active_hashcash 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 47a914f25827b270ed0e1bb2f0fc222316846b48232cf5dceb255c99725f1467
+  data.tar.gz: f5aaf27f5d578cfc271624c4ddd3746365e81424247cd50ed43744cb534ea893
+SHA512:
+  metadata.gz: 9799788e77f0f6d8415d0e69a153a8b88715e34d5742794ed64a0db3a30a41bd619bc54d9c840b1d4d37eff4f0f9cf90ec9bc4c552656aad8f086068997685e0
+  data.tar.gz: f439c8fb6265ae1a2999b6fe3995871762e09b8ab05b38a776dc4e0eafd4fe67d431396323425118f55d596c2f2270ff5160733ccc94fe7f1d47df0eba38ce9f

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+## [Unreleased]
+
+## [0.1.0] - 2022-07-01
+
+- Initial release

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2022 Alexis Bernard
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,85 @@
+# ActiveHashcash
+
+<img align="right" width="200px" src="logo.png" alt="Active Hashcash logo"/>
+
+ActiveHashcash protects your Rails application against DoS and bots.
+
+Hashcash is proof-of-work algorithm, invented by Adam Back in 1997, to protect systems against denial of service attacks.
+ActiveHashcash is an easy way to protect any Rails application against brute force attacks and some bots.
+
+The idea is to force clients to spend some time to solve a hard problem that is very easy to verify for the server.
+We have developped ActiveHashcash after seeing brute force attacks against our Rails application monitoring service [RorVsWild](https://rorvswild.com).
+
+The idea is to enable ActiveHashcash on sensitive forms such as login and registration. While the user is filling the form,
+ActiveHashcash performs the work in JavaScript and set the result into a hidden input text. The form cannot be submitted while the proof of work has not been found.
+The user submits the form, and the stamp is verified by the controller in a before action.
+
+It blocks bots that do not interpret JavaScript since the proof of work is not computed. For the more sophisticated bots, we are happy to slow them down.
+
+Here is a [demo on a login form](https://www.rorvswild.com/session) :
+
+![Active Hashcash GIF preview](demo.gif)
+
+## Limitations
+
+The JavaScript implementation is 10 to 20 times slower than the official C version.
+It needs some work and knowledges to be optimised. Unfortunately, I'm not a JavaScript expert.
+Maybe you have good JS skills to optimize it ?
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem "active_hashcash"
+```
+
+Require hashcash from your JavaScript manifest.
+
+```js
+//= require hashcash
+```
+
+Add a Hashcash hidden field into the form you want to protect.
+
+```erb
+<form>
+  <%= hashcash_hidden_field_tag %>
+</form>
+```
+
+Then you have to define a `before_action :check_hashcash` in you controller.
+
+```ruby
+class SessionController < ApplicationController
+  include ActiveHashcash
+
+  # Only the action receiving the form needs to be protected
+  before_action :check_hashcash, only: :create
+end
+```
+
+To customize some behaviour, you can override most of the methods which begins with `hashcash_`.
+Simply have a look to `active_hashcash.rb`.
+
+You must have Redis in order to prevent double spent stamps. Otherwise it will be useless.
+It automatically tries to connect with the environement variables `ACTIVE_HASHCASH_REDIS_URL` or `REDIS_URL`.
+You can also manually set the URL with `ActiveHashcash.redis_url = redis://user:password@localhost:6379`.
+
+## Complexity
+
+Complexity is the most important parameter. By default its value is 20 and requires most of the time 5 to 20 seconds to be solved on a decent laptop.
+The user won't wait that long, since he needs to fill the form while the problem is solving.
+Howevever, if your application includes people with slow and old devices, then consider lowering this value, to 16 or 18.
+
+You can change the complexity, either with `ActiveHashcash.bits = 20` or by overriding the method `hashcash_bits` in you controller.
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/active_hashcash.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
+
+Made by Alexis Bernard at [Base Secrète](https://basesecrete.com).

data/lib/active_hashcash.rb

@@ -0,0 +1,150 @@
+module ActiveHashcash
+  extend ActiveSupport::Concern
+
+  include ActionView::Helpers::FormTagHelper
+
+  included do
+    helper_method :hashcash_hidden_field_tag
+  end
+
+  mattr_accessor :bits, instance_accessor: false, default: 20
+  mattr_accessor :resource, instance_accessor: false
+  mattr_accessor :redis_url, instance_accessor: false
+
+  # TODO: protect_from_brute_force bits: 20, exception: ActionController::InvalidAuthenticityToken, with: :handle_failed_hashcash
+
+  # Call me via a before_action when the form is submitted : `before_action :chech_hashcash, only: :create`
+  def check_hashcash
+    if hashcash_stamp_is_valid? && !hashcash_stamp_spent?
+      hashcash_redis.sadd("active_hashcash_stamps".freeze, hashcash_param)
+      hashcash_after_success
+    else
+      hashcash_after_failure
+    end
+  end
+
+  # Override the methods below in your controller, to change any parameter of behaviour.
+
+  # By default the host name is used as the resource.
+  # It' should be good for most cases and prevent from reusing the same stamp between sites.
+  def hashcash_resource
+    ActiveHashcash.resource || request.host
+  end
+
+  # Define the complexity, the higher the slower it is. Consider lowering this value to not exclude people with old and slow devices.
+  # On a decent laptop, it takes around 30 seconds for the JavaScript implementation to solve a 20 bits complexity and few seconds when it's 16.
+  def hashcash_bits
+    ActiveHashcash.bits
+  end
+
+  # Override if you want to rename the hashcash param.
+  def hashcash_param
+    params[:hashcash]
+  end
+
+  # Override to customize message displayed on submit button while computing hashcash.
+  def hashcash_waiting_message
+    t("active_hashcash.waiting_label")
+  end
+
+  # Override to provide a different behaviour when hashcash failed
+  def hashcash_after_failure
+    raise ActionController::InvalidAuthenticityToken.new("Invalid hashcash #{hashcash_param}")
+  end
+
+  # Maybe you want something special when the hashcash is valid. By default nothing happens.
+  def hashcash_after_success
+    # Override me for your own needs.
+  end
+
+  # Call it inside the form that have to be protected and don't forget to initialize the JavaScript Hascash.setup().
+  # Unless you need something really special, you should not need to override this method.
+  def hashcash_hidden_field_tag(name = :hashcash)
+    options = {resource: hashcash_resource, bits: hashcash_bits, waiting_message: hashcash_waiting_message}
+    hidden_field_tag(name, "", "data-hashcash" => options.to_json)
+  end
+
+  def hashcash_redis
+    @hashcash_redis = Redis.new(url: hashcash_redis_url)
+  end
+
+  def hashcash_redis_url
+    ActiveHashcash.redis_url || ENV["ACTIVE_HASHCASH_REDIS_URL"] || ENV["REDIS_URL"]
+  end
+
+  def hashcash_stamp_is_valid?
+    stamp = Stamp.parse(hashcash_param)
+    stamp.valid? && stamp.bits >= hashcash_bits && stamp.parse_date >= Date.yesterday
+  end
+
+  def hashcash_stamp_spent?
+    hashcash_redis.sismember("active_hashcash_stamps".freeze, hashcash_param)
+  end
+
+
+
+  class Engine < ::Rails::Engine
+    config.assets.paths << File.expand_path("..", __FILE__)
+
+    config.after_initialize { load_translations }
+
+    def load_translations
+      if !I18n.backend.exists?(I18n.locale, "active_hashcash")
+        I18n.backend.store_translations(:de, {active_hashcash: {waiting_label: "Warten auf die Überprüfung ..."}})
+        I18n.backend.store_translations(:en, {active_hashcash: {waiting_label: "Waiting for verification ..."}})
+        I18n.backend.store_translations(:es, {active_hashcash: {waiting_label: "A la espera de la verificación ..."}})
+        I18n.backend.store_translations(:fr, {active_hashcash: {waiting_label: "En attente de vérification ..."}})
+        I18n.backend.store_translations(:it, {active_hashcash: {waiting_label: "In attesa di verifica ..."}})
+        I18n.backend.store_translations(:jp, {active_hashcash: {waiting_label: "検証待ち ..."}})
+        I18n.backend.store_translations(:pt, {active_hashcash: {waiting_label: "À espera de verificação ..."}})
+      end
+    end
+  end
+
+  class Stamp
+    attr_reader :version, :bits, :date, :resource, :extension, :rand, :counter
+
+    def self.parse(string)
+      args = string.split(":")
+      new(args[0], args[1], args[2], args[3], args[4], args[5], args[6])
+    end
+
+    def self.mint(resource, options = {})
+      new(
+        options[:version] || 1,
+        options[:bits] || ActiveHashcash.bits,
+        options[:date] || Date.today.strftime("%y%m%d"),
+        resource,
+        options[:ext],
+        options[:rand] || SecureRandom.alphanumeric(16),
+        options[:counter] || 0).work
+    end
+
+    def initialize(version, bits, date, resource, extension, rand, counter)
+      @version = version
+      @bits = bits.to_i
+      @date = date.respond_to?(:strftime) ? date.strftime("%y%m%d") : date
+      @resource = resource
+      @extension = extension
+      @rand = rand
+      @counter = counter
+    end
+
+    def valid?
+      Digest::SHA1.hexdigest(to_s).hex >> (160-bits) == 0
+    end
+
+    def to_s
+      [version, bits, date, resource, extension, rand, counter].join(":")
+    end
+
+    def parse_date
+      Date.strptime(date, "%y%m%d")
+    end
+
+    def work
+      @counter += 1 until valid?
+      self
+    end
+  end
+end

data/lib/hashcash.js

@@ -0,0 +1,257 @@
+// http://www.hashcash.org/docs/hashcash.html
+// <input type="hiden" name="hashcash" data-hashcash="{resource: 'site.example', bits: 16}"/>
+Hashcash = function(input) {
+  options = JSON.parse(input.getAttribute("data-hashcash"))
+  Hashcash.disableParentForm(input, options)
+  input.dispatchEvent(new CustomEvent("hashcash:mint", {bubbles: true}))
+
+  Hashcash.mint(options.resource, options, function(stamp) {
+    input.value = stamp.toString()
+    Hashcash.enableParentForm(input, options)
+    input.dispatchEvent(new CustomEvent("hashcash:minted", {bubbles: true, detail: {stamp: stamp}}))
+  })
+}
+
+Hashcash.setup = function() {
+  if (document.readyState != "loading") {
+    var input = document.querySelector("input#hashcash")
+    input && new Hashcash(input)
+  } else
+    document.addEventListener("DOMContentLoaded", Hashcash.setup )
+}
+
+Hashcash.disableParentForm = function(input, options) {
+  input.form.querySelectorAll("[type=submit]").forEach(function(submit) {
+    submit.originalValue = submit.value
+    options["waiting_message"] && (submit.value = options["waiting_message"])
+    submit.disabled = true
+  })
+}
+
+Hashcash.enableParentForm = function(input, options) {
+  input.form.querySelectorAll("[type=submit]").forEach(function(submit) {
+    submit.originalValue && (submit.value = submit.originalValue)
+    submit.disabled = null
+  })
+}
+
+Hashcash.default = {
+  version: 1,
+  bits: 20,
+  extension: null,
+}
+
+Hashcash.mint = function(resource, options, callback) {
+  // Format date to YYMMDD
+  var date = new Date
+  var year = date.getFullYear().toString()
+  year = year.slice(year.length - 2, year.length)
+  var month = (date.getMonth() + 1).toString().padStart(2, "0")
+  var day = date.getDate().toString().padStart(2, "0")
+
+  var stamp = new Hashcash.Stamp(
+    options.version || Hashcash.default.version,
+    options.bits || Hashcash.default.bits,
+    options.date || year + month + day,
+    resource,
+    options.extension || Hashcash.default.extension,
+    options.rand || Math.random().toString(36).substr(2, 10),
+  )
+  return stamp.work(callback)
+}
+
+Hashcash.Stamp = function(version, bits, date, resource, extension, rand, counter = 0) {
+  this.version = version
+  this.bits = bits
+  this.date = date
+  this.resource = resource
+  this.extension = extension
+  this.rand = rand
+  this.counter = counter
+}
+
+Hashcash.Stamp.parse = function(string) {
+  var args = string.split(":")
+  return new Hashcash.Stamp(args[0], args[1], args[2], args[3], args[4], args[5], args[6])
+}
+
+Hashcash.Stamp.prototype.toString = function() {
+  return [this.version, this.bits, this.date, this.resource, this.extension, this.rand, this.counter].join(":")
+}
+
+// Trigger the given callback when the problem is solved.
+// In order to not freeze the page, setTimeout is called every 100ms to let some CPU to other tasks.
+Hashcash.Stamp.prototype.work = function(callback) {
+  this.startClock()
+  var timer = performance.now()
+  while (!this.check())
+    if (this.counter++ && performance.now() - timer > 100)
+      return setTimeout(this.work.bind(this), 0, callback)
+  this.stopClock()
+  callback(this)
+}
+
+Hashcash.Stamp.prototype.check = function() {
+  var array = Hashcash.sha1(this.toString())
+  return array[0] >> (160-this.bits) == 0
+}
+
+Hashcash.Stamp.prototype.startClock = function() {
+  this.startedAt || (this.startedAt = performance.now())
+}
+
+Hashcash.Stamp.prototype.stopClock = function() {
+  this.endedAt || (this.endedAt = performance.now())
+  var duration = this.endedAt - this.startedAt
+  var speed = Math.round(this.counter * 1000 / duration)
+  console.debug("Hashcash " + this.toString() + " minted in " + duration + "ms (" + speed + " per seconds)")
+}
+
+/**
+ * Secure Hash Algorithm (SHA1)
+ * http://www.webtoolkit.info/
+ **/
+Hashcash.sha1 = function(msg) {
+  var rotate_left = Hashcash.sha1.rotate_left
+  var Utf8Encode = Hashcash.sha1.Utf8Encode
+
+  var blockstart;
+  var i, j;
+  var W = new Array(80);
+  var H0 = 0x67452301;
+  var H1 = 0xEFCDAB89;
+  var H2 = 0x98BADCFE;
+  var H3 = 0x10325476;
+  var H4 = 0xC3D2E1F0;
+  var A, B, C, D, E;
+  var temp;
+  msg = Utf8Encode(msg);
+  var msg_len = msg.length;
+  var word_array = new Array();
+  for (i = 0; i < msg_len - 3; i += 4) {
+    j = msg.charCodeAt(i) << 24 | msg.charCodeAt(i + 1) << 16 |
+      msg.charCodeAt(i + 2) << 8 | msg.charCodeAt(i + 3);
+    word_array.push(j);
+  }
+  switch (msg_len % 4) {
+    case 0:
+      i = 0x080000000;
+      break;
+    case 1:
+      i = msg.charCodeAt(msg_len - 1) << 24 | 0x0800000;
+      break;
+    case 2:
+      i = msg.charCodeAt(msg_len - 2) << 24 | msg.charCodeAt(msg_len - 1) << 16 | 0x08000;
+      break;
+    case 3:
+      i = msg.charCodeAt(msg_len - 3) << 24 | msg.charCodeAt(msg_len - 2) << 16 | msg.charCodeAt(msg_len - 1) << 8 | 0x80;
+      break;
+  }
+  word_array.push(i);
+  while ((word_array.length % 16) != 14) word_array.push(0);
+  word_array.push(msg_len >>> 29);
+  word_array.push((msg_len << 3) & 0x0ffffffff);
+  for (blockstart = 0; blockstart < word_array.length; blockstart += 16) {
+    for (i = 0; i < 16; i++) W[i] = word_array[blockstart + i];
+    for (i = 16; i <= 79; i++) W[i] = rotate_left(W[i - 3] ^ W[i - 8] ^ W[i - 14] ^ W[i - 16], 1);
+    A = H0;
+    B = H1;
+    C = H2;
+    D = H3;
+    E = H4;
+    for (i = 0; i <= 19; i++) {
+      temp = (rotate_left(A, 5) + ((B & C) | (~B & D)) + E + W[i] + 0x5A827999) & 0x0ffffffff;
+      E = D;
+      D = C;
+      C = rotate_left(B, 30);
+      B = A;
+      A = temp;
+    }
+    for (i = 20; i <= 39; i++) {
+      temp = (rotate_left(A, 5) + (B ^ C ^ D) + E + W[i] + 0x6ED9EBA1) & 0x0ffffffff;
+      E = D;
+      D = C;
+      C = rotate_left(B, 30);
+      B = A;
+      A = temp;
+    }
+    for (i = 40; i <= 59; i++) {
+      temp = (rotate_left(A, 5) + ((B & C) | (B & D) | (C & D)) + E + W[i] + 0x8F1BBCDC) & 0x0ffffffff;
+      E = D;
+      D = C;
+      C = rotate_left(B, 30);
+      B = A;
+      A = temp;
+    }
+    for (i = 60; i <= 79; i++) {
+      temp = (rotate_left(A, 5) + (B ^ C ^ D) + E + W[i] + 0xCA62C1D6) & 0x0ffffffff;
+      E = D;
+      D = C;
+      C = rotate_left(B, 30);
+      B = A;
+      A = temp;
+    }
+    H0 = (H0 + A) & 0x0ffffffff;
+    H1 = (H1 + B) & 0x0ffffffff;
+    H2 = (H2 + C) & 0x0ffffffff;
+    H3 = (H3 + D) & 0x0ffffffff;
+    H4 = (H4 + E) & 0x0ffffffff;
+  }
+  return [H0, H1, H2, H3, H4]
+}
+
+Hashcash.hexSha1 = function(msg) {
+  var array = Hashcash.sha1(msg)
+  var cvt_hex = Hashcash.sha1.cvt_hex
+  return cvt_hex(array[0]) + cvt_hex(array[1]) + cvt_hex(array[2]) + cvt_hex(array3) + cvt_hex(array[4])
+}
+
+Hashcash.sha1.rotate_left = function(n, s) {
+  var t4 = (n << s) | (n >>> (32 - s));
+  return t4;
+};
+
+Hashcash.sha1.lsb_hex = function(val) {
+  var str = '';
+  var i;
+  var vh;
+  var vl;
+  for (i = 0; i <= 6; i += 2) {
+    vh = (val >>> (i * 4 + 4)) & 0x0f;
+    vl = (val >>> (i * 4)) & 0x0f;
+    str += vh.toString(16) + vl.toString(16);
+  }
+  return str;
+};
+
+Hashcash.sha1.cvt_hex = function(val) {
+  var str = '';
+  var i;
+  var v;
+  for (i = 7; i >= 0; i--) {
+    v = (val >>> (i * 4)) & 0x0f;
+    str += v.toString(16);
+  }
+  return str;
+};
+
+Hashcash.sha1.Utf8Encode = function(string) {
+  string = string.replace(/\r\n/g, '\n');
+  var utftext = '';
+  for (var n = 0; n < string.length; n++) {
+    var c = string.charCodeAt(n);
+    if (c < 128) {
+      utftext += String.fromCharCode(c);
+    } else if ((c > 127) && (c < 2048)) {
+      utftext += String.fromCharCode((c >> 6) | 192);
+      utftext += String.fromCharCode((c & 63) | 128);
+    } else {
+      utftext += String.fromCharCode((c >> 12) | 224);
+      utftext += String.fromCharCode(((c >> 6) & 63) | 128);
+      utftext += String.fromCharCode((c & 63) | 128);
+    }
+  }
+  return utftext;
+};
+
+Hashcash.setup()

metadata

@@ -0,0 +1,79 @@
+--- !ruby/object:Gem::Specification
+name: active_hashcash
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Alexis Bernard
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2022-07-01 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: redis
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.0.0
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 5.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 5.2.0
+description: Potect your Rails application against DoS and bots.
+email:
+- alexis@basesecrete.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- LICENSE.txt
+- README.md
+- lib/active_hashcash.rb
+- lib/hashcash.js
+homepage: https://github.com/BaseSecrete/active_hashcash
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/BaseSecrete/active_hashcash
+  source_code_uri: https://github.com/BaseSecrete/active_hashcash
+  changelog_uri: https://github.com/BaseSecrete/active_hashcash/CHANGELOG.md
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.4.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.2.22
+signing_key:
+specification_version: 4
+summary: Potect your Rails application against DoS and bots.
+test_files: []