chore: spelling

Signed-off-by: Xe Iaso <me@xeiaso.net>

.github/actions/spelling/expect.txt

@@ -75,6 +75,7 @@ domainhere
 dracula
 dronebl
 droneblresponse
+dropin
 duckduckbot
 eerror
 ellenjoe
@@ -237,6 +238,7 @@ risc
 ruleset
 runlevels
 RUnlock
+runtimedir
 sas
 sasl
 Scumm
@@ -328,5 +330,4 @@ yoursite
 Zenos
 zizmor
 zombocom
-Zonbocom
 zos

anubis.go

@@ -32,3 +32,7 @@ const APIPrefix = "/.within.website/x/cmd/anubis/api/"
 // DefaultDifficulty is the default "difficulty" (number of leading zeroes)
 // that must be met by the client in order to pass the challenge.
 const DefaultDifficulty = 4
+
+// ForcedLanguage is the language being used instead of the one of the request's Accept-Language header
+// if being set.
+var ForcedLanguage = ""

cmd/anubis/main.go

@@ -50,6 +50,7 @@ var (
 	cookieExpiration         = flag.Duration("cookie-expiration-time", anubis.CookieDefaultExpirationTime, "The amount of time the authorization cookie is valid for")
 	cookiePrefix             = flag.String("cookie-prefix", "techaro.lol-anubis", "prefix for browser cookies created by Anubis")
 	cookiePartitioned        = flag.Bool("cookie-partitioned", false, "if true, sets the partitioned flag on Anubis cookies, enabling CHIPS support")
+	forcedLanguage           = flag.String("forced-language", "", "if set, this language is being used instead of the one from the request's Accept-Language header")
 	hs512Secret              = flag.String("hs512-secret", "", "secret used to sign JWTs, uses ed25519 if not set")
 	cookieSecure             = flag.Bool("cookie-secure", true, "if true, sets the secure flag on Anubis cookies")
 	ed25519PrivateKeyHex     = flag.String("ed25519-private-key-hex", "", "private key used to sign JWTs, if not set a random one will be assigned")
@@ -378,6 +379,7 @@ func main() {
 
 	anubis.CookieName = *cookiePrefix + "-auth"
 	anubis.TestCookieName = *cookiePrefix + "-cookie-verification"
+	anubis.ForcedLanguage = *forcedLanguage
 
 	// If OpenGraph configuration values are not set in the config file, use the
 	// values from flags / envvars.

docs/docs/CHANGELOG.md

@@ -10,15 +10,34 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+
 <!-- This changes the project to: -->
+
 - Add `COOKIE_SECURE` option to set the cookie [Secure flag](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#block_access_to_your_cookies)
 - Sets cookie defaults to use [SameSite: None](https://web.dev/articles/samesite-cookies-explained)
-
 - Determine the `BIND_NETWORK`/`--bind-network` value from the bind address ([#677](https://github.com/TecharoHQ/anubis/issues/677)).
 - Implement localization system. Find locale files in lib/localization/locales/.
 - Implement a [development container](https://containers.dev/) manifest to make contributions easier.
 - Fix dynamic cookie domains functionality ([#731](https://github.com/TecharoHQ/anubis/pull/731))
 - Add option for custom cookie prefix ([#732](https://github.com/TecharoHQ/anubis/pull/732))
+- Remove the "Success" interstitial after a proof of work challenge is concluded.
+- Add option for forcing a specific language ([#742](https://github.com/TecharoHQ/anubis/pull/742))
+
+### Potentially breaking changes
+
+The following potentially breaking change applies to native installs with systemd only:
+
+Each instance of systemd service template now has a unique `RuntimeDirectory`, as opposed to each instance of the service sharing a `RuntimeDirectory`. This change was made to avoid [the `RuntimeDirectory` getting nuked any time one of the Anubis instances restarts](https://github.com/TecharoHQ/anubis/issues/748).
+
+If you configured Anubis' unix sockets to listen on `/run/anubis/foo.sock` for instance `anubis@foo`, you will need to configure Anubis to listen on `/run/anubis/foo/sock` and additionally configure your HTTP load balancer as appropriate.
+
+If you need the legacy behaviour, install this [systemd unit dropin](https://www.flatcar.org/docs/latest/setup/systemd/drop-in-units/):
+
+```systemd
+# /etc/systemd/system/anubis@.service.d/50-runtimedir.conf
+[Service]
+RuntimeDirectory=anubis
+```
 
 ## v1.20.0: Thancred Waters
 

internal/thoth/asnchecker.go

@@ -10,7 +10,7 @@ import (
 	"time"
 
 	"github.com/TecharoHQ/anubis/internal"
-	"github.com/TecharoHQ/anubis/lib/checker"
+	"github.com/TecharoHQ/anubis/lib/policy/checker"
 	iptoasnv1 "github.com/TecharoHQ/thoth-proto/gen/techaro/thoth/iptoasn/v1"
 )
 

internal/thoth/asnchecker_test.go

@@ -6,7 +6,7 @@ import (
 	"testing"
 
 	"github.com/TecharoHQ/anubis/internal/thoth"
-	"github.com/TecharoHQ/anubis/lib/checker"
+	"github.com/TecharoHQ/anubis/lib/policy/checker"
 	iptoasnv1 "github.com/TecharoHQ/thoth-proto/gen/techaro/thoth/iptoasn/v1"
 )
 

internal/thoth/geoipchecker.go

@@ -9,7 +9,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/TecharoHQ/anubis/lib/checker"
+	"github.com/TecharoHQ/anubis/lib/policy/checker"
 	iptoasnv1 "github.com/TecharoHQ/thoth-proto/gen/techaro/thoth/iptoasn/v1"
 )
 

internal/thoth/geoipchecker_test.go

@@ -6,7 +6,7 @@ import (
 	"testing"
 
 	"github.com/TecharoHQ/anubis/internal/thoth"
-	"github.com/TecharoHQ/anubis/lib/checker"
+	"github.com/TecharoHQ/anubis/lib/policy/checker"
 )
 
 var _ checker.Impl = &thoth.GeoIPChecker{}

lib/anubis.go

@@ -26,17 +26,14 @@ import (
 	"github.com/TecharoHQ/anubis/internal/dnsbl"
 	"github.com/TecharoHQ/anubis/internal/ogtags"
 	"github.com/TecharoHQ/anubis/lib/challenge"
-	"github.com/TecharoHQ/anubis/lib/checker"
 	"github.com/TecharoHQ/anubis/lib/localization"
 	"github.com/TecharoHQ/anubis/lib/policy"
+	"github.com/TecharoHQ/anubis/lib/policy/checker"
 	"github.com/TecharoHQ/anubis/lib/policy/config"
 
 	// challenge implementations
 	_ "github.com/TecharoHQ/anubis/lib/challenge/metarefresh"
 	_ "github.com/TecharoHQ/anubis/lib/challenge/proofofwork"
-
-	// checker implementations
-	_ "github.com/TecharoHQ/anubis/lib/checker/remoteaddress"
 )
 
 var (

lib/challenge/metarefresh/metarefresh_templ.go

@@ -1,6 +1,6 @@
 // Code generated by templ - DO NOT EDIT.
 
-// templ: version: v0.3.898
+// templ: version: v0.3.906
 package metarefresh
 
 //lint:file-ignore SA4006 This context is only used if a nested component is present.

lib/checker/registry.go

@@ -1,42 +0,0 @@
-package checker
-
-import (
-	"encoding/json"
-	"sort"
-	"sync"
-)
-
-type Factory interface {
-	ValidateConfig(json.RawMessage) error
-	Create(json.RawMessage) (Impl, error)
-}
-
-var (
-	registry map[string]Factory = map[string]Factory{}
-	regLock  sync.RWMutex
-)
-
-func Register(name string, factory Factory) {
-	regLock.Lock()
-	defer regLock.Unlock()
-
-	registry[name] = factory
-}
-
-func Get(name string) (Factory, bool) {
-	regLock.RLock()
-	defer regLock.RUnlock()
-	result, ok := registry[name]
-	return result, ok
-}
-
-func Methods() []string {
-	regLock.RLock()
-	defer regLock.RUnlock()
-	var result []string
-	for method := range registry {
-		result = append(result, method)
-	}
-	sort.Strings(result)
-	return result
-}

lib/checker/remoteaddress/remoteaddress.go

@@ -1,106 +0,0 @@
-package remoteaddress
-
-import (
-	"encoding/json"
-	"errors"
-	"fmt"
-	"net/http"
-	"net/netip"
-
-	"github.com/TecharoHQ/anubis/internal"
-	"github.com/TecharoHQ/anubis/lib/checker"
-	"github.com/TecharoHQ/anubis/lib/policy"
-	"github.com/TecharoHQ/anubis/lib/policy/config"
-	"github.com/gaissmai/bart"
-)
-
-var (
-	ErrNoRemoteAddresses = errors.New("remoteaddress: no remote addresses defined")
-)
-
-func init() {
-	checker.Register("remote_address", Factory{})
-}
-
-type Factory struct{}
-
-func (Factory) ValidateConfig(inp json.RawMessage) error {
-	var fc fileConfig
-	if err := json.Unmarshal([]byte(inp), &fc); err != nil {
-		return fmt.Errorf("%w: %w", config.ErrUnparseableConfig, err)
-	}
-
-	if err := fc.Valid(); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (Factory) Create(inp json.RawMessage) (checker.Impl, error) {
-	c := struct {
-		RemoteAddr []netip.Prefix `json:"remote_addresses,omitempty" yaml:"remote_addresses,omitempty"`
-	}{}
-
-	if err := json.Unmarshal([]byte(inp), &c); err != nil {
-		return nil, fmt.Errorf("%w: %w", config.ErrUnparseableConfig, err)
-	}
-
-	table := new(bart.Lite)
-
-	for _, cidr := range c.RemoteAddr {
-		table.Insert(cidr)
-	}
-
-	return &Impl{
-		prefixTable: table,
-		hash:        internal.FastHash(string(inp)),
-	}, nil
-}
-
-type fileConfig struct {
-	RemoteAddr []string `json:"remote_addresses,omitempty" yaml:"remote_addresses,omitempty"`
-}
-
-func (fc fileConfig) Valid() error {
-	var errs []error
-
-	if len(fc.RemoteAddr) == 0 {
-		errs = append(errs, ErrNoRemoteAddresses)
-	}
-
-	for _, cidr := range fc.RemoteAddr {
-		if _, err := netip.ParsePrefix(cidr); err != nil {
-			errs = append(errs, fmt.Errorf("%w: cidr %q is invalid: %w", config.ErrInvalidCIDR, cidr, err))
-		}
-	}
-
-	if len(errs) != 0 {
-		return fmt.Errorf("%w: %w", policy.ErrMisconfiguration, errors.Join(errs...))
-	}
-
-	return nil
-}
-
-type Impl struct {
-	prefixTable *bart.Lite
-	hash        string
-}
-
-func (rac *Impl) Check(r *http.Request) (bool, error) {
-	host := r.Header.Get("X-Real-Ip")
-	if host == "" {
-		return false, fmt.Errorf("%w: header X-Real-Ip is not set", policy.ErrMisconfiguration)
-	}
-
-	addr, err := netip.ParseAddr(host)
-	if err != nil {
-		return false, fmt.Errorf("%w: %s is not an IP address: %w", policy.ErrMisconfiguration, host, err)
-	}
-
-	return rac.prefixTable.Contains(addr), nil
-}
-
-func (rac *Impl) Hash() string {
-	return rac.hash
-}

lib/checker/remoteaddress/remoteaddress_test.go

@@ -1,238 +0,0 @@
-package remoteaddress
-
-import (
-	_ "embed"
-	"encoding/json"
-	"errors"
-	"net/http"
-	"net/netip"
-	"strings"
-	"testing"
-
-	"github.com/TecharoHQ/anubis/internal"
-	"github.com/TecharoHQ/anubis/lib/checker"
-	"github.com/TecharoHQ/anubis/lib/policy"
-	"github.com/TecharoHQ/anubis/lib/policy/config"
-	"github.com/gaissmai/bart"
-)
-
-func TestFactoryIsCheckerFactory(t *testing.T) {
-	if _, ok := (any(Factory{})).(checker.Factory); !ok {
-		t.Fatal("Factory is not an instance of checker.Factory")
-	}
-}
-
-func TestFactoryValidateConfig(t *testing.T) {
-	f := Factory{}
-
-	for _, tt := range []struct {
-		name string
-		data []byte
-		err  error
-	}{
-		{
-			name: "basic valid",
-			data: []byte(`{
-  "remote_addresses": [
-    "1.1.1.1/32"
-  ]
-}`),
-		},
-		{
-			name: "not json",
-			data: []byte(`]`),
-			err:  config.ErrUnparseableConfig,
-		},
-		{
-			name: "no cidr",
-			data: []byte(`{
-  "remote_addresses": []
-}`),
-			err: ErrNoRemoteAddresses,
-		},
-		{
-			name: "bad cidr",
-			data: []byte(`{
-  "remote_addresses": [
-    "according to all laws of aviation"
-  ]
-}`),
-			err: config.ErrInvalidCIDR,
-		},
-	} {
-		t.Run(tt.name, func(t *testing.T) {
-			data := json.RawMessage(tt.data)
-
-			if err := f.ValidateConfig(data); !errors.Is(err, tt.err) {
-				t.Logf("want: %v", tt.err)
-				t.Logf("got:  %v", err)
-				t.Fatal("validation didn't do what was expected")
-			}
-		})
-	}
-}
-
-func TestFactoryCreate(t *testing.T) {
-	f := Factory{}
-
-	for _, tt := range []struct {
-		name  string
-		data  []byte
-		err   error
-		ip    string
-		match bool
-	}{
-		{
-			name: "basic valid",
-			data: []byte(`{
-  "remote_addresses": [
-    "1.1.1.1/32"
-  ]
-}`),
-			ip:    "1.1.1.1",
-			match: true,
-		},
-		{
-			name: "bad cidr",
-			data: []byte(`{
-  "remote_addresses": [
-    "according to all laws of aviation"
-  ]
-}`),
-			err: config.ErrUnparseableConfig,
-		},
-	} {
-		t.Run(tt.name, func(t *testing.T) {
-			data := json.RawMessage(tt.data)
-
-			impl, err := f.Create(data)
-			if !errors.Is(err, tt.err) {
-				t.Logf("want: %v", tt.err)
-				t.Logf("got:  %v", err)
-				t.Fatal("creation didn't do what was expected")
-			}
-
-			if tt.err != nil {
-				return
-			}
-
-			r, err := http.NewRequest(http.MethodGet, "/", nil)
-			if err != nil {
-				t.Fatalf("can't make request: %v", err)
-			}
-
-			if tt.ip != "" {
-				r.Header.Add("X-Real-Ip", tt.ip)
-			}
-
-			match, err := impl.Check(r)
-
-			if tt.match != match {
-				t.Errorf("match: %v, wanted: %v", match, tt.match)
-			}
-
-			if err != nil && tt.err != nil && !errors.Is(err, tt.err) {
-				t.Errorf("err: %v, wanted: %v", err, tt.err)
-			}
-
-			if impl.Hash() == "" {
-				t.Error("hash method returns empty string")
-			}
-		})
-	}
-}
-
-func racFromCidrs(t *testing.T, inp []string) *Impl {
-	t.Helper()
-
-	var result Impl
-	result.prefixTable = new(bart.Lite)
-	result.hash = internal.FastHash(strings.Join(inp, ","))
-
-	for _, cidr := range inp {
-		pfx, err := netip.ParsePrefix(cidr)
-		if err != nil {
-			t.Errorf("prefix %q is invalid: %v", cidr, err)
-			continue
-		}
-
-		result.prefixTable.Insert(pfx)
-	}
-
-	return &result
-}
-
-func TestRemoteAddrChecker(t *testing.T) {
-	for _, tt := range []struct {
-		err   error
-		name  string
-		ip    string
-		cidrs []string
-		ok    bool
-	}{
-		{
-			name:  "match_ipv4",
-			cidrs: []string{"0.0.0.0/0"},
-			ip:    "1.1.1.1",
-			ok:    true,
-			err:   nil,
-		},
-		{
-			name:  "match_ipv6",
-			cidrs: []string{"::/0"},
-			ip:    "cafe:babe::",
-			ok:    true,
-			err:   nil,
-		},
-		{
-			name:  "not_match_ipv4",
-			cidrs: []string{"1.1.1.1/32"},
-			ip:    "1.1.1.2",
-			ok:    false,
-			err:   nil,
-		},
-		{
-			name:  "not_match_ipv6",
-			cidrs: []string{"cafe:babe::/128"},
-			ip:    "cafe:babe:4::/128",
-			ok:    false,
-			err:   nil,
-		},
-		{
-			name:  "no_ip_set",
-			cidrs: []string{"::/0"},
-			ok:    false,
-			err:   policy.ErrMisconfiguration,
-		},
-		{
-			name:  "invalid_ip",
-			cidrs: []string{"::/0"},
-			ip:    "According to all natural laws of aviation",
-			ok:    false,
-			err:   policy.ErrMisconfiguration,
-		},
-	} {
-		t.Run(tt.name, func(t *testing.T) {
-			rac := racFromCidrs(t, tt.cidrs)
-
-			r, err := http.NewRequest(http.MethodGet, "/", nil)
-			if err != nil {
-				t.Fatalf("can't make request: %v", err)
-			}
-
-			if tt.ip != "" {
-				r.Header.Add("X-Real-Ip", tt.ip)
-			}
-
-			ok, err := rac.Check(r)
-
-			if tt.ok != ok {
-				t.Errorf("ok: %v, wanted: %v", ok, tt.ok)
-			}
-
-			if err != nil && tt.err != nil && !errors.Is(err, tt.err) {
-				t.Errorf("err: %v, wanted: %v", err, tt.err)
-			}
-		})
-	}
-}

lib/localization/localization.go

@@ -3,6 +3,7 @@ package localization
 import (
 	"embed"
 	"encoding/json"
+	"github.com/TecharoHQ/anubis"
 	"net/http"
 	"strings"
 	"sync"
@@ -57,14 +58,14 @@ func NewLocalizationService() *LocalizationService {
 
 		globalService = &LocalizationService{bundle: bundle}
 	})
-	
+
 	// Safety check - if globalService is still nil, create a minimal one
 	if globalService == nil {
 		bundle := i18n.NewBundle(language.English)
 		bundle.RegisterUnmarshalFunc("json", json.Unmarshal)
 		globalService = &LocalizationService{bundle: bundle}
 	}
-	
+
 	return globalService
 }
 
@@ -93,8 +94,13 @@ func (sl *SimpleLocalizer) T(messageID string) string {
 	return sl.Localizer.MustLocalize(&i18n.LocalizeConfig{MessageID: messageID})
 }
 
-// GetLocalizer creates a localizer based on the request's Accept-Language header
+// GetLocalizer creates a localizer based on the request's Accept-Language header or forcedLanguage option
 func GetLocalizer(r *http.Request) *SimpleLocalizer {
-	localizer := NewLocalizationService().GetLocalizerFromRequest(r)
+	var localizer *i18n.Localizer
+	if anubis.ForcedLanguage == "" {
+		localizer = NewLocalizationService().GetLocalizerFromRequest(r)
+	} else {
+		localizer = NewLocalizationService().GetLocalizer(anubis.ForcedLanguage)
+	}
 	return &SimpleLocalizer{Localizer: localizer}
 }

lib/policy/bot.go

@@ -4,7 +4,7 @@ import (
 	"fmt"
 
 	"github.com/TecharoHQ/anubis/internal"
-	"github.com/TecharoHQ/anubis/lib/checker"
+	"github.com/TecharoHQ/anubis/lib/policy/checker"
 	"github.com/TecharoHQ/anubis/lib/policy/config"
 )
 

lib/policy/checker.go

@@ -9,7 +9,7 @@ import (
 	"strings"
 
 	"github.com/TecharoHQ/anubis/internal"
-	"github.com/TecharoHQ/anubis/lib/checker"
+	"github.com/TecharoHQ/anubis/lib/policy/checker"
 	"github.com/gaissmai/bart"
 )
 

lib/policy/checker/checker.go

@@ -10,7 +10,7 @@ import (
 )
 
 type Impl interface {
-	Check(*http.Request) (matches bool, err error)
+	Check(*http.Request) (bool, error)
 	Hash() string
 }
 

lib/policy/config/config.go

@@ -31,7 +31,6 @@ var (
 	ErrCantSetBotAndImportValuesAtOnce   = errors.New("config.BotOrImport: can't set bot rules and import values at the same time")
 	ErrMustSetBotOrImportRules           = errors.New("config.BotOrImport: rule definition is invalid, you must set either bot rules or an import statement, not both")
 	ErrStatusCodeNotValid                = errors.New("config.StatusCode: status code not valid, must be between 100 and 599")
-	ErrUnparseableConfig                 = errors.New("config: can't parse configuration file")
 )
 
 type Rule string

lib/policy/policy.go

@@ -9,7 +9,7 @@ import (
 	"sync/atomic"
 
 	"github.com/TecharoHQ/anubis/internal/thoth"
-	"github.com/TecharoHQ/anubis/lib/checker"
+	"github.com/TecharoHQ/anubis/lib/policy/checker"
 	"github.com/TecharoHQ/anubis/lib/policy/config"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promauto"

run/anubis@.service

@@ -12,7 +12,7 @@ CacheDirectory=anubis/%i
 CacheDirectoryMode=0755
 StateDirectory=anubis/%i
 StateDirectoryMode=0755
-RuntimeDirectory=anubis
+RuntimeDirectory=anubis/%i
 RuntimeDirectoryMode=0755
 ReadWritePaths=/run
 

web/index_templ.go

@@ -1,6 +1,6 @@
 // Code generated by templ - DO NOT EDIT.
 
-// templ: version: v0.3.898
+// templ: version: v0.3.906
 package web
 
 //lint:file-ignore SA4006 This context is only used if a nested component is present.

web/js/main.mjs

@@ -212,11 +212,6 @@ const t = (key) => translations[`js_${key}`] || translations[key] || key;
     const t1 = Date.now();
     console.log({ hash, nonce });
 
-    title.innerHTML = t('success');
-    status.innerHTML = `${t('done_took')} ${t1 - t0}ms, ${nonce} ${t('iterations')}`;
-    image.src = imageURL("happy", anubisVersion, basePrefix);
-    progress.style.display = "none";
-
     if (userReadDetails) {
       const container = document.getElementById("progress");
 
@@ -251,17 +246,15 @@ const t = (key) => translations[`js_${key}`] || translations[key] || key;
       container.onclick = onDetailsExpand;
       setTimeout(onDetailsExpand, 30000);
     } else {
-      setTimeout(() => {
-        const redir = window.location.href;
-        window.location.replace(
-          u(`${basePrefix}/.within.website/x/cmd/anubis/api/pass-challenge`, {
-            response: hash,
-            nonce,
-            redir,
-            elapsedTime: t1 - t0,
-          }),
-        );
-      }, 250);
+      const redir = window.location.href;
+      window.location.replace(
+        u(`${basePrefix}/.within.website/x/cmd/anubis/api/pass-challenge`, {
+          response: hash,
+          nonce,
+          redir,
+          elapsedTime: t1 - t0,
+        }),
+      );
     }
   } catch (err) {
     ohNoes({