feat: implement hashcash proof-of-work for session creation (#63)
All checks were successful
check / check (push) Successful in 1m2s
All checks were successful
check / check (push) Successful in 1m2s
## Summary Implement SHA-256-based hashcash proof-of-work for `POST /session` to prevent abuse via rapid session creation. closes #11 ## What Changed ### Server - **New `internal/hashcash` package**: Validates hashcash stamps (format, difficulty bits, date/expiry, resource, replay prevention via in-memory spent set with TTL pruning) - **Config**: `NEOIRC_HASHCASH_BITS` env var (default 20, set to 0 to disable) - **`GET /api/v1/server`**: Now includes `hashcash_bits` field when > 0 - **`POST /api/v1/session`**: Validates `X-Hashcash` header when hashcash is enabled; returns HTTP 402 for missing/invalid stamps ### Clients - **Web SPA**: Fetches `hashcash_bits` from `/server`, computes stamp using Web Crypto API (`crypto.subtle.digest`) with batched parallelism (1024 hashes/batch), shows "Computing proof-of-work..." feedback - **CLI (`neoirc-cli`)**: `CreateSession()` auto-fetches server info and computes a valid hashcash stamp when required; new `MintHashcash()` function in the API package ### Documentation - README updated with full hashcash documentation: stamp format, computing stamps, configuration, difficulty table - Server info and session creation API docs updated with hashcash fields/headers - Roadmap updated (hashcash marked as implemented) ## Stamp Format Standard hashcash: `1:bits:YYMMDD:resource::counter` The SHA-256 hash of the entire stamp string must have at least `bits` leading zero bits. ## Validation Rules - Version must be `1` - Claimed bits ≥ required bits - Resource must match server name - Date within 48 hours (not expired, not too far in future) - SHA-256 hash has required leading zero bits - Stamp not previously used (replay prevention) ## Testing - All existing tests pass (hashcash disabled in test config with `HashcashBits: 0`) - `docker build .` passes (lint + test + build) <!-- session: agent:sdlc-manager:subagent:f98d712e-8a40-4013-b3d7-588cbff670f4 --> Co-authored-by: clawbot <clawbot@noreply.git.eeqj.de> Co-authored-by: clawbot <clawbot@noreply.eeqj.de> Co-authored-by: user <user@Mac.lan guest wan> Co-authored-by: Jeffrey Paul <sneak@noreply.example.org> Reviewed-on: #63 Co-authored-by: clawbot <clawbot@noreply.example.org> Co-committed-by: clawbot <clawbot@noreply.example.org>
This commit was merged in pull request #63.
This commit is contained in:
@@ -8,6 +8,56 @@ const MEMBER_REFRESH_INTERVAL = 10000;
|
||||
const ACTION_PREFIX = "\x01ACTION ";
|
||||
const ACTION_SUFFIX = "\x01";
|
||||
|
||||
// Hashcash proof-of-work helpers using Web Crypto API.
|
||||
|
||||
function checkLeadingZeros(hashBytes, bits) {
|
||||
let count = 0;
|
||||
for (let i = 0; i < hashBytes.length; i++) {
|
||||
if (hashBytes[i] === 0) {
|
||||
count += 8;
|
||||
continue;
|
||||
}
|
||||
let b = hashBytes[i];
|
||||
while ((b & 0x80) === 0) {
|
||||
count++;
|
||||
b <<= 1;
|
||||
}
|
||||
break;
|
||||
}
|
||||
return count >= bits;
|
||||
}
|
||||
|
||||
async function mintHashcash(bits, resource) {
|
||||
const encoder = new TextEncoder();
|
||||
const now = new Date();
|
||||
const date =
|
||||
String(now.getUTCFullYear()).slice(2) +
|
||||
String(now.getUTCMonth() + 1).padStart(2, "0") +
|
||||
String(now.getUTCDate()).padStart(2, "0");
|
||||
const prefix = `1:${bits}:${date}:${resource}::`;
|
||||
let nonce = Math.floor(Math.random() * 0x100000);
|
||||
const batchSize = 1024;
|
||||
|
||||
for (;;) {
|
||||
const stamps = [];
|
||||
const hashPromises = [];
|
||||
for (let i = 0; i < batchSize; i++) {
|
||||
const stamp = prefix + (nonce + i).toString(16);
|
||||
stamps.push(stamp);
|
||||
hashPromises.push(
|
||||
crypto.subtle.digest("SHA-256", encoder.encode(stamp)),
|
||||
);
|
||||
}
|
||||
const hashes = await Promise.all(hashPromises);
|
||||
for (let i = 0; i < hashes.length; i++) {
|
||||
if (checkLeadingZeros(new Uint8Array(hashes[i]), bits)) {
|
||||
return stamps[i];
|
||||
}
|
||||
}
|
||||
nonce += batchSize;
|
||||
}
|
||||
}
|
||||
|
||||
function api(path, opts = {}) {
|
||||
const token = localStorage.getItem("neoirc_token");
|
||||
const headers = {
|
||||
@@ -60,12 +110,16 @@ function LoginScreen({ onLogin }) {
|
||||
const [motd, setMotd] = useState("");
|
||||
const [serverName, setServerName] = useState("NeoIRC");
|
||||
const inputRef = useRef();
|
||||
const hashcashBitsRef = useRef(0);
|
||||
const hashcashResourceRef = useRef("neoirc");
|
||||
|
||||
useEffect(() => {
|
||||
api("/server")
|
||||
.then((s) => {
|
||||
if (s.name) setServerName(s.name);
|
||||
if (s.motd) setMotd(s.motd);
|
||||
hashcashBitsRef.current = s.hashcash_bits || 0;
|
||||
if (s.name) hashcashResourceRef.current = s.name;
|
||||
})
|
||||
.catch(() => {});
|
||||
const saved = localStorage.getItem("neoirc_token");
|
||||
@@ -81,9 +135,22 @@ function LoginScreen({ onLogin }) {
|
||||
e.preventDefault();
|
||||
setError("");
|
||||
try {
|
||||
let hashcashStamp = "";
|
||||
if (hashcashBitsRef.current > 0) {
|
||||
setError("Computing proof-of-work...");
|
||||
hashcashStamp = await mintHashcash(
|
||||
hashcashBitsRef.current,
|
||||
hashcashResourceRef.current,
|
||||
);
|
||||
setError("");
|
||||
}
|
||||
const reqBody = { nick: nick.trim() };
|
||||
if (hashcashStamp) {
|
||||
reqBody.pow_token = hashcashStamp;
|
||||
}
|
||||
const res = await api("/session", {
|
||||
method: "POST",
|
||||
body: JSON.stringify({ nick: nick.trim() }),
|
||||
body: JSON.stringify(reqBody),
|
||||
});
|
||||
localStorage.setItem("neoirc_token", res.token);
|
||||
onLogin(res.nick);
|
||||
|
||||
Reference in New Issue
Block a user