From d8c4d9fc5a62741f0c4c2b692a3a94874714bbcc Mon Sep 17 00:00:00 2001 From: kim Date: Mon, 28 Apr 2025 20:12:27 +0000 Subject: [feature] proof of work scraper deterrence (#4043) This adds a proof-of-work based scraper deterrence to GoToSocial's middleware stack on profile and status web pages. Heavily inspired by https://github.com/TecharoHQ/anubis, but massively stripped back for our own usecase. Todo: - ~~add configuration option so this is disabled by default~~ - ~~fix whatever weirdness is preventing this working with CSP (even in debug)~~ - ~~use our standard templating mechanism going through apiutil helper func~~ - ~~probably some absurdly small performance improvements to be made in pooling re-used hex encode / hash encode buffers~~ the web endpoints aren't as hot a path as API / ActivityPub, will leave as-is for now as it is already very minimal and well optimized - ~~verify the cryptographic assumptions re: using a portion of token as challenge data~~ this isn't a serious application of cryptography, if it turns out to be a problem we'll fix it, but it definitely should not be easily possible to guess a SHA256 hash from the first 1/4 of it even if mathematically it might make it a bit easier - ~~theme / make look nice??~~ - ~~add a spinner~~ - ~~add entry in example configuration~~ - ~~add documentation~~ Verification page originally based on https://github.com/LucienV1/powtect Co-authored-by: tobi Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4043 Reviewed-by: tobi Co-authored-by: kim Co-committed-by: kim --- web/source/nollamasworker/index.js | 53 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 web/source/nollamasworker/index.js (limited to 'web/source/nollamasworker/index.js') diff --git a/web/source/nollamasworker/index.js b/web/source/nollamasworker/index.js new file mode 100644 index 000000000..b95ec0917 --- /dev/null +++ b/web/source/nollamasworker/index.js @@ -0,0 +1,53 @@ +/* + GoToSocial + Copyright (C) GoToSocial Authors admin@gotosocial.org + SPDX-License-Identifier: AGPL-3.0-or-later + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . +*/ + +onmessage = async function(e) { + console.log('worker started'); // eslint-disable-line no-console + + const challenge = e.data.challenge; + const textEncoder = new TextEncoder(); + + // Get difficulty and generate the expected + // zero ASCII prefix to check for in hashes. + const difficultyStr = e.data.difficulty; + const difficulty = parseInt(difficultyStr, 10); + const zeroPrefix = '0'.repeat(difficulty); + + let nonce = 0; + while (true) { // eslint-disable-line no-constant-condition + + // Create possible solution string from challenge + nonce. + const solution = textEncoder.encode(challenge + nonce.toString()); + + // Generate SHA256 hashsum of solution string and hex encode the result. + const hashBuffer = await crypto.subtle.digest('SHA-256', solution); + const hashArray = Array.from(new Uint8Array(hashBuffer)); + const hashHex = hashArray.map(b => b.toString(16).padStart(2, '0')).join(''); + + // Check if the hex encoded hash has + // difficulty defined zeroes prefix. + if (hashHex.startsWith(zeroPrefix)) { + postMessage({ nonce: nonce, done: true }); + break; + } + + // Iter. + nonce++; + } +}; -- cgit v1.2.3