From d8c4d9fc5a62741f0c4c2b692a3a94874714bbcc Mon Sep 17 00:00:00 2001 From: kim Date: Mon, 28 Apr 2025 20:12:27 +0000 Subject: [feature] proof of work scraper deterrence (#4043) This adds a proof-of-work based scraper deterrence to GoToSocial's middleware stack on profile and status web pages. Heavily inspired by https://github.com/TecharoHQ/anubis, but massively stripped back for our own usecase. Todo: - ~~add configuration option so this is disabled by default~~ - ~~fix whatever weirdness is preventing this working with CSP (even in debug)~~ - ~~use our standard templating mechanism going through apiutil helper func~~ - ~~probably some absurdly small performance improvements to be made in pooling re-used hex encode / hash encode buffers~~ the web endpoints aren't as hot a path as API / ActivityPub, will leave as-is for now as it is already very minimal and well optimized - ~~verify the cryptographic assumptions re: using a portion of token as challenge data~~ this isn't a serious application of cryptography, if it turns out to be a problem we'll fix it, but it definitely should not be easily possible to guess a SHA256 hash from the first 1/4 of it even if mathematically it might make it a bit easier - ~~theme / make look nice??~~ - ~~add a spinner~~ - ~~add entry in example configuration~~ - ~~add documentation~~ Verification page originally based on https://github.com/LucienV1/powtect Co-authored-by: tobi Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4043 Reviewed-by: tobi Co-authored-by: kim Co-committed-by: kim --- internal/config/helpers.gen.go | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) (limited to 'internal/config/helpers.gen.go') diff --git a/internal/config/helpers.gen.go b/internal/config/helpers.gen.go index 56eb0e3e8..8fc4475b7 100644 --- a/internal/config/helpers.gen.go +++ b/internal/config/helpers.gen.go @@ -2906,6 +2906,31 @@ func GetAdvancedHeaderFilterMode() string { return global.GetAdvancedHeaderFilte // SetAdvancedHeaderFilterMode safely sets the value for global configuration 'AdvancedHeaderFilterMode' field func SetAdvancedHeaderFilterMode(v string) { global.SetAdvancedHeaderFilterMode(v) } +// GetAdvancedScraperDeterrence safely fetches the Configuration value for state's 'AdvancedScraperDeterrence' field +func (st *ConfigState) GetAdvancedScraperDeterrence() (v bool) { + st.mutex.RLock() + v = st.config.AdvancedScraperDeterrence + st.mutex.RUnlock() + return +} + +// SetAdvancedScraperDeterrence safely sets the Configuration value for state's 'AdvancedScraperDeterrence' field +func (st *ConfigState) SetAdvancedScraperDeterrence(v bool) { + st.mutex.Lock() + defer st.mutex.Unlock() + st.config.AdvancedScraperDeterrence = v + st.reloadToViper() +} + +// AdvancedScraperDeterrenceFlag returns the flag name for the 'AdvancedScraperDeterrence' field +func AdvancedScraperDeterrenceFlag() string { return "advanced-scraper-deterrence" } + +// GetAdvancedScraperDeterrence safely fetches the value for global configuration 'AdvancedScraperDeterrence' field +func GetAdvancedScraperDeterrence() bool { return global.GetAdvancedScraperDeterrence() } + +// SetAdvancedScraperDeterrence safely sets the value for global configuration 'AdvancedScraperDeterrence' field +func SetAdvancedScraperDeterrence(v bool) { global.SetAdvancedScraperDeterrence(v) } + // GetHTTPClientAllowIPs safely fetches the Configuration value for state's 'HTTPClient.AllowIPs' field func (st *ConfigState) GetHTTPClientAllowIPs() (v []string) { st.mutex.RLock() -- cgit v1.2.3