docs: unbreak links to the challenges category

Signed-off-by: Xe Iaso <me@xeiaso.net>

.github/actions/spelling/expect.txt

@@ -141,6 +141,7 @@ httpdebug
 Huawei
 hypertext
 iaskspider
+iaso
 iat
 ifm
 Imagesift
@@ -204,7 +205,7 @@ nobots
 NONINFRINGEMENT
 nosleep
 OCOB
-ogtags
+ogtag
 omgili
 omgilibot
 openai
@@ -232,6 +233,7 @@ promauto
 promhttp
 proofofwork
 publicsuffix
+purejs
 pwcmd
 pwuser
 qualys
@@ -309,7 +311,6 @@ Varis
 Velen
 vendored
 vhosts
-videotest
 VKE
 Vultr
 waitloop

data/botPolicies.json

@@ -1,29 +0,0 @@
-{
-  "bots": [
-    {
-      "import": "(data)/bots/_deny-pathological.yaml"
-    },
-    {
-      "import": "(data)/meta/ai-block-aggressive.yaml"
-    },
-    {
-      "import": "(data)/crawlers/_allow-good.yaml"
-    },
-    {
-      "import": "(data)/bots/aggressive-brazilian-scrapers.yaml"
-    },
-    {
-      "import": "(data)/common/keep-internet-working.yaml"
-    },
-    {
-      "name": "generic-browser",
-      "user_agent_regex": "Mozilla|Opera",
-      "action": "CHALLENGE"
-    }
-  ],
-  "dnsbl": false,
-  "status_codes": {
-    "CHALLENGE": 200,
-    "DENY": 200
-  }
-}

data/embed.go

@@ -3,6 +3,6 @@ package data
 import "embed"
 
 var (
-	//go:embed botPolicies.yaml botPolicies.json all:apps all:bots all:clients all:common all:crawlers all:meta
+	//go:embed botPolicies.yaml all:apps all:bots all:clients all:common all:crawlers all:meta
 	BotPolicies embed.FS
 )

docs/blog/2025-06-27-release-1.20.0/index.mdx

@@ -161,7 +161,7 @@ One of the first issues in Anubis before it was moved to the [TecharoHQ org](htt
 
 When Anubis decides it needs to send a challenge to your browser, it sends a challenge page. Historically, this challenge page is [an HTML template](https://github.com/TecharoHQ/anubis/blob/main/web/index.templ) that kicks off some JavaScript, reads the challenge information out of the page body, and then solves it as fast as possible in order to let users see the website they want to visit.
 
-In v1.20.0, Anubis has a challenge registry to hold [different client challenge implementations](/docs/category/challenges). This allows us to implement anything we want as long as it can render a page to show a challenge and then check if the result is correct. This is going to be used to implement a WebAssembly-based proof of work option (one that will be way more efficient than the existing browser JS version), but as a proof of concept I implemented a simple challenge using [HTML `<meta refresh>`](https://en.wikipedia.org/wiki/Meta_refresh).
+In v1.20.0, Anubis has a challenge registry to hold [different client challenge implementations](/docs/admin/configuration/challenges/). This allows us to implement anything we want as long as it can render a page to show a challenge and then check if the result is correct. This is going to be used to implement a WebAssembly-based proof of work option (one that will be way more efficient than the existing browser JS version), but as a proof of concept I implemented a simple challenge using [HTML `<meta refresh>`](https://en.wikipedia.org/wiki/Meta_refresh).
 
 In my testing, this has worked with every browser I have thrown it at (including CLI browsers, the browser embedded in emacs, etc.). The default configuration of Anubis does use the [meta refresh challenge](/docs/admin/configuration/challenges/metarefresh) for [clients with a very low suspicion](/docs/admin/configuration/thresholds), but by default clients will be sent an [easy proof of work challenge](/docs/admin/configuration/challenges/proof-of-work).
 

docs/blog/2025-07-22-release-1.21.1/index.mdx

@@ -213,7 +213,7 @@ When combined with [weight thresholds](/docs/admin/configuration/thresholds), th
 
 ## Challenge flow v2
 
-The main goal of Anubis is to weigh the risks of incoming requests in order to protect upstream resources against abusive clients like badly written scrapers. In order to separate "good" clients (like users wanting to learn from a website's content) from "bad" clients, Anubis issues [challenges](/docs/category/challenges).
+The main goal of Anubis is to weigh the risks of incoming requests in order to protect upstream resources against abusive clients like badly written scrapers. In order to separate "good" clients (like users wanting to learn from a website's content) from "bad" clients, Anubis issues [challenges](/docs/admin/configuration/challenges/).
 
 Previously the Anubis challenge flow looked like this:
 

docs/docs/CHANGELOG.md

@@ -13,10 +13,25 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 <!-- This changes the project to: -->
 
+- Downstream consumers can change the default [log/slog#Logger](https://pkg.go.dev/log/slog#Logger) instance that Anubis uses by setting `opts.Logger` to your slog instance of choice ([#864](https://github.com/TecharoHQ/anubis/issues/864)).
 - The [Thoth client](https://anubis.techaro.lol/docs/admin/thoth) is now public in the repo instead of being an internal package.
 - [Custom-AsyncHttpClient](https://github.com/AsyncHttpClient/async-http-client)'s default User-Agent has an increased weight by default ([#852](https://github.com/TecharoHQ/anubis/issues/852)).
 - The [`segments`](./admin/configuration/expressions.mdx#segments) function was added for splitting a path into its slash-separated segments.
 - When issuing a challenge, Anubis stores information about that challenge into the store. That stored information is later used to validate challenge responses. This works around nondeterminism in bot rules. ([#917](https://github.com/TecharoHQ/anubis/issues/917))
+- When parsing [Open Graph tags](./admin/configuration/open-graph.mdx), add any URLs found in the responses to a temporary "allow cache" so that social preview images work.
+- Proof of work solving has had a complete overhaul and rethink based on feedback from browser engine developers, frontend experts, and overall performance profiling.
+- One of the biggest sources of lag in Firefox has been eliminated: the use of WebCrypto. Now whenever Anubis detects the client is using Firefox (or Pale Moon), it will swap over to a pure-JS implementation of SHA-256 for speed.
+- Optimize the performance of the pure-JS Anubis solver.
+- Web Workers are stored as dedicated JavaScript files in `static/js/workers/*.mjs`.
+- Pave the way for non-SHA256 solver methods and eventually one that uses WebAssembly (or WebAssembly code compiled to JS for those that disable WebAssembly).
+- Legacy JavaScript code has been eliminated.
+- The contact email in the LibreJS header has been changed.
+- The hard dependency on WebCrypto has been removed, allowing a proof of work challenge to work over plain (unencrypted) HTTP.
+- The legacy JSON based policy file example has been removed and all documentation for how to write a policy file in JSON has been deleted. JSON based policy files will still work, but YAML is the superior option for Anubis configuration.
+
+### Breaking changes
+
+- The "slow" frontend solver has been removed in order to reduce maintenance burden. Any existing uses of it will still work, but issue a warning upon startup asking administrators to upgrade to the "fast" frontend solver.
 
 ## v1.21.3: Minfilia Warde - Echo 3
 

docs/docs/admin/algorithm-selection.mdx

@@ -1,12 +0,0 @@
----
-title: Proof-of-Work Algorithm Selection
----
-
-Anubis offers two proof-of-work algorithms:
-
-- `"fast"`: highly optimized JavaScript that will run as fast as your computer lets it
-- `"slow"`: intentionally slow JavaScript that will waste time and memory
-
-The fast algorithm is used by default to limit impacts on users' computers. Administrators may configure individual bot policy rules to use the slow algorithm in order to make known malicious clients waitloop and do nothing useful.
-
-Generally, you should use the fast algorithm unless you have a good reason not to.

docs/docs/admin/configuration/challenges/_category_.json

@@ -1,8 +1,5 @@
 {
   "label": "Challenges",
   "position": 10,
-  "link": {
-    "type": "generated-index",
-    "description": "The different challenge methods that Anubis supports."
-  }
+  "link": null
 }

docs/docs/admin/configuration/challenges/index.mdx

@@ -0,0 +1,8 @@
+# Challenge Methods
+
+Anubis supports multiple challenge methods:
+
+- [Meta Refresh](./metarefresh.mdx)
+- [Proof of Work](./proof-of-work.mdx)
+
+Read the documentation to know which method is best for you.

docs/docs/admin/configuration/import.mdx

@@ -7,25 +7,6 @@ Anubis has the ability to let you import snippets of configuration into the main
 
 EG:
 
-<Tabs>
-<TabItem value="json" label="JSON">
-
-```json
-{
-  "bots": [
-    {
-      "import": "(data)/bots/ai-catchall.yaml"
-    },
-    {
-      "import": "(data)/bots/cloudflare-workers.yaml"
-    }
-  ]
-}
-```
-
-</TabItem>
-<TabItem value="yaml" label="YAML" default>
-
 ```yaml
 bots:
   # Pathological bots to deny
@@ -34,30 +15,8 @@ bots:
   - import: (data)/bots/cloudflare-workers.yaml
 ```
 
-</TabItem>
-</Tabs>
-
 Of note, a bot rule can either have inline bot configuration or import a bot config snippet. You cannot do both in a single bot rule.
 
-<Tabs>
-<TabItem value="json" label="JSON">
-
-```json
-{
-  "bots": [
-    {
-      "import": "(data)/bots/ai-catchall.yaml",
-      "name": "generic-browser",
-      "user_agent_regex": "Mozilla|Opera\n",
-      "action": "CHALLENGE"
-    }
-  ]
-}
-```
-
-</TabItem>
-<TabItem value="yaml" label="YAML" default>
-
 ```yaml
 bots:
   - import: (data)/bots/ai-catchall.yaml
@@ -67,9 +26,6 @@ bots:
     action: CHALLENGE
 ```
 
-</TabItem>
-</Tabs>
-
 This will return an error like this:
 
 ```text
@@ -83,30 +39,11 @@ Paths can either be prefixed with `(data)` to import from the [the data folder i
 
 You can also import from an imported file in case you want to import an entire folder of rules at once.
 
-<Tabs>
-<TabItem value="json" label="JSON">
-
-```json
-{
-  "bots": [
-    {
-      "import": "(data)/bots/_deny-pathological.yaml"
-    }
-  ]
-}
-```
-
-</TabItem>
-<TabItem value="yaml" label="YAML" default>
-
 ```yaml
 bots:
   - import: (data)/bots/_deny-pathological.yaml
 ```
 
-</TabItem>
-</Tabs>
-
 This lets you import an entire ruleset at once:
 
 ```yaml
@@ -124,22 +61,6 @@ Snippets can be written in either JSON or YAML, with a preference for YAML. When
 
 Here is an example snippet that allows [IPv6 Unique Local Addresses](https://en.wikipedia.org/wiki/Unique_local_address) through Anubis:
 
-<Tabs>
-<TabItem value="json" label="JSON">
-
-```json
-[
-  {
-    "name": "ipv6-ula",
-    "action": "ALLOW",
-    "remote_addresses": ["fc00::/7"]
-  }
-]
-```
-
-</TabItem>
-<TabItem value="yaml" label="YAML" default>
-
 ```yaml
 - name: ipv6-ula
   action: ALLOW
@@ -147,9 +68,6 @@ Here is an example snippet that allows [IPv6 Unique Local Addresses](https://en.
     - fc00::/7
 ```
 
-</TabItem>
-</Tabs>
-
 ## Extracting Anubis' embedded filesystem
 
 You can always extract the list of rules embedded into the Anubis binary with this command:

docs/docs/admin/frameworks/htmx.mdx

@@ -7,27 +7,6 @@ import TabItem from "@theme/TabItem";
 
 To work around this, you can make a custom [expression](../configuration/expressions.mdx) rule that allows HTMX requests if the user has passed a challenge in the past:
 
-<Tabs>
-<TabItem value="json" label="JSON">
-
-```json
-{
-  "name": "allow-htmx-iff-already-passed-challenge",
-  "action": "ALLOW",
-  "expression": {
-    "all": [
-      "\"Cookie\" in headers",
-      "headers[\"Cookie\"].contains(\"anubis-auth\")",
-      "\"Hx-Request\" in headers",
-      "headers[\"Hx-Request\"] == \"true\""
-    ]
-  }
-}
-```
-
-</TabItem>
-<TabItem value="yaml" label="YAML" default>
-
 ```yaml
 - name: allow-htmx-iff-already-passed-challenge
   action: ALLOW
@@ -39,7 +18,4 @@ To work around this, you can make a custom [expression](../configuration/express
       - 'headers["Hx-Request"] == "true"'
 ```
 
-</TabItem>
-</Tabs>
-
 This will reduce some security because it does not assert the validity of the Anubis auth cookie, however in trade it improves the experience for existing users.

docs/docs/admin/policies.mdx

@@ -7,6 +7,10 @@ import TabItem from "@theme/TabItem";
 
 Out of the box, Anubis is pretty heavy-handed. It will aggressively challenge everything that might be a browser (usually indicated by having `Mozilla` in its user agent). However, some bots are smart enough to get past the challenge. Some things that look like bots may actually be fine (IE: RSS readers). Some resources need to be visible no matter what. Some resources and remotes are fine to begin with.
 
+Anubis lets you customize its configuration with a Policy File. This is a YAML document that spells out what actions Anubis should take when evaluating requests. The [default configuration](https://github.com/TecharoHQ/anubis/blob/main/data/botPolicies.yaml) explains everything, but this page contains an overview of everything you can do with it.
+
+## Bot Policies
+
 Bot policies let you customize the rules that Anubis uses to allow, deny, or challenge incoming requests. Currently you can set policies by the following matches:
 
 - Request path
@@ -18,75 +22,18 @@ As of version v1.17.0 or later, configuration can be written in either JSON or Y
 
 Here's an example rule that denies [Amazonbot](https://developer.amazon.com/en/amazonbot):
 
-<Tabs>
-<TabItem value="json" label="JSON" default>
-
-```json
-{
-  "name": "amazonbot",
-  "user_agent_regex": "Amazonbot",
-  "action": "DENY"
-}
-```
-
-</TabItem>
-<TabItem value="yaml" label="YAML">
-
 ```yaml
 - name: amazonbot
   user_agent_regex: Amazonbot
   action: DENY
 ```
 
-</TabItem>
-</Tabs>
-
 When this rule is evaluated, Anubis will check the `User-Agent` string of the request. If it contains `Amazonbot`, Anubis will send an error page to the user saying that access is denied, but in such a way that makes scrapers think they have correctly loaded the webpage.
 
 Right now the only kinds of policies you can write are bot policies. Other forms of policies will be added in the future.
 
 Here is a minimal policy file that will protect against most scraper bots:
 
-<Tabs>
-<TabItem value="json" label="JSON" default>
-
-```json
-{
-  "bots": [
-    {
-      "name": "cloudflare-workers",
-      "headers_regex": {
-        "CF-Worker": ".*"
-      },
-      "action": "DENY"
-    },
-    {
-      "name": "well-known",
-      "path_regex": "^/.well-known/.*$",
-      "action": "ALLOW"
-    },
-    {
-      "name": "favicon",
-      "path_regex": "^/favicon.ico$",
-      "action": "ALLOW"
-    },
-    {
-      "name": "robots-txt",
-      "path_regex": "^/robots.txt$",
-      "action": "ALLOW"
-    },
-    {
-      "name": "generic-browser",
-      "user_agent_regex": "Mozilla",
-      "action": "CHALLENGE"
-    }
-  ]
-}
-```
-
-</TabItem>
-<TabItem value="yaml" label="YAML">
-
 ```yaml
 bots:
   - name: cloudflare-workers
@@ -107,22 +54,20 @@ bots:
     action: CHALLENGE
 ```
 
-</TabItem>
-</Tabs>
-
 This allows requests to [`/.well-known`](https://en.wikipedia.org/wiki/Well-known_URI), `/favicon.ico`, `/robots.txt`, and challenges any request that has the word `Mozilla` in its User-Agent string. The [default policy file](https://github.com/TecharoHQ/anubis/blob/main/data/botPolicies.json) is a bit more cohesive, but this should be more than enough for most users.
 
 If no rules match the request, it is allowed through. For more details on this default behavior and its implications, see [Default allow behavior](./default-allow-behavior.mdx).
 
-## Writing your own rules
+### Writing your own rules
 
-There are three actions that can be returned from a rule:
+There are four actions that can be returned from a rule:
 
-| Action      | Effects                                                                           |
-| :---------- | :-------------------------------------------------------------------------------- |
-| `ALLOW`     | Bypass all further checks and send the request to the backend.                    |
-| `DENY`      | Deny the request and send back an error message that scrapers think is a success. |
-| `CHALLENGE` | Show a challenge page and/or validate that clients have passed a challenge.       |
+| Action      | Effects                                                                                                                             |
+| :---------- | :---------------------------------------------------------------------------------------------------------------------------------- |
+| `ALLOW`     | Bypass all further checks and send the request to the backend.                                                                      |
+| `DENY`      | Deny the request and send back an error message that scrapers think is a success.                                                   |
+| `CHALLENGE` | Show a challenge page and/or validate that clients have passed a challenge.                                                         |
+| `WEIGH`     | Change the [request weight](#request-weight) for this request. See the [request weight](#request-weight) docs for more information. |
 
 Name your rules in lower case using kebab-case. Rule names will be exposed in Prometheus metrics.
 
@@ -130,27 +75,6 @@ Name your rules in lower case using kebab-case. Rule names will be exposed in Pr
 
 Rules can also have their own challenge settings. These are customized using the `"challenge"` key. For example, here is a rule that makes challenges artificially hard for connections with the substring "bot" in their user agent:
 
-<Tabs>
-<TabItem value="json" label="JSON" default>
-
-This rule has been known to have a high false positive rate in testing. Please use this with care.
-
-```json
-{
-  "name": "generic-bot-catchall",
-  "user_agent_regex": "(?i:bot|crawler)",
-  "action": "CHALLENGE",
-  "challenge": {
-    "difficulty": 16,
-    "report_as": 4,
-    "algorithm": "slow"
-  }
-}
-```
-
-</TabItem>
-<TabItem value="yaml" label="YAML">
-
 This rule has been known to have a high false positive rate in testing. Please use this with care.
 
 ```yaml
@@ -164,16 +88,13 @@ This rule has been known to have a high false positive rate in testing. Please u
     algorithm: slow # intentionally waste CPU cycles and time
 ```
 
-</TabItem>
-</Tabs>
-
 Challenges can be configured with these settings:
 
-| Key          | Example  | Description                                                                                                                                                                                    |
-| :----------- | :------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `difficulty` | `4`      | The challenge difficulty (number of leading zeros) for proof-of-work. See [Why does Anubis use Proof-of-Work?](/docs/design/why-proof-of-work) for more details.                               |
-| `report_as`  | `4`      | What difficulty the UI should report to the user. Useful for messing with industrial-scale scraping efforts.                                                                                   |
-| `algorithm`  | `"fast"` | The algorithm used on the client to run proof-of-work calculations. This must be set to `"fast"` or `"slow"`. See [Proof-of-Work Algorithm Selection](./algorithm-selection) for more details. |
+| Key          | Example  | Description                                                                                                                                                      |
+| :----------- | :------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `difficulty` | `4`      | The challenge difficulty (number of leading zeros) for proof-of-work. See [Why does Anubis use Proof-of-Work?](/docs/design/why-proof-of-work) for more details. |
+| `report_as`  | `4`      | What difficulty the UI should report to the user. Useful for messing with industrial-scale scraping efforts.                                                     |
+| `algorithm`  | `"fast"` | The challenge method to use. See [the list of challenge methods](./configuration/challenges/) for more information.                                              |
 
 ### Remote IP based filtering
 
@@ -181,21 +102,6 @@ The `remote_addresses` field of a Bot rule allows you to set the IP range that t
 
 For example, you can allow a search engine to connect if and only if its IP address matches the ones they published:
 
-<Tabs>
-<TabItem value="json" label="JSON" default>
-
-```json
-{
-  "name": "qwantbot",
-  "user_agent_regex": "\\+https\\:\\/\\/help\\.qwant\\.com/bot/",
-  "action": "ALLOW",
-  "remote_addresses": ["91.242.162.0/24"]
-}
-```
-
-</TabItem>
-<TabItem value="yaml" label="YAML">
-
 ```yaml
 - name: qwantbot
   user_agent_regex: \+https\://help\.qwant\.com/bot/
@@ -204,25 +110,8 @@ For example, you can allow a search engine to connect if and only if its IP addr
   remote_addresses: ["91.242.162.0/24"]
 ```
 
-</TabItem>
-</Tabs>
-
 This also works at an IP range level without any other checks:
 
-<Tabs>
-<TabItem value="json" label="JSON" default>
-
-```json
-{
-  "name": "internal-network",
-  "action": "ALLOW",
-  "remote_addresses": ["100.64.0.0/10"]
-}
-```
-
-</TabItem>
-<TabItem value="yaml" label="YAML">
-
 ```yaml
 name: internal-network
 action: ALLOW
@@ -230,9 +119,6 @@ remote_addresses:
   - 100.64.0.0/10
 ```
 
-</TabItem>
-</Tabs>
-
 ## Imprint / Impressum support
 
 Anubis has support for showing imprint / impressum information. This is defined in the `impressum` block of your configuration. See [Imprint / Impressum configuration](./configuration/impressum.mdx) for more information.

docs/docs/design/how-anubis-works.mdx

@@ -102,18 +102,6 @@ When a client passes a challenge, Anubis sets an HTTP cookie named `"techaro.lol
 
 This ensures that the token has enough metadata to prove that the token is valid (due to the token's signature), but also so that the server can independently prove the token is valid. This cookie is allowed to be set without triggering an EU cookie banner notification; but depending on facts and circumstances, you may wish to disclose this to your users.
 
-## Challenge format
-
-Challenges are formed by taking some user request metadata and using that to generate a SHA-256 checksum. The following request headers are used:
-
-- `Accept-Encoding`: The content encodings that the requestor supports, such as gzip.
-- `X-Real-Ip`: The IP address of the requestor, as set by a reverse proxy server.
-- `User-Agent`: The user agent string of the requestor.
-- The current time in UTC rounded to the nearest week.
-- The fingerprint (checksum) of Anubis' private ED25519 key.
-
-This forms a fingerprint of the requestor using metadata that any requestor already is sending. It also uses time as an input, which is known to both the server and requestor due to the nature of linear timelines. Depending on facts and circumstances, you may wish to disclose this to your users.
-
 ## JWT signing
 
 Anubis uses an ed25519 keypair to sign the JWTs issued when challenges are passed. Anubis will generate a new ed25519 keypair every time it starts. At this time, there is no way to share this keypair between instance of Anubis, but that will be addressed in future versions.

docs/docs/user/known-instances.md

@@ -112,4 +112,8 @@ This page contains a non-exhaustive list with all websites using Anubis.
   - https://bbs.archlinux32.org/
   - https://bugs.archlinux32.org/
   </details>
-
+- <details>
+  <summary>HackLab.TO</summary>
+  - https://hacklab.to/
+  - https://knowledge.hacklab.to/
+  </details>

internal/log.go

@@ -26,8 +26,8 @@ func InitSlog(level string) {
 	slog.SetDefault(slog.New(h))
 }
 
-func GetRequestLogger(r *http.Request) *slog.Logger {
-	return slog.With(
+func GetRequestLogger(base *slog.Logger, r *http.Request) *slog.Logger {
+	return base.With(
 		"host", r.Host,
 		"method", r.Method,
 		"path", r.URL.Path,

internal/ogtags/cache.go

@@ -5,7 +5,9 @@ import (
 	"errors"
 	"log/slog"
 	"net/url"
+	"strings"
 	"syscall"
+	"time"
 )
 
 // GetOGTags is the main function that retrieves Open Graph tags for a URL
@@ -45,6 +47,18 @@ func (c *OGTagCache) GetOGTags(ctx context.Context, url *url.URL, originalHost s
 	// Store in cache
 	c.cache.Set(ctx, cacheKey, ogTags, c.ogTimeToLive)
 
+	for k, v := range ogTags {
+		switch {
+		case strings.HasSuffix(k, "image"), strings.HasSuffix(k, "audio"), strings.HasSuffix(k, "secure_url"), strings.HasSuffix(k, "video"):
+			v, _ = strings.CutPrefix(v, "http://")
+			v, _ = strings.CutPrefix(v, "https://")
+			slog.Debug("setting ogtags allow for", "url", k)
+			if err := c.cache.Underlying.Set(ctx, "ogtags:allow:"+v, []byte(k), time.Hour); err != nil {
+				slog.Debug("can't set ogtag allow cache", "err", err)
+			}
+		}
+	}
+
 	return ogTags, nil
 }
 

internal/ogtags/cache_test.go

@@ -1,6 +1,7 @@
 package ogtags
 
 import (
+	"errors"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
@@ -9,6 +10,7 @@ import (
 	"time"
 
 	"github.com/TecharoHQ/anubis/lib/policy/config"
+	"github.com/TecharoHQ/anubis/lib/store"
 	"github.com/TecharoHQ/anubis/lib/store/memory"
 )
 
@@ -166,8 +168,13 @@ func TestGetOGTags(t *testing.T) {
 		if !ok || initialValue != cachedValue {
 			t.Errorf("Cache does not line up: expected %s: %s, got: %s", key, initialValue, cachedValue)
 		}
-
 	}
+
+	t.Run("ensure image is cached as allow", func(t *testing.T) {
+		if _, err := cache.cache.Underlying.Get(t.Context(), "ogtags:allow:example.com/image.jpg"); errors.Is(err, store.ErrNotFound) {
+			t.Fatal("ogtags allow caching for example.com/image.jpg did not work")
+		}
+	})
 }
 
 // TestGetOGTagsWithHostConsideration tests the behavior of the cache with and without host consideration and for multiple hosts in a theoretical setup.

lib/anubis.go

@@ -75,6 +75,7 @@ type Server struct {
 	hs512Secret []byte
 	opts        Options
 	store       store.Interface
+	logger      *slog.Logger
 }
 
 func (s *Server) getTokenKeyfunc() jwt.Keyfunc {
@@ -150,7 +151,13 @@ func (s *Server) maybeReverseProxyOrPage(w http.ResponseWriter, r *http.Request)
 }
 
 func (s *Server) maybeReverseProxy(w http.ResponseWriter, r *http.Request, httpStatusOnly bool) {
-	lg := internal.GetRequestLogger(r)
+	lg := internal.GetRequestLogger(s.logger, r)
+
+	if val, _ := s.store.Get(r.Context(), fmt.Sprintf("ogtags:allow:%s%s", r.Host, r.URL.String())); val != nil {
+		lg.Debug("serving opengraph tag asset")
+		s.ServeHTTPNext(w, r)
+		return
+	}
 
 	// Adjust cookie path if base prefix is not empty
 	cookiePath := "/"
@@ -158,7 +165,7 @@ func (s *Server) maybeReverseProxy(w http.ResponseWriter, r *http.Request, httpS
 		cookiePath = strings.TrimSuffix(anubis.BasePrefix, "/") + "/"
 	}
 
-	cr, rule, err := s.check(r)
+	cr, rule, err := s.check(r, lg)
 	if err != nil {
 		lg.Error("check failed", "err", err)
 		localizer := localization.GetLocalizer(r)
@@ -274,7 +281,7 @@ func (s *Server) checkRules(w http.ResponseWriter, r *http.Request, cr policy.Ch
 		return true
 	default:
 		s.ClearCookie(w, CookieOpts{Path: cookiePath, Host: r.Host})
-		slog.Error("CONFIG ERROR: unknown rule", "rule", cr.Rule)
+		lg.Error("CONFIG ERROR: unknown rule", "rule", cr.Rule)
 		s.respondWithError(w, r, fmt.Sprintf("%s \"maybeReverseProxy.Rules\"", localizer.T("internal_server_error")))
 		return true
 	}
@@ -310,7 +317,7 @@ func (s *Server) handleDNSBL(w http.ResponseWriter, r *http.Request, ip string,
 }
 
 func (s *Server) MakeChallenge(w http.ResponseWriter, r *http.Request) {
-	lg := internal.GetRequestLogger(r)
+	lg := internal.GetRequestLogger(s.logger, r)
 	localizer := localization.GetLocalizer(r)
 
 	redir := r.FormValue("redir")
@@ -329,7 +336,7 @@ func (s *Server) MakeChallenge(w http.ResponseWriter, r *http.Request) {
 	r.URL.Path = redir
 
 	encoder := json.NewEncoder(w)
-	cr, rule, err := s.check(r)
+	cr, rule, err := s.check(r, lg)
 	if err != nil {
 		lg.Error("check failed", "err", err)
 		w.WriteHeader(http.StatusInternalServerError)
@@ -381,7 +388,7 @@ func (s *Server) MakeChallenge(w http.ResponseWriter, r *http.Request) {
 }
 
 func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
-	lg := internal.GetRequestLogger(r)
+	lg := internal.GetRequestLogger(s.logger, r)
 	localizer := localization.GetLocalizer(r)
 
 	redir := r.FormValue("redir")
@@ -428,7 +435,7 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	cr, rule, err := s.check(r)
+	cr, rule, err := s.check(r, lg)
 	if err != nil {
 		lg.Error("check failed", "err", err)
 		s.respondWithError(w, r, fmt.Sprintf("%s \"passChallenge\"", localizer.T("internal_server_error")))
@@ -509,7 +516,7 @@ func cr(name string, rule config.Rule, weight int) policy.CheckResult {
 }
 
 // Check evaluates the list of rules, and returns the result
-func (s *Server) check(r *http.Request) (policy.CheckResult, *policy.Bot, error) {
+func (s *Server) check(r *http.Request, lg *slog.Logger) (policy.CheckResult, *policy.Bot, error) {
 	host := r.Header.Get("X-Real-Ip")
 	if host == "" {
 		return decaymap.Zilch[policy.CheckResult](), nil, fmt.Errorf("[misconfiguration] X-Real-Ip header is not set")
@@ -533,7 +540,7 @@ func (s *Server) check(r *http.Request) (policy.CheckResult, *policy.Bot, error)
 			case config.RuleDeny, config.RuleAllow, config.RuleBenchmark, config.RuleChallenge:
 				return cr("bot/"+b.Name, b.Action, weight), &b, nil
 			case config.RuleWeigh:
-				slog.Debug("adjusting weight", "name", b.Name, "delta", b.Weight.Adjust)
+				lg.Debug("adjusting weight", "name", b.Name, "delta", b.Weight.Adjust)
 				weight += b.Weight.Adjust
 			}
 		}
@@ -542,7 +549,7 @@ func (s *Server) check(r *http.Request) (policy.CheckResult, *policy.Bot, error)
 	for _, t := range s.policy.Thresholds {
 		result, _, err := t.Program.ContextEval(r.Context(), &policy.ThresholdRequest{Weight: weight})
 		if err != nil {
-			slog.Error("error when evaluating threshold expression", "expression", t.Expression.String(), "err", err)
+			lg.Error("error when evaluating threshold expression", "expression", t.Expression.String(), "err", err)
 			continue
 		}
 

lib/anubis_test.go

@@ -169,7 +169,7 @@ func httpClient(t *testing.T) *http.Client {
 }
 
 func TestLoadPolicies(t *testing.T) {
-	for _, fname := range []string{"botPolicies.json", "botPolicies.yaml"} {
+	for _, fname := range []string{"botPolicies.yaml"} {
 		t.Run(fname, func(t *testing.T) {
 			fin, err := data.BotPolicies.Open(fname)
 			if err != nil {
@@ -343,7 +343,7 @@ func TestCheckDefaultDifficultyMatchesPolicy(t *testing.T) {
 
 			req.Header.Add("X-Real-Ip", "127.0.0.1")
 
-			cr, bot, err := s.check(req)
+			cr, bot, err := s.check(req, s.logger)
 			if err != nil {
 				t.Fatal(err)
 			}
@@ -583,7 +583,7 @@ func TestCloudflareWorkersRule(t *testing.T) {
 				req.Header.Add("X-Real-Ip", "127.0.0.1")
 				req.Header.Add("Cf-Worker", "true")
 
-				cr, _, err := s.check(req)
+				cr, _, err := s.check(req, s.logger)
 				if err != nil {
 					t.Fatal(err)
 				}
@@ -601,7 +601,7 @@ func TestCloudflareWorkersRule(t *testing.T) {
 
 				req.Header.Add("X-Real-Ip", "127.0.0.1")
 
-				cr, _, err := s.check(req)
+				cr, _, err := s.check(req, s.logger)
 				if err != nil {
 					t.Fatal(err)
 				}

lib/config.go

@@ -43,6 +43,7 @@ type Options struct {
 	OpenGraph           config.OpenGraph
 	ServeRobotsTXT      bool
 	CookieSecure        bool
+	Logger              *slog.Logger
 }
 
 func LoadPoliciesOrDefault(ctx context.Context, fname string, defaultDifficulty int) (*policy.ParsedConfig, error) {
@@ -89,8 +90,12 @@ func LoadPoliciesOrDefault(ctx context.Context, fname string, defaultDifficulty
 }
 
 func New(opts Options) (*Server, error) {
+	if opts.Logger == nil {
+		opts.Logger = slog.With("subsystem", "anubis")
+	}
+
 	if opts.ED25519PrivateKey == nil && opts.HS512Secret == nil {
-		slog.Debug("opts.PrivateKey not set, generating a new one")
+		opts.Logger.Debug("opts.PrivateKey not set, generating a new one")
 		_, priv, err := ed25519.GenerateKey(rand.Reader)
 		if err != nil {
 			return nil, fmt.Errorf("lib: can't generate private key: %v", err)
@@ -108,6 +113,7 @@ func New(opts Options) (*Server, error) {
 		opts:        opts,
 		OGTags:      ogtags.NewOGTagCache(opts.Target, opts.Policy.OpenGraph, opts.Policy.Store),
 		store:       opts.Policy.Store,
+		logger:      opts.Logger,
 	}
 
 	mux := http.NewServeMux()

lib/http.go

@@ -120,7 +120,7 @@ func (s *Server) RenderIndex(w http.ResponseWriter, r *http.Request, cr policy.C
 		return
 	}
 
-	lg := internal.GetRequestLogger(r)
+	lg := internal.GetRequestLogger(s.logger, r)
 
 	if !strings.Contains(r.Header.Get("Accept-Encoding"), "gzip") && randomChance(64) {
 		lg.Error("client was given a challenge but does not in fact support gzip compression")

lib/localization/locales/is.json

@@ -2,7 +2,7 @@
   "loading": "Hleður...",
   "why_am_i_seeing": "Af hverju er ég að sjá þetta?",
   "protected_by": "Verndað með",
-  "protected_from": "From",
+  "protected_from": "Frá",
   "made_with": "Gert í 🇨🇦 með ❤️",
   "mascot_design": "Lukkudýrið hannað af",
   "ai_companies_explanation": "Þú ert að sjá þetta vegna þess að kerfisstjóri þessa vefsvæðis hefur sett upp Anubis til að vernda vefþjóninn fyrir holskeflu beiðna frá svokölluðum gervigreindarfyrirtækjum sem samviskulaust eru að skrapa upplýsingar af vefsvæðum annarra. Þetta getur valdið og veldur töfum og truflunum á þessum vefsvæðum, sem aftur veldur því að efni þeirra verður öllum óaðgengilegt.",

lib/localization/locales/tr.json

@@ -2,19 +2,19 @@
   "loading": "Yükleniyor...",
   "why_am_i_seeing": "Bunu neden görüyorum?",
   "protected_by": "Koruma sağlayan:",
-  "protected_from": "From",
-  "made_with": "🇨🇦'da ❤️ ile yapıldı",
+  "protected_from": "Yapan:",
+  "made_with": "🇨🇦’da ❤️ ile yapıldı",
   "mascot_design": "Maskot tasarımı:",
-  "ai_companies_explanation": "Bunu görüyorsunuz çünkü bu web sitesinin yöneticisi, yapay zeka şirketlerinin web sitelerini agresif şekilde kazımasına karşı sunucuyu korumak için Anubis'i kurdu. Bu tarz kazımalar sitelerin erişilemez olmasına ve kesintilere neden olabiliyor.",
-  "anubis_compromise": "Anubis bir uzlaşmadır. Anubis, spam e-postaları azaltmak için önerilen bir iş kanıtı sistemi olan Hashcash benzeri bir sistemi kullanır. Bireysel kullanımda bu ek yük göz ardı edilebilir olsa da, büyük ölçekli kazıyıcılarda birikerek kazımayı oldukça maliyetli hale getirir.",
-  "hack_purpose": "Bu geçici bir çözümdür. Esas amacı, başsız tarayıcıları parmak iziyle tanımlamak için daha fazla zaman kazandırmak, ve bu sayede meşru kullanıcıların bu zorluk sayfasını görmesini önlemektir.",
+  "ai_companies_explanation": "Bunu görüyorsunuz; çünkü bu web sitesinin yöneticisi, yapay zekâ şirketlerinin web sitelerini agresif şekilde kazımasına karşı sunucuyu korumak için Anubis’i kurdu. Bu tarz kazımalar sitelerin erişilemez olmasına ve kesintilere neden olabiliyor.",
+  "anubis_compromise": "Anubis bir uzlaşmadır. Anubis, istenmeyen e-postaları azaltmak için önerilen bir iş kanıtı sistemi olan Hashcash benzeri bir sistemi kullanır. Bireysel kullanımda bu ek yük göz ardı edilebilir olsa da, büyük ölçekli kazıyıcılarda birikerek kazımayı oldukça maliyetli hale getirir.",
+  "hack_purpose": "Bu geçici bir çözümdür. Esas amacı, başsız tarayıcıları parmak iziyle tanımlamak için daha fazla zaman kazandırmak ve bu sayede meşru kullanıcıların bu zorluk sayfasını görmesini önlemektir.",
   "jshelter_note": "Lütfen dikkat: Anubis, JShelter gibi eklentilerin devre dışı bıraktığı modern JavaScript özelliklerini gerektirir. Lütfen bu alan adı için JShelter veya benzeri eklentileri devre dışı bırakın.",
   "version_info": "Bu web sitesi şu Anubis sürümünü çalıştırıyor:",
   "try_again": "Tekrar dene",
   "go_home": "Ana sayfaya dön",
-  "contact_webmaster": "ya da engellenmemeniz gerektiğini düşünüyorsanız, lütfen şu adrese e-posta gönderin:",
+  "contact_webmaster": "veya engellenmemeniz gerektiğini düşünüyorsanız lütfen şu adrese e-posta gönderin:",
   "connection_security": "Bağlantınızın güvenliği sağlanırken lütfen bekleyin.",
-  "javascript_required": "Ne yazık ki bu aşamayı geçebilmek için JavaScript’i etkinleştirmeniz gerekiyor. Bunun nedeni, yapay zeka şirketlerinin web barındırma konusundaki sosyal sözleşmeyi değiştirmiş olmasıdır. JavaScript’siz bir çözüm geliştirilmektedir.",
+  "javascript_required": "Ne yazık ki bu aşamayı geçebilmek için JavaScript’i etkinleştirmeniz gerekiyor. Bunun nedeni, yapay zekâ şirketlerinin web barındırma konusundaki sosyal sözleşmeyi değiştirmiş olmasıdır. JavaScript’siz bir çözüm geliştirilmektedir.",
   "benchmark_requires_js": "Kıyaslama aracının çalıştırılması için JavaScript’in etkin olması gereklidir.",
   "difficulty": "Zorluk:",
   "algorithm": "Algoritma:",
@@ -25,19 +25,19 @@
   "iters_a": "Tekrar A",
   "time_b": "Süre B",
   "iters_b": "Tekrar B",
-  "static_check_endpoint": "Bu sadece ters proxy'nizin kullanması için bir kontrol adresidir.",
+  "static_check_endpoint": "Bu sadece, ters vekil sunucunuzun kullanması için bir kontrol adresidir.",
   "authorization_required": "Yetkilendirme gerekli",
   "cookies_disabled": "Tarayıcınız çerezleri devre dışı bırakacak şekilde yapılandırılmış. Anubis, gerçek bir kullanıcı olduğunuzu doğrulamak için çerezlere ihtiyaç duyar. Lütfen bu alan adı için çerezleri etkinleştirin.",
-  "access_denied": "Erişim Reddedildi: hata kodu",
+  "access_denied": "Erişim reddedildi: Hata kodu",
   "dronebl_entry": "DroneBL bir giriş bildirdi",
   "see_dronebl_lookup": "bakınız",
-  "internal_server_error": "Sunucu Hatası: Yönetici Anubis'i yanlış yapılandırmış. Lütfen yöneticinizle iletişime geçin ve şunun civarındaki kayıtlara bakmasını isteyin:",
+  "internal_server_error": "Sunucu Hatası: Yönetici Anubis’i yanlış yapılandırmış. Lütfen yöneticinizle iletişime geçin ve şu civardaki kayıtlara bakmasını isteyin:",
   "invalid_redirect": "Geçersiz yönlendirme",
-  "redirect_not_parseable": "Yönlendirme URL'si çözümlenemiyor",
+  "redirect_not_parseable": "Yönlendirme URL’si çözümlenemiyor",
   "redirect_domain_not_allowed": "Yönlendirme alan adına izin verilmiyor",
   "failed_to_sign_jwt": "JWT imzalanamadı",
   "invalid_invocation": "Geçersiz MakeChallenge çağrısı",
-  "client_error_browser": "İstemci Hatası: Lütfen tarayıcınızın güncel olduğundan emin olun ve daha sonra tekrar deneyin.",
+  "client_error_browser": "İstemci hatası: Lütfen tarayıcınızın güncel olduğundan emin olun ve daha sonra tekrar deneyin.",
   "oh_noes": "Ah hayır!",
   "benchmarking_anubis": "Anubis kıyaslanıyor!",
   "you_are_not_a_bot": "Bot değilsiniz!",
@@ -61,4 +61,4 @@
   "js_finished_reading": "Okumayı bitirdim, devam et →",
   "js_calculation_error": "Hesaplama hatası!",
   "js_calculation_error_msg": "Zorluk hesaplaması başarısız oldu:"
-}
+}

lib/policy/config/check.go

@@ -0,0 +1,53 @@
+//go:build ignore
+
+package config
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+
+	"github.com/TecharoHQ/anubis/lib/checker"
+)
+
+var (
+	ErrUnknownCheckType = errors.New("config.Bot.Check: unknown check type")
+)
+
+type AllChecks struct {
+	All []Check `json:"all"`
+}
+
+type AnyChecks struct {
+	All []Check `json:"any"`
+}
+
+type Check struct {
+	Type string          `json:"type"`
+	Args json.RawMessage `json:"args"`
+}
+
+func (c *Check) Valid(ctx context.Context) error {
+	var errs []error
+
+	if len(c.Type) == 0 {
+		errs = append(errs, ErrNoStoreBackend)
+	}
+
+	fac, ok := checker.Get(c.Type)
+	switch ok {
+	case true:
+		if err := fac.Valid(ctx, c.Args); err != nil {
+			errs = append(errs, err)
+		}
+	case false:
+		errs = append(errs, fmt.Errorf("%w: %q", ErrUnknownCheckType, c.Type))
+	}
+
+	if len(errs) != 0 {
+		return errors.Join(errs...)
+	}
+
+	return nil
+}

lib/policy/policy.go

@@ -149,6 +149,10 @@ func ParseConfig(ctx context.Context, fin io.Reader, fname string, defaultDiffic
 			if parsedBot.Challenge.Algorithm == "" {
 				parsedBot.Challenge.Algorithm = config.DefaultAlgorithm
 			}
+
+			if parsedBot.Challenge.Algorithm == "slow" {
+				slog.Warn("use of deprecated algorithm \"slow\" detected, please update this to \"fast\" when possible", "name", parsedBot.Name)
+			}
 		}
 
 		if b.Weight != nil {
@@ -163,6 +167,10 @@ func ParseConfig(ctx context.Context, fin io.Reader, fname string, defaultDiffic
 	}
 
 	for _, t := range c.Thresholds {
+		if t.Challenge != nil && t.Challenge.Algorithm == "slow" {
+			slog.Warn("use of deprecated algorithm \"slow\" detected, please update this to \"fast\" when possible", "name", t.Name)
+		}
+
 		if t.Name == "legacy-anubis-behaviour" && t.Expression.String() == "true" {
 			if !warnedAboutThresholds.Load() {
 				slog.Warn("configuration file does not contain thresholds, see docs for details on how to upgrade", "fname", fname, "docs_url", "https://anubis.techaro.lol/docs/admin/configuration/thresholds/")

lib/policy/policy_test.go

@@ -13,13 +13,13 @@ import (
 func TestDefaultPolicyMustParse(t *testing.T) {
 	ctx := thothmock.WithMockThoth(t)
 
-	fin, err := data.BotPolicies.Open("botPolicies.json")
+	fin, err := data.BotPolicies.Open("botPolicies.yaml")
 	if err != nil {
 		t.Fatal(err)
 	}
 	defer fin.Close()
 
-	if _, err := ParseConfig(ctx, fin, "botPolicies.json", anubis.DefaultDifficulty); err != nil {
+	if _, err := ParseConfig(ctx, fin, "botPolicies.yaml", anubis.DefaultDifficulty); err != nil {
 		t.Fatalf("can't parse config: %v", err)
 	}
 }

package-lock.json

@@ -8,6 +8,9 @@
       "name": "@techaro/anubis",
       "version": "1.21.3",
       "license": "ISC",
+      "dependencies": {
+        "@aws-crypto/sha256-js": "^5.2.0"
+      },
       "devDependencies": {
         "cssnano": "^7.1.0",
         "cssnano-preset-advanced": "^7.0.8",
@@ -19,6 +22,44 @@
         "postcss-url": "^10.1.3"
       }
     },
+    "node_modules/@aws-crypto/sha256-js": {
+      "version": "5.2.0",
+      "resolved": "https://registry.npmjs.org/@aws-crypto/sha256-js/-/sha256-js-5.2.0.tgz",
+      "integrity": "sha512-FFQQyu7edu4ufvIZ+OadFpHHOt+eSTBaYaki44c+akjg7qZg9oOQeLlk77F6tSYqjDAFClrHJk9tMf0HdVyOvA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-crypto/util": "^5.2.0",
+        "@aws-sdk/types": "^3.222.0",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=16.0.0"
+      }
+    },
+    "node_modules/@aws-crypto/util": {
+      "version": "5.2.0",
+      "resolved": "https://registry.npmjs.org/@aws-crypto/util/-/util-5.2.0.tgz",
+      "integrity": "sha512-4RkU9EsI6ZpBve5fseQlGNUWKMa1RLPQ1dnjnQoe07ldfIzcsGb5hC5W0Dm7u423KWzawlrpbjXBrXCEv9zazQ==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-sdk/types": "^3.222.0",
+        "@smithy/util-utf8": "^2.0.0",
+        "tslib": "^2.6.2"
+      }
+    },
+    "node_modules/@aws-sdk/types": {
+      "version": "3.840.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/types/-/types-3.840.0.tgz",
+      "integrity": "sha512-xliuHaUFZxEx1NSXeLLZ9Dyu6+EJVQKEoD+yM+zqUo3YDZ7medKJWY6fIOKiPX/N7XbLdBYwajb15Q7IL8KkeA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/types": "^4.3.1",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
     "node_modules/@esbuild/aix-ppc64": {
       "version": "0.25.8",
       "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.25.8.tgz",
@@ -461,6 +502,56 @@
         "node": ">=18"
       }
     },
+    "node_modules/@smithy/is-array-buffer": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@smithy/is-array-buffer/-/is-array-buffer-2.2.0.tgz",
+      "integrity": "sha512-GGP3O9QFD24uGeAXYUjwSTXARoqpZykHadOmA8G5vfJPK0/DC67qa//0qvqrJzL1xc8WQWX7/yc7fwudjPHPhA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=14.0.0"
+      }
+    },
+    "node_modules/@smithy/types": {
+      "version": "4.3.1",
+      "resolved": "https://registry.npmjs.org/@smithy/types/-/types-4.3.1.tgz",
+      "integrity": "sha512-UqKOQBL2x6+HWl3P+3QqFD4ncKq0I8Nuz9QItGv5WuKuMHuuwlhvqcZCoXGfc+P1QmfJE7VieykoYYmrOoFJxA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/util-buffer-from": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@smithy/util-buffer-from/-/util-buffer-from-2.2.0.tgz",
+      "integrity": "sha512-IJdWBbTcMQ6DA0gdNhh/BwrLkDR+ADW5Kr1aZmd4k3DIF6ezMV4R2NIAmT08wQJ3yUK82thHWmC/TnK/wpMMIA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/is-array-buffer": "^2.2.0",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=14.0.0"
+      }
+    },
+    "node_modules/@smithy/util-utf8": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/@smithy/util-utf8/-/util-utf8-2.3.0.tgz",
+      "integrity": "sha512-R8Rdn8Hy72KKcebgLiv8jQcQkXoLMOGGv5uI1/k0l+snqkOzQ1R0ChUBCxWMlBsFMekWjq0wRudIweFs7sKT5A==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/util-buffer-from": "^2.2.0",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=14.0.0"
+      }
+    },
     "node_modules/ansi-regex": {
       "version": "5.0.1",
       "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz",
@@ -2515,6 +2606,12 @@
         "node": ">=8.0"
       }
     },
+    "node_modules/tslib": {
+      "version": "2.8.1",
+      "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.8.1.tgz",
+      "integrity": "sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w==",
+      "license": "0BSD"
+    },
     "node_modules/universalify": {
       "version": "2.0.1",
       "resolved": "https://registry.npmjs.org/universalify/-/universalify-2.0.1.tgz",

package.json

@@ -26,5 +26,8 @@
     "postcss-import": "^16.1.1",
     "postcss-import-url": "^7.2.0",
     "postcss-url": "^10.1.3"
+  },
+  "dependencies": {
+    "@aws-crypto/sha256-js": "^5.2.0"
   }
-}
+}

test/palemoon/amd64/test.sh

@@ -13,6 +13,11 @@ function capture_vnc_snapshots() {
   done
 }
 
+function timeout() {
+  sleep 180
+  exit 1
+}
+
 source ../../lib/lib.sh
 
 if [ "$GITHUB_ACTIONS" = "true" ]; then
@@ -24,6 +29,7 @@ set -euo pipefail
 build_anubis_ko
 mint_cert relayd
 
+timeout &
 go run ../../cmd/cipra/ --compose-name $(basename $(pwd))
 
 docker compose down -t 1 || :

web/build.sh

@@ -8,7 +8,7 @@ LICENSE='/*
 @licstart  The following is the entire license notice for the
 JavaScript code in this page.
 
-Copyright (c) 2025 Xe Iaso <me@xeiaso.net>
+Copyright (c) 2025 Xe Iaso <xe.iaso@techaro.lol>
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
@@ -28,6 +28,9 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
 
+Includes code from https://github.com/aws/aws-sdk-js-crypto-helpers which is
+used under the terms of the Apache 2 license.
+
 @licend  The above is the entire license notice
 for the JavaScript code in this page.
 */'
@@ -36,9 +39,9 @@ for the JavaScript code in this page.
 mkdir -p static/locales
 cp ../lib/localization/locales/*.json static/locales/
 
-esbuild js/main.mjs --sourcemap --bundle --minify --outfile=static/js/main.mjs "--banner:js=${LICENSE}"
-gzip -f -k -n static/js/main.mjs
-zstd -f -k --ultra -22 static/js/main.mjs
-brotli -fZk static/js/main.mjs
-
-esbuild js/bench.mjs --sourcemap --bundle --minify --outfile=static/js/bench.mjs
+for file in js/*.mjs js/worker/*.mjs; do
+  esbuild "${file}" --sourcemap --bundle --minify --outfile=static/"${file}" --banner:js="${LICENSE}"
+  gzip -f -k -n static/${file}
+  zstd -f -k --ultra -22 static/${file}
+  brotli -fZk static/${file}
+done

web/js/algorithms/fast.mjs

@@ -0,0 +1,77 @@
+export default function process(
+  { basePrefix, version },
+  data,
+  difficulty = 5,
+  signal = null,
+  progressCallback = null,
+  threads = Math.max(navigator.hardwareConcurrency / 2, 1),
+) {
+  console.debug("fast algo");
+
+  let workerMethod = window.crypto !== undefined ? "webcrypto" : "purejs";
+
+  if (navigator.userAgent.includes("Firefox") || navigator.userAgent.includes("Goanna")) {
+    console.log("Firefox detected, using pure-JS fallback");
+    workerMethod = "purejs";
+  }
+
+  return new Promise((resolve, reject) => {
+    let webWorkerURL = `${basePrefix}/.within.website/x/cmd/anubis/static/js/worker/sha256-${workerMethod}.mjs?cacheBuster=${version}`;
+
+    console.log(webWorkerURL);
+
+    const workers = [];
+    let settled = false;
+
+    const cleanup = () => {
+      if (settled) {
+        return;
+      }
+      settled = true;
+      workers.forEach((w) => w.terminate());
+      if (signal != null) {
+        signal.removeEventListener("abort", onAbort);
+      }
+    };
+
+    const onAbort = () => {
+      console.log("PoW aborted");
+      cleanup();
+      reject(new DOMException("Aborted", "AbortError"));
+    };
+
+    if (signal != null) {
+      if (signal.aborted) {
+        return onAbort();
+      }
+      signal.addEventListener("abort", onAbort, { once: true });
+    }
+
+    for (let i = 0; i < threads; i++) {
+      let worker = new Worker(webWorkerURL);
+
+      worker.onmessage = (event) => {
+        if (typeof event.data === "number") {
+          progressCallback?.(event.data);
+        } else {
+          cleanup();
+          resolve(event.data);
+        }
+      };
+
+      worker.onerror = (event) => {
+        cleanup();
+        reject(event);
+      };
+
+      worker.postMessage({
+        data,
+        difficulty,
+        nonce: i,
+        threads,
+      });
+
+      workers.push(worker);
+    }
+  });
+}

web/js/algorithms/index.mjs

@@ -0,0 +1,6 @@
+import fast from "./fast.mjs";
+
+export default {
+  fast: fast,
+  slow: fast, // XXX(Xe): slow is deprecated, but keep this around in case anything goes bad
+}

web/js/bench.mjs

@@ -1,11 +1,6 @@
-import processFast from "./proof-of-work.mjs";
-import processSlow from "./proof-of-work-slow.mjs";
+import algorithms from "./algorithms/index.mjs";
 
 const defaultDifficulty = 4;
-const algorithms = {
-  fast: processFast,
-  slow: processSlow,
-};
 
 const status = document.getElementById("status");
 const difficultyInput = document.getElementById("difficulty-input");
@@ -42,7 +37,7 @@ const benchmarkTrial = async (stats, difficulty, algorithm, signal) => {
     .join("");
 
   const t0 = performance.now();
-  const { hash, nonce } = await process(challenge, Number(difficulty), signal);
+  const { hash, nonce } = await process({ basePrefix: "/", version: "devel" }, challenge, Number(difficulty), signal);
   const t1 = performance.now();
   console.log({ hash, nonce });
 

web/js/main.mjs

@@ -1,10 +1,4 @@
-import processFast from "./proof-of-work.mjs";
-import processSlow from "./proof-of-work-slow.mjs";
-
-const algorithms = {
-  fast: processFast,
-  slow: processSlow,
-};
+import algorithms from "./algorithms/index.mjs";
 
 // from Xeact
 const u = (url = "", params = {}) => {
@@ -75,11 +69,6 @@ const t = (key) => translations[`js_${key}`] || translations[key] || key;
   await initTranslations();
 
   const dependencies = [
-    {
-      name: "WebCrypto",
-      msg: t('web_crypto_error'),
-      value: window.crypto,
-    },
     {
       name: "Web Workers",
       msg: t('web_workers_error'),
@@ -119,15 +108,6 @@ const t = (key) => translations[`js_${key}`] || translations[key] || key;
     progress.style.display = "none";
   };
 
-  if (!window.isSecureContext) {
-    ohNoes({
-      titleMsg: t('context_not_secure'),
-      statusMsg: t('context_not_secure_msg'),
-      imageSrc: imageURL("reject", anubisVersion, basePrefix),
-    });
-    return;
-  }
-
   status.innerHTML = t('calculating');
 
   for (const { value, name, msg } of dependencies) {
@@ -171,6 +151,7 @@ const t = (key) => translations[`js_${key}`] || translations[key] || key;
   try {
     const t0 = Date.now();
     const { hash, nonce } = await process(
+      { basePrefix, version: anubisVersion },
       challenge,
       rules.difficulty,
       null,

web/js/proof-of-work-slow.mjs

@@ -1,99 +0,0 @@
-// https://dev.to/ratmd/simple-proof-of-work-in-javascript-3kgm
-
-export default function process(
-  data,
-  difficulty = 5,
-  signal = null,
-  progressCallback = null,
-  _threads = 1,
-) {
-  console.debug("slow algo");
-  return new Promise((resolve, reject) => {
-    let webWorkerURL = URL.createObjectURL(
-      new Blob(["(", processTask(), ")()"], { type: "application/javascript" }),
-    );
-
-    let worker = new Worker(webWorkerURL);
-    let settled = false;
-
-    const cleanup = () => {
-      if (settled) return;
-      settled = true;
-      worker.terminate();
-      if (signal != null) {
-        signal.removeEventListener("abort", onAbort);
-      }
-      URL.revokeObjectURL(webWorkerURL);
-    };
-
-    const onAbort = () => {
-      console.log("PoW aborted");
-      cleanup();
-      reject(new DOMException("Aborted", "AbortError"));
-    };
-
-    if (signal != null) {
-      if (signal.aborted) {
-        return onAbort();
-      }
-      signal.addEventListener("abort", onAbort, { once: true });
-    }
-
-    worker.onmessage = (event) => {
-      if (typeof event.data === "number") {
-        progressCallback?.(event.data);
-      } else {
-        cleanup();
-        resolve(event.data);
-      }
-    };
-
-    worker.onerror = (event) => {
-      cleanup();
-      reject(event);
-    };
-
-    worker.postMessage({
-      data,
-      difficulty,
-    });
-  });
-}
-
-function processTask() {
-  return function () {
-    const sha256 = (text) => {
-      const encoded = new TextEncoder().encode(text);
-      return crypto.subtle.digest("SHA-256", encoded.buffer).then((result) =>
-        Array.from(new Uint8Array(result))
-          .map((c) => c.toString(16).padStart(2, "0"))
-          .join(""),
-      );
-    };
-
-    addEventListener("message", async (event) => {
-      let data = event.data.data;
-      let difficulty = event.data.difficulty;
-
-      let hash;
-      let nonce = 0;
-      do {
-        if ((nonce & 1023) === 0) {
-          postMessage(nonce);
-        }
-        hash = await sha256(data + nonce++);
-      } while (
-        hash.substring(0, difficulty) !== Array(difficulty + 1).join("0")
-      );
-
-      nonce -= 1; // last nonce was post-incremented
-
-      postMessage({
-        hash,
-        data,
-        difficulty,
-        nonce,
-      });
-    });
-  }.toString();
-}

web/js/proof-of-work.mjs

@@ -1,137 +0,0 @@
-export default function process(
-  data,
-  difficulty = 5,
-  signal = null,
-  progressCallback = null,
-  threads = Math.max(navigator.hardwareConcurrency / 2, 1),
-) {
-  console.debug("fast algo");
-  return new Promise((resolve, reject) => {
-    let webWorkerURL = URL.createObjectURL(
-      new Blob(["(", processTask(), ")()"], { type: "application/javascript" }),
-    );
-
-    const workers = [];
-    let settled = false;
-
-    const cleanup = () => {
-      if (settled) {
-        return;
-      }
-      settled = true;
-      workers.forEach((w) => w.terminate());
-      if (signal != null) {
-        signal.removeEventListener("abort", onAbort);
-      }
-      URL.revokeObjectURL(webWorkerURL);
-    };
-
-    const onAbort = () => {
-      console.log("PoW aborted");
-      cleanup();
-      reject(new DOMException("Aborted", "AbortError"));
-    };
-
-    if (signal != null) {
-      if (signal.aborted) {
-        return onAbort();
-      }
-      signal.addEventListener("abort", onAbort, { once: true });
-    }
-
-    for (let i = 0; i < threads; i++) {
-      let worker = new Worker(webWorkerURL);
-
-      worker.onmessage = (event) => {
-        if (typeof event.data === "number") {
-          progressCallback?.(event.data);
-        } else {
-          cleanup();
-          resolve(event.data);
-        }
-      };
-
-      worker.onerror = (event) => {
-        cleanup();
-        reject(event);
-      };
-
-      worker.postMessage({
-        data,
-        difficulty,
-        nonce: i,
-        threads,
-      });
-
-      workers.push(worker);
-    }
-  });
-}
-
-function processTask() {
-  return function () {
-    const sha256 = (text) => {
-      const encoded = new TextEncoder().encode(text);
-      return crypto.subtle.digest("SHA-256", encoded.buffer);
-    };
-
-    function uint8ArrayToHexString(arr) {
-      return Array.from(arr)
-        .map((c) => c.toString(16).padStart(2, "0"))
-        .join("");
-    }
-
-    addEventListener("message", async (event) => {
-      let data = event.data.data;
-      let difficulty = event.data.difficulty;
-      let hash;
-      let nonce = event.data.nonce;
-      let threads = event.data.threads;
-
-      const threadId = nonce;
-      let localIterationCount = 0;
-
-      while (true) {
-        const currentHash = await sha256(data + nonce);
-        const thisHash = new Uint8Array(currentHash);
-        let valid = true;
-
-        for (let j = 0; j < difficulty; j++) {
-          const byteIndex = Math.floor(j / 2); // which byte we are looking at
-          const nibbleIndex = j % 2; // which nibble in the byte we are looking at (0 is high, 1 is low)
-
-          let nibble =
-            (thisHash[byteIndex] >> (nibbleIndex === 0 ? 4 : 0)) & 0x0f; // Get the nibble
-
-          if (nibble !== 0) {
-            valid = false;
-            break;
-          }
-        }
-
-        if (valid) {
-          hash = uint8ArrayToHexString(thisHash);
-          console.log(hash);
-          break;
-        }
-
-        nonce += threads;
-
-        // send a progress update every 1024 iterations so that the user can be informed of
-        // the state of the challenge.
-        if (threadId == 0 && localIterationCount === 1024) {
-          postMessage(nonce);
-          localIterationCount = 0;
-        }
-        localIterationCount++;
-      }
-
-      postMessage({
-        hash,
-        data,
-        difficulty,
-        nonce,
-      });
-    });
-  }.toString();
-}

web/js/video.mjs

@@ -1,16 +0,0 @@
-const videoElement = `<video id="videotest" width="0" height="0" src="/.within.website/x/cmd/anubis/static/testdata/black.mp4"></video>`;
-
-export const testVideo = async (testarea) => {
-  testarea.innerHTML = videoElement;
-  return await new Promise((resolve) => {
-    const video = document.getElementById("videotest");
-    video.oncanplay = () => {
-      testarea.style.display = "none";
-      resolve(true);
-    };
-    video.onerror = () => {
-      testarea.style.display = "none";
-      resolve(false);
-    };
-  });
-};

web/js/worker/sha256-purejs.mjs

@@ -0,0 +1,61 @@
+import { Sha256 } from '@aws-crypto/sha256-js';
+
+const calculateSHA256 = (text) => {
+  const hash = new Sha256();
+  hash.update(text);
+  return hash.digest();
+};
+
+function toHexString(arr) {
+  return Array.from(arr)
+    .map((c) => c.toString(16).padStart(2, "0"))
+    .join("");
+}
+
+addEventListener('message', async ({ data: eventData }) => {
+  const { data, difficulty, threads } = eventData;
+  let nonce = eventData.nonce;
+  const isMainThread = nonce === 0;
+  let iterations = 0;
+
+  const requiredZeroBytes = Math.floor(difficulty / 2);
+  const isDifficultyOdd = difficulty % 2 !== 0;
+
+  for (; ;) {
+    const hashBuffer = await calculateSHA256(data + nonce);
+    const hashArray = new Uint8Array(hashBuffer);
+
+    let isValid = true;
+    for (let i = 0; i < requiredZeroBytes; i++) {
+      if (hashArray[i] !== 0) {
+        isValid = false;
+        break;
+      }
+    }
+
+    if (isValid && isDifficultyOdd) {
+      if ((hashArray[requiredZeroBytes] >> 4) !== 0) {
+        isValid = false;
+      }
+    }
+
+    if (isValid) {
+      const finalHash = toHexString(hashArray);
+      postMessage({
+        hash: finalHash,
+        data,
+        difficulty,
+        nonce,
+      });
+      return; // Exit worker
+    }
+
+    nonce += threads;
+    iterations++;
+
+    // Send a progress update from the main thread every 1024 iterations.
+    if (isMainThread && (iterations & 1023) === 0) {
+      postMessage(nonce);
+    }
+  }
+});

web/js/worker/sha256-webcrypto.mjs

@@ -0,0 +1,57 @@
+const encoder = new TextEncoder();
+const calculateSHA256 = async (input) => {
+  const data = encoder.encode(input);
+  return await crypto.subtle.digest("SHA-256", data);
+};
+
+const toHexString = (byteArray) => {
+  return byteArray.reduce((str, byte) => str + byte.toString(16).padStart(2, "0"), "");
+};
+
+addEventListener("message", async ({ data: eventData }) => {
+  const { data, difficulty, threads } = eventData;
+  let nonce = eventData.nonce;
+  const isMainThread = nonce === 0;
+  let iterations = 0;
+
+  const requiredZeroBytes = Math.floor(difficulty / 2);
+  const isDifficultyOdd = difficulty % 2 !== 0;
+
+  for (; ;) {
+    const hashBuffer = await calculateSHA256(data + nonce);
+    const hashArray = new Uint8Array(hashBuffer);
+
+    let isValid = true;
+    for (let i = 0; i < requiredZeroBytes; i++) {
+      if (hashArray[i] !== 0) {
+        isValid = false;
+        break;
+      }
+    }
+
+    if (isValid && isDifficultyOdd) {
+      if ((hashArray[requiredZeroBytes] >> 4) !== 0) {
+        isValid = false;
+      }
+    }
+
+    if (isValid) {
+      const finalHash = toHexString(hashArray);
+      postMessage({
+        hash: finalHash,
+        data,
+        difficulty,
+        nonce,
+      });
+      return; // Exit worker
+    }
+
+    nonce += threads;
+    iterations++;
+
+    // Send a progress update from the main thread every 1024 iterations.
+    if (isMainThread && (iterations & 1023) === 0) {
+      postMessage(nonce);
+    }
+  }
+});

yeetfile.js

@@ -16,7 +16,6 @@ $`npm run assets`;
         documentation: {
             "./README.md": "README.md",
             "./LICENSE": "LICENSE",
-            "./data/botPolicies.json": "botPolicies.json",
             "./data/botPolicies.yaml": "botPolicies.yaml",
         },