[feature] proof of work scraper deterrence (#4043)

This adds a proof-of-work based scraper deterrence to GoToSocial's middleware stack on profile and status web pages. Heavily inspired by https://github.com/TecharoHQ/anubis, but massively stripped back for our own usecase.

Todo:
- ~~add configuration option so this is disabled by default~~
- ~~fix whatever weirdness is preventing this working with CSP (even in debug)~~
- ~~use our standard templating mechanism going through apiutil helper func~~
- ~~probably some absurdly small performance improvements to be made in pooling re-used hex encode / hash encode buffers~~ the web endpoints aren't as hot a path as API / ActivityPub, will leave as-is for now as it is already very minimal and well optimized
- ~~verify the cryptographic assumptions re: using a portion of token as challenge data~~ this isn't a serious application of cryptography, if it turns out to be a problem we'll fix it, but it definitely should not be easily possible to guess a SHA256 hash from the first 1/4 of it even if mathematically it might make it a bit easier
- ~~theme / make look nice??~~
- ~~add a spinner~~
- ~~add entry in example configuration~~
- ~~add documentation~~

Verification page originally based on https://github.com/LucienV1/powtect

Co-authored-by: tobi <tobi.smethurst@protonmail.com>
Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4043
Reviewed-by: tobi <tsmethurst@noreply.codeberg.org>
Co-authored-by: kim <grufwub@gmail.com>
Co-committed-by: kim <grufwub@gmail.com>

1 files changed, 53 insertions, 0 deletions

diff --git a/web/source/nollamasworker/index.js b/web/source/nollamasworker/index.js
new file mode 100644
index 000000000..b95ec0917
--- /dev/null
+++ b/web/source/nollamasworker/index.js
@@ -0,0 +1,53 @@
+/*
+	GoToSocial
+	Copyright (C) GoToSocial Authors admin@gotosocial.org
+	SPDX-License-Identifier: AGPL-3.0-or-later
+
+	This program is free software: you can redistribute it and/or modify
+	it under the terms of the GNU Affero General Public License as published by
+	the Free Software Foundation, either version 3 of the License, or
+	(at your option) any later version.
+
+	This program is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+	GNU Affero General Public License for more details.
+
+	You should have received a copy of the GNU Affero General Public License
+	along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+onmessage = async function(e) {
+	console.log('worker started'); // eslint-disable-line no-console
+
+	const challenge = e.data.challenge;
+	const textEncoder = new TextEncoder();
+
+	// Get difficulty and generate the expected
+	// zero ASCII prefix to check for in hashes.
+	const difficultyStr = e.data.difficulty;
+	const difficulty = parseInt(difficultyStr, 10);
+	const zeroPrefix = '0'.repeat(difficulty);
+
+	let nonce = 0;
+	while (true) { // eslint-disable-line no-constant-condition
+
+		// Create possible solution string from challenge + nonce.
+		const solution = textEncoder.encode(challenge + nonce.toString());
+
+		// Generate SHA256 hashsum of solution string and hex encode the result.
+		const hashBuffer = await crypto.subtle.digest('SHA-256', solution);
+		const hashArray = Array.from(new Uint8Array(hashBuffer));
+		const hashHex = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
+
+		// Check if the hex encoded hash has
+		// difficulty defined zeroes prefix.
+		if (hashHex.startsWith(zeroPrefix)) {
+			postMessage({ nonce: nonce, done: true });
+			break;
+		}
+
+		// Iter.
+		nonce++;
+	}
+};