active_hashcash 0.2.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 81d808ca54efb58e16c61524bde0aee355f5a7b003ef4cb6cda2e9b672c7a284
-  data.tar.gz: 6ec6f99dd02e353bb4e86bb9db8e65ecf35dc46e13051e401b62608700b7fde5
+  metadata.gz: 29b1886eff044771c56c4eeff7dfcc4a305262fd39b9633a43522e1a8a465f7a
+  data.tar.gz: 0ad53ba4ebdcec34064f33cc1ea2f75dc95ce6ffb57a733604174e0059c37521
 SHA512:
-  metadata.gz: 17f8b181f15b009b850fea2e1ead3a5cb904218d8877b31d9b6a2e5f2578972a6a1a2837cdbda46013987911a88198d543dd7f3a79f68b455a969a005a3fbfc8
-  data.tar.gz: 2b02561bf0516b2accb42ac64fe8d93b7bf956bb9474fcadec93db08f4be551d9eea430884d133d08b92156a9d10440ac8f48067207c95d3b72e4268752748dd
+  metadata.gz: 794687bc50403b03a63e4855451bec53751b6da4a20ef1674bdbf0d66dfdfacfaa68f3d1416a14a0a1bdf823b4641b8a16e6b70aba288278883170c7a73b6202
+  data.tar.gz: 7b0ca6f84cb75b2e49b5747034393c778023a2efb6974b97ba9fab084074da57cb78f5014de5d26e20af378bb8a86788f833f02e036e5feb56e8aee52c3b87d9

data/CHANGELOG.md

@@ -1,3 +1,12 @@
+# Changelog of ActiveHashcash
+
+## 0.3.0 - 2024-03-14
+
+- Increase complexity automatically to slowdown brute force attacks
+- Add mountable dashboard to list latest stamps and most frequent IP addresses
+- Store stamps into the database instead of Redis
+- Fix ActiveHashcash::Store#add? by converting stamp to a string
+
 ## 0.2.0 - 2022-08-02
 
 - Add ActiveHashcash::Store#clean to removed expired stamps

data/README.md

@@ -2,29 +2,34 @@
 
 <img align="right" width="200px" src="logo.png" alt="Active Hashcash logo"/>
 
-ActiveHashcash protects your Rails application against brute force attacks, DoS and bots.
+ActiveHashcash protects Rails applications against bots and brute force attacks without annoying humans.
 
 Hashcash is proof-of-work algorithm, invented by Adam Back in 1997, to protect systems against denial of service attacks.
-ActiveHashcash is an easy way to protect any Rails application against brute force attacks and some bots.
+ActiveHashcash is an easy way to protect any Rails application against brute force attacks and bots.
 
 The idea is to force clients to spend some time to solve a hard problem that is very easy to verify for the server.
 We have developped ActiveHashcash after seeing brute force attacks against our Rails application monitoring service [RorVsWild](https://rorvswild.com).
 
-The idea is to enable ActiveHashcash on sensitive forms such as login and registration. While the user is filling the form,
-ActiveHashcash performs the work in JavaScript and set the result into a hidden input text. The form cannot be submitted while the proof of work has not been found.
-The user submits the form, and the stamp is verified by the controller in a before action.
+ActiveHashcash is ideal to set up on sensitive forms such as login and registration.
+While the user is filling the form, the problem is solved in JavaScript and set the result into a hidden input text.
+The form cannot be submitted while the proof of work has not been found.
+Then the user submits the form, and the stamp is verified by the controller in a before action.
 
-It blocks bots that do not interpret JavaScript since the proof of work is not computed. For the more sophisticated bots, we are happy to slow them down.
+It blocks bots that do not interpret JavaScript since the proof of work is not computed.
+More sophisticated bots and brute force attacks are slow down.
+Moreover the complexity increases automatically for IP addresses sending many requests.
+Thus it becomes very CPU costly for attackers.
 
-Here is a [demo on a registration form](https://www.rorvswild.com/account/new) :
+Finally legitimate users are not annoyed by asking to solve a puzzle or clicking on the all images containing a bus.
+Here is a [demo on a registration form](https://www.rorvswild.com/session) :
 
 ![Active Hashcash GIF preview](demo.gif)
 
-## Limitations
+---
 
-The JavaScript implementation is 10 to 20 times slower than the official C version.
-It needs some work and knowledges to be optimised. Unfortunately, I'm not a JavaScript expert.
-Maybe you have good JS skills to optimize it ?
+<img align="left" height="24px" src="rorvswild_logo.jpg" alt="RorVsWild logo"/>Made by <a href="https://www.rorvswild.com">RorVsWild</a>, performances & exceptions monitoring for Ruby on Rails applications.
+
+---
 
 ## Installation
 
@@ -62,26 +67,108 @@ end
 To customize some behaviour, you can override most of the methods which begins with `hashcash_`.
 Simply have a look to `active_hashcash.rb`.
 
+Stamps are stored into into the database to prevents from spending them more than once.
+You must run a migration:
+
+```
+rails active_hashcash:install:migrations
+rails db:migrate
+```
+
+### Dashboard
+
+There is a mountable dahsboard which allows to see all spent stamps.
+It's not mandatory, but useful for monitoring purpose.
+
+![ActiveHashcash dashboard](active_hashcash_dashboard.png "ActiveHashcash dashboard")
+
+```ruby
+# config/routes.rb
+mount ActiveHashcash::Engine, at: "hashcash"
+```
+
+ActiveHashcash cannot guess how you handle user authentication, because it is different for all Rails applications.
+So you have to monkey patch `ActiveHashcash::ApplicationController` in order to inject your own mechanism.
+The patch can be saved wherever you want.
+For example, I like to have all the patches in one place, so I put them in `lib/patches`.
+
+```ruby
+# lib/patches/active_hashcash.rb
+
+ActiveHashcash::ApplicationController.class_eval do
+    before_action :require_admin
+
+    def require_admin
+      # This example supposes there are current_user and User#admin? methods
+      raise ActionController::RoutingError.new("Not found") unless current_user.try(:admin?)
+    end
+  end
+end
+```
+
+Then you have to require the monkey patch.
+Because it's loaded via require, it won't be reloaded in development.
+Since you are not supposed to change this file often, it should not be an issue.
+
+```ruby
+# config/application.rb
+config.after_initialize do
+  require "patches/active_hashcash"
+end
+```
+
+If you use Devise, you can check the permission directly from routes.rb:
+
+```ruby
+# config/routes.rb
+authenticate :user, -> (u) { u.admin? } do # Supposing there is a User#admin? method
+  mount ActiveHashcash::Engine, at: "hashcash" # http://localhost:3000/hashcash
+end
+```
+
+### Before version 0.3.0
+
 You must have Redis in order to prevent double spent stamps. Otherwise it will be useless.
 It automatically tries to connect with the environement variables `ACTIVE_HASHCASH_REDIS_URL` or `REDIS_URL`.
 You can also manually set the URL with `ActiveHashcash.redis_url = redis://user:password@localhost:6379`.
 
 You should call `ActiveHashcash::Store#clean` once a day, to remove expired stamps.
 
+To upgrade from 0.2.0 you must run the migration :
+
+```
+rails active_hashcash:install:migrations
+rails db:migrate
+```
+
 ## Complexity
 
 Complexity is the most important parameter. By default its value is 20 and requires most of the time 5 to 20 seconds to be solved on a decent laptop.
 The user won't wait that long, since he needs to fill the form while the problem is solving.
 Howevever, if your application includes people with slow and old devices, then consider lowering this value, to 16 or 18.
 
-You can change the complexity, either with `ActiveHashcash.bits = 20` or by overriding the method `hashcash_bits` in you controller.
+You can change the minimum complexity with `ActiveHashcash.bits = 20`.
+
+Since version 0.3.0, the complexity increases with the number of stamps spent during le last 24H from the same IP address.
+Thus it becomes very efficient to slow down brute force attacks.
+
+## Limitations
+
+The JavaScript implementation is 10 to 20 times slower than the official C version.
+I first used the SubtleCrypto API but it is surprisingly slower than a custom SHA1 implementation.
+Maybe I did in an unefficient way 2df3ba5?
+Another idea would be to compile the work algorithm in wasm.
+
+Unfortunately, I'm not a JavaScript expert.
+Maybe you have good JS skills to optimize it?
+Any help would be appreciate to better fights bots and brute for attacks!
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/active_hashcash.
+Bug reports and pull requests are welcome on GitHub at https://github.com/BaseSecrete/active_hashcash.
 
 ## License
 
 The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
 
-Made by Alexis Bernard at [Base Secrète](https://basesecrete.com).
+Made by Alexis Bernard at [RorVsWild](https://www.rorvswild.com).

data/lib/active_hashcash/engine.rb

@@ -1,19 +1,7 @@
 module ActiveHashcash
   class Engine < ::Rails::Engine
-    config.assets.paths << File.expand_path("../..", __FILE__)
+    config.assets.paths << File.expand_path("../..", __FILE__) if config.respond_to?(:assets)
 
-    config.after_initialize { load_translations }
-
-    def load_translations
-      if !I18n.backend.exists?(I18n.locale, "active_hashcash")
-        I18n.backend.store_translations(:de, {active_hashcash: {waiting_label: "Warten auf die Überprüfung ..."}})
-        I18n.backend.store_translations(:en, {active_hashcash: {waiting_label: "Waiting for verification ..."}})
-        I18n.backend.store_translations(:es, {active_hashcash: {waiting_label: "A la espera de la verificación ..."}})
-        I18n.backend.store_translations(:fr, {active_hashcash: {waiting_label: "En attente de vérification ..."}})
-        I18n.backend.store_translations(:it, {active_hashcash: {waiting_label: "In attesa di verifica ..."}})
-        I18n.backend.store_translations(:jp, {active_hashcash: {waiting_label: "検証待ち ..."}})
-        I18n.backend.store_translations(:pt, {active_hashcash: {waiting_label: "À espera de verificação ..."}})
-      end
-    end
+    isolate_namespace ActiveHashcash
   end
 end

data/lib/active_hashcash/version.rb

@@ -1,3 +1,3 @@
 module ActiveHashcash
-  VERSION = "0.2.0"
+  VERSION = "0.3.0"
 end

data/lib/active_hashcash.rb

@@ -1,3 +1,6 @@
+require "active_hashcash/version"
+require "active_hashcash/engine"
+
 module ActiveHashcash
   extend ActiveSupport::Concern
 
@@ -7,31 +10,41 @@ module ActiveHashcash
     helper_method :hashcash_hidden_field_tag
   end
 
-  mattr_accessor :bits, instance_accessor: false, default: 20
   mattr_accessor :resource, instance_accessor: false
-  mattr_accessor :redis_url, instance_accessor: false, default: ENV["ACTIVE_HASHCASH_REDIS_URL"] || ENV["REDIS_URL"]
-
-  def self.store
-    @store ||= Store.new(Redis.new(url: ActiveHashcash.redis_url))
-  end
 
-  def self.store=(store)
-    @store = store
-  end
+  # This is base complexity.
+  # Consider lowering it to not exclude people with old and slow devices.
+  mattr_accessor :bits, instance_accessor: false, default: 16
 
-  # TODO: protect_from_brute_force bits: 20, exception: ActionController::InvalidAuthenticityToken, with: :handle_failed_hashcash
+  mattr_accessor :date_format, instance_accessor: false, default: "%y%m%d"
 
-  # Call me via a before_action when the form is submitted : `before_action :chech_hashcash, only: :create`
+  # Call me via a before_action when the form is submitted : `before_action :check_hashcash, only: :create`
   def check_hashcash
-    stamp = hashcash_param && Stamp.parse(hashcash_param)
-    if stamp && stamp.verify(hashcash_resource, hashcash_bits, Date.yesterday) && ActiveHashcash.store.add?(stamp)
+    attrs = {
+      ip_address: hashcash_ip_address,
+      request_path: hashcash_request_path,
+      context: hashcash_stamp_context
+    }
+    if hashcash_param && Stamp.spend(hashcash_param, hashcash_resource, hashcash_bits, Date.yesterday, attrs)
       hashcash_after_success
     else
       hashcash_after_failure
     end
   end
 
-  # Override the methods below in your controller, to change any parameter of behaviour.
+  # Override the methods below in your controller, to change any parameter or behaviour.
+
+  def hashcash_ip_address
+    request.remote_ip
+  end
+
+  def hashcash_request_path
+    request.path
+  end
+
+  def hashcash_stamp_context
+    # Override this method to store custom data for each stamp
+  end
 
   # By default the host name is used as the resource.
   # It' should be good for most cases and prevent from reusing the same stamp between sites.
@@ -39,10 +52,15 @@ module ActiveHashcash
     ActiveHashcash.resource || request.host
   end
 
-  # Define the complexity, the higher the slower it is. Consider lowering this value to not exclude people with old and slow devices.
-  # On a decent laptop, it takes around 30 seconds for the JavaScript implementation to solve a 20 bits complexity and few seconds when it's 16.
+  # Returns the complexity, the higher the slower it is.
+  # Complexity is increased logarithmicly for each IP during the last 24H to slowdown brute force attacks.
+  # The minimun value returned is `ActiveHashcash.bits`.
   def hashcash_bits
-    ActiveHashcash.bits
+    if (previous_stamp_count = ActiveHashcash::Stamp.where(ip_address: hashcash_ip_address).where(created_at: 1.day.ago..).count) > 0
+      (ActiveHashcash.bits + Math.log2(previous_stamp_count)).floor
+    else
+      ActiveHashcash.bits
+    end
   end
 
   # Override if you want to rename the hashcash param.
@@ -72,7 +90,3 @@ module ActiveHashcash
     hidden_field_tag(name, "", "data-hashcash" => options.to_json)
   end
 end
-
-require "active_hashcash/stamp"
-require "active_hashcash/store"
-require "active_hashcash/engine"

data/lib/tasks/active_hashcash_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :active_hashcash do
+#   # Task goes here
+# end

metadata

@@ -1,29 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: active_hashcash
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Alexis Bernard
-autorequire:
+autorequire: 
 bindir: exe
 cert_chain: []
-date: 2022-08-02 00:00:00.000000000 Z
+date: 2024-03-14 00:00:00.000000000 Z
 dependencies:
-- !ruby/object:Gem::Dependency
-  name: redis
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 4.0.0
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 4.0.0
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
@@ -38,8 +24,8 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 5.2.0
-description: ActiveHashcash protects your Rails application against brute force attacks,
-  DoS and bots.
+description: Protect Rails applications against bots and brute force attacks without
+  annoying humans.
 email:
 - alexis@basesecrete.com
 executables: []
@@ -51,10 +37,9 @@ files:
 - README.md
 - lib/active_hashcash.rb
 - lib/active_hashcash/engine.rb
-- lib/active_hashcash/stamp.rb
-- lib/active_hashcash/store.rb
 - lib/active_hashcash/version.rb
 - lib/hashcash.js
+- lib/tasks/active_hashcash_tasks.rake
 homepage: https://github.com/BaseSecrete/active_hashcash
 licenses:
 - MIT
@@ -62,7 +47,7 @@ metadata:
   homepage_uri: https://github.com/BaseSecrete/active_hashcash
   source_code_uri: https://github.com/BaseSecrete/active_hashcash
   changelog_uri: https://github.com/BaseSecrete/active_hashcash/CHANGELOG.md
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -78,8 +63,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubygems_version: 3.2.22
-signing_key:
+signing_key: 
 specification_version: 4
-summary: ActiveHashcash protects your Rails application against brute force attacks,
-  DoS and bots.
+summary: Protect Rails applications against bots and brute force attacks without annoying
+  humans.
 test_files: []

data/lib/active_hashcash/stamp.rb

@@ -1,52 +0,0 @@
-module ActiveHashcash
-  class Stamp
-    attr_reader :version, :bits, :date, :resource, :extension, :rand, :counter
-
-    def self.parse(string)
-      args = string.split(":")
-      new(args[0], args[1], args[2], args[3], args[4], args[5], args[6])
-    end
-
-    def self.mint(resource, options = {})
-      new(
-        options[:version] || 1,
-        options[:bits] || ActiveHashcash.bits,
-        options[:date] || Date.today.strftime("%y%m%d"),
-        resource,
-        options[:ext],
-        options[:rand] || SecureRandom.alphanumeric(16),
-        options[:counter] || 0).work
-    end
-
-    def initialize(version, bits, date, resource, extension, rand, counter)
-      @version = version
-      @bits = bits.to_i
-      @date = date.respond_to?(:strftime) ? date.strftime("%y%m%d") : date
-      @resource = resource
-      @extension = extension
-      @rand = rand
-      @counter = counter
-    end
-
-    def valid?
-      Digest::SHA1.hexdigest(to_s).hex >> (160-bits) == 0
-    end
-
-    def verify(resource, bits, date)
-      self.resource == resource && self.bits >= bits && parse_date >= date && valid?
-    end
-
-    def to_s
-      [version, bits, date, resource, extension, rand, counter].join(":")
-    end
-
-    def parse_date
-      Date.strptime(date, "%y%m%d")
-    end
-
-    def work
-      @counter += 1 until valid?
-      self
-    end
-  end
-end

data/lib/active_hashcash/store.rb

@@ -1,25 +0,0 @@
-module ActiveHashcash
-  class Store
-    attr_reader :redis
-
-    def initialize(redis = Redis.new(url: ActiveHashcash.redis_url || ENV["ACTIVE_HASHCASH_REDIS_URL"] || ENV["REDIS_URL"]))
-      @redis = redis
-    end
-
-    def add?(stamp)
-      redis.sadd("active_hashcash_stamps_#{stamp.date}", stamp) ? self : nil
-    end
-
-    def clear
-      redis.del(redis.keys("active_hashcash_stamps*"))
-    end
-
-    def clean
-      today = Date.today.strftime("%y%m%d")
-      yesterday = (Date.today - 1).strftime("%y%m%d")
-      keep = ["active_hashcash_stamps_#{today}", "active_hashcash_stamps_#{yesterday}"]
-      keys = redis.keys("active_hashcash_stamps*")
-      redis.del(keys - keep)
-    end
-  end
-end