feat(lib): use new challenge creation flow

Previously Anubis constructed challenge strings from request metadata. This was a good idea in spirit, but has turned out to be a very bad idea in practice. This new flow reuses the Store facility to dynamically create challenge values with completely random data. This is a fairly big rewrite of how Anubis processes challenges. Right now it defaults to using the in-memory storage backend, but on-disk (boltdb) and valkey-based adaptors will come soon. Signed-off-by: Xe Iaso <me@xeiaso.net>
2026-04-11 19:18:46 +00:00 · 2025-07-02 23:56:15 +00:00
parent e5c39facfe
commit def6f2dc90
14 changed files with 211 additions and 165 deletions
--- a/lib/challenge/proofofwork/proofofwork.go
+++ b/lib/challenge/proofofwork/proofofwork.go
@@ -9,7 +9,6 @@ import (
 	"strings"

 	"github.com/TecharoHQ/anubis/internal"
-	"github.com/TecharoHQ/anubis/lib/challenge"
 	chall "github.com/TecharoHQ/anubis/lib/challenge"
 	"github.com/TecharoHQ/anubis/lib/localization"
 	"github.com/TecharoHQ/anubis/web"
@@ -31,7 +30,7 @@ func (i *Impl) Setup(mux *http.ServeMux) {

 func (i *Impl) Issue(r *http.Request, lg *slog.Logger, in *chall.IssueInput) (templ.Component, error) {
 	loc := localization.GetLocalizer(r)
-	component, err := web.BaseWithChallengeAndOGTags(loc.T("making_sure_not_bot"), web.Index(loc), in.Impressum, in.Challenge, in.Rule.Challenge, in.OGTags, loc)
+	component, err := web.BaseWithChallengeAndOGTags(loc.T("making_sure_not_bot"), web.Index(loc), in.Impressum, in.Challenge.RandomData, in.Rule.Challenge, in.OGTags, loc)
 	if err != nil {
 		return nil, fmt.Errorf("can't render page: %w", err)
 	}
@@ -39,9 +38,9 @@ func (i *Impl) Issue(r *http.Request, lg *slog.Logger, in *chall.IssueInput) (te
 	return component, nil
 }

-func (i *Impl) Validate(r *http.Request, lg *slog.Logger, in *challenge.ValidateInput) error {
+func (i *Impl) Validate(r *http.Request, lg *slog.Logger, in *chall.ValidateInput) error {
 	rule := in.Rule
-	challenge := in.Challenge
+	challenge := in.Challenge.RandomData

 	nonceStr := r.FormValue("nonce")
 	if nonceStr == "" {
--- a/lib/challenge/proofofwork/proofofwork_test.go
+++ b/lib/challenge/proofofwork/proofofwork_test.go
@@ -127,15 +127,22 @@ func TestBasic(t *testing.T) {
 			i.Setup(http.NewServeMux())

 			inp := &challenge.IssueInput{
-				Rule:      bot,
-				Challenge: cs.challengeStr,
+				Rule: bot,
+				Challenge: &challenge.Challenge{
+					RandomData: cs.challengeStr,
+				},
 			}

 			if _, err := i.Issue(cs.req, lg, inp); err != nil {
 				t.Errorf("can't issue challenge: %v", err)
 			}

-			if err := i.Validate(cs.req, lg, &challenge.ValidateInput{Rule: bot, Challenge: cs.challengeStr}); !errors.Is(err, cs.err) {
+			if err := i.Validate(cs.req, lg, &challenge.ValidateInput{
+				Rule: bot,
+				Challenge: &challenge.Challenge{
+					RandomData: cs.challengeStr,
+				},
+			}); !errors.Is(err, cs.err) {
 				t.Errorf("got wrong error from Validate, got %v but wanted %v", err, cs.err)
 			}
 		})