feat(web/js): add wasm client side runner

Signed-off-by: Xe Iaso <me@xeiaso.net>
2026-04-10 10:38:45 +00:00 · 2025-09-28 02:21:11 +00:00
parent 03a6c07c73
commit a63cbc7ced
14 changed files with 670 additions and 7 deletions
--- a/lib/anubis.go
+++ b/lib/anubis.go
@@ -37,6 +37,7 @@ import (
 	_ "github.com/TecharoHQ/anubis/lib/challenge/metarefresh"
 	_ "github.com/TecharoHQ/anubis/lib/challenge/preact"
 	_ "github.com/TecharoHQ/anubis/lib/challenge/proofofwork"
+	_ "github.com/TecharoHQ/anubis/lib/challenge/wasm"
 )

 var (
--- a/lib/challenge/preact/js/app.tsx
+++ b/lib/challenge/preact/js/app.tsx
@@ -1,6 +1,6 @@
 import { render, h, Fragment } from "preact";
 import { useState, useEffect } from "preact/hooks";
-import { g, j, r, u, x } from "./xeact.js";
+import { g, j, r, u, x } from "../../../../web/lib/xeact";
 import { Sha256 } from "@aws-crypto/sha256-js";

 /** @jsx h */
--- a/lib/challenge/preact/js/xeact.js
+++ b/lib/challenge/preact/js/xeact.js
@@ -1,129 +0,0 @@
-/**
- * Creates a DOM element, assigns the properties of `data` to it, and appends all `children`.
- *
- * @type{function(string|Function, Object=, Node|Array.<Node|string>=)}
- */
-const h = (name, data = {}, children = []) => {
-  const result =
-    typeof name == "function" ? name(data) : Object.assign(document.createElement(name), data);
-  if (!Array.isArray(children)) {
-    children = [children];
-  }
-  result.append(...children);
-  return result;
-};
-
-/**
- * Create a text node.
- *
- * Equivalent to `document.createTextNode(text)`
- *
- * @type{function(string): Text}
- */
-const t = (text) => document.createTextNode(text);
-
-/**
- * Remove all child nodes from a DOM element.
- *
- * @type{function(Node)}
- */
-const x = (elem) => {
-  while (elem.lastChild) {
-    elem.removeChild(elem.lastChild);
-  }
-};
-
-/**
- * Get all elements with the given ID.
- *
- * Equivalent to `document.getElementById(name)`
- *
- * @type{function(string): HTMLElement}
- */
-const g = (name) => document.getElementById(name);
-
-/**
- * Get all elements with the given class name.
- *
- * Equivalent to `document.getElementsByClassName(name)`
- *
- * @type{function(string): HTMLCollectionOf.<Element>}
- */
-const c = (name) => document.getElementsByClassName(name);
-
-/** @type{function(string): HTMLCollectionOf.<Element>} */
-const n = (name) => document.getElementsByName(name);
-
-/**
- * Get all elements matching the given HTML selector.
- *
- * Matches selectors with `document.querySelectorAll(selector)`
- *
- * @type{function(string): Array.<HTMLElement>}
- */
-const s = (selector) => Array.from(document.querySelectorAll(selector));
-
-/**
- * Generate a relative URL from `url`, appending all key-value pairs from `params` as URL-encoded parameters.
- *
- * @type{function(string=, Object=): string}
- */
-const u = (url = "", params = {}) => {
-  let result = new URL(url, window.location.href);
-  Object.entries(params).forEach((kv) => {
-    let [k, v] = kv;
-    result.searchParams.set(k, v);
-  });
-  return result.toString();
-};
-
-/**
- * Takes a callback to run when all DOM content is loaded.
- *
- * Equivalent to `window.addEventListener('DOMContentLoaded', callback)`
- *
- * @type{function(function())}
- */
-const r = (callback) => window.addEventListener("DOMContentLoaded", callback);
-
-/**
- * Allows a stateful value to be tracked by consumers.
- *
- * This is the Xeact version of the React useState hook.
- *
- * @type{function(any): [function(): any, function(any): void]}
- */
-const useState = (value = undefined) => {
-  return [
-    () => value,
-    (x) => {
-      value = x;
-    },
-  ];
-};
-
-/**
- * Debounce an action for up to ms milliseconds.
- *
- * @type{function(number): function(function(any): void)}
- */
-const d = (ms) => {
-  let debounceTimer = null;
-  return (f) => {
-    clearTimeout(debounceTimer);
-    debounceTimer = setTimeout(f, ms);
-  };
-};
-
-/**
- * Parse the contents of a given HTML page element as JSON and
- * return the results.
- * 
- * This is useful when using templ to pass complicated data from
- * the server to the client via HTML[1].
- * 
- * [1]: https://templ.guide/syntax-and-usage/script-templates/#pass-server-side-data-to-the-client-in-a-html-attribute
- */
-const j = (id) => JSON.parse(g(id).textContent);
-
-export { h, t, x, g, j, c, n, u, s, r, useState, d };
--- a/lib/challenge/wasm/proofofwork.go
+++ b/lib/challenge/wasm/proofofwork.go
@@ -0,0 +1,81 @@
+package wasm
+
+import (
+	"crypto/subtle"
+	"fmt"
+	"log/slog"
+	"net/http"
+	"strconv"
+	"strings"
+
+	"github.com/TecharoHQ/anubis/internal"
+	chall "github.com/TecharoHQ/anubis/lib/challenge"
+	"github.com/TecharoHQ/anubis/lib/localization"
+	"github.com/a-h/templ"
+)
+
+//go:generate go tool github.com/a-h/templ/cmd/templ generate
+
+func init() {
+	chall.Register("argon2id", &Impl{Algorithm: "argon2id"})
+	chall.Register("sha256", &Impl{Algorithm: "sha256"})
+}
+
+type Impl struct {
+	Algorithm string
+}
+
+func (i *Impl) Setup(mux *http.ServeMux) {}
+
+func (i *Impl) Issue(w http.ResponseWriter, r *http.Request, lg *slog.Logger, in *chall.IssueInput) (templ.Component, error) {
+	loc := localization.GetLocalizer(r)
+	return page(loc), nil
+}
+
+func (i *Impl) Validate(r *http.Request, lg *slog.Logger, in *chall.ValidateInput) error {
+	rule := in.Rule
+	challenge := in.Challenge.RandomData
+
+	nonceStr := r.FormValue("nonce")
+	if nonceStr == "" {
+		return chall.NewError("validate", "invalid response", fmt.Errorf("%w nonce", chall.ErrMissingField))
+	}
+
+	nonce, err := strconv.Atoi(nonceStr)
+	if err != nil {
+		return chall.NewError("validate", "invalid response", fmt.Errorf("%w: nonce: %w", chall.ErrInvalidFormat, err))
+
+	}
+
+	elapsedTimeStr := r.FormValue("elapsedTime")
+	if elapsedTimeStr == "" {
+		return chall.NewError("validate", "invalid response", fmt.Errorf("%w elapsedTime", chall.ErrMissingField))
+	}
+
+	elapsedTime, err := strconv.ParseFloat(elapsedTimeStr, 64)
+	if err != nil {
+		return chall.NewError("validate", "invalid response", fmt.Errorf("%w: elapsedTime: %w", chall.ErrInvalidFormat, err))
+	}
+
+	response := r.FormValue("response")
+	if response == "" {
+		return chall.NewError("validate", "invalid response", fmt.Errorf("%w response", chall.ErrMissingField))
+	}
+
+	calcString := fmt.Sprintf("%s%d", challenge, nonce)
+	calculated := internal.SHA256sum(calcString)
+
+	if subtle.ConstantTimeCompare([]byte(response), []byte(calculated)) != 1 {
+		return chall.NewError("validate", "invalid response", fmt.Errorf("%w: wanted response %s but got %s", chall.ErrFailed, calculated, response))
+	}
+
+	// compare the leading zeroes
+	if !strings.HasPrefix(response, strings.Repeat("0", rule.Challenge.Difficulty)) {
+		return chall.NewError("validate", "invalid response", fmt.Errorf("%w: wanted %d leading zeros but got %s", chall.ErrFailed, rule.Challenge.Difficulty, response))
+	}
+
+	lg.Debug("challenge took", "elapsedTime", elapsedTime)
+	chall.TimeTaken.WithLabelValues(i.Algorithm).Observe(elapsedTime)
+
+	return nil
+}
--- a/lib/challenge/wasm/proofofwork.templ
+++ b/lib/challenge/wasm/proofofwork.templ
@@ -0,0 +1,44 @@
+package wasm
+
+import (
+	"github.com/TecharoHQ/anubis"
+	"github.com/TecharoHQ/anubis/lib/localization"
+)
+
+templ page(localizer *localization.SimpleLocalizer) {
+	<div class="centered-div">
+		<img id="image" style="width:100%;max-width:256px;" src={ anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version }/>
+		<img style="display:none;" style="width:100%;max-width:256px;" src={ anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/happy.webp?cacheBuster=" + anubis.Version }/>
+		<p id="status">{ localizer.T("loading") }</p>
+		<script async type="module" src={ anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/js/main.mjs?cacheBuster=" + anubis.Version }></script>
+		<div id="progress" role="progressbar" aria-labelledby="status">
+			<div class="bar-inner"></div>
+		</div>
+		<details>
+			if anubis.UseSimplifiedExplanation {
+				<p>
+					{ localizer.T("simplified_explanation") }
+				</p>
+			} else {
+				<p>
+					{ localizer.T("ai_companies_explanation") }
+				</p>
+				<p>
+					{ localizer.T("anubis_compromise") }
+				</p>
+				<p>
+					{ localizer.T("hack_purpose") }
+				</p>
+				<p>
+					{ localizer.T("jshelter_note") }
+				</p>
+			}
+		</details>
+		<noscript>
+			<p>
+				{ localizer.T("javascript_required") }
+			</p>
+		</noscript>
+		<div id="testarea"></div>
+	</div>
+}
--- a/lib/challenge/wasm/proofofwork_templ.go
+++ b/lib/challenge/wasm/proofofwork_templ.go
@@ -0,0 +1,190 @@
+// Code generated by templ - DO NOT EDIT.
+
+// templ: version: v0.3.924
+package wasm
+
+//lint:file-ignore SA4006 This context is only used if a nested component is present.
+
+import "github.com/a-h/templ"
+import templruntime "github.com/a-h/templ/runtime"
+
+import (
+	"github.com/TecharoHQ/anubis"
+	"github.com/TecharoHQ/anubis/lib/localization"
+)
+
+func page(localizer *localization.SimpleLocalizer) templ.Component {
+	return templruntime.GeneratedTemplate(func(templ_7745c5c3_Input templruntime.GeneratedComponentInput) (templ_7745c5c3_Err error) {
+		templ_7745c5c3_W, ctx := templ_7745c5c3_Input.Writer, templ_7745c5c3_Input.Context
+		if templ_7745c5c3_CtxErr := ctx.Err(); templ_7745c5c3_CtxErr != nil {
+			return templ_7745c5c3_CtxErr
+		}
+		templ_7745c5c3_Buffer, templ_7745c5c3_IsBuffer := templruntime.GetBuffer(templ_7745c5c3_W)
+		if !templ_7745c5c3_IsBuffer {
+			defer func() {
+				templ_7745c5c3_BufErr := templruntime.ReleaseBuffer(templ_7745c5c3_Buffer)
+				if templ_7745c5c3_Err == nil {
+					templ_7745c5c3_Err = templ_7745c5c3_BufErr
+				}
+			}()
+		}
+		ctx = templ.InitializeContext(ctx)
+		templ_7745c5c3_Var1 := templ.GetChildren(ctx)
+		if templ_7745c5c3_Var1 == nil {
+			templ_7745c5c3_Var1 = templ.NopComponent
+		}
+		ctx = templ.ClearChildren(ctx)
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 1, "<div class=\"centered-div\"><img id=\"image\" style=\"width:100%;max-width:256px;\" src=\"")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		var templ_7745c5c3_Var2 string
+		templ_7745c5c3_Var2, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version)
+		if templ_7745c5c3_Err != nil {
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 10, Col: 165}
+		}
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var2))
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 2, "\"> <img style=\"display:none;\" style=\"width:100%;max-width:256px;\" src=\"")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		var templ_7745c5c3_Var3 string
+		templ_7745c5c3_Var3, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/happy.webp?cacheBuster=" + anubis.Version)
+		if templ_7745c5c3_Err != nil {
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 11, Col: 174}
+		}
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var3))
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 3, "\"><p id=\"status\">")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		var templ_7745c5c3_Var4 string
+		templ_7745c5c3_Var4, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("loading"))
+		if templ_7745c5c3_Err != nil {
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 12, Col: 41}
+		}
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var4))
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 4, "</p><script async type=\"module\" src=\"")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		var templ_7745c5c3_Var5 string
+		templ_7745c5c3_Var5, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/js/main.mjs?cacheBuster=" + anubis.Version)
+		if templ_7745c5c3_Err != nil {
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 13, Col: 136}
+		}
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var5))
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 5, "\"></script><div id=\"progress\" role=\"progressbar\" aria-labelledby=\"status\"><div class=\"bar-inner\"></div></div><details>")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		if anubis.UseSimplifiedExplanation {
+			templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 6, "<p>")
+			if templ_7745c5c3_Err != nil {
+				return templ_7745c5c3_Err
+			}
+			var templ_7745c5c3_Var6 string
+			templ_7745c5c3_Var6, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("simplified_explanation"))
+			if templ_7745c5c3_Err != nil {
+				return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 20, Col: 44}
+			}
+			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var6))
+			if templ_7745c5c3_Err != nil {
+				return templ_7745c5c3_Err
+			}
+			templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 7, "</p>")
+			if templ_7745c5c3_Err != nil {
+				return templ_7745c5c3_Err
+			}
+		} else {
+			templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 8, "<p>")
+			if templ_7745c5c3_Err != nil {
+				return templ_7745c5c3_Err
+			}
+			var templ_7745c5c3_Var7 string
+			templ_7745c5c3_Var7, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("ai_companies_explanation"))
+			if templ_7745c5c3_Err != nil {
+				return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 24, Col: 46}
+			}
+			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var7))
+			if templ_7745c5c3_Err != nil {
+				return templ_7745c5c3_Err
+			}
+			templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 9, "</p><p>")
+			if templ_7745c5c3_Err != nil {
+				return templ_7745c5c3_Err
+			}
+			var templ_7745c5c3_Var8 string
+			templ_7745c5c3_Var8, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("anubis_compromise"))
+			if templ_7745c5c3_Err != nil {
+				return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 27, Col: 39}
+			}
+			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var8))
+			if templ_7745c5c3_Err != nil {
+				return templ_7745c5c3_Err
+			}
+			templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 10, "</p><p>")
+			if templ_7745c5c3_Err != nil {
+				return templ_7745c5c3_Err
+			}
+			var templ_7745c5c3_Var9 string
+			templ_7745c5c3_Var9, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("hack_purpose"))
+			if templ_7745c5c3_Err != nil {
+				return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 30, Col: 34}
+			}
+			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var9))
+			if templ_7745c5c3_Err != nil {
+				return templ_7745c5c3_Err
+			}
+			templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 11, "</p><p>")
+			if templ_7745c5c3_Err != nil {
+				return templ_7745c5c3_Err
+			}
+			var templ_7745c5c3_Var10 string
+			templ_7745c5c3_Var10, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("jshelter_note"))
+			if templ_7745c5c3_Err != nil {
+				return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 33, Col: 35}
+			}
+			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var10))
+			if templ_7745c5c3_Err != nil {
+				return templ_7745c5c3_Err
+			}
+			templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 12, "</p>")
+			if templ_7745c5c3_Err != nil {
+				return templ_7745c5c3_Err
+			}
+		}
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 13, "</details><noscript><p>")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		var templ_7745c5c3_Var11 string
+		templ_7745c5c3_Var11, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("javascript_required"))
+		if templ_7745c5c3_Err != nil {
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 39, Col: 40}
+		}
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var11))
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 14, "</p></noscript><div id=\"testarea\"></div></div>")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		return nil
+	})
+}
+
+var _ = templruntime.GeneratedTemplate
--- a/lib/challenge/wasm/proofofwork_test.go
+++ b/lib/challenge/wasm/proofofwork_test.go
@@ -0,0 +1,151 @@
+package wasm
+
+import (
+	"errors"
+	"log/slog"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/TecharoHQ/anubis/lib/challenge"
+	"github.com/TecharoHQ/anubis/lib/policy"
+	"github.com/TecharoHQ/anubis/lib/policy/config"
+)
+
+func mkRequest(t *testing.T, values map[string]string) *http.Request {
+	t.Helper()
+	req, err := http.NewRequestWithContext(t.Context(), http.MethodGet, "/", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	q := req.URL.Query()
+
+	for k, v := range values {
+		q.Set(k, v)
+	}
+
+	req.URL.RawQuery = q.Encode()
+
+	return req
+}
+
+func TestBasic(t *testing.T) {
+	i := &Impl{Algorithm: "fast"}
+	bot := &policy.Bot{
+		Challenge: &config.ChallengeRules{
+			Algorithm:  "fast",
+			Difficulty: 0,
+			ReportAs:   0,
+		},
+	}
+	const challengeStr = "hunter"
+	const response = "2652bdba8fb4d2ab39ef28d8534d7694c557a4ae146c1e9237bd8d950280500e"
+
+	for _, cs := range []struct {
+		name         string
+		req          *http.Request
+		err          error
+		challengeStr string
+	}{
+		{
+			name: "allgood",
+			req: mkRequest(t, map[string]string{
+				"nonce":       "0",
+				"elapsedTime": "69",
+				"response":    response,
+			}),
+			err:          nil,
+			challengeStr: challengeStr,
+		},
+		{
+			name:         "no-params",
+			req:          mkRequest(t, map[string]string{}),
+			err:          challenge.ErrMissingField,
+			challengeStr: challengeStr,
+		},
+		{
+			name: "missing-nonce",
+			req: mkRequest(t, map[string]string{
+				"elapsedTime": "69",
+				"response":    response,
+			}),
+			err:          challenge.ErrMissingField,
+			challengeStr: challengeStr,
+		},
+		{
+			name: "missing-elapsedTime",
+			req: mkRequest(t, map[string]string{
+				"nonce":    "0",
+				"response": response,
+			}),
+			err:          challenge.ErrMissingField,
+			challengeStr: challengeStr,
+		},
+		{
+			name: "missing-response",
+			req: mkRequest(t, map[string]string{
+				"nonce":       "0",
+				"elapsedTime": "69",
+			}),
+			err:          challenge.ErrMissingField,
+			challengeStr: challengeStr,
+		},
+		{
+			name: "wrong-nonce-format",
+			req: mkRequest(t, map[string]string{
+				"nonce":       "taco",
+				"elapsedTime": "69",
+				"response":    response,
+			}),
+			err:          challenge.ErrInvalidFormat,
+			challengeStr: challengeStr,
+		},
+		{
+			name: "wrong-elapsedTime-format",
+			req: mkRequest(t, map[string]string{
+				"nonce":       "0",
+				"elapsedTime": "taco",
+				"response":    response,
+			}),
+			err:          challenge.ErrInvalidFormat,
+			challengeStr: challengeStr,
+		},
+		{
+			name: "invalid-response",
+			req: mkRequest(t, map[string]string{
+				"nonce":       "0",
+				"elapsedTime": "69",
+				"response":    response,
+			}),
+			err:          challenge.ErrFailed,
+			challengeStr: "Tacos are tasty",
+		},
+	} {
+		t.Run(cs.name, func(t *testing.T) {
+			lg := slog.With()
+
+			i.Setup(http.NewServeMux())
+
+			inp := &challenge.IssueInput{
+				Rule: bot,
+				Challenge: &challenge.Challenge{
+					RandomData: cs.challengeStr,
+				},
+			}
+
+			if _, err := i.Issue(httptest.NewRecorder(), cs.req, lg, inp); err != nil {
+				t.Errorf("can't issue challenge: %v", err)
+			}
+
+			if err := i.Validate(cs.req, lg, &challenge.ValidateInput{
+				Rule: bot,
+				Challenge: &challenge.Challenge{
+					RandomData: cs.challengeStr,
+				},
+			}); !errors.Is(err, cs.err) {
+				t.Errorf("got wrong error from Validate, got %v but wanted %v", err, cs.err)
+			}
+		})
+	}
+}