versia-pub/server
2
0
Fork 0
mirror of https://github.com/versia-pub/server.git synced 2026-03-13 05:49:16 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(api): Implement Challenges API

Browse source
This commit is contained in:
Jesse Wierzbinski 2024-06-13 22:03:51 -10:00
parent 924ff9b2d4
commit 8f9472b221
No known key found for this signature in database
26 changed files with 2656 additions and 104 deletions
Download patch file Download diff file Expand all files Collapse all files

55
docs/api/challenges.md Normal file
View file

@ -0,0 +1,55 @@
# Challenges API
Some API routes may require a cryptographic challenge to be solved before the request can be made. This is to prevent abuse of the API by bots and other malicious actors. The challenge is a simple mathematical problem that can be solved by any client.
This is a form of proof of work CAPTCHA, and should be mostly invisible to users. The challenge is generated by the server and sent to the client, which must solve it and send the solution back to the server.
## Solving a Challenge
Challenges are powered by the [Altcha](https://altcha.org/) library. You may either reimplement their solution code (which is very simple), or use [`altcha-lib`](https://github.com/altcha-org/altcha-lib) to solve the challenges.
## Request Challenge
```http
POST /api/v1/challenges
```
Generates a new challenge for the client to solve.
### Response
```ts
// 200 OK
{
id: string,
algorithm: "SHA-256" | "SHA-384" | "SHA-512",
challenge: string;
maxnumber?: number;
salt: string;
signature: string;
}
```
## Sending a Solution
To send a solution with any request, add the following headers:
- `X-Challenge-Solution`: A base64 encoded string of the following JSON object:
```ts
{
number: number; // Solution to the challenge
algorithm: "SHA-256" | "SHA-384" | "SHA-512";
challenge: string;
salt: string,
signature: string,
}
```
Example: `{"number": 42, "algorithm": "SHA-256", "challenge": "xxxx", "salt": "abc", "signature": "def"}` -> `eyJudW1iZXIiOjQyLCJhbGdvcml0aG0iOiJTSEEtMjU2IiwiY2hhbGxlbmdlIjoieHh4eCIsInNhbHQiOiJhYmMiLCJzaWduYXR1cmUiOiJkZWYifQ==`
A challenge solution is valid for 5 minutes (configurable) after the challenge is generated. No solved challenge may be used more than once.
## Routes Requiring Challenges
If challenges are enabled, the following routes will require a challenge to be solved before the request can be made:
- `POST /api/v1/accounts`
Which routes require challenges may eventually be expanded or made configurable.

4
docs/api/index.md
View file

@ -12,6 +12,10 @@ For client developers. Please read [the documentation](./emojis.md).
For client developers. Please read [the documentation](./roles.md).
## Challenges API
For client developers. Please read [the documentation](./challenges.md).
## Moderation API
> [!WARNING]