Add the new CELPHASE art to the stable branch (#209)

* web: add artist credit to footer

Signed-off-by: Xe Iaso <me@xeiaso.net>

* v1.15.2

Signed-off-by: Xe Iaso <me@xeiaso.net>

---------

Signed-off-by: Xe Iaso <me@xeiaso.net>

VERSION

@@ -1 +1 @@
-1.14.2
+1.15.2

docs/docs/CHANGELOG.md

@@ -11,7 +11,38 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## v1.15.2
+
+Zenos yae Galvus: Echo 2
+
+The mascot has been updated with art by [CELPHASE](https://bsky.app/profile/celphase.bsky.social).
+
+## v1.15.1
+
+Zenos yae Galvus: Echo 1
+
+Fixes a recurrence of [CVE-2025-24369](https://github.com/Xe/x/security/advisories/GHSA-56w8-8ppj-2p4f)
+due to an incorrect logic change in a refactor. This allows an attacker to mint a valid
+access token by passing any SHA-256 hash instead of one that matches the proof-of-work
+test.
+
+This case has been added as a regression test. It was not when CVE-2025-24369 was released
+due to the project not having the maturity required to enable this kind of regression testing.
+
+## v1.15.0
+
+Zenos yae Galvus
+
+> Yes...the coming days promise to be most interesting. Most interesting.
+
+Headline changes:
+
 - ed25519 signing keys for Anubis can be stored in the flag `--ed25519-private-key-hex` or envvar `ED25519_PRIVATE_KEY_HEX`; if one is not provided when Anubis starts, a new one is generated and logged
+- Add the ability to set the cookie domain with the envvar `COOKIE_DOMAIN=techaro.lol` for all domains under `techaro.lol`
+- Add the ability to set the cookie partitioned flag with the envvar `COOKIE_PARTITIONED=true`
+
+Many other small changes were made, including but not limited to:
+
 - Fixed and clarified installation instructions
 - Introduced integration tests using Playwright
 - Refactor & Split up Anubis into cmd and lib.go
@@ -19,10 +50,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Fix default difficulty setting that was broken in a refactor
 - Linting fixes
 - Make dark mode diff lines readable in the documentation
-- Add the ability to set the cookie domain with the envvar `COOKIE_DOMAIN=techaro.lol` for all domains under `techaro.lol`
-- Add the ability to set the cookie partitioned flag with the envvar `COOKIE_PARTITIONED=true`
 - Fix CI based browser smoke test
 
+Users running Anubis' test suite may run into issues with the integration tests on Windows hosts. This is a known issue and will be fixed at some point in the future. In the meantime, use the Windows Subsystem for Linux (WSL).
+
 ## v1.14.2
 
 Livia sas Junius: Echo 2

docs/docusaurus.config.ts

@@ -76,7 +76,7 @@ const config: Config = {
       title: 'Anubis',
       logo: {
         alt: 'A happy jackal woman with brown hair and red eyes',
-        src: 'img/happy.webp',
+        src: 'img/favicon.webp',
       },
       items: [
         {

lib/anubis.go

@@ -145,14 +145,13 @@ func New(opts Options) (*Server, error) {
 }
 
 type Server struct {
-	mux                 *http.ServeMux
+	mux        *http.ServeMux
-	next                http.Handler
+	next       http.Handler
-	priv                ed25519.PrivateKey
+	priv       ed25519.PrivateKey
-	pub                 ed25519.PublicKey
+	pub        ed25519.PublicKey
-	policy              *policy.ParsedConfig
+	policy     *policy.ParsedConfig
-	opts                Options
+	opts       Options
-	DNSBLCache          *decaymap.Impl[string, dnsbl.DroneBLResponse]
+	DNSBLCache *decaymap.Impl[string, dnsbl.DroneBLResponse]
-	ChallengeDifficulty int
 }
 
 func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
@@ -428,9 +427,9 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// compare the leading zeroes
-	if !strings.HasPrefix(response, strings.Repeat("0", s.ChallengeDifficulty)) {
+	if !strings.HasPrefix(response, strings.Repeat("0", rule.Challenge.Difficulty)) {
 		s.ClearCookie(w)
-		lg.Debug("difficulty check failed", "response", response, "difficulty", s.ChallengeDifficulty)
+		lg.Debug("difficulty check failed", "response", response, "difficulty", rule.Challenge.Difficulty)
 		templ.Handler(web.Base("Oh noes!", web.ErrorPage("invalid response")), templ.WithStatus(http.StatusForbidden)).ServeHTTP(w, r)
 		failedValidations.Inc()
 		return

web/index.templ

@@ -153,6 +153,7 @@ templ base(title string, body templ.Component) {
 	href="https://techaro.lol"
 >Techaro</a>. Made with ❤️ in 🇨🇦.
 						</p>
+						<p>Mascot design by <a href="https://bsky.app/profile/celphase.bsky.social">CELPHASE</a>.</p>
 					</center>
 				</footer>
 			</main>
@@ -208,7 +209,7 @@ templ errorPage(message string) {
 		<img
 			id="image"
 			style="width:100%;max-width:256px;"
-			src={ "/.within.website/x/cmd/anubis/static/img/sad.webp?cacheBuster=" + anubis.Version }
+			src={ "/.within.website/x/cmd/anubis/static/img/reject.webp?cacheBuster=" + anubis.Version }
 		/>
 		<p>{ message }.</p>
 		<button onClick="window.location.reload();">Try again</button>

web/index_templ.go

@@ -89,7 +89,7 @@ func base(title string, body templ.Component) templ.Component {
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 6, "<footer><center><p>Protected by <a href=\"https://github.com/TecharoHQ/anubis\">Anubis</a> from <a href=\"https://techaro.lol\">Techaro</a>. Made with ❤️ in 🇨🇦.</p></center></footer></main></body></html>")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 6, "<footer><center><p>Protected by <a href=\"https://github.com/TecharoHQ/anubis\">Anubis</a> from <a href=\"https://techaro.lol\">Techaro</a>. Made with ❤️ in 🇨🇦.</p><p>Mascot design by <a href=\"https://bsky.app/profile/celphase.bsky.social\">CELPHASE</a>.</p></center></footer></main></body></html>")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
@@ -126,7 +126,7 @@ func index() templ.Component {
 		templ_7745c5c3_Var6, templ_7745c5c3_Err = templ.JoinStringErrs("/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" +
 			anubis.Version)
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 169, Col: 18}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 170, Col: 18}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var6))
 		if templ_7745c5c3_Err != nil {
@@ -140,7 +140,7 @@ func index() templ.Component {
 		templ_7745c5c3_Var7, templ_7745c5c3_Err = templ.JoinStringErrs("/.within.website/x/cmd/anubis/static/img/happy.webp?cacheBuster=" +
 			anubis.Version)
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 175, Col: 18}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 176, Col: 18}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var7))
 		if templ_7745c5c3_Err != nil {
@@ -153,7 +153,7 @@ func index() templ.Component {
 		var templ_7745c5c3_Var8 string
 		templ_7745c5c3_Var8, templ_7745c5c3_Err = templ.JoinStringErrs("/.within.website/x/cmd/anubis/static/js/main.mjs?cacheBuster=" + anubis.Version)
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 178, Col: 116}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 179, Col: 116}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var8))
 		if templ_7745c5c3_Err != nil {
@@ -193,9 +193,9 @@ func errorPage(message string) templ.Component {
 			return templ_7745c5c3_Err
 		}
 		var templ_7745c5c3_Var10 string
-		templ_7745c5c3_Var10, templ_7745c5c3_Err = templ.JoinStringErrs("/.within.website/x/cmd/anubis/static/img/sad.webp?cacheBuster=" + anubis.Version)
+		templ_7745c5c3_Var10, templ_7745c5c3_Err = templ.JoinStringErrs("/.within.website/x/cmd/anubis/static/img/reject.webp?cacheBuster=" + anubis.Version)
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 211, Col: 90}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 212, Col: 93}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var10))
 		if templ_7745c5c3_Err != nil {
@@ -208,7 +208,7 @@ func errorPage(message string) templ.Component {
 		var templ_7745c5c3_Var11 string
 		templ_7745c5c3_Var11, templ_7745c5c3_Err = templ.JoinStringErrs(message)
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 213, Col: 14}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 214, Col: 14}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var11))
 		if templ_7745c5c3_Err != nil {

web/js/main.mjs

@@ -27,6 +27,22 @@ const imageURL = (mood, cacheBuster) =>
   const spinner = document.getElementById('spinner');
   const anubisVersion = JSON.parse(document.getElementById('anubis_version').textContent);
 
+  const ohNoes = ({ titleMsg, statusMsg, imageSrc }) => {
+    title.innerHTML = titleMsg;
+    status.innerHTML = statusMsg;
+    image.src = imageSrc;
+    progress.style.display = "none";
+  };
+
+  if (!window.isSecureContext) {
+    ohNoes({
+      titleMsg: "Your context is not secure!",
+      statusMsg: `Try connecting over HTTPS or let the admin know to set up HTTPS. For more information, see <a href="https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts#when_is_a_context_considered_secure">MDN</a>.`,
+      imageSrc: imageURL("reject", anubisVersion),
+    });
+    return;
+  }
+
   // const testarea = document.getElementById('testarea');
 
   // const videoWorks = await testVideo(testarea);
@@ -35,9 +51,9 @@ const imageURL = (mood, cacheBuster) =>
   // if (!videoWorks) {
   //   title.innerHTML = "Oh no!";
   //   status.innerHTML = "Checks failed. Please check your browser's settings and try again.";
-  //   image.src = imageURL("sad");
   //   spinner.innerHTML = "";
   //   spinner.style.display = "none";
+  //   image.src = imageURL("reject");
   //   return;
   // }
 
@@ -51,21 +67,21 @@ const imageURL = (mood, cacheBuster) =>
       return r.json();
     })
     .catch(err => {
-      title.innerHTML = "Oh no!";
+      ohNoes({
-      status.innerHTML = `Failed to fetch config: ${err.message}`;
+        titleMsg: "Internal error!",
-      image.src = imageURL("sad", anubisVersion);
+        statusMsg: `Failed to fetch challenge config: ${err.message}`,
-      spinner.innerHTML = "";
+        imageSrc: imageURL("reject", anubisVersion),
-      spinner.style.display = "none";
+      });
       throw err;
     });
 
   const process = algorithms[rules.algorithm];
   if (!process) {
-    title.innerHTML = "Oh no!";
+    ohNoes({
-    status.innerHTML = `Failed to resolve check algorithm. You may want to reload the page.`;
+      titleMsg: "Challenge error!",
-    image.src = imageURL("sad", anubisVersion);
+      statusMsg: `Failed to resolve check algorithm. You may want to reload the page.`,
-    spinner.innerHTML = "";
+      imageSrc: imageURL("reject", anubisVersion),
-    spinner.style.display = "none";
+    });
     return;
   }
 

web/static/js/main.mjs

@@ -1,2 +1,2 @@
-(()=>{function p(r,n=5,t=navigator.hardwareConcurrency||1){return console.debug("fast algo"),new Promise((e,o)=>{let s=URL.createObjectURL(new Blob(["(",y(),")()"],{type:"application/javascript"})),a=[];for(let i=0;i<t;i++){let c=new Worker(s);c.onmessage=d=>{a.forEach(u=>u.terminate()),c.terminate(),e(d.data)},c.onerror=d=>{c.terminate(),o()},c.postMessage({data:r,difficulty:n,nonce:i,threads:t}),a.push(c)}URL.revokeObjectURL(s)})}function y(){return function(){let r=t=>{let e=new TextEncoder().encode(t);return crypto.subtle.digest("SHA-256",e.buffer)};function n(t){return Array.from(t).map(e=>e.toString(16).padStart(2,"0")).join("")}addEventListener("message",async t=>{let e=t.data.data,o=t.data.difficulty,s,a=t.data.nonce,i=t.data.threads;for(;;){let c=await r(e+a),d=new Uint8Array(c),u=!0;for(let m=0;m<o;m++){let l=Math.floor(m/2),g=m%2;if((d[l]>>(g===0?4:0)&15)!==0){u=!1;break}}if(u){s=n(d),console.log(s);break}a+=i}postMessage({hash:s,data:e,difficulty:o,nonce:a})})}.toString()}function f(r,n=5,t=1){return console.debug("slow algo"),new Promise((e,o)=>{let s=URL.createObjectURL(new Blob(["(",b(),")()"],{type:"application/javascript"})),a=new Worker(s);a.onmessage=i=>{a.terminate(),e(i.data)},a.onerror=i=>{a.terminate(),o()},a.postMessage({data:r,difficulty:n}),URL.revokeObjectURL(s)})}function b(){return function(){let r=n=>{let t=new TextEncoder().encode(n);return crypto.subtle.digest("SHA-256",t.buffer).then(e=>Array.from(new Uint8Array(e)).map(o=>o.toString(16).padStart(2,"0")).join(""))};addEventListener("message",async n=>{let t=n.data.data,e=n.data.difficulty,o,s=0;do o=await r(t+s++);while(o.substring(0,e)!==Array(e+1).join("0"));s-=1,postMessage({hash:o,data:t,difficulty:e,nonce:s})})}.toString()}var L={fast:p,slow:f},w=(r="",n={})=>{let t=new URL(r,window.location.href);return Object.entries(n).forEach(e=>{let[o,s]=e;t.searchParams.set(o,s)}),t.toString()},h=(r,n)=>w(`/.within.website/x/cmd/anubis/static/img/${r}.webp`,{cacheBuster:n});(async()=>{let r=document.getElementById("status"),n=document.getElementById("image"),t=document.getElementById("title"),e=document.getElementById("spinner"),o=JSON.parse(document.getElementById("anubis_version").textContent);r.innerHTML="Calculating...";let{challenge:s,rules:a}=await fetch("/.within.website/x/cmd/anubis/api/make-challenge",{method:"POST"}).then(l=>{if(!l.ok)throw new Error("Failed to fetch config");return l.json()}).catch(l=>{throw t.innerHTML="Oh no!",r.innerHTML=`Failed to fetch config: ${l.message}`,n.src=h("sad",o),e.innerHTML="",e.style.display="none",l}),i=L[a.algorithm];if(!i){t.innerHTML="Oh no!",r.innerHTML="Failed to resolve check algorithm. You may want to reload the page.",n.src=h("sad",o),e.innerHTML="",e.style.display="none";return}r.innerHTML=`Calculating...<br/>Difficulty: ${a.report_as}`;let c=Date.now(),{hash:d,nonce:u}=await i(s,a.difficulty),m=Date.now();console.log({hash:d,nonce:u}),t.innerHTML="Success!",r.innerHTML=`Done! Took ${m-c}ms, ${u} iterations`,n.src=h("happy",o),e.innerHTML="",e.style.display="none",setTimeout(()=>{let l=window.location.href;window.location.href=w("/.within.website/x/cmd/anubis/api/pass-challenge",{response:d,nonce:u,redir:l,elapsedTime:m-c})},250)})();})();
+(()=>{function p(s,r=5,e=navigator.hardwareConcurrency||1){return console.debug("fast algo"),new Promise((t,n)=>{let o=URL.createObjectURL(new Blob(["(",S(),")()"],{type:"application/javascript"})),a=[];for(let i=0;i<e;i++){let c=new Worker(o);c.onmessage=d=>{a.forEach(m=>m.terminate()),c.terminate(),t(d.data)},c.onerror=d=>{c.terminate(),n()},c.postMessage({data:s,difficulty:r,nonce:i,threads:e}),a.push(c)}URL.revokeObjectURL(o)})}function S(){return function(){let s=e=>{let t=new TextEncoder().encode(e);return crypto.subtle.digest("SHA-256",t.buffer)};function r(e){return Array.from(e).map(t=>t.toString(16).padStart(2,"0")).join("")}addEventListener("message",async e=>{let t=e.data.data,n=e.data.difficulty,o,a=e.data.nonce,i=e.data.threads;for(;;){let c=await s(t+a),d=new Uint8Array(c),m=!0;for(let u=0;u<n;u++){let g=Math.floor(u/2),l=u%2;if((d[g]>>(l===0?4:0)&15)!==0){m=!1;break}}if(m){o=r(d),console.log(o);break}a+=i}postMessage({hash:o,data:t,difficulty:n,nonce:a})})}.toString()}function f(s,r=5,e=1){return console.debug("slow algo"),new Promise((t,n)=>{let o=URL.createObjectURL(new Blob(["(",L(),")()"],{type:"application/javascript"})),a=new Worker(o);a.onmessage=i=>{a.terminate(),t(i.data)},a.onerror=i=>{a.terminate(),n()},a.postMessage({data:s,difficulty:r}),URL.revokeObjectURL(o)})}function L(){return function(){let s=r=>{let e=new TextEncoder().encode(r);return crypto.subtle.digest("SHA-256",e.buffer).then(t=>Array.from(new Uint8Array(t)).map(n=>n.toString(16).padStart(2,"0")).join(""))};addEventListener("message",async r=>{let e=r.data.data,t=r.data.difficulty,n,o=0;do n=await s(e+o++);while(n.substring(0,t)!==Array(t+1).join("0"));o-=1,postMessage({hash:n,data:e,difficulty:t,nonce:o})})}.toString()}var T={fast:p,slow:f},y=(s="",r={})=>{let e=new URL(s,window.location.href);return Object.entries(r).forEach(t=>{let[n,o]=t;e.searchParams.set(n,o)}),e.toString()},h=(s,r)=>y(`/.within.website/x/cmd/anubis/static/img/${s}.webp`,{cacheBuster:r});(async()=>{let s=document.getElementById("status"),r=document.getElementById("image"),e=document.getElementById("title"),t=document.getElementById("spinner"),n=JSON.parse(document.getElementById("anubis_version").textContent),o=({titleMsg:l,statusMsg:w,imageSrc:b})=>{e.innerHTML=l,s.innerHTML=w,r.src=b,progress.style.display="none"};if(!window.isSecureContext){o({titleMsg:"Your context is not secure!",statusMsg:'Try connecting over HTTPS or let the admin know to set up HTTPS. For more information, see <a href="https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts#when_is_a_context_considered_secure">MDN</a>.',imageSrc:h("reject",n)});return}s.innerHTML="Calculating...";let{challenge:a,rules:i}=await fetch("/.within.website/x/cmd/anubis/api/make-challenge",{method:"POST"}).then(l=>{if(!l.ok)throw new Error("Failed to fetch config");return l.json()}).catch(l=>{throw o({titleMsg:"Internal error!",statusMsg:`Failed to fetch challenge config: ${l.message}`,imageSrc:h("reject",n)}),l}),c=T[i.algorithm];if(!c){o({titleMsg:"Challenge error!",statusMsg:"Failed to resolve check algorithm. You may want to reload the page.",imageSrc:h("reject",n)});return}s.innerHTML=`Calculating...<br/>Difficulty: ${i.report_as}`;let d=Date.now(),{hash:m,nonce:u}=await c(a,i.difficulty),g=Date.now();console.log({hash:m,nonce:u}),e.innerHTML="Success!",s.innerHTML=`Done! Took ${g-d}ms, ${u} iterations`,r.src=h("happy",n),t.innerHTML="",t.style.display="none",setTimeout(()=>{let l=window.location.href;window.location.href=y("/.within.website/x/cmd/anubis/api/pass-challenge",{response:m,nonce:u,redir:l,elapsedTime:g-d})},250)})();})();
 //# sourceMappingURL=main.mjs.map

xess/xess_templ.go

@@ -1,6 +1,6 @@
 // Code generated by templ - DO NOT EDIT.
 
-// templ: version: v0.3.850
+// templ: version: v0.3.857
 package xess
 
 //lint:file-ignore SA4006 This context is only used if a nested component is present.