active_hashcash 0.2.0 → 0.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 81d808ca54efb58e16c61524bde0aee355f5a7b003ef4cb6cda2e9b672c7a284
-  data.tar.gz: 6ec6f99dd02e353bb4e86bb9db8e65ecf35dc46e13051e401b62608700b7fde5
+  metadata.gz: dbc710b7b2cc6fef0667915ac1a95ccfdd6d1cb3eaa1fa9b97d29ef81e79985d
+  data.tar.gz: 323c22e60aa27d2d87e39ee8f5c356d2fc6e8190426e49831a29d762d2e74f28
 SHA512:
-  metadata.gz: 17f8b181f15b009b850fea2e1ead3a5cb904218d8877b31d9b6a2e5f2578972a6a1a2837cdbda46013987911a88198d543dd7f3a79f68b455a969a005a3fbfc8
-  data.tar.gz: 2b02561bf0516b2accb42ac64fe8d93b7bf956bb9474fcadec93db08f4be551d9eea430884d133d08b92156a9d10440ac8f48067207c95d3b72e4268752748dd
+  metadata.gz: ed74328b7b1f91eb2dece7a29efb5b9d68079872694e589caca3e79de1a06e6d0bd5d2556dcab12f92fcede4c08b075a4dc4b9077e79c8511cb4045ce509c82c
+  data.tar.gz: e8f580f0668529b3bd7e220f2bdbd4b2eae6bc63272228b9cb4d1fe75ef0e30202983e3e06d91664558d36239137b69d7ba96996c80b370f4b1638300f77781a

data/CHANGELOG.md

@@ -1,3 +1,16 @@
+# Changelog of ActiveHashcash
+
+## Unrelease
+
+- Fix gem spec list files
+
+## 0.3.0 - 2024-03-14
+
+- Increase complexity automatically to slowdown brute force attacks
+- Add mountable dashboard to list latest stamps and most frequent IP addresses
+- Store stamps into the database instead of Redis
+- Fix ActiveHashcash::Store#add? by converting stamp to a string
+
 ## 0.2.0 - 2022-08-02
 
 - Add ActiveHashcash::Store#clean to removed expired stamps

data/README.md

@@ -2,29 +2,34 @@
 
 <img align="right" width="200px" src="logo.png" alt="Active Hashcash logo"/>
 
-ActiveHashcash protects your Rails application against brute force attacks, DoS and bots.
+ActiveHashcash protects Rails applications against bots and brute force attacks without annoying humans.
 
 Hashcash is proof-of-work algorithm, invented by Adam Back in 1997, to protect systems against denial of service attacks.
-ActiveHashcash is an easy way to protect any Rails application against brute force attacks and some bots.
+ActiveHashcash is an easy way to protect any Rails application against brute force attacks and bots.
 
 The idea is to force clients to spend some time to solve a hard problem that is very easy to verify for the server.
 We have developped ActiveHashcash after seeing brute force attacks against our Rails application monitoring service [RorVsWild](https://rorvswild.com).
 
-The idea is to enable ActiveHashcash on sensitive forms such as login and registration. While the user is filling the form,
-ActiveHashcash performs the work in JavaScript and set the result into a hidden input text. The form cannot be submitted while the proof of work has not been found.
-The user submits the form, and the stamp is verified by the controller in a before action.
+ActiveHashcash is ideal to set up on sensitive forms such as login and registration.
+While the user is filling the form, the problem is solved in JavaScript and set the result into a hidden input text.
+The form cannot be submitted while the proof of work has not been found.
+Then the user submits the form, and the stamp is verified by the controller in a before action.
 
-It blocks bots that do not interpret JavaScript since the proof of work is not computed. For the more sophisticated bots, we are happy to slow them down.
+It blocks bots that do not interpret JavaScript since the proof of work is not computed.
+More sophisticated bots and brute force attacks are slow down.
+Moreover the complexity increases automatically for IP addresses sending many requests.
+Thus it becomes very CPU costly for attackers.
 
-Here is a [demo on a registration form](https://www.rorvswild.com/account/new) :
+Finally legitimate users are not annoyed by asking to solve a puzzle or clicking on the all images containing a bus.
+Here is a [demo on a registration form](https://www.rorvswild.com/session) :
 
 ![Active Hashcash GIF preview](demo.gif)
 
-## Limitations
+---
 
-The JavaScript implementation is 10 to 20 times slower than the official C version.
-It needs some work and knowledges to be optimised. Unfortunately, I'm not a JavaScript expert.
-Maybe you have good JS skills to optimize it ?
+<img align="left" height="24px" src="rorvswild_logo.jpg" alt="RorVsWild logo"/>Made by <a href="https://www.rorvswild.com">RorVsWild</a>, performances & exceptions monitoring for Ruby on Rails applications.
+
+---
 
 ## Installation
 
@@ -62,26 +67,108 @@ end
 To customize some behaviour, you can override most of the methods which begins with `hashcash_`.
 Simply have a look to `active_hashcash.rb`.
 
+Stamps are stored into into the database to prevents from spending them more than once.
+You must run a migration:
+
+```
+rails active_hashcash:install:migrations
+rails db:migrate
+```
+
+### Dashboard
+
+There is a mountable dahsboard which allows to see all spent stamps.
+It's not mandatory, but useful for monitoring purpose.
+
+![ActiveHashcash dashboard](active_hashcash_dashboard.png "ActiveHashcash dashboard")
+
+```ruby
+# config/routes.rb
+mount ActiveHashcash::Engine, at: "hashcash"
+```
+
+ActiveHashcash cannot guess how you handle user authentication, because it is different for all Rails applications.
+So you have to monkey patch `ActiveHashcash::ApplicationController` in order to inject your own mechanism.
+The patch can be saved wherever you want.
+For example, I like to have all the patches in one place, so I put them in `lib/patches`.
+
+```ruby
+# lib/patches/active_hashcash.rb
+
+ActiveHashcash::ApplicationController.class_eval do
+    before_action :require_admin
+
+    def require_admin
+      # This example supposes there are current_user and User#admin? methods
+      raise ActionController::RoutingError.new("Not found") unless current_user.try(:admin?)
+    end
+  end
+end
+```
+
+Then you have to require the monkey patch.
+Because it's loaded via require, it won't be reloaded in development.
+Since you are not supposed to change this file often, it should not be an issue.
+
+```ruby
+# config/application.rb
+config.after_initialize do
+  require "patches/active_hashcash"
+end
+```
+
+If you use Devise, you can check the permission directly from routes.rb:
+
+```ruby
+# config/routes.rb
+authenticate :user, -> (u) { u.admin? } do # Supposing there is a User#admin? method
+  mount ActiveHashcash::Engine, at: "hashcash" # http://localhost:3000/hashcash
+end
+```
+
+### Before version 0.3.0
+
 You must have Redis in order to prevent double spent stamps. Otherwise it will be useless.
 It automatically tries to connect with the environement variables `ACTIVE_HASHCASH_REDIS_URL` or `REDIS_URL`.
 You can also manually set the URL with `ActiveHashcash.redis_url = redis://user:password@localhost:6379`.
 
 You should call `ActiveHashcash::Store#clean` once a day, to remove expired stamps.
 
+To upgrade from 0.2.0 you must run the migration :
+
+```
+rails active_hashcash:install:migrations
+rails db:migrate
+```
+
 ## Complexity
 
 Complexity is the most important parameter. By default its value is 20 and requires most of the time 5 to 20 seconds to be solved on a decent laptop.
 The user won't wait that long, since he needs to fill the form while the problem is solving.
 Howevever, if your application includes people with slow and old devices, then consider lowering this value, to 16 or 18.
 
-You can change the complexity, either with `ActiveHashcash.bits = 20` or by overriding the method `hashcash_bits` in you controller.
+You can change the minimum complexity with `ActiveHashcash.bits = 20`.
+
+Since version 0.3.0, the complexity increases with the number of stamps spent during le last 24H from the same IP address.
+Thus it becomes very efficient to slow down brute force attacks.
+
+## Limitations
+
+The JavaScript implementation is 10 to 20 times slower than the official C version.
+I first used the SubtleCrypto API but it is surprisingly slower than a custom SHA1 implementation.
+Maybe I did in an unefficient way 2df3ba5?
+Another idea would be to compile the work algorithm in wasm.
+
+Unfortunately, I'm not a JavaScript expert.
+Maybe you have good JS skills to optimize it?
+Any help would be appreciate to better fights bots and brute for attacks!
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/active_hashcash.
+Bug reports and pull requests are welcome on GitHub at https://github.com/BaseSecrete/active_hashcash.
 
 ## License
 
 The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
 
-Made by Alexis Bernard at [Base Secrète](https://basesecrete.com).
+Made by Alexis Bernard at [RorVsWild](https://www.rorvswild.com).

data/app/assets/config/active_hashcash_manifest.js

@@ -0,0 +1 @@
+//= link_directory ../stylesheets/active_hashcash .css

data/app/assets/javascripts/hashcash.js

@@ -0,0 +1,257 @@
+// http://www.hashcash.org/docs/hashcash.html
+// <input type="hiden" name="hashcash" data-hashcash="{resource: 'site.example', bits: 16}"/>
+Hashcash = function(input) {
+  options = JSON.parse(input.getAttribute("data-hashcash"))
+  Hashcash.disableParentForm(input, options)
+  input.dispatchEvent(new CustomEvent("hashcash:mint", {bubbles: true}))
+
+  Hashcash.mint(options.resource, options, function(stamp) {
+    input.value = stamp.toString()
+    Hashcash.enableParentForm(input, options)
+    input.dispatchEvent(new CustomEvent("hashcash:minted", {bubbles: true, detail: {stamp: stamp}}))
+  })
+}
+
+Hashcash.setup = function() {
+  if (document.readyState != "loading") {
+    var input = document.querySelector("input#hashcash")
+    input && new Hashcash(input)
+  } else
+    document.addEventListener("DOMContentLoaded", Hashcash.setup )
+}
+
+Hashcash.disableParentForm = function(input, options) {
+  input.form.querySelectorAll("[type=submit]").forEach(function(submit) {
+    submit.originalValue = submit.value
+    options["waiting_message"] && (submit.value = options["waiting_message"])
+    submit.disabled = true
+  })
+}
+
+Hashcash.enableParentForm = function(input, options) {
+  input.form.querySelectorAll("[type=submit]").forEach(function(submit) {
+    submit.originalValue && (submit.value = submit.originalValue)
+    submit.disabled = null
+  })
+}
+
+Hashcash.default = {
+  version: 1,
+  bits: 20,
+  extension: null,
+}
+
+Hashcash.mint = function(resource, options, callback) {
+  // Format date to YYMMDD
+  var date = new Date
+  var year = date.getFullYear().toString()
+  year = year.slice(year.length - 2, year.length)
+  var month = (date.getMonth() + 1).toString().padStart(2, "0")
+  var day = date.getDate().toString().padStart(2, "0")
+
+  var stamp = new Hashcash.Stamp(
+    options.version || Hashcash.default.version,
+    options.bits || Hashcash.default.bits,
+    options.date || year + month + day,
+    resource,
+    options.extension || Hashcash.default.extension,
+    options.rand || Math.random().toString(36).substr(2, 10),
+  )
+  return stamp.work(callback)
+}
+
+Hashcash.Stamp = function(version, bits, date, resource, extension, rand, counter = 0) {
+  this.version = version
+  this.bits = bits
+  this.date = date
+  this.resource = resource
+  this.extension = extension
+  this.rand = rand
+  this.counter = counter
+}
+
+Hashcash.Stamp.parse = function(string) {
+  var args = string.split(":")
+  return new Hashcash.Stamp(args[0], args[1], args[2], args[3], args[4], args[5], args[6])
+}
+
+Hashcash.Stamp.prototype.toString = function() {
+  return [this.version, this.bits, this.date, this.resource, this.extension, this.rand, this.counter].join(":")
+}
+
+// Trigger the given callback when the problem is solved.
+// In order to not freeze the page, setTimeout is called every 100ms to let some CPU to other tasks.
+Hashcash.Stamp.prototype.work = function(callback) {
+  this.startClock()
+  var timer = performance.now()
+  while (!this.check())
+    if (this.counter++ && performance.now() - timer > 100)
+      return setTimeout(this.work.bind(this), 0, callback)
+  this.stopClock()
+  callback(this)
+}
+
+Hashcash.Stamp.prototype.check = function() {
+  var array = Hashcash.sha1(this.toString())
+  return array[0] >> (160-this.bits) == 0
+}
+
+Hashcash.Stamp.prototype.startClock = function() {
+  this.startedAt || (this.startedAt = performance.now())
+}
+
+Hashcash.Stamp.prototype.stopClock = function() {
+  this.endedAt || (this.endedAt = performance.now())
+  var duration = this.endedAt - this.startedAt
+  var speed = Math.round(this.counter * 1000 / duration)
+  console.debug("Hashcash " + this.toString() + " minted in " + duration + "ms (" + speed + " per seconds)")
+}
+
+/**
+ * Secure Hash Algorithm (SHA1)
+ * http://www.webtoolkit.info/
+ **/
+Hashcash.sha1 = function(msg) {
+  var rotate_left = Hashcash.sha1.rotate_left
+  var Utf8Encode = Hashcash.sha1.Utf8Encode
+
+  var blockstart;
+  var i, j;
+  var W = new Array(80);
+  var H0 = 0x67452301;
+  var H1 = 0xEFCDAB89;
+  var H2 = 0x98BADCFE;
+  var H3 = 0x10325476;
+  var H4 = 0xC3D2E1F0;
+  var A, B, C, D, E;
+  var temp;
+  msg = Utf8Encode(msg);
+  var msg_len = msg.length;
+  var word_array = new Array();
+  for (i = 0; i < msg_len - 3; i += 4) {
+    j = msg.charCodeAt(i) << 24 | msg.charCodeAt(i + 1) << 16 |
+      msg.charCodeAt(i + 2) << 8 | msg.charCodeAt(i + 3);
+    word_array.push(j);
+  }
+  switch (msg_len % 4) {
+    case 0:
+      i = 0x080000000;
+      break;
+    case 1:
+      i = msg.charCodeAt(msg_len - 1) << 24 | 0x0800000;
+      break;
+    case 2:
+      i = msg.charCodeAt(msg_len - 2) << 24 | msg.charCodeAt(msg_len - 1) << 16 | 0x08000;
+      break;
+    case 3:
+      i = msg.charCodeAt(msg_len - 3) << 24 | msg.charCodeAt(msg_len - 2) << 16 | msg.charCodeAt(msg_len - 1) << 8 | 0x80;
+      break;
+  }
+  word_array.push(i);
+  while ((word_array.length % 16) != 14) word_array.push(0);
+  word_array.push(msg_len >>> 29);
+  word_array.push((msg_len << 3) & 0x0ffffffff);
+  for (blockstart = 0; blockstart < word_array.length; blockstart += 16) {
+    for (i = 0; i < 16; i++) W[i] = word_array[blockstart + i];
+    for (i = 16; i <= 79; i++) W[i] = rotate_left(W[i - 3] ^ W[i - 8] ^ W[i - 14] ^ W[i - 16], 1);
+    A = H0;
+    B = H1;
+    C = H2;
+    D = H3;
+    E = H4;
+    for (i = 0; i <= 19; i++) {
+      temp = (rotate_left(A, 5) + ((B & C) | (~B & D)) + E + W[i] + 0x5A827999) & 0x0ffffffff;
+      E = D;
+      D = C;
+      C = rotate_left(B, 30);
+      B = A;
+      A = temp;
+    }
+    for (i = 20; i <= 39; i++) {
+      temp = (rotate_left(A, 5) + (B ^ C ^ D) + E + W[i] + 0x6ED9EBA1) & 0x0ffffffff;
+      E = D;
+      D = C;
+      C = rotate_left(B, 30);
+      B = A;
+      A = temp;
+    }
+    for (i = 40; i <= 59; i++) {
+      temp = (rotate_left(A, 5) + ((B & C) | (B & D) | (C & D)) + E + W[i] + 0x8F1BBCDC) & 0x0ffffffff;
+      E = D;
+      D = C;
+      C = rotate_left(B, 30);
+      B = A;
+      A = temp;
+    }
+    for (i = 60; i <= 79; i++) {
+      temp = (rotate_left(A, 5) + (B ^ C ^ D) + E + W[i] + 0xCA62C1D6) & 0x0ffffffff;
+      E = D;
+      D = C;
+      C = rotate_left(B, 30);
+      B = A;
+      A = temp;
+    }
+    H0 = (H0 + A) & 0x0ffffffff;
+    H1 = (H1 + B) & 0x0ffffffff;
+    H2 = (H2 + C) & 0x0ffffffff;
+    H3 = (H3 + D) & 0x0ffffffff;
+    H4 = (H4 + E) & 0x0ffffffff;
+  }
+  return [H0, H1, H2, H3, H4]
+}
+
+Hashcash.hexSha1 = function(msg) {
+  var array = Hashcash.sha1(msg)
+  var cvt_hex = Hashcash.sha1.cvt_hex
+  return cvt_hex(array[0]) + cvt_hex(array[1]) + cvt_hex(array[2]) + cvt_hex(array3) + cvt_hex(array[4])
+}
+
+Hashcash.sha1.rotate_left = function(n, s) {
+  var t4 = (n << s) | (n >>> (32 - s));
+  return t4;
+};
+
+Hashcash.sha1.lsb_hex = function(val) {
+  var str = '';
+  var i;
+  var vh;
+  var vl;
+  for (i = 0; i <= 6; i += 2) {
+    vh = (val >>> (i * 4 + 4)) & 0x0f;
+    vl = (val >>> (i * 4)) & 0x0f;
+    str += vh.toString(16) + vl.toString(16);
+  }
+  return str;
+};
+
+Hashcash.sha1.cvt_hex = function(val) {
+  var str = '';
+  var i;
+  var v;
+  for (i = 7; i >= 0; i--) {
+    v = (val >>> (i * 4)) & 0x0f;
+    str += v.toString(16);
+  }
+  return str;
+};
+
+Hashcash.sha1.Utf8Encode = function(string) {
+  string = string.replace(/\r\n/g, '\n');
+  var utftext = '';
+  for (var n = 0; n < string.length; n++) {
+    var c = string.charCodeAt(n);
+    if (c < 128) {
+      utftext += String.fromCharCode(c);
+    } else if ((c > 127) && (c < 2048)) {
+      utftext += String.fromCharCode((c >> 6) | 192);
+      utftext += String.fromCharCode((c & 63) | 128);
+    } else {
+      utftext += String.fromCharCode((c >> 12) | 224);
+      utftext += String.fromCharCode(((c >> 6) & 63) | 128);
+      utftext += String.fromCharCode((c & 63) | 128);
+    }
+  }
+  return utftext;
+};
+
+Hashcash.setup()

data/app/assets/stylesheets/active_hashcash/application.css

@@ -0,0 +1,15 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or any plugin's vendor/assets/stylesheets directory can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the bottom of the
+ * compiled file so the styles you add here take precedence over styles defined in any other CSS/SCSS
+ * files in this directory. Styles in this file should be added after the last require_* statement.
+ * It is generally better to create a new file per style scope.
+ *
+ *= require_tree .
+ *= require_self
+ */

data/app/controllers/active_hashcash/addresses_controller.rb

@@ -0,0 +1,7 @@
+module ActiveHashcash
+  class AddressesController < ApplicationController
+    def index
+      @addresses = Stamp.filter_by(params).group(:ip_address).order(count_all: :desc).limit(1000).count
+    end
+  end
+end

data/app/controllers/active_hashcash/application_controller.rb

@@ -0,0 +1,4 @@
+module ActiveHashcash
+  class ApplicationController < ActionController::Base
+  end
+end

data/app/controllers/active_hashcash/assets_controller.rb

@@ -0,0 +1,34 @@
+module ActiveHashcash
+  class AssetsController < ApplicationController
+    protect_from_forgery except: :show
+
+    Mime::Type.register "image/x-icon", :ico
+
+    def show
+      if endpoints.include?(file_name = File.basename(request.path))
+        file_path = ActiveHashcash::Engine.root.join / "app/views/active_hashcash/assets" / file_name
+        if File.exists?("#{file_path}.erb")
+          render(params[:id], mime_type: mime_type)
+        else
+          render(file: file_path)
+        end
+        expires_in(1.day, public: true)
+      else
+        raise ActionController::RoutingError.new
+      end
+    end
+
+    private
+
+    def endpoints
+      return @endpoints if @endpoints
+      folder = ActiveHashcash::Engine.root.join("app/views", controller_path)
+      files = folder.each_child.map { |path| File.basename(path).delete_suffix(".erb") }
+      @endpoints = files.delete_if { |str| str.start_with?("_") }
+    end
+
+    def mime_type
+      Mime::Type.lookup_by_extension(File.extname(request.path).delete_prefix("."))
+    end
+  end
+end

data/app/controllers/active_hashcash/stamps_controller.rb

@@ -0,0 +1,11 @@
+module ActiveHashcash
+  class StampsController < ApplicationController
+    def index
+      @stamps = Stamp.filter_by(params).order(created_at: :desc).limit(1000)
+    end
+
+    def show
+      @stamp = Stamp.find(params[:id])
+    end
+  end
+end

data/app/helpers/active_hashcash/addresses_helper.rb

@@ -0,0 +1,4 @@
+module ActiveHashcash
+  module AddressesHelper
+  end
+end

data/app/helpers/active_hashcash/application_helper.rb

@@ -0,0 +1,4 @@
+module ActiveHashcash
+  module ApplicationHelper
+  end
+end

data/app/helpers/active_hashcash/stamps_helper.rb

@@ -0,0 +1,4 @@
+module ActiveHashcash
+  module StampsHelper
+  end
+end

data/app/jobs/active_hashcash/application_job.rb

@@ -0,0 +1,4 @@
+module ActiveHashcash
+  class ApplicationJob < ActiveJob::Base
+  end
+end

data/app/mailers/active_hashcash/application_mailer.rb

@@ -0,0 +1,6 @@
+module ActiveHashcash
+  class ApplicationMailer < ActionMailer::Base
+    default from: "from@example.com"
+    layout "mailer"
+  end
+end

data/app/models/active_hashcash/application_record.rb

@@ -0,0 +1,5 @@
+module ActiveHashcash
+  class ApplicationRecord < ActiveRecord::Base
+    self.abstract_class = true
+  end
+end

data/app/models/active_hashcash/stamp.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+module ActiveHashcash
+  class Stamp < ApplicationRecord
+    validates_presence_of :version, :bits, :date, :resource, :rand, :counter
+
+    scope :created_from, -> (date) { where(created_at: date..) }
+    scope :created_to, -> (date) { where(created_at: ..date) }
+
+    scope :bits_from, -> (value) { where(bits: value..) }
+    scope :bits_to, -> (value) { where(bits: ..value) }
+
+    scope :ip_address_starts_with, -> (string) { where("ip_address LIKE ?", sanitize_sql_like(string) + "%") }
+    scope :request_path_starts_with, -> (string) { where("request_path LIKE ?", sanitize_sql_like(string) + "%") }
+
+    def self.filter_by(params)
+      scope = all
+      scope = scope.request_path_starts_with(params[:request_path_starts_with]) if params[:request_path_starts_with].present?
+      scope = scope.ip_address_starts_with(params[:ip_address_starts_with]) if params[:ip_address_starts_with].present?
+      scope = scope.created_from(params[:created_from]) if params[:created_from].present?
+      scope = scope.created_to(params[:created_to]) if params[:created_to].present?
+      scope = scope.bits_from(params[:bits_from]) if params[:bits_from].present?
+      scope = scope.bits_to(params[:bits_to]) if params[:bits_to].present?
+      scope
+    end
+
+    def self.spend(string, resource, bits, date, options = {})
+      return false unless stamp = parse(string)
+      stamp.attributes = options
+      stamp.verify(resource, bits, date) && stamp.save
+    rescue ActiveRecord::RecordNotUnique
+      false
+    end
+
+    def self.parse(string)
+      return unless string
+      args = string.split(":")
+      return if args.size != 7
+      new(version: args[0], bits: args[1], date: Date.strptime(args[2], ActiveHashcash.date_format), resource: args[3], ext: args[4], rand: args[5], counter: args[6])
+    end
+
+    def self.mint(resource, attributes = {})
+      new({
+        version: 1,
+        bits: ActiveHashcash.bits,
+        date: Date.today.strftime(ActiveHashcash.date_format),
+        resource: resource,
+        rand: SecureRandom.alphanumeric(16),
+        counter: 0,
+      }.merge(attributes)).work
+    end
+
+    def work
+      counter.next! until authentic?
+      self
+    end
+
+    def authentic?
+      Digest::SHA1.hexdigest(to_s).hex >> (160-bits) == 0
+    end
+
+    def verify(resource, bits, date)
+      self.resource == resource && self.bits >= bits && self.date >= date && !self.date.future? && authentic?
+    end
+
+    def to_s
+      [version.to_i, bits, date.strftime("%y%m%d"), resource, ext, rand, counter].join(":")
+    end
+  end
+end

data/app/views/active_hashcash/addresses/index.html.erb

@@ -0,0 +1,17 @@
+<details>
+  <summary>Filters</summary>
+  <%= render "active_hashcash/stamps/filters" %>
+</details>
+
+<table>
+  <tr>
+    <th><%= ActiveHashcash::Stamp.human_attribute_name(:ip_address) %></th>
+    <th><%= ActiveHashcash::Stamp.model_name.human.pluralize %></th>
+  </tr>
+  <% for (address, count) in @addresses %>
+    <tr>
+      <td><%= link_to address, stamps_path(ip_address_starts_with: address) %></td>
+      <td><%= number_with_delimiter count %></td>
+    </tr>
+  <% end %>
+</table>

data/app/views/active_hashcash/assets/_logo.svg.erb

@@ -0,0 +1 @@
+<svg viewBox="0 0 50.4 50.4" xmlns="http://www.w3.org/2000/svg"><g fill="#08773c"><path d="m25.2 0c-13.9 0-25.2 11.3-25.2 25.2s11.3 25.2 25.2 25.2 25.2-11.3 25.2-25.2-11.31-25.2-25.2-25.2zm0 46.4c-11.69 0-21.2-9.51-21.2-21.2s9.51-21.2 21.2-21.2 21.2 9.51 21.2 21.2-9.51 21.2-21.2 21.2z"/><path d="m33 12.04h-4v7.58h-7.89v-7.58h-4v7.58h-4.98v4h4.98v2.69h-4.98v4h4.98v7.58h4v-7.58h7.89v7.58h4v-7.58h4.98v-4h-4.98v-2.69h4.98v-4h-4.98zm-4 14.27h-7.89v-2.69h7.89z"/></g></svg>