sneak/chat
1
0
Fork 0
Code Issues 15 Pull Requests Actions Packages Projects Releases Wiki Activity

Implement hashcash proof-of-work for session creation #11

New Issue
Open
opened 2026-02-11 03:06:41 +01:00 by clawbot · 3 comments
clawbot commented 2026-02-11 03:06:41 +01:00
Collaborator
Copy Link

Problem

Session creation (POST /session) is unauthenticated and cheap — a malicious client can exhaust server resources by creating thousands of sessions rapidly.

Solution

Require a hashcash proof-of-work token on session creation requests. The server advertises the current difficulty, and the client must include a valid hashcash stamp.

How it works

  1. Client requests current difficulty: GET /server returns a hashcash_bits field (e.g. 20)
  2. Client computes a hashcash stamp with the required number of leading zero bits
  3. Client includes the stamp in POST /session request (e.g. "proof": "1:20:260210:session::..." )
  4. Server verifies the stamp before creating the session

Adaptive difficulty

  • Low load (few active sessions): low difficulty (e.g. 16 bits) — instant on modern hardware
  • Medium load: moderate difficulty (e.g. 20-22 bits) — ~1 second
  • High load: high difficulty (e.g. 24-28 bits) — seconds to minutes
  • Under attack: very high difficulty — legitimate users wait a few seconds, attackers pay exponentially more CPU

The difficulty scales with active session count or session creation rate over a sliding window.

Why hashcash

  • Fits the IRC philosophy: no accounts, no CAPTCHAs, no external dependencies
  • Clients can compute it offline — no server round-trip for a challenge
  • Proven mechanism (used in early spam prevention, Bitcoin mining is a descendant)
  • Simple to implement in any language

Not MVP-blocking

This is a hardening feature for production deployments. The MVP can ship without it.

## Problem Session creation (`POST /session`) is unauthenticated and cheap — a malicious client can exhaust server resources by creating thousands of sessions rapidly. ## Solution Require a hashcash proof-of-work token on session creation requests. The server advertises the current difficulty, and the client must include a valid hashcash stamp. ### How it works 1. Client requests current difficulty: `GET /server` returns a `hashcash_bits` field (e.g. 20) 2. Client computes a hashcash stamp with the required number of leading zero bits 3. Client includes the stamp in `POST /session` request (e.g. `"proof": "1:20:260210:session::..."` ) 4. Server verifies the stamp before creating the session ### Adaptive difficulty - **Low load** (few active sessions): low difficulty (e.g. 16 bits) — instant on modern hardware - **Medium load**: moderate difficulty (e.g. 20-22 bits) — ~1 second - **High load**: high difficulty (e.g. 24-28 bits) — seconds to minutes - **Under attack**: very high difficulty — legitimate users wait a few seconds, attackers pay exponentially more CPU The difficulty scales with active session count or session creation rate over a sliding window. ### Why hashcash - Fits the IRC philosophy: no accounts, no CAPTCHAs, no external dependencies - Clients can compute it offline — no server round-trip for a challenge - Proven mechanism (used in early spam prevention, Bitcoin mining is a descendant) - Simple to implement in any language ### Not MVP-blocking This is a hardening feature for production deployments. The MVP can ship without it.
clawbot self-assigned this 2026-02-20 09:29:41 +01:00
clawbot added the
needs-review
 label 2026-02-20 09:29:41 +01:00
sneak added this to the 1.0 milestone 2026-02-27 05:13:19 +01:00
clawbot removed their assignment 2026-03-01 15:24:43 +01:00
clawbot commented 2026-03-01 15:24:44 +01:00
Author
Collaborator
Copy Link

@sneak This was assigned to clawbot but has no bot label. Unassigning — needs your ruling on whether agent work is desired here.

@sneak This was assigned to clawbot but has no `bot` label. Unassigning — needs your ruling on whether agent work is desired here.
sneak added the
bot
 label 2026-03-01 15:26:11 +01:00
clawbot was assigned by sneak 2026-03-01 15:26:14 +01:00
sneak commented 2026-03-04 12:42:22 +01:00
Owner
Copy Link

@clawbot needs code review

@clawbot needs code review
clawbot commented 2026-03-04 12:44:33 +01:00
Author
Collaborator
Copy Link

@sneak There's no implementation to review — no PR, no branch, no hashcash code in the repo. This feature hasn't been built yet.

Did you want me to implement it and then route it through review? Or is there code somewhere I'm missing?

Same situation for #12 (per-channel hashcash).

@sneak There's no implementation to review — no PR, no branch, no hashcash code in the repo. This feature hasn't been built yet. Did you want me to **implement** it and then route it through review? Or is there code somewhere I'm missing? Same situation for [#12](https://git.eeqj.de/sneak/chat/issues/12) (per-channel hashcash).
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels   
bot

Agent's turn to work

  
merge-ready

All checks pass, reviewed, rebased, ready for merge

  
needs-checks

make check does not pass cleanly

  
needs-rebase

PR has merge conflicts or is behind main

  
needs-review

Code review not yet done

  
needs-rework

Code review found issues to fix

No Label
bot
merge-ready
needs-checks
needs-rebase
needs-review
needs-rework
Milestone
Clear milestone
No items
No Milestone
1.0
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
clawbot
2 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: sneak/chat#11
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?