Add ability to include IPs in challenge hash generation, to lock cookies to IPs (like the pre-sig mode)

README.MD

@@ -34,6 +34,7 @@ Add some env vars to docker-compose file:
 - HMAC_COOKIE_SECRET - different random string, a salt for pow cookies
 - RAY_ID - string to identify the HAProxy node by
 - BUCKET_DURATION - how long between bucket changes, invalidating cookies
+- CHALLENGE_INCLUDES_IP - any value, whether to lock solved challenges to IP or tor circuit
 - BACKEND_NAME - Optional, name of backend to build from hosts.map
 - SERVER_PREFIX - Optional, prefix of server names used in server-template
 

docker-compose.yml

@@ -36,6 +36,7 @@ services:
       - BUCKET_DURATION=43200
       - BACKEND_NAME=servers
       - SERVER_PREFIX=websrv
+      #- CHALLENGE_INCLUDES_IP=1
   nginx:
     ports:
       - 81:80

src/libs/utils.lua

@@ -2,6 +2,7 @@ local _M = {}
 
 local sha = require("sha")
 local secret_bucket_duration = tonumber(os.getenv("BUCKET_DURATION"))
+local challenge_includes_ip = os.getenv("CHALLENGE_INCLUDES_IP")
 
 function _M.generate_secret(context, salt, user_key, is_applet)
 
@@ -9,6 +10,12 @@ function _M.generate_secret(context, salt, user_key, is_applet)
 	local start_sec = core.now()['sec']
 	local bucket = start_sec - (start_sec % secret_bucket_duration)
 
+	-- optional IP to lock challenges/user_keys to IP (for clearnet or single-onion aka 99% of cases)
+	local ip = ""
+	if challenge_includes_ip then
+		ip = context.sf:src()
+	end
+
 	-- user agent to counter very dumb spammers
 	local user_agent = ""
 	if is_applet == true then
@@ -19,7 +26,7 @@ function _M.generate_secret(context, salt, user_key, is_applet)
 		user_agent = context.sf:req_fhdr('user-agent') or ""
 	end
 
-	return sha.sha256(salt .. bucket .. user_key .. user_agent)
+	return sha.sha256(salt .. bucket .. ip .. user_key .. user_agent)
 
 end