fix(web): embed challenge ID into generated pages

Signed-off-by: Xe Iaso <me@xeiaso.net>
2026-04-11 02:58:49 +00:00 · 2025-08-02 20:10:57 +00:00
parent 5831002762
commit 02fc1079cc
9 changed files with 57 additions and 59 deletions
--- a/lib/anubis.go
+++ b/lib/anubis.go
@@ -92,15 +92,10 @@ func (s *Server) getTokenKeyfunc() jwt.Keyfunc {
 }

 func (s *Server) getChallenge(r *http.Request) (*challenge.Challenge, error) {
-	ckies := r.CookiesNamed(anubis.TestCookieName)
-	if len(ckies) == 0 {
-		return nil, store.ErrNotFound
-	}
-
+	id := r.FormValue("id")
 	j := store.JSON[challenge.Challenge]{Underlying: s.store}

-	ckie := ckies[0]
-	chall, err := j.Get(r.Context(), "challenge:"+ckie.Value)
+	chall, err := j.Get(r.Context(), "challenge:"+id)

 	return &chall, err
 }
--- a/lib/challenge/metarefresh/metarefresh.go
+++ b/lib/challenge/metarefresh/metarefresh.go
@@ -31,6 +31,7 @@ func (i *Impl) Issue(r *http.Request, lg *slog.Logger, in *challenge.IssueInput)
 	q := u.Query()
 	q.Set("redir", r.URL.String())
 	q.Set("challenge", in.Challenge.RandomData)
+	q.Set("id", in.Challenge.ID)
 	u.RawQuery = q.Encode()

 	loc := localization.GetLocalizer(r)
--- a/lib/challenge/proofofwork/proofofwork.go
+++ b/lib/challenge/proofofwork/proofofwork.go
@@ -25,9 +25,7 @@ type Impl struct {
 	Algorithm string
 }

-func (i *Impl) Setup(mux *http.ServeMux) {
-	/* no implementation required */
-}
+func (i *Impl) Setup(mux *http.ServeMux) {}

 func (i *Impl) Issue(r *http.Request, lg *slog.Logger, in *chall.IssueInput) (templ.Component, error) {
 	loc := localization.GetLocalizer(r)
--- a/lib/http.go
+++ b/lib/http.go
@@ -179,12 +179,15 @@ func (s *Server) RenderIndex(w http.ResponseWriter, r *http.Request, cr policy.C
 		return
 	}

-	page, err := web.BaseWithChallengeAndOGTags(localizer.T("making_sure_not_bot"), component, in.Impressum, in.Challenge.RandomData, in.Rule.Challenge, in.OGTags, localizer)
-	if err != nil {
-		lg.Error("[unexpected] challenge page render failed, please open an issue", "err", err) // This is likely a bug in the template. Should never be triggered as CI tests for this.
-		s.respondWithError(w, r, fmt.Sprintf("%s \"RenderIndex\"", localizer.T("internal_server_error")))
-		return
-	}
+	page := web.BaseWithChallengeAndOGTags(
+		localizer.T("making_sure_not_bot"),
+		component,
+		s.policy.Impressum,
+		chall,
+		in.Rule.Challenge,
+		in.OGTags,
+		localizer,
+	)

 	handler := internal.GzipMiddleware(1, internal.NoStoreCache(templ.Handler(
 		page,