token: use an http header for the token

2025-04-13 17:58:27 +01:00
parent 4986f525f6
commit 1c5758c466
5 changed files with 33 additions and 5 deletions
--- a/html/index.html
+++ b/html/index.html
@@ -286,10 +286,7 @@
                    ).then((res) => {
                        if (res.status == 200) {
                            console.log("Got token.");
-                                const json = res.json().then((parsed) => {
-                                document.cookie = "CheckpointToken=" + parsed.token + "; path=/";
-                                window.location.reload();
-                            });
+                            window.location.reload();
                        } else
                            console.log("Server error");
                    });
--- a/html/index.min.html
+++ b/html/index.min.html
@@ -1,2 +1,2 @@
 <!DOCTYPE html><head><title>STOP! - Checkpoint</title></head><body style="background-color:#0e0e0e;overflow:hidden"><style>@font-face{font-family:"Noto Sans";src:url(/checkpoint/NotoSans.woff)}*{font-family:"Noto Sans"}.middle-box{display:block;position:absolute;width:30rem;height:calc(100% - 2rem);left:calc(50% - 15rem);top:1rem;background-color:#111;border-radius:.5rem;border:1px solid #280d0e}.big-icon{margin:0;padding:0;font-size:8rem;color:#fff;width:100%;text-align:center}.subtext{margin:0;padding:0;font-size:3rem;color:#d9d9d9;width:100%;text-align:center}.text-hr{margin:auto;margin-top:1rem;margin-bottom:1rem;padding:0;background-color:#444;width:50%;box-shadow:none;text-align:center;height:1px;border:none}.text-hr-small{margin:auto;margin-top:1rem;margin-bottom:1rem;padding:0;background-color:#444;width:25%;box-shadow:none;text-align:center;height:1px;border:none}.text-description{margin:0;padding:0;font-size:1rem;color:#d9d9d9;width:85%;margin-left:7.5%;text-align:center}.text-question{margin:0;margin-top:4rem;padding:0;font-size:1.4rem;color:#d9d9d9;width:85%;margin-left:7.5%;text-align:center}.bottom-bar{position:absolute;width:100%;height:auto;bottom:.4rem;left:0}.bottom-hash-text{margin:0;padding:0;font-size:1rem;color:#d9d9d9;width:85%;margin-left:7.5%;text-align:center}.bottom-credit-text{display:block;margin:0;padding:0;font-size:.5rem;color:#4b4b4b;width:98%;text-align:right;transition:ease-in-out .1s;margin-top:.2rem}.bottom-credit-text:hover,.bottom-credit-text:link:hover,.bottom-credit-text:visited:hover{color:#764343;cursor:pointer}.bottom-credit-text:link,.bottom-credit-text:visited{color:#4b4b4b}.bottom-progress{position:relative;height:3px;background-color:#222;width:80%;margin-left:10%;margin-bottom:.8rem}.bottom-progress-light{position:absolute;left:0;top:0;width:0%;height:3px;background-color:#692225;transition:ease-in-out .1s}@media (pointer:none),(pointer:coarse){.big-icon{margin-top:10rem}.middle-box{width:90%;left:5%}.subtext{font-size:6rem}.text-description{font-size:3rem}.text-hr{height:3px}.bottom-hash-text{font-size:2.5rem}.bottom-credit-text{font-size:1rem}}</style><div class="middle-box"><p class="big-icon">&#128721;</p><p class="subtext" id="subtext">STOP!</p><hr class="text-hr"><p class="text-description">Verifying that you are not a bot. This might take a short moment.<br><br>You do not need to do anything.</p><p class="text-question">Why am I seeing this?</p><hr class="text-hr-small"><p class="text-description">This website protects itself from AI bots and scrapers by asking you to complete a cryptographic challenge before allowing you entry.</p><div class="bottom-bar"><div class="bottom-progress"><div class="bottom-progress-light" name="progress-light"></div></div><p class="bottom-hash-text" id="results">Difficulty {{ tl:text challengeDifficulty }}, elapsed 0ms, 0h, 0h/s</p><a class="bottom-credit-text" href="https://github.com/vaxerski/checkpoint"><i>Powered by checkpoint v{{ tl:text checkpointVersion }}</i></a></div></div>
-<script type="text/javascript">setTimeout(async function(){var e=0,t=Date.now();let n="{{ tl:text challengeNonce }}",o=parseInt("{{ tl:text challengeDifficulty }}");function $(e){let t=o;for(let n=0;n<t;n+=1)if("0"!=e[n])return!1;return!0}function l(e){return e>1e6?parseInt(e/1e5)/10+"M":parseInt(e/100)/10+"k"}function r(e){return e>1e3?parseInt(e/100)/10+"s":e+"ms"}function i(e){return Math.floor((1-1/(Math.pow(e/Math.pow(2,4*o)*3,2)+1))*100)}function s(e){document.getElementById("results").innerHTML="Success! Completed challenge after "+l(e)+" iterations, in "+r(Math.floor(Date.now()-t))+".",document.getElementsByName("progress-light")[0].style.width="100%";let o=JSON.stringify({challenge:n,solution:e});fetch("/checkpoint/challenge",{headers:{"Content-Type":"application/json"},method:"POST",body:o}).then(e=>{200==e.status?(console.log("Got token."),e.json().then(e=>{document.cookie="CheckpointToken="+e.token+"; path=/",window.location.reload()})):console.log("Server error")})}let c=new TextEncoder;for(;;){let _=c.encode(n+e),a=await window.crypto.subtle.digest("SHA-256",_),u=Array.from(new Uint8Array(a)),f=u.map(e=>e.toString(16).padStart(2,"0")).join("");if($(f)){s(e),console.log("Success: it "+e+": "+f);break}if(++e%11377==0){let g=Math.floor(Date.now()-t),h=e/(g/1e3);document.getElementById("results").innerHTML="Difficulty: "+o+", elapsed "+r(g)+", "+l(e)+"h, "+l(h)+"h/s",document.getElementsByName("progress-light")[0].style.width=i(e)+"%"}}},100);var currentTitle=1;setInterval(()=>{let e=["STOP","HALT","ST&#0211;J","ARR&#0202;T","&#1057;&#1058;&#1030;&#1049;"];document.getElementById("subtext").innerHTML=e[currentTitle]+"!",++currentTitle>=e.length&&(currentTitle=0)},2e3);</script></body>
+<script type="text/javascript">setTimeout(async function(){var e=0,t=Date.now();let n="{{ tl:text challengeNonce }}",o=parseInt("{{ tl:text challengeDifficulty }}");function $(e){let t=o;for(let n=0;n<t;n+=1)if("0"!=e[n])return!1;return!0}function l(e){return e>1e6?parseInt(e/1e5)/10+"M":parseInt(e/100)/10+"k"}function r(e){return e>1e3?parseInt(e/100)/10+"s":e+"ms"}function i(e){return Math.floor((1-1/(Math.pow(e/Math.pow(2,4*o)*3,2)+1))*100)}function s(e){document.getElementById("results").innerHTML="Success! Completed challenge after "+l(e)+" iterations, in "+r(Math.floor(Date.now()-t))+".",document.getElementsByName("progress-light")[0].style.width="100%";let o=JSON.stringify({challenge:n,solution:e});fetch("/checkpoint/challenge",{headers:{"Content-Type":"application/json"},method:"POST",body:o}).then(e=>{200==e.status?(console.log("Got token."),window.location.reload()):console.log("Server error")})}let c=new TextEncoder;for(;;){let _=c.encode(n+e),a=await window.crypto.subtle.digest("SHA-256",_),u=Array.from(new Uint8Array(a)),f=u.map(e=>e.toString(16).padStart(2,"0")).join("");if($(f)){s(e),console.log("Success: it "+e+": "+f);break}if(++e%11377==0){let g=Math.floor(Date.now()-t),h=e/(g/1e3);document.getElementById("results").innerHTML="Difficulty: "+o+", elapsed "+r(g)+", "+l(e)+"h, "+l(h)+"h/s",document.getElementsByName("progress-light")[0].style.width=i(e)+"%"}}},100);var currentTitle=1;setInterval(()=>{let e=["STOP","HALT","ST&#0211;J","ARR&#0202;T","&#1057;&#1058;&#1030;&#1049;"];document.getElementById("subtext").innerHTML=e[currentTitle]+"!",++currentTitle>=e.length&&(currentTitle=0)},2e3);</script></body>
--- a/src/core/Handler.cpp
+++ b/src/core/Handler.cpp
@@ -4,6 +4,7 @@
 #include "../headers/xforwardfor.hpp"
 #include "../headers/gitProtocolHeader.hpp"
 #include "../headers/acceptLanguageHeader.hpp"
+#include "../headers/setCookieHeader.hpp"
 #include "../debug/log.hpp"
 #include "../GlobalState.hpp"
 #include "../config/Config.hpp"
@@ -344,6 +345,8 @@ void CServerHandler::challengeSubmitted(const Pistache::Http::Request& req, Pist
    resp.success = true;
    resp.token   = TOKEN;

+    response.headers().add(std::make_shared<SetCookieHeader>("CheckpointToken=" + TOKEN + "; HttpOnly; Path=/; Secure; SameSite=Lax"));
+
    response.send(Pistache::Http::Code::Ok, glz::write_json(resp).value());
 }

--- a/src/headers/setCookieHeader.hpp
+++ b/src/headers/setCookieHeader.hpp
@@ -0,0 +1,26 @@
+#include <pistache/http_headers.h>
+#include <pistache/net.h>
+
+class SetCookieHeader : public Pistache::Http::Header::Header {
+  public:
+    NAME("Set-Cookie");
+
+    SetCookieHeader(const std::string& cookie = "") : m_cookie(cookie) {
+        ;
+    }
+
+    void parse(const std::string& str) override {
+        m_cookie = str;
+    }
+
+    void write(std::ostream& os) const override {
+        os << m_cookie;
+    }
+
+    std::string from() const {
+        return m_cookie;
+    }
+
+  private:
+    std::string m_cookie = "";
+};
--- a/src/main.cpp
+++ b/src/main.cpp
@@ -13,6 +13,7 @@
 #include "headers/cfHeader.hpp"
 #include "headers/gitProtocolHeader.hpp"
 #include "headers/acceptLanguageHeader.hpp"
+#include "headers/setCookieHeader.hpp"

 #include "debug/log.hpp"

@@ -76,6 +77,7 @@ int main(int argc, char** argv, char** envp) {
    Pistache::Http::Header::Registry::instance().registerHeader<XForwardedForHeader>();
    Pistache::Http::Header::Registry::instance().registerHeader<GitProtocolHeader>();
    Pistache::Http::Header::Registry::instance().registerHeader<AcceptLanguageHeader>();
+    Pistache::Http::Header::Registry::instance().registerHeader<SetCookieHeader>();

    g_pDB = std::make_unique<CDatabase>();