feat: implement hashcash proof-of-work for session creation
Add SHA-256-based hashcash proof-of-work requirement to POST /session to prevent abuse via rapid session creation. The server advertises the required difficulty via GET /server (hashcash_bits field), and clients must include a valid stamp in the X-Hashcash request header. Server-side: - New internal/hashcash package with stamp validation (format, bits, date, resource, replay prevention via in-memory spent set) - Config: NEOIRC_HASHCASH_BITS env var (default 20, set 0 to disable) - GET /server includes hashcash_bits when > 0 - POST /session validates X-Hashcash header when enabled - Returns HTTP 402 for missing/invalid stamps Client-side: - SPA: fetches hashcash_bits from /server, computes stamp using Web Crypto API with batched SHA-256, shows 'Computing proof-of-work...' feedback during computation - CLI: api package gains MintHashcash() function, CreateSession() auto-fetches server info and computes stamp when required Stamp format: 1:bits:YYMMDD:resource::counter (standard hashcash) closes #11
This commit is contained in:
clawbot
@@ -85,6 +85,7 @@ func newTestServer(
|
||||
|
||||
cfg.DBURL = dbURL
|
||||
cfg.Port = 0
|
||||
cfg.HashcashBits = 0
|
||||
|
||||
return cfg, nil
|
||||
},
|
||||
|
||||
Reference in New Issue
Block a user