Felix Palmen :freebsd: :c64:
@zirias@mastodon.bsd.cafe · 5 months ago

There's a lot that could still be improved in #swad, but I don't get that "proof of work" idea out of my mind, so I started a branch to work on it:

https://github.com/Zirias/swad/pull/1

I really think it makes sense when you want some publicly known "guest login" which is still protected against #bots. Not sure yet whether this will succeed, we will see!

It certainly won't be as "fancy" as #anubis, but will do the same thing functionally: Require the client to find a #nonce that, combined with a server-provided #challenge, hashes to something with 'n' leading zeros using #sha256. In contrast to anubis, swad won't have to proxy everything (but rely on nginx's auth_request), and no challenge will be issued when the user logs in with credentials some other credentials checker accepts.

Felix Palmen :freebsd: :c64:
@zirias@mastodon.bsd.cafe replied · 5 months ago

Some progress, I can successfully "hijack" #swad's login handler to display a special hidden form with (currently dummy) JavaScript attached plus a random challenge. Also, verify whether a nonce (passed as a password), when appended to the challenge, hashes to a #sha256 hash with "x" leading zero nibbles.

So, now I "just" have to write some #javascript to make this fly ... 🙈

Felix Palmen :freebsd: :c64:
@zirias@mastodon.bsd.cafe replied · 5 months ago

Some progress on the #javascript side as well. It does solve the puzzle 🥳

It doesn't submit it to the server yet. It does it single-threaded so far. It does only minimal error checking, if any. But hey, it works!

Javascript found a nonce that makes the challenge hash to a sha256 hash with 5 leading zeros. The nonce is shown in an alert, the hash printed to the console log.
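The scheme described in this thread (a nonce appended to a server-provided challenge, hashed with SHA-256, accepted when the digest has enough leading zero nibbles), as an added example that is not part of the original posts and is not swad's code. It assumes string challenges and nonces and runs under Node.js; all function names, the nonce length cap, and the expiry and single-use bookkeeping are hypothetical.

```javascript
// Added example, not swad's code. Assumptions: challenge and nonce are strings,
// the hash input is challenge + nonce (UTF-8), and difficulty counts leading
// zero hex digits (nibbles) of the SHA-256 digest.
const { createHash, randomBytes } = require("node:crypto");

const MAX_NONCE_LEN = 32; // hypothetical cap: keeps server-side hashing cost bounded

function powHash(challenge, nonce) {
  return createHash("sha256").update(challenge + nonce, "utf8").digest("hex");
}

// Number of leading "0" characters in a hex digest.
function leadingZeroNibbles(hex) {
  let n = 0;
  while (n < hex.length && hex[n] === "0") n++;
  return n;
}

// Server side: one hash per submitted nonce, whatever the difficulty.
function verifyNonce(challenge, nonce, difficulty) {
  if (typeof nonce !== "string" || nonce.length === 0) return false;
  if (nonce.length > MAX_NONCE_LEN) return false;
  return leadingZeroNibbles(powHash(challenge, nonce)) >= difficulty;
}

// Client side: counter search; expected work is about 16^difficulty hashes.
function solve(challenge, difficulty, maxTries = 1e7) {
  for (let i = 0; i < maxTries; i++) {
    const nonce = String(i);
    if (verifyNonce(challenge, nonce, difficulty)) return nonce;
  }
  return null;
}

// Hypothetical bookkeeping: challenges are random, expire, and are single-use.
const issued = new Map(); // challenge -> expiry time in ms
function issueChallenge(ttlMs = 60000, now = Date.now()) {
  const challenge = randomBytes(16).toString("hex");
  issued.set(challenge, now + ttlMs);
  return challenge;
}
function redeem(challenge, nonce, difficulty, now = Date.now()) {
  const expiry = issued.get(challenge);
  if (expiry === undefined) return false; // never issued, or already used
  if (now > expiry) { issued.delete(challenge); return false; }
  if (!verifyNonce(challenge, nonce, difficulty)) return false;
  issued.delete(challenge); // a solved challenge cannot be replayed
  return true;
}
```

The asymmetry is the point: the client does about 16^n hashes for difficulty n, while the server checks a submission with a single hash.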