key = split_cookie[1]
+	local given_challenge_hash = split_cookie[2]
+	local given_signature = split_cookie[3]
+	local given_nonce = split_cookie[4]
+	-- regenerate the challenge and compare it
+	local generated_challenge_hash = utils.generate_secret(txn, pow_cookie_secret, given_user_key, false)
+	if given_challenge_hash ~= generated_challenge_hash then
+		return
+	end
+	-- regenerate the signature and compare it
+	local generated_signature = sha.hmac(sha.sha256, hmac_cookie_secret, given_user_key .. given_challenge_hash)
+	if given_signature ~= generated_signature then
+		return
+	end
+	-- check the work
+	local completed_work = sha.sha256(generated_challenge_hash .. given_nonce)
+	local challenge_offset = tonumber(generated_challenge_hash:sub(1,1),16) * 2
+	if completed_work:sub(challenge_offset+1, challenge_offset+4) == '0041' then -- i dont know lua properly :^)
+		return txn:set_var("txn.pow_passed", true)
 	end
 end