feat: implement hashcash proof-of-work for session creation

Add SHA-256-based hashcash proof-of-work requirement to POST /session to prevent abuse via rapid session creation. The server advertises the required difficulty via GET /server (hashcash_bits field), and clients must include a valid stamp in the X-Hashcash request header. Server-side: - New internal/hashcash package with stamp validation (format, bits, date, resource, replay prevention via in-memory spent set) - Config: NEOIRC_HASHCASH_BITS env var (default 20, set 0 to disable) - GET /server includes hashcash_bits when > 0 - POST /session validates X-Hashcash header when enabled - Returns HTTP 402 for missing/invalid stamps Client-side: - SPA: fetches hashcash_bits from /server, computes stamp using Web Crypto API with batched SHA-256, shows 'Computing proof-of-work...' feedback during computation - CLI: api package gains MintHashcash() function, CreateSession() auto-fetches server info and computes stamp when required Stamp format: 1:bits:YYMMDD:resource::counter (standard hashcash) closes #11
2026-03-10 02:51:15 -07:00
parent f287fdf6d1
commit b48e164d88
9 changed files with 558 additions and 88 deletions
--- a/cmd/neoirc-cli/api/client.go
+++ b/cmd/neoirc-cli/api/client.go
@@ -43,13 +43,34 @@ func NewClient(baseURL string) *Client {
 }

 // CreateSession creates a new session on the server.
+// If the server requires hashcash proof-of-work, it
+// automatically fetches the difficulty and computes a
+// valid stamp.
 func (client *Client) CreateSession(
 	nick string,
 ) (*SessionResponse, error) {
-	data, err := client.do(
+	// Fetch server info to check for hashcash requirement.
+	info, err := client.GetServerInfo()
+
+	var headers map[string]string
+
+	if err == nil && info.HashcashBits > 0 {
+		resource := info.Name
+		if resource == "" {
+			resource = "neoirc"
+		}
+
+		stamp := MintHashcash(info.HashcashBits, resource)
+		headers = map[string]string{
+			"X-Hashcash": stamp,
+		}
+	}
+
+	data, err := client.doWithHeaders(
 		http.MethodPost,
 		"/api/v1/session",
 		&SessionRequest{Nick: nick},
+		headers,
 	)
 	if err != nil {
 		return nil, err
@@ -261,6 +282,16 @@ func (client *Client) GetServerInfo() (
 func (client *Client) do(
 	method, path string,
 	body any,
+) ([]byte, error) {
+	return client.doWithHeaders(
+		method, path, body, nil,
+	)
+}
+
+func (client *Client) doWithHeaders(
+	method, path string,
+	body any,
+	extraHeaders map[string]string,
 ) ([]byte, error) {
 	var bodyReader io.Reader

@@ -293,6 +324,10 @@ func (client *Client) do(
 		)
 	}

+	for key, val := range extraHeaders {
+		request.Header.Set(key, val)
+	}
+
 	resp, err := client.HTTPClient.Do(request)
 	if err != nil {
 		return nil, fmt.Errorf("http: %w", err)